Configuring SSH security on devices

About the SSH protocol

The SSH protocol provides secure file transfer and file system access between the NFM-P and managed NEs. SSH version 2, or SSH2, is enabled by default on many devices. SSH2 uses paired public and private encryption keys to perform authentication. After an SSH key pair is generated on an NE, the private key is stored locally, and the public key is used by SSH2 clients. A public key persists in the NFM-P for future SSH2 communication with the NE, and is used to verify that the client is connecting to the correct SSH2 entity. An SSH2 server on an NE identifies itself to a client by sending a message that is signed using the private key of the server. The NFM-P uses the public key of the SSH2 server to authenticate the server identity.

SSH2 host key management

An NE sends an SSH2 host key when the NFM-P first tries to establish an SSH2 connection. The NFM-P automatically accepts the public key fingerprint and stores it locally. The NFM-P uses the local fingerprint copy for authentication during subsequent sessions.

If an NE sends a different host key in a subsequent session, the NFM-P rejects the connection attempt and raises an alarm. If an operator determines that the host key change is valid, for example, because of an NE reboot while host key persistence on the NE is disabled, the operator can manually delete the mismatched host key from the NFM-P and accept the new key. The NFM-P subsequently accepts SSH2 connection requests from the NE.

Note: Nokia recommends that you enable host key persistence on an SSH2 NE to retain the public key fingerprint after NE reboots. If host key persistence is disabled, connection attempts after an NE reboot fail until an NFM-P operator manually deletes the stored key. See To manually accept a mismatched SSH host key for information about deleting a mismatched host key.

By default, SSH host key persistence is disabled on the 7210 SAS, 7450 ESS, 7705 SAR, 7750 SR, and 7950 XRS.
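The trust-on-first-use behaviour described above (accept and store the fingerprint on first contact, reject and alarm on a later mismatch, operator deletes the stale key to re-accept) as a small model, written as an added example; it is not NFM-P code, and the class, method names and the constructed key blobs are assumptions.

```python
import base64
import hashlib


def fingerprint(pubkey_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw host public-key blob."""
    digest = hashlib.sha256(pubkey_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Trust-on-first-use host key store modelled on the NFM-P behaviour (hypothetical)."""

    def __init__(self):
        self._keys = {}   # NE address -> stored fingerprint
        self.alarms = []  # alarms raised on host key mismatch

    def check(self, ne: str, pubkey_blob: bytes) -> str:
        """Validate the host key an NE offers at session setup.

        Returns 'accepted-new' on first contact, 'accepted-known' when the
        stored fingerprint matches, and 'rejected-mismatch' (plus an alarm)
        when the NE presents a different key.
        """
        offered = fingerprint(pubkey_blob)
        stored = self._keys.get(ne)
        if stored is None:
            self._keys[ne] = offered  # first contact: accept and persist
            return "accepted-new"
        if stored == offered:
            return "accepted-known"
        self.alarms.append(f"host key mismatch for {ne}: stored {stored}, offered {offered}")
        return "rejected-mismatch"

    def delete(self, ne: str) -> None:
        """Operator action after confirming the key change is valid (e.g. reboot
        without host key persistence): drop the stale key so the next key is accepted."""
        self._keys.pop(ne, None)


# Constructed key blobs standing in for the NE's real host public keys.
KEY_BEFORE_REBOOT = b"ssh-ed25519 constructed-host-key-A"
KEY_AFTER_REBOOT = b"ssh-ed25519 constructed-host-key-B"

if __name__ == "__main__":
    store = HostKeyStore()
    print(store.check("10.0.0.1", KEY_BEFORE_REBOOT))  # accepted-new
    print(store.check("10.0.0.1", KEY_AFTER_REBOOT))   # rejected-mismatch
    print(store.alarms)
```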

SSH2 and device CLI sessions

When SSH2 for CLI sessions is enabled in the mediation policy of an SSH2-capable device, SSH2 instead of Telnet is used for each CLI session.

SSH1 is used only in SSH CLI sessions on NEs that do not support SSH2. SSH1 is not supported for communications with GNEs.

SSH2 and secure file transfers

When secure file transfers are specified in the mediation policy of an SSH2-capable device, SCP is used instead of FTP for backups, restores, software upgrades, and statistics collection.