HP ProCurve 9304M Security Manual page 79

1. The client sends its public key to the HP device.
2. The HP device compares the client's public key to those stored in memory.
3. If there is a match, the HP device uses the public key to encrypt a random sequence of bytes.
4. The HP device sends these encrypted bytes to the client.
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the HP device.
7. The HP device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes
match, it means that the client's private key corresponds to an authorized public key, and the client is
authenticated.
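The seven steps above, modelled in Python as an added example (not HP's code and not part of the manual). It uses textbook unpadded RSA over a small constructed key pair, assumes one key per line in the "bits exponent modulus comment" layout of the manual's sample file, and all function names are hypothetical.

```python
import hmac
import secrets

# Constructed toy key pair (two Mersenne primes); real keys are 1024+ bits.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # client's private exponent

# Constructed key file, assumed layout: bits exponent modulus comment
KEY_FILE = f"{N.bit_length()} {E} {N} user@csp_client\n"

def load_authorized_keys(text):
    """Parse 'bits exponent modulus comment' lines into {(e, n): comment}."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                          # skip blank or short lines
        bits, e, n = (int(f) for f in fields[:3])
        if n.bit_length() != bits:
            continue                          # declared size must match modulus
        keys[(e, n)] = " ".join(fields[3:])
    return keys

def device_challenge(authorized, client_pub):
    """Steps 2-4: reject unknown keys, else encrypt a fresh random value."""
    if client_pub not in authorized:
        return None, None
    e, n = client_pub
    original = secrets.randbelow(n - 2) + 2   # random value below the modulus
    return original, pow(original, e, n)

def client_response(encrypted, d, n):
    """Steps 5-6: decrypt the challenge with the private key."""
    return pow(encrypted, d, n)

def device_verify(original, response, n):
    """Step 7: compare returned bytes to the original in constant time."""
    size = (n.bit_length() + 7) // 8
    return hmac.compare_digest(original.to_bytes(size, "big"),
                               response.to_bytes(size, "big"))

def authenticate(authorized, client_pub, d):
    """Run steps 1-7 for a client holding private exponent d."""
    original, encrypted = device_challenge(authorized, client_pub)
    if original is None:
        return False
    n = client_pub[1]
    return device_verify(original, client_response(encrypted, d, n), n)
```

A client that presents an authorized public key but does not hold the matching private key fails at step 7, because it cannot recover the original value from the encrypted challenge.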
Setting up RSA challenge-response authentication consists of the following steps:
1. Importing authorized public keys into the HP device.
2. Enabling RSA challenge-response authentication.
Importing Authorized Public Keys into the HP Device
SSH clients that support RSA authentication normally provide a utility to generate an RSA key pair. The private
key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not
protected. You should collect one public key from each client to be granted access to the HP device and place all
of these keys into one file. This public key file is imported into the HP device.
The following is an example of a public key file containing two public keys:
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574
94957339232259963157379681924847634614532742178652767231995746941441604714682680
00644536790333304202912490569077182886541839656556769025432881477252978135927821
67540629478392662275128774861815448523997023618173312328476660721888873946758201
user@csp_client
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924
76207475545234679268443233762295312979418833525975695775705101805212541008074877
26586119857422702897004112168852145074087969840642408451742714558592361693705908
74837875599405503479603024287131312793895007927438074972787423695977635251943 root@unix_machine
You can import the authorized public keys into the active configuration by loading them from a file on a TFTP
server. Once the authorized public keys are loaded, you can optionally save them to the startup-config file. If you
import a public key file from a TFTP server, the file is automatically loaded into the active configuration the next
time the device is booted.
HP devices support Secure Copy (SCP) for securely transferring files between hosts on a network. Note that
when you copy files using SCP, you enter the commands on the SCP-enabled client, rather than the console on
the HP device.
If password authentication is enabled for SSH, the user will be prompted for a password in order to copy the file.
See "Using Secure Copy" on page 3-11 for more information on SCP.
After the file is loaded onto the TFTP server, it can be imported into the active configuration each time the device
is booted.
To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the HP device is booted,
enter a command such as the following:
ProCurveRS(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
Syntax: ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>
To display the currently loaded public keys, enter the following command:
June 2005
Configuring Secure Shell
3 - 5
