API Guide
10. If peer-name-checking is enabled in the security profile, the OS10 SSH server matches the common name or principal name
fields from the user certificate against the username.
11. If there is no match, the OS10 SSH server attempts to match the user certificate fields against any configured certificate for
that local username.
12. If there is no match, the authentication fails.
13. The OS10 SSH server prompts you for a password.
14. The OS10 SSH server performs standard local user authentication using the username and returned password.
15. On successful authentication, the SSH session continues.
Local user authentication without a password
When you configure OS10 SSH server for X.509v3 SSH local authentication, and when connecting using SSH, the following
sequence occurs:
1. Insert a CAC or PIV smart card into the card reader slot in your computer or keyboard.
2. Start an RFC 6187 X.509v3 compatible SSH client application, set authentication to smart card or CAC, and make a
connection to the OS10 switch.
3. The SSH client application makes the initial connection to the switch, negotiates X.509v3 authentication, and validates the
OS10 switch X.509v3 certificate.
4. The SSH client application prompts you to select the required authentication certificate from the CAC or PIV card.
5. The SSH client application prompts you to enter the PIN for the CAC or PIV card.
6. The SSH client application sends an authentication request with the X.509v3 certificate.
7. The OS10 SSH server validates the public certificate, including validating the trust chain, valid date range, and usage fields. If
any of the fields are invalid, the authentication fails.
8. If the configured OS10 security profile calls for revocation checking, the OS10 SSH server verifies that the certificate is not
revoked. Verification is done by checking either the appropriate CRL or by sending an OCSP request to the appropriate
OCSP responder.
9. If the certificate is revoked, the authentication fails.
10. The OS10 SSH server attempts to match the user certificate fields against the configured certificate for that local username.
11. If there is a match, the authentication succeeds and the SSH session proceeds without a password prompt.
Configure remote user authentication with a password
To support remote user authentication by smart card and password, configure the following:
● Enable RADIUS or TACACS+ authentication.
radius-server host {hostname | ip-address} key {0 authentication-key | 9
authentication-key | authentication-key} [auth-port port-number]
aaa authentication login default group radius local
● Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
● If all SSH login attempts require an X.509v3 certificate, disable the plain password authentication and SSH public key
authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
Configure local user authentication with a password
To support local user authentication by smart card and password, configure the following:
● Enable X.509v3 authentication in the SSH server.
ip ssh server x509v3-authentication security-profile profile-name
● If all SSH login attempts present an X.509v3 certificate, disable the plain password authentication and SSH public key
authentication in the SSH server.
no ip ssh server password-authentication
no ip ssh server pubkey-authentication
OS10 security best practices
31