Users Guide
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If
any of the fields are invalid, the authentication fails.
8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not
revoked. Verification is done by checking either the appropriate CRL or by sending an OCSP request to the appropriate
OCSP responder.
9. If the certificate is revoked, the authentication fails.
10. If peer-name-checking is enabled in the security profile, the OS10 SSH server matches the common name or principal name
fields from the user certificate against the username.
11. If there is no match, the OS10 SSH server attempts to match the user certificate fields against any configured certificate for
that local username.
12. If there is no match, the authentication fails.
13. The OS10 SSH server prompts you for a password.
14. The OS10 SSH server performs standard local user authentication using the username and returned password.
15. On successful authentication, the SSH session continues.
Local user authentication without a password
When you configure OS10 SSH server for X.509v3 SSH local authentication, and when connecting using SSH, the following
sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a
connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the
OS10 switch X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6. The SSH client application sends an authentication request with the X.509v3 certificate.
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If
any of the fields are invalid, the authentication fails.
8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not
revoked. Verification is done by checking either the appropriate CRL or by sending an OCSP request to the appropriate
OCSP responder.
9. If the certificate is revoked, the authentication fails.
10. The OS10 SSH server attempts to match the user certificate fields against the configured certificate for that local username.
11. If there is a match, the authentication succeeds and the SSH session proceeds without a password prompt.
General X.509v3 configuration for X.509v3 SSH authentication
Both forms of X.509v3 authentication require configuring the X.509v3 PKI support. The following are the security profile details:
● Install CA and host PKI certificates.
crypto ca-cert install ca-cert-filepath [filename]
crypto cert install cert-file home://cert-filepath key-file {key-path | private}
[password passphrase] [fips]
● Create a security profile with certificate and required attributes.
crypto security-profile profile-name
certificate certificate-name
peer-name-check
key-usage-check
revocation-check
Configure remote user authentication with a password
To support remote user authentication by smart card and password, configure the following:
1394
Security