NOTE:
• For more information about the public-key local create command, see the Security Command Reference.
• You should generate both DSA and RSA key pairs on the SSH server to support SSH clients using different types of key pairs.
• The public-key local create rsa command generates a server key pair and a host key pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2.0 uses the DH algorithm to generate the session key on the SSH server and client respectively, no session key transmission is required in SSH2.0 and the server key pair is not used.
• The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
• The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
• The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.

Enabling the SSH server function
Follow these steps to enable the SSH server function:

To do...                        Use the command...  Remarks
Enter system view               system-view         —
Enable the SSH server function  ssh server enable   Required. Disabled by default.

Configuring the user interfaces for SSH clients
An SSH client accesses the device through a VTY user interface. Therefore, you need to configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only for clients logging in after the configuration.
Follow these steps to configure the protocols that the current user interface supports:

To do...                                                  Use the command...                           Remarks
Enter system view                                         system-view                                  —
Enter user interface view of one or more user interfaces  user-interface vty number [ ending-number ]  —
Set the login authentication mode to scheme               authentication-mode scheme                   Required. By default, the authentication mode is password.
Configure the user interface(s) to support SSH login      protocol inbound { all | ssh }               Optional. All protocols are supported by default.
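
The two procedures above can be checked against a saved configuration. The following is an added example, not part of the original guide: a small Python audit that flags a missing ssh server enable, VTY user interfaces left in the default password mode, and VTY user interfaces that still accept all inbound protocols. The function name audit_ssh_config, the sample text, and the configuration layout (view headers at column 0, their commands indented, # as separator) are assumptions, and flagging protocol inbound all is a stricter policy chosen for this example, since the guide treats that step as optional.

```python
import re

VTY_HEADER = re.compile(r"^user-interface vty \d+(?: \d+)?$")

# Constructed sample: vty 5 15 keeps the default "all protocols" setting.
SAMPLE_CONFIG = """\
#
 ssh server enable
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
user-interface vty 5 15
 authentication-mode scheme
#
"""

def audit_ssh_config(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, vty_blocks, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # separator ends the current view
            current = None
        elif VTY_HEADER.match(raw.rstrip()):  # header must start at column 0
            current = vty_blocks.setdefault(line, [])
        elif raw[0].isspace() and current is not None:
            current.append(line)              # command inside a VTY view
        else:
            current = None
            global_cmds.add(line)             # global command or other view
    findings = []
    if "ssh server enable" not in global_cmds:
        findings.append("global: ssh server enable missing (disabled by default)")
    for name, cmds in vty_blocks.items():
        if "authentication-mode scheme" not in cmds:
            findings.append(f"{name}: authentication-mode is not scheme")
        inbound = [c for c in cmds if c.startswith("protocol inbound ")]
        if inbound != ["protocol inbound ssh"]:
            findings.append(f"{name}: inbound protocols not restricted to ssh")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_config(SAMPLE_CONFIG):
        print(finding)
```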