The IDS sensor has several CLI commands to assist in generating certificates and Secure Shell (SSH) keys and adding client public keys to the sensor. We grouped these commands here to provide a quick reference. Make sure that you know these commands and refer to the Cisco command reference for more details before attempting the exam.
You use the tls generate-key command to generate a self-signed X.509 certificate, which you need when communicating with the Transport Layer Security (TLS) and Secure Hypertext Transfer Protocol (HTTPS) protocols. Each time that you change the command and control interface IP address, you have to execute this command to recreate the certificate. Following is a sample output of this command:
sensor# tls generate-key
MD5: 1F:94:6F:2E:38:AD:FB:2C:42:0C:AE:61:EC:29:74:BA
SHA1: 16:AC:EC:AC:9D:BC:84:F5:D8:E4:1A:05:C4:01:BB:65:7B:4F:FC:AB
sensor(config)#
The tls generate-key command generates a new self-signed certificate for the sensor. After that process is complete, you should reboot the sensor.
The ssh-host command adds entries to the known host table to allow secure communications. If you do not provide the modulus, exponent, and length parameters, the sensor contacts the given IP address over SSH to obtain the host's key. In that case, the host must be reachable for the exchange to succeed. Following is the syntax for this command:
ssh host-key ipaddress [ key-modulus-length public-exponent public-modulus ]
no ssh host-key ipaddress
Table 8.5 lists options for the ssh-host command and describes their functions.

Table 8.5 ssh host-key command options

Option              Description
ipaddress           32-bit address written as four octets separated by periods.
key-modulus-length  (Optional) ASCII decimal integer in the range 511 to 2048.
public-exponent     (Optional) ASCII decimal integer in the range 3 to 2^32.
public-modulus      (Optional) ASCII decimal integer, x, such that 2^key-modulus-length < x < 2^(key-modulus-length + 1).
The next two examples display the different ways of using the ssh-host command to add an entry to the known host table for 10.1.2.3. First is example 1:
sensor(config)# ssh host-key 10.1.2.3 1024 139306213541835240385332922253968814685684523520064131997839905113640120217816869696708721704631322844292073851730565044879082670677554157937058485203995572114631296604552161309712601068614812749969593513740598331393154884988302302182922353335152653860589163651944997842874583627883277460138506084043415861927
Next is example 2:
sensor(config)# ssh host-key 10.1.2.3
MD5 fingerprint is 49:3F:FD:62:26:58:94:A3:E9:88:EF:92:5F:52:6E:7B
Would you like to add this to the known hosts table for this host? [yes]
sensor(config)#
As you can see in example 1, the modulus and public key parameters could easily be entered incorrectly. Example 2 displays an easier version of the command that uses only the IP address of the host and lets the sensor retrieve the key itself.
You use the ssh-authorized-key command to add a public key to the current user. This key gives the user the ability to use Rivest Shamir Adleman (RSA) authentication to the sensor's SSH server. For example, if the user tina wants to use RSA authentication between her and the sensor, she first logs in to the sensor and then executes the ssh-authorized-key command to add her public key. The following example demonstrates how to use this command:
sensor(config)# ssh authorized-key system1 1023 37 660394680239485093284509283459024590
sensor(config)#
This example adds a public key to the current user account named system1.
You use the ssh-generate-key command to create a new server host key that the sensor uses for SSH communications. When a new key is generated, you must restart the system for the key to take effect. The following output shows this command in use:
sensor# ssh generate-key
MD5: 49:3F:FD:62:26:58:94:A3:E9:88:EF:92:5F:52:6E:7B
Bubble Babble: xebiz-vykyk-fekuh-ruhuh-cabaz-paret-gosym-serum-korus-fypop-huxyx
Warning: The node must be rebooted for the changes to go into effect.
Continue with reboot? [yes]
The example shows the ssh generate-key command creating a new server host key. At the bottom of the example, the sensor asks to be rebooted to activate the new keys.
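The fingerprints the sensor prints (the MD5 line in example 2 and the MD5 and Bubble Babble lines above) are what an operator compares against a value obtained out of band before answering "yes" to the known-hosts prompt. The following added example, not from the Cisco documentation or the sensor software, reproduces both formats in Python; it assumes the SSH version 1 fingerprint layout (hash over the big-endian modulus bytes followed by the exponent bytes) and the Bubble Babble encoding used by ssh-keygen -B, and the key values in it are constructed, not real host keys.

```python
# Added example (not Cisco's code): recompute the fingerprint formats the sensor
# displays so they can be checked against an out-of-band copy before a host key
# or a freshly generated server key is trusted.
import hashlib

VOWELS, CONSONANTS = "aeiouy", "bcdfghklmnprstvzx"


def colon_hex(digest: bytes) -> str:
    """Render a digest as the colon-separated upper-case hex the sensor prints."""
    return ":".join(f"{b:02X}" for b in digest)


def rsa1_fingerprint(modulus: int, exponent: int, algo: str = "md5") -> str:
    # Assumption: SSH v1 style blob = big-endian modulus bytes + big-endian
    # exponent bytes (the same (bits, exponent, modulus) triple example 1 types in).
    blob = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    blob += exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    return colon_hex(hashlib.new(algo, blob).digest())


def bubble_babble(data: bytes) -> str:
    """Bubble Babble encoding of a digest (ssh-keygen -B applies it to SHA-1)."""
    seed, rounds, out = 1, len(data) // 2 + 1, ["x"]
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2 != 0:
            b1 = data[2 * i]
            out.append(VOWELS[(((b1 >> 6) & 3) + seed) % 6])
            out.append(CONSONANTS[(b1 >> 2) & 15])
            out.append(VOWELS[((b1 & 3) + seed // 6) % 6])
            if i + 1 < rounds:  # a full byte pair: second byte plus checksum update
                b2 = data[2 * i + 1]
                out.append(CONSONANTS[(b2 >> 4) & 15] + "-" + CONSONANTS[b2 & 15])
                seed = (seed * 5 + b1 * 7 + b2) % 36
        else:  # even-length input: the final round is padding derived from the seed
            out.append(VOWELS[seed % 6] + CONSONANTS[16] + VOWELS[seed // 6])
    return "".join(out) + "x"


def host_key_matches(modulus: int, exponent: int, expected_md5: str) -> bool:
    """True only if the fingerprint displayed by the sensor equals the recomputed one."""
    return rsa1_fingerprint(modulus, exponent) == expected_md5.upper()


if __name__ == "__main__":
    # Constructed toy key (NOT a real host key); 37 is the exponent used on the page.
    mod, exp = 0xC0FFEEDEADBEEF0BADCAFE1234567, 37
    print("MD5:", rsa1_fingerprint(mod, exp))
    print("Bubble Babble:", bubble_babble(hashlib.sha1(b"constructed blob").digest()))
```

A mismatch between the displayed fingerprint and the recomputed one means the key presented is not the one you expected, and the known-hosts prompt should be answered "no".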
Make sure you know that the IDS sensor 4.0 supports SSH versions 1 and 2.