Secure Shell Fundamentals

Remote access methods such as Telnet or FTP send their traffic unencrypted. Anyone who can observe the network traffic can read all of the data, including user names and passwords. Secure Shell (SSH) is a client and server protocol that specifies how to conduct secure communications over a network. Secure Shell can replace Telnet and other remote login utilities, and Secure File Transfer Protocol (SFTP) can replace FTP with an encrypted alternative.

Note

If both SSH and SFTP are concurrently active, you have the ability to disable SFTP while allowing SSH to remain active. For more information, see Disabling SFTP without disabling SSH.

The switch software supports Secure CoPy protocol (SCP), a secure file transfer protocol. Use SCP to securely transfer files between a local host and a remote host. SCP is off by default; you can turn it on when you enable SSH by using the boot config flags command in global configuration mode. The switch supports SCP only as an SCP server, which means that clients can send files to the switch or request files from the switch. Like SFTP, SCP can replace FTP with an encrypted alternative.

Secure Shell supports a variety of the available public and private key encryption schemes. Using the public key of the host server, the client and server negotiate a session key known only to the two of them. This one-time key encrypts all traffic between the client and the server. The switch supports Secure Shell version 2 (SSHv2).
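Because the session key is negotiated from the server's host key, an SSHv2 client should confirm that the host key it is offered is the one recorded for the switch before it trusts the connection. The following added example (not code from this documentation or the switch software) parses an OpenSSH public-key line in its RFC 4253 wire format and computes the SHA256 fingerprint that ssh-keygen -lf prints, so a recorded fingerprint can be compared against the one presented; the key line is constructed in the code and is not a real switch's key.

```python
import base64
import hashlib
import struct

def read_ssh_string(buf: bytes, offset: int):
    """Read one RFC 4253 'string' (uint32 big-endian length + bytes) at offset."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    if start + length > len(buf):
        raise ValueError("truncated string body")
    return buf[start:start + length], start + length

def parse_host_key(line: str):
    """Parse an OpenSSH public-key line ('<type> <base64> [comment]').
    Returns (key_type, fields): fields are the wire-format strings after the type."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        field, offset = read_ssh_string(blob, offset)
        fields.append(field)
    # The type inside the blob must agree with the declared type.
    if not fields or fields[0].decode() != key_type:
        raise ValueError("key type in blob does not match the declared type")
    return key_type, fields[1:]

def fingerprint_sha256(line: str) -> str:
    """'SHA256:' + unpadded base64 of the SHA-256 digest of the raw key blob."""
    blob = base64.b64decode(line.split()[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the presented key matches the fingerprint recorded out of band."""
    return fingerprint_sha256(line) == expected_fingerprint

def constructed_key_line() -> str:
    """Constructed sample: a syntactically valid ssh-ed25519 line with 32 dummy key bytes."""
    key_bytes = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + key_bytes
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " switch-host-key"

if __name__ == "__main__":
    sample = constructed_key_line()
    key_type, fields = parse_host_key(sample)
    print(key_type, len(fields[0]), fingerprint_sha256(sample))
```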

Figure: Overview of the SSHv2 protocol

By using a combination of host, server, and session keys, the SSHv2 protocol can provide strong authentication and secure communication over an insecure network, offering protection from the following security risks:

Even if network security is compromised, traffic cannot be played back or decrypted, and the connection cannot be hijacked.

The SSH secure channel does not, however, provide protection against break-in attempts or denial-of-service (DoS) attacks.

With the SSHv2 server in the switch, you can use an SSHv2 client to make a secure connection to the switch, and the switch works with commercially available SSHv2 clients. For more information about supported clients, see Third-Party SSH and SCP Client Software. The switch also supports outbound connections to remote SSHv2 servers, providing complete inbound and outbound secure access.