Generating Local DSA or RSA Key Pairs - HP VSR1000 Security Configuration Manual

Virtual services router

Tasks at a glance
Configuring the PKI domain for verifying the client certificate
(Required/optional.) Configuring an SSH user
(Optional.) Setting the SSH management parameters

Generating local DSA or RSA key pairs

IMPORTANT:
Do not generate the local DSA key pair when the device operates in FIPS mode as an SSH server. User authentication will fail because the SSH server operating in FIPS mode supports only RSA key pairs.

The DSA or RSA key pairs are required for generating the session key and session ID in the key exchange stage, and can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server public key that the client saved locally. If the keys match, the client uses the public key to verify the digital signature from the server. If the digital signature is valid, the authentication succeeds.
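
The client-side key comparison described above, as an added example in Python (not code from the HP manual or from the device): it parses an SSH wire-format host key blob, compares it with the locally saved copy, and rejects a DSA host key when the server is known to run in FIPS mode. The function names and the sample blobs are assumptions constructed for illustration, and the example covers the comparison step only.

```python
import base64, hashlib, hmac, struct

def _fields(blob):
    """Split an SSH wire-format key blob (RFC 4253) into length-prefixed fields."""
    out, i = [], 0
    while i < len(blob):
        if i + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        if i + n > len(blob):
            raise ValueError("truncated field")
        out.append(blob[i:i + n])
        i += n
    return out

def describe(blob):
    """Return (algorithm, modulus bits, SHA256 fingerprint) for an RSA or DSA host key."""
    f = _fields(blob)
    alg = f[0].decode("ascii") if f else ""
    if alg == "ssh-rsa" and len(f) == 3:      # fields: name, e, n
        modulus = f[2]
    elif alg == "ssh-dss" and len(f) == 5:    # fields: name, p, q, g, y
        modulus = f[1]
    else:
        raise ValueError("unsupported or malformed key: " + repr(alg))
    bits = int.from_bytes(modulus, "big").bit_length()
    fp = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return alg, bits, "SHA256:" + fp

def check_host_key(received, saved, fips=False):
    """Client-side check: the key must equal the saved copy and fit the server mode."""
    alg, bits, fp = describe(received)
    if not hmac.compare_digest(received, saved):
        return "REJECT: host key differs from saved key (" + fp + ")"
    if fips and alg != "ssh-rsa":
        return "REJECT: " + alg + " host key, FIPS mode supports only RSA"
    return "OK: %s %d bits %s" % (alg, bits, fp)

# Constructed sample blobs built from placeholder numbers (not real keys).
def _mpint(v):
    return v.to_bytes(v.bit_length() // 8 + 1, "big")

def _blob(*parts):
    return b"".join(struct.pack(">I", len(p)) + p for p in parts)

RSA_SAVED = _blob(b"ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 1))
RSA_OTHER = _blob(b"ssh-rsa", _mpint(65537), _mpint((1 << 2047) | 3))
DSA_SAVED = _blob(b"ssh-dss", _mpint((1 << 1023) | 1), _mpint((1 << 159) | 1), _mpint(2), _mpint(5))
```
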

Configuration restrictions and guidelines

When you generate local DSA or RSA key pairs, follow these restrictions and guidelines:
• To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
• SSH supports locally generated DSA and RSA key pairs that use the default names, not key pairs created with specified names.
• The public-key local create rsa command generates a server key pair and a host key pair for RSA. In SSH1, the public key in the server key pair is used to encrypt the session key for secure transmission of the session key. Because SSH2 uses the DH algorithm to separately generate each session key on the SSH server and the client, no session key transmission is required. The server key pair is not used in SSH2.
• The public-key local create dsa command generates only a host key pair. SSH1 does not support the DSA algorithm.
• The key modulus length must be less than 2048 bits when you generate the DSA key pair on the SSH server.

Configuration procedure

To generate local DSA or RSA key pairs on the SSH server:

Remarks
Configuring the PKI domain for verifying the client certificate: See "Configuring PKI." Required if the following conditions exist:
• Publickey authentication is configured for users.
• The clients send the public keys to the server through digital certificates for validity check.
The PKI domain must have the CA certificate to verify the client certificate.
Configuring an SSH user: Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password.
Setting the SSH management parameters: N/A
