Optional ssh parameters, Setting the number of ssh authentication retries, Deactivating user authentication – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Optional SSH parameters

You can adjust the following SSH settings on the Brocade device:

• The number of SSH authentication retries
• The user authentication method the Brocade device uses for SSH connections
• Whether the Brocade device allows users to log in without supplying a password
• The port number for SSH connections
• The SSH login timeout value
• A specific interface to be used as the source for all SSH traffic from the device
• The maximum idle time for SSH sessions

Setting the number of SSH authentication retries

By default, the Brocade device attempts to negotiate a connection with the connecting host three
times. The number of authentication retries can be set to any value from 1 to 5.

NOTE
The ip ssh authentication-retries command does not apply when the Brocade device acts as an SSH
client. When the Brocade device acts as an SSH client and you try to establish an SSH connection
with wrong credentials, the session is not established and the connection is terminated. The device
does not check the retry configuration set using the ip ssh authentication-retries command. The
command applies only to connections from SSH clients such as PuTTY, SecureCRT, and so on.

For example, the following command changes the number of authentication retries to 5.

device(config)#ip ssh authentication-retries 5

Syntax: ip ssh authentication-retries number

Deactivating user authentication

After the SSH server on the Brocade device negotiates a session key and encryption method with the
connecting client, user authentication takes place. The Brocade implementation of SSH supports DSA
or RSA challenge-response authentication and password authentication.

With DSA or RSA challenge-response authentication, a collection of clients' public keys is stored on
the Brocade device. Clients are authenticated using these stored public keys. Only clients that hold a
private key corresponding to one of the stored public keys can gain access to the device using SSH.

With password authentication, users are prompted for a password when they attempt to log into the
device (provided empty password logins are not allowed). If there is no user account that matches the
user name and password supplied by the user, the user is not granted access.

You can deactivate one or both user authentication methods for SSH. Note that deactivating both
authentication methods essentially disables the SSH server entirely.

To disable DSA or RSA challenge-response authentication, enter the following command.

device(config)#ip ssh key-authentication no

Syntax: ip ssh key-authentication { yes | no }
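The following is an added example, not part of the Brocade guide: a small audit that reads a FastIron-style running-config excerpt and flags the SSH authentication settings this section describes (retry count outside 1 to 5 or above a local policy maximum, key authentication disabled, or both methods disabled, which leaves the SSH server unusable). The config text is constructed, and the keyword for the password method (ip ssh password-authentication) is assumed by analogy with the key-authentication syntax rather than quoted from this page.

```python
"""Audit SSH authentication settings in a FastIron-style running-config.

Defaults follow the guide: 3 authentication retries (valid range 1-5) and
both key and password authentication enabled when no command overrides them.
"""
import re

DEFAULTS = {
    "authentication-retries": 3,
    "key-authentication": True,
    "password-authentication": True,  # keyword assumed, not quoted from the guide
}
SSH_LINE = re.compile(r"^\s*ip ssh (\S+)(?:\s+(\S+))?\s*$")


def parse_ssh_settings(config_text):
    """Return the effective SSH settings, starting from the documented defaults."""
    settings = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = SSH_LINE.match(line)
        if not m or m.group(2) is None:
            continue
        key, value = m.group(1), m.group(2)
        if key == "authentication-retries":
            settings[key] = int(value)
        elif key in ("key-authentication", "password-authentication"):
            settings[key] = value.lower() == "yes"
    return settings


def audit_ssh_settings(settings, max_retries=3):
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    retries = settings["authentication-retries"]
    if not 1 <= retries <= 5:
        findings.append(f"authentication-retries {retries} is outside the valid range 1-5")
    elif retries > max_retries:
        findings.append(f"authentication-retries {retries} exceeds policy maximum {max_retries}")
    if not settings["key-authentication"] and not settings["password-authentication"]:
        findings.append("both SSH authentication methods disabled: SSH server is effectively unusable")
    elif not settings["key-authentication"]:
        findings.append("key-authentication disabled: only password logins are accepted")
    return findings


# Constructed running-config excerpt for demonstration.
SAMPLE_CONFIG = """\
hostname edge-sw1
ip ssh authentication-retries 5
ip ssh key-authentication no
ip ssh password-authentication yes
"""

if __name__ == "__main__":
    for finding in audit_ssh_settings(parse_ssh_settings(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```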

FastIron Ethernet Switch Security Configuration Guide, 53-1003088-03, page 88