Configuring SSH Bidirectional Certificate Authentication for NETCONF Connections
Security Policy Overview
- Certificate authentication requests and requests to obtain certificates are exchanged between the SSH and PKI components.
- After receiving a connection request, if the negotiated host authentication method is certificate authentication, the SSH component sends a CERT Req message to the PKI component to obtain the certificate and the corresponding KEY file.
- A timer is started to retransmit the certificate request message if no CERT RSP ACK message is received. The timer interval is 5s, and the certificate request message is retransmitted a maximum of three times. This mechanism prevents DoS attacks.
- After three timeouts, the SSH connection is torn down, and the cause of the SSH login failure is recorded as no response from the PKI component during host authentication.
- When receiving a user certificate authentication request, the SSH component sends an authentication request message to the PKI component.
- A timer is started to retransmit the authentication request message if no AUTH RSP ACK message is received. The timer interval is 5s, and the authentication request message is retransmitted a maximum of three times. This mechanism prevents DoS attacks.
- After three timeouts, the SSH connection is torn down, and the cause of the SSH login failure is recorded as no response from the PKI component during user authentication.
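The request/retransmission policy above, as an added simulation (not the vendor's code): each of the two phases sends its request to the PKI component, retransmits every 5s, and tears the connection down after the third timeout, recording which phase got no response. The PKI side is modelled as a plain callable, and the name "AUTH Req" for the user authentication request is an assumed label; time is a simulated counter rather than a real sleep.

```python
"""Simulated SSH-side retransmission policy for CERT Req / AUTH Req to the PKI component."""
from dataclasses import dataclass, field
from typing import Callable, Optional

RETRANSMIT_INTERVAL_S = 5   # timer interval stated on the page
MAX_TRANSMISSIONS = 3       # third timeout tears the connection down

# A PKI responder takes (request_name, attempt_number) and returns the ACK name or None.
PkiResponder = Callable[[str, int], Optional[str]]


@dataclass
class SshSession:
    clock: float = 0.0                           # simulated seconds, no real sleep
    active: bool = True
    failure_cause: Optional[str] = None
    log: list = field(default_factory=list)


def request_with_retry(session: SshSession, phase: str, req: str, ack: str,
                       pki: PkiResponder) -> bool:
    """Send `req`; on each missing `ack` wait one timer interval and retransmit.
    Bounded retries keep an unresponsive PKI component from pinning the session open."""
    for attempt in range(1, MAX_TRANSMISSIONS + 1):
        session.log.append(f"t={session.clock:.0f}s send {req} (attempt {attempt})")
        if pki(req, attempt) == ack:
            session.log.append(f"t={session.clock:.0f}s received {ack}")
            return True
        session.clock += RETRANSMIT_INTERVAL_S   # timer expires: retransmit or give up
    session.active = False                       # SSH connection torn down
    session.failure_cause = f"no response from the PKI component during {phase}"
    return False


def run_connection(pki: PkiResponder) -> SshSession:
    """Host authentication first, then user authentication; stop at the first failure."""
    s = SshSession()
    if request_with_retry(s, "host authentication", "CERT Req", "CERT RSP ACK", pki) and \
       request_with_retry(s, "user authentication", "AUTH Req", "AUTH RSP ACK", pki):
        s.log.append("certificate authentication complete")
    return s


# Constructed responders: one that answers on the second attempt, one that never answers.
def pki_slow(req: str, attempt: int) -> Optional[str]:
    return {"CERT Req": "CERT RSP ACK", "AUTH Req": "AUTH RSP ACK"}[req] if attempt >= 2 else None


def pki_silent(req: str, attempt: int) -> Optional[str]:
    return None


if __name__ == "__main__":
    for responder in (pki_slow, pki_silent):
        session = run_connection(responder)
        print("\n".join(session.log), "| active:", session.active, "|", session.failure_cause)
```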
Configuration and Maintenance Methods
- Run the ssh server assign pki pki-keyname command to bind the certificate source for host certificate authentication. The user certificate in the PKI domain is required.
- Run the ssh server publickey x509v3-ssh-rsa command to set the host authentication method to certificate authentication in x509 format.
- Run the ssh user user-name authentication-type { password-x509v3-rsa | x509v3-rsa } command to set the authentication mode of the SSH user to certificate authentication in x509 format.
- Run the ssh user user-name assign pki pki-name command to bind a PKI domain to the SSH user.
- Run the commit command to commit the configuration.