HP ProCurve 9304M Security Manual page 78

Security Guide for ProCurve 9300/9400 Series Routing Switches
Notes:
If an RSA host key pair is stored in internal memory on the HP device, it is used even if the startup-config file contains a different RSA host key pair.

If no RSA host key pair is stored in internal memory, but the startup-config file contains an RSA host key pair, the key pair in the startup-config file is used. If you later generate an RSA host key pair with the crypto key generate rsa command, the new key pair takes effect only after you store it in internal memory with the write memory command and reboot the HP device.

If no RSA host key pair is stored in internal memory, and the startup-config file contains an RSA host key pair, the first time you enter the write memory command, it will save the RSA host key pair in the startup-config file to internal memory and remove it from the startup-config file.

If no RSA host key pair is stored in internal memory, the startup-config file contains an RSA host key pair, and you generate an RSA host key pair with the crypto key generate rsa command, the new pair is stored in internal memory the first time you enter the write memory command.

The crypto key zeroize rsa command disables the currently active RSA host key pair. If you subsequently enter the write memory command without generating another RSA host key pair, the RSA host key pair stored in internal memory is removed.

On devices managed by the T-Flow, if you erase the startup-config file, the RSA host key pair will still reside in internal memory. To remove the RSA host key pair from internal memory, you must enter the crypto key zeroize rsa command.

If you enter the ssh no-show-host-keys command to hide the RSA host key pair in the running-config file, then reload the software, the RSA host key pair is once again visible in the running-config file. The setting to hide the RSA host key pair is not carried across software reloads.

In a configuration using redundant management modules, if the active module has an RSA host key pair, but the standby module does not, the RSA host key pair is not carried over when switchover occurs. You must create an RSA host key pair on the standby module manually.

The SSH key generation process causes UDLD-enabled interfaces to go down instantaneously. This in turn requires the reconvergence of the route tables on the Routing Switches across the network. Non-UDLD-enabled interfaces do not experience this issue.
Providing the Public Key to Clients
If you are using SSH to connect to an HP device from a UNIX system, you may need to add the HP device's public
key to a "known hosts" file; for example, $HOME/.ssh/known_hosts. The following is an example of an entry in a
known hosts file:
10.10.20.10 1024 37 118771881862677030464851288737258046856031640635887679230111
84247022636175804896633384620574930068397650231698985431857279323745963240790218
03229084221453472515782437007702806627934784079949643404159653290224014833380339
09542147367974638560060162945329307563502804231039654388220432832662804242569361
58342816331
In this example, 10.10.20.10 is the IP address of an SSH-enabled HP Routing Switch. The second number, 1024,
is the size of the host key, and the third number, 37, is the encoded public exponent. The remaining text is the
encoded modulus.
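Added example, not from the guide: a small Python parser for the legacy SSH-1 known_hosts entry shown above that splits host, key size, exponent and modulus, checks that the declared key size agrees with the modulus bit length, and derives a fingerprint to compare against one read off the switch console. The fingerprint construction (MD5 over the big-endian modulus bytes followed by the exponent bytes) is assumed here to follow OpenSSH's legacy SSH-1 fingerprint, and the function names and the second, constructed entry are this example's own.

```python
import hashlib
from typing import Dict

# The SSH-1 (RSA1) known_hosts line exactly as printed in the guide above; the
# manual wraps the modulus over several lines, here the pieces are joined back.
GUIDE_ENTRY = (
    "10.10.20.10 1024 37 "
    "118771881862677030464851288737258046856031640635887679230111"
    "84247022636175804896633384620574930068397650231698985431857279323745963240790218"
    "03229084221453472515782437007702806627934784079949643404159653290224014833380339"
    "09542147367974638560060162945329307563502804231039654388220432832662804242569361"
    "58342816331"
)


def parse_rsa1_known_host(line: str) -> Dict[str, object]:
    """Parse '<host> <bits> <exponent> <modulus>' and cross-check the declared size."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError("expected 4 fields: host bits exponent modulus")
    host, bits, exponent, modulus = fields[0], int(fields[1]), int(fields[2]), int(fields[3])
    modulus_bits = modulus.bit_length()
    return {
        "host": host,
        "bits": bits,
        "exponent": exponent,
        "modulus": modulus,
        "modulus_bits": modulus_bits,
        # An RSA modulus is odd and its bit length should equal the declared key size.
        "consistent": modulus % 2 == 1 and modulus_bits == bits,
    }


def rsa1_fingerprint(modulus: int, exponent: int) -> str:
    """MD5 over big-endian modulus bytes then exponent bytes (assumed SSH-1 style)."""
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(n + e).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def host_key_matches(line: str, expected_host: str, pinned_fingerprint: str) -> bool:
    """Compare a known_hosts entry against a fingerprint noted from the switch console."""
    info = parse_rsa1_known_host(line)
    fp = rsa1_fingerprint(info["modulus"], info["exponent"])
    return info["host"] == expected_host and fp == pinned_fingerprint.lower()
```

Fed the guide's printed entry, the size check fails because the printed modulus is longer than the declared 1024 bits, so treat that sample as illustrative rather than as a key you could pin.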
Configuring RSA Challenge-Response Authentication
With RSA challenge-response authentication, a collection of clients' public keys are stored on the HP device.
Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to
one of the stored public keys can gain access to the device using SSH.
When RSA challenge-response authentication is enabled, the following events occur when a client attempts to
gain access to the device using SSH:
3 - 4
June 2005
