beautypg.com

Ssh/scp integration with tacacs+ authentication, Securid support, Using securid with ssh – Blade ICE RACKSWITCH G8124-E User Manual

Page 61: Using securid with scp

background image

BLADEOS 6.5.2 Application Guide

BMD00220, October 2010

Chapter 3: Securing Administration 61

SSH/SCP Integration with TACACS+ Authentication

SSH/SCP is integrated with TACACS+ authentication. After the TACACS+ server is enabled on
the switch, all subsequent SSH authentication requests will be redirected to the specified TACACS+
servers for authentication. The redirection is transparent to the SSH clients.

SecurID Support

SSH/SCP can also work with SecurID, a token card-based authentication method. The use of
SecurID requires the interactive mode during login, which is not provided by the SSH connection.

Note –

There is no SNMP or Browser-Based Interface (BBI) support for SecurID because the

SecurID server, ACE, is a one-time password authentication and requires an interactive session.

Using SecurID with SSH

Using SecurID with SSH involves the following tasks.

To log in using SSH, use a special username, “ace,” to bypass the SSH authentication.

After an SSH connection is established, you are prompted to enter the username and password
(the SecurID authentication is being performed now).

Provide your username and the token in your SecurID card as a regular Telnet user.

Using SecurID with SCP

Using SecurID with SCP can be accomplished in two ways:

Using a RADIUS server to store an administrator password.

You can configure a regular administrator with a fixed password in the RADIUS server if it can
be supported. A regular administrator with a fixed password in the RADIUS server can
perform both SSH and SCP with no additional authentication required.

Using an SCP-only administrator password.

Set the SCP-only administrator password (

ssh scp-password

) to bypass checking SecurID.

An SCP-only administrator’s password is typically used when SecurID is not used. For
example, it can be used in an automation program (in which the tokens of SecurID are not
available) to back up (download) the switch configurations each day.

Note –

The SCP-only administrator’s password must be different from the regular administrator’s

password. If the two passwords are the same, the administrator using that password will not be
allowed to log in as an SSH user because the switch will recognize him as the SCP-only
administrator. The switch will only allow the administrator access to SCP commands.

This manual is related to the following products: