Public-Key Infrastructure (PKI) in Secure Shell (SSH) Overview

The major disadvantage with user-key-based authentication is scalability. As the number of users increases, a greater number of keys must be copied and stored in the switch. This problem can be solved with the Public-Key Infrastructure (PKI). Moreover, PKI has its own advantages of added security, certificate revocation checking, avoiding manual mapping of keys with users, etc.

For the details about configuring PKI, see Using Public-Key Infrastructure (PKI) in Your Network.

expand icon
Public-Key Infrastructure Login Flow Overview
../Graphics/PKI_SSH.png

In Public-Key Infrastructure Login Flow Overview, Callout 1 is the initial series of message exchanges initiated by the Secure Shell (SSH) client. The ExtremeXOS device is providing the SSH client with the list of supported authentication methods, one of which is public key. The SSH client responds with its public key certificate.

At Callout 2, the ExtremeXOS device verifies if the extended key usage of client certificate contains ?client authentication‘. If not, the SSH PKI connection is not established. Next, the ExtremeXOS device extracts the Common-Name field from the public key certificate and validates it against the local-accounts present/configured in the switch. If there is no matching accounts/user-name, then the SSH PKI connection is not established. Next, it checks to ensure the certificate signature from SSH client matches a trusted certificate authority?s certificate present on the ExtremeXOS device.

At Callout 3, the ExtremeXOS device sends an Online Certificate Status Protocol (OCSP) request to the OCSP responder to check the validity of the Clients X.509 certificate. If the OCSP responder determines that the certificate has not been revoked by the certificate authority, the server sends back a GOOD response. After the preceding steps are completed, then the user is logged in automatically using SSH with X509, which can be seen using the command show session {{detail} {sessID}} {history} with the output shown as follows (the Auth field has a value of x509v3, which indicates that this is a SSH login using PKI):
# show session
                                                             CLI
    #       Login Time               User     Type    Auth   Auth Location
================================================================================
*5          Tue Oct 18 12:24:12 2016 samar .. ssh2    x509v3 dis  10.127.3.143

Limitations

  • Certificate-based authentication is supported only for ExtremeXOS Secure Shell (SSH) server, not for ExtremeXOS SSH client.
  • Revocation check is done only for the SSH client-end certificate using OCSP only at the time of login. There are no periodic revocation checks.
  • The SSH client certificate must have client authentication purpose in the extendedKeyUsage field.
  • Username must be present in CommonName (CN) in the subject of the certificate. The login username and this CN must match for access to be granted.
  • Supports only RSA, DSA-based SSH client certificates.