Cisco CRS-1 - Carrier Routing System Router Configuration Guide

Implementing Secure Shell on Cisco IOS XR Software
Information About Implementing Secure Shell
SC-202
Cisco IOS XR System Security Configuration Guide for the Cisco CRS-1 Router
OL-20382-01
SSH Client
The SSH client feature is an application running over the SSH protocol to provide device authentication
and encryption. The SSH client enables a Cisco router to make a secure, encrypted connection to another
Cisco router or to any other device running the SSH server. This connection provides functionality that
is similar to that of an outbound Telnet connection except that the connection is encrypted. With
authentication and encryption, the SSH client allows secure communication over an insecure
network.
The SSH client in the Cisco IOS XR software worked with publicly and commercially available SSH
servers. The SSH client supported the AES and 3DES ciphers, the message digest algorithm 5 (MD5) and SHA1
hash algorithms, and password authentication. User authentication was performed in the Telnet session to the router. The
user authentication mechanisms supported for SSH were RADIUS, TACACS+, and the use of locally
stored usernames and passwords.
SFTP Feature Overview
SSH includes support for standard file transfer protocol (SFTP), a new standard file transfer protocol
introduced in SSHv2. This feature provides a secure and authenticated method for copying router
configuration or router image files.
The SFTP client functionality is provided as part of the SSH component and is always enabled on the
router. Therefore, a user with the appropriate level can copy files to and from the router. Like the copy
command, the sftp command can be used only in EXEC mode.
The SFTP client is VRF-aware, and you may configure the secure FTP client to use the VRF associated
with a particular source interface during connection attempts. The SFTP client also supports interactive
mode, where the user can log on to the server to perform specific tasks via the Unix server.
The SFTP Server is a sub-system of the SSH server. In other words, when an SSH server receives an
SFTP server request, the SFTP API creates the SFTP server as a child process to the SSH server. A new
SFTP server instance is created with each new request.
A new SFTP server is requested in the following steps:
1. The user runs the sftp command with the required arguments.
2. The SFTP API internally creates a child session that interacts with the SSH server.
3. The SSH server creates the SFTP server child process.
4. The SFTP server and client interact with each other in an encrypted format.
When the SSH server establishes a new connection with the SSH client, the server daemon creates a new
SSH server child process. The child server process builds a secure communications channel between the
SSH client and server via key exchange and user authentication processes. If the SSH server receives a
request for the sub-system to be an SFTP server, the SSH server daemon creates the SFTP server child
process. For each incoming SFTP server subsystem request, a new SSH server child and an SFTP server
instance are created. The SFTP server authenticates the user session and initiates a connection. It sets the
environment for the client and the default directory for the user.
Once the initialization occurs, the SFTP server waits for the SSH_FXP_INIT message from the client,
which is essential to start the file communication session. This message may then be followed by any
message based on the client request. Here, the protocol adopts a 'request-response' model, where the
client sends a request to the server; the server processes this request and sends a response.
The SFTP server displays the following responses:
Status Response
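
The ordering rule and request-response model described above, as an added Python example (not code from the Cisco guide or from IOS XR): a server-side session that rejects any packet before SSH_FXP_INIT, validates the length prefix, and answers each request with a Status Response. Packet type and status numbers come from the SFTP version 3 draft, not from this page; `SftpSession`, `MAX_PACKET` and the helper names are hypothetical.

```python
import struct

# Numbers from the SFTP version 3 draft (draft-ietf-secsh-filexfer-02), not from this page.
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_STATUS = 1, 2, 101
SSH_FX_OP_UNSUPPORTED = 8
MAX_PACKET = 34000  # assumed cap: validate the length prefix before trusting it


def frame(ptype, payload):
    """uint32 length (type byte + payload), then the type byte, then the payload."""
    return struct.pack(">IB", len(payload) + 1, ptype) + payload


def unframe(buf):
    """Return (type, payload, remaining bytes); reject bad length prefixes."""
    if len(buf) < 5:
        raise ValueError("short packet")
    length, ptype = struct.unpack(">IB", buf[:5])
    if not 1 <= length <= MAX_PACKET or len(buf) < 4 + length:
        raise ValueError("bad length prefix")
    return ptype, buf[5:4 + length], buf[4 + length:]


def status(req_id, code, msg):
    """SSH_FXP_STATUS body: request id, status code, message, empty language tag."""
    text = msg.encode()
    body = struct.pack(">III", req_id, code, len(text)) + text + struct.pack(">I", 0)
    return frame(SSH_FXP_STATUS, body)


class SftpSession:
    """Hypothetical server side: INIT must arrive first, then one response per request."""

    def __init__(self):
        self.initialized = False

    def handle(self, packet):
        ptype, payload, _ = unframe(packet)
        if not self.initialized:
            if ptype != SSH_FXP_INIT or len(payload) < 4:
                raise ValueError("expected SSH_FXP_INIT")
            self.initialized = True
            client_version = struct.unpack(">I", payload[:4])[0]
            return frame(SSH_FXP_VERSION, struct.pack(">I", min(client_version, 3)))
        if ptype == SSH_FXP_INIT or len(payload) < 4:
            raise ValueError("repeated INIT or missing request id")
        req_id = struct.unpack(">I", payload[:4])[0]
        # No file operations are implemented here, so every request is refused.
        return status(req_id, SSH_FX_OP_UNSUPPORTED, "unsupported")
```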