API Guide

Configure local user authentication without a password
To support password-less local user authentication using a smart card and password, configure the following:
Enable password-less X.509v3 authentication in the SSH server.
    ip ssh server x509v3-authentication security-profile profile-name password-less
Leave plain password authentication enabled for users that do not have a configured certificate.
    ip ssh server password-authentication
Leave plain public key authentication enabled if it is required that users can alternatively use SSH public key password-less authentication.
    ip ssh server pubkey-authentication
Configure the user X.509v3 certificate details to allow the SSH server to match the user certificate to the account.
    username username certificate subject x509v3-subject-string
or
    username username certificate principal-name user-principal-name-string
or
    username username certificate fingerprint fingerprint-value
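As an added example (not part of the original guide and not Dell code), the following Python script audits a saved configuration for the settings listed above and reports accounts that have no certificate mapping when password authentication is turned off. The sample configuration is constructed; the `username ... password ... role ...` lines, the `no` form of the SSH commands, and the names `corp-piv`, `alice`, `bob` and `carol` are assumptions.

```python
import re

# Constructed sample built from the command forms above. The "username ...
# password ... role ..." lines and the "no" form are assumptions.
SAMPLE_CONFIG = """\
ip ssh server x509v3-authentication security-profile corp-piv password-less
no ip ssh server password-authentication
ip ssh server pubkey-authentication
username alice password **** role sysadmin
username alice certificate principal-name alice@example.test
username bob password **** role netoperator
username carol certificate subject "CN=carol,O=Example"
"""

SSH_RE = re.compile(r"^(no\s+)?ip ssh server (x509v3|password|pubkey)-authentication\b(.*)$")
USER_RE = re.compile(r"^username (\S+)\s+(.*)$")
CERT_RE = re.compile(r"^certificate (subject|principal-name|fingerprint)\s+(.+)$")

def audit_passwordless(config_text):
    """Return SSH authentication state, certificate mappings and findings."""
    ssh = {"x509v3": False, "password": False, "pubkey": False}
    passwordless, users, mapped = False, set(), {}
    for line in map(str.strip, config_text.splitlines()):
        m = SSH_RE.match(line)
        if m:
            method, enabled = m.group(2), m.group(1) is None
            ssh[method] = enabled
            if method == "x509v3":  # must carry the password-less keyword
                passwordless = enabled and m.group(3).split()[-1:] == ["password-less"]
            continue
        m = USER_RE.match(line)
        if m:
            users.add(m.group(1))
            c = CERT_RE.match(m.group(2))
            if c:  # subject, principal-name or fingerprint mapping
                mapped[m.group(1)] = (c.group(1), c.group(2))
    unmapped = sorted(users - set(mapped))
    findings = []
    if mapped and not passwordless:
        findings.append("certificate mappings exist but password-less X.509v3 is not enabled")
    if unmapped and not ssh["password"]:
        findings.append("password authentication is off; no password fallback for: "
                        + ", ".join(unmapped))
    return {"ssh": ssh, "passwordless": passwordless, "mapped": mapped,
            "unmapped": unmapped, "findings": findings}

if __name__ == "__main__":
    for finding in audit_passwordless(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", finding)
```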
Generate and install a new security certificate on OS10 10.4.3.0 and later releases for full switch mode
Rationale: Switches that run OS 10.5.0.7P3 or previous supported releases and have VLT or SmartFabric Services enabled use secure channels to communicate with each other. To establish secure channels, OS10 uses X.509v3 certificates. When a user logs in to the system, OS10 images from 10.4.3.x to 10.5.0.7P3 display a warning message that the cluster manager is using the default credentials.
Configuration notes:
Even if you reinstall OS10, the certificate is present on the system. If you reinstall OS10, reinstall the certificate by removing and re-adding the security profile using the no cluster security-profile and the cluster security-profile profile-name commands.
Use the following procedure to install a valid certificate so that the system stops displaying the warning message and continues
to function properly. This procedure only works for OS10 releases 10.4.3.0 and later. If you are running OS10 releases between
10.4.1.4 and 10.4.2.x, upgrade to a later release.
Configuration:
1. Verify the OS10 version on both devices.
Switch-A:
Switch-A# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved.
OS Version: 10.5.0.7P3
Build Version: 10.5.0.7.745
Build Time: 2020-06-02T22:46:24+0000
System Type: MX9116N-ON
Architecture: x86_64
Up Time: 00:07:32
Switch-B:
Switch-B# show version
Dell EMC Networking OS10 Enterprise
Copyright (c) 1999-2020 by Dell Inc. All Rights Reserved.
OS Version: 10.5.0.7P3
Build Version: 10.5.0.7.745
Build Time: 2020-06-02T22:46:24+0000
System Type: MX9116N-ON
Architecture: x86_64
Up Time: 00:08:10
OS10 security best practices