Public-Key Infrastructure (PKI) in Secure Shell (SSH) Overview
The major disadvantage of user-key-based authentication is scalability: as the number of users increases, more keys must be copied to and stored on the switch. Public-Key Infrastructure (PKI) solves this problem, and it brings further advantages of its own, such as added security, certificate revocation checking, and no need to manually map keys to users.
For the details about configuring PKI, see Using Public-Key Infrastructure (PKI) in Your Network.
In Public-Key Infrastructure Login Flow Overview, Callout 1 is the initial series of message exchanges initiated by the Secure Shell (SSH) client. The ExtremeXOS device provides the SSH client with the list of supported authentication methods, one of which is public key. The SSH client responds with its public key certificate.
At Callout 2, the ExtremeXOS device verifies that the extended key usage of the client certificate contains 'client authentication'. If not, the SSH PKI connection is not established. Next, the ExtremeXOS device extracts the Common Name (CN) field from the public key certificate and validates it against the local accounts configured on the switch. If there is no matching account or user name, the SSH PKI connection is not established. Finally, it checks that the client certificate's signature chains to a trusted certificate authority's certificate present on the ExtremeXOS device.
After a successful certificate-based login, show session reports x509v3 as the session's authentication method:

# show session
CLI
#   Login Time                 User    Type   Auth    Auth   Location
================================================================================
*5  Tue Oct 18 12:24:12 2016  samar   ..     ssh2    x509v3  dis   10.127.3.143
- Certificate-based authentication is supported only for ExtremeXOS Secure Shell (SSH) server, not for ExtremeXOS SSH client.
- Revocation is checked only for the SSH client's end-entity certificate, using OCSP, and only at login time; there are no periodic revocation checks.
- The SSH client certificate must have client authentication purpose in the extendedKeyUsage field.
- Username must be present in CommonName (CN) in the subject of the certificate. The login username and this CN must match for access to be granted.
- Only RSA- and DSA-based SSH client certificates are supported.
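The following script is an added example, not ExtremeXOS code or output. It pre-flights an SSH client certificate with the openssl command line by applying the three checks described at Callout 2 (extendedKeyUsage contains clientAuth, the subject CN names a configured local account, and the signature chains to a trusted CA) before the certificate is ever presented to the switch. It builds a throwaway lab CA and four client certificates (one that passes, one per failure mode) in a temporary directory; the CA name, the account list, the file names and the helper names (issue, check_client_cert) are all constructed for the example. It does not perform the OCSP revocation check the switch does at login, since that needs a live responder.

```shell
#!/bin/sh
# Added example (not ExtremeXOS code): pre-flight an SSH client certificate
# with the openssl CLI, applying the three checks the switch performs at
# Callout 2 (EKU, CN vs. local account, trusted-CA signature).
# Everything below is built from scratch in a temporary directory; the CA
# name, file names and the account list are constructed for the example.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the local accounts configured on the switch.
LOCAL_ACCOUNTS="admin samar"

# One config file serves every openssl req/x509 call, so the example does
# not depend on a system openssl.cnf being present.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ssh_client]
extendedKeyUsage = clientAuth
[not_client]
extendedKeyUsage = serverAuth
EOF

# issue NAME EXT_SECTION SUBJECT: new key + CSR, signed by the lab CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "$3" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions "$2" \
        -out "$WORK/$1.pem" 2>/dev/null
}

# Lab CA: the certificate the switch would hold as its trusted CA.
openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -extensions v3_ca -subj "/CN=Lab Root CA" -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

issue good   ssh_client "/CN=samar"    # passes every check
issue bad    not_client "/CN=samar"    # EKU lacks clientAuth
issue nobody ssh_client "/CN=nobody"   # CN is not a local account
# Well-formed, but self-signed by a CA the switch does not trust.
openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -extensions ssh_client -subj "/CN=samar" -days 1 \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" 2>/dev/null

# check_client_cert CERT CAFILE
# Exit status follows the order of the checks on the page:
#   0 ok, 1 EKU lacks clientAuth, 2 CN not a local account, 3 untrusted signature
check_client_cert() {
    cert=$1; cafile=$2
    # 1. extendedKeyUsage must include clientAuth.
    openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication' || return 1
    # 2. Subject CN must name a configured local account.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt sep_multiline \
         | sed -n 's/^ *CN=//p')
    found=0
    for acct in $LOCAL_ACCOUNTS; do
        if [ "$acct" = "$cn" ]; then found=1; fi
    done
    [ "$found" -eq 1 ] || return 2
    # 3. Signature must chain to the trusted CA; -purpose sslclient also
    #    re-applies the EKU rule the way an SSH/TLS server would.
    openssl verify -purpose sslclient -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 3
    return 0
}

for c in good bad nobody rogue; do
    rc=0; check_client_cert "$WORK/$c.pem" "$WORK/ca.pem" || rc=$?
    echo "$c.pem -> $rc"
done
```

Running the script prints one line per certificate with its check result (0, 1, 2 and 3 respectively). The same openssl commands can be pointed at a real client certificate and the CA certificate you intend to load on the switch; a certificate that fails here will be rejected at Callout 2 for the same reason, so this catches an EKU or CN mistake before a user is locked out at login.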