Secure Shell (SSH) Public Key Infrastructure (PKI) with X509v3 Certificate-Based Authentication

This feature adds Secure Shell (SSH) Public Key Infrastructure (PKI) with X509v3 Certificate-Based Authentication to ExtremeXOS.

Previously, the ExtremeXOS SSH server supported the following two types of authentication methods to authenticate the SSH clients:
  • Password-based authentication—Simple mapping of configured user and password.
  • User key-based authentication—The user generates a key pair (public and private keys). The public key is copied to the switch and associated with a particular user name. When the user tries to log in to the switch with their private key, the ExtremeXOS SSH server verifies the key and its association with the user. If this succeeds, the login is allowed. If key-based authentication fails, the server falls back to password-based authentication.

The major disadvantage of user key-based authentication is scalability: as the number of users increases, more keys must be copied to and stored on the switch. PKI solves this problem. Additionally, PKI provides added security, certificate revocation checking, and avoids the manual mapping of keys to users.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, X770, and ExtremeSwitching X620, X440-G2 series switches.

Limitations

  • Certificate-based authentication is supported only for ExtremeXOS SSH server, not for ExtremeXOS SSH client.
  • Revocation check is done only for the SSH client-end certificate using Online Certificate Status Protocol (OCSP) only at the time of login. No periodic revocation checks occur.
  • The SSH client certificate must have the client authentication purpose in the extendedKeyUsage field.
  • The username must be present in the CommonName (CN) of the certificate subject. The login username and this CN must match for access to be granted.
  • Only RSA- and DSA-based SSH client certificates are supported.
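The constraints above can be verified before a certificate is handed to a user, rather than discovered as a failed login on the switch. The following script is an added example, not part of the ExtremeXOS documentation and not the switch's own validation code: it assumes the openssl CLI is installed, builds a throwaway lab CA and two client certificates (one conforming, one issued with serverAuth only), and checks each against the CN match, extendedKeyUsage and key-type rules. The OCSP revocation check the switch performs at login requires a reachable responder and is not reproduced here.

```shell
#!/bin/sh
# Added example (not from the ExtremeXOS documentation). Uses the openssl CLI,
# assumed to be installed, to issue test certificates and check them against
# the documented constraints for certificate-based SSH login.
set -u

WORK="$(mktemp -d)"

# Throwaway CA, constructed for this example only (1-day validity).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue_client_cert USERNAME OUTFILE EKU
# Issues a certificate with CN=USERNAME and extendedKeyUsage=EKU, signed by the lab CA.
issue_client_cert() {
  user="$1"; out="$2"; eku="$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$user" \
    -keyout "$WORK/$user.key" -out "$WORK/$user.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\n' "$eku" > "$WORK/$user.ext"
  openssl x509 -req -in "$WORK/$user.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$user.ext" -out "$out" >/dev/null 2>&1
}

# check_client_cert CERTFILE USERNAME
# Returns 0 only when all of the documented constraints hold:
#   1. the subject CommonName equals the login username,
#   2. extendedKeyUsage includes client authentication,
#   3. the public key is RSA or DSA.
check_client_cert() {
  cert="$1"; user="$2"
  text="$(openssl x509 -in "$cert" -noout -text)" || { echo "cannot parse $cert"; return 1; }

  cn="$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p')"
  if [ "$cn" != "$user" ]; then
    echo "reject: CN '$cn' does not match login username '$user'"
    return 1
  fi

  # In -text output the EKU purposes are printed on the line after the header.
  if ! printf '%s\n' "$text" | sed -n '/X509v3 Extended Key Usage/{n;p;}' \
       | grep -q 'TLS Web Client Authentication'; then
    echo "reject: extendedKeyUsage does not include clientAuth"
    return 1
  fi

  alg="$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *\(.*\)$/\1/p')"
  case "$alg" in
    rsaEncryption|dsaEncryption) ;;
    *) echo "reject: unsupported key algorithm '$alg'"; return 1 ;;
  esac

  echo "accept: $cert is usable for SSH login as '$user'"
  return 0
}

# Demonstration: one conforming certificate and one issued for server use only.
issue_client_cert alice "$WORK/alice.crt" clientAuth
issue_client_cert bob   "$WORK/bob.crt"   serverAuth

check_client_cert "$WORK/alice.crt" alice   # accept
check_client_cert "$WORK/alice.crt" bob     # reject: CN mismatch
check_client_cert "$WORK/bob.crt"   bob     # reject: no clientAuth
```

The CN comparison is exact, which mirrors the requirement that the login username and the certificate CN match; a certificate whose CN carries extra text (a full name, an e-mail address) will be rejected by this check just as the login would be.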