Enabling Ssh On The Switch And Anticipating Ssh Client Contact Behavior - HP 3500yl Series Access Security Manual
Switch software
Hide thumbs
Also See for 3500yl Series:
- Release notes (219 pages) ,
- Specifications (16 pages) ,
- Features (6 pages)
Table of Contents
Advertisement
Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
The two commands shown in figure 8-9 convert the displayed format of the
switch's (host) public key for easier visual comparison of the switch's public
key to a copy of the key in a client's "known host" file. The switch has only
one RSA host key. The 'babble' and 'fingerprint' options produce two hashes
for the key--one that corresponds to the challenge hash you will see if con-
necting with a v1 client, and the other corresponding to the hash you will see
if connecting with a v2 client. These hashes do not correspond to different
keys, but differ only because of the way v1 and v2 clients compute the hash
of the same RSA key. The switch always uses ASCII version (without babble
or fingerprint conversion) of its public key for file storage and default display
format.
4. Enabling SSH on the Switch and Anticipating SSH
Client Contact Behavior
T
he ip ssh command enables or disables SSH on the switch and modifies
parameters the switch uses for transactions with clients. After you enable
SSH, the switch can authenticate itself to SSH clients.
Note
Before enabling SSH on the switch you must generate the switch's public/
private key pair. If you have not already done so, refer to "2. Generating the
Switch's Public and Private Key Pair" on page 8-9.
When configured for SSH, the switch uses its host public-key to authenticate
itself to SSH clients. If you also want SSH clients to authenticate themselves
to the switch you must configure SSH on the switch for client public-key
authentication at the login (Operator) level. To enhance security, you should
also configure local, TACACS+, or RADIUS authentication at the enable
(Manager) level.
Refer to "5. Configuring the Switch for SSH Authentication" on page 8-20.
SSH Client Contact Behavior. At the first contact between the switch and
an SSH client, if the switch's public key has not been copied into the client,
then the client's first connection to the switch will question the connection
and, for security reasons, provide the option of accepting or refusing. If it is
safe to assume that an unauthorized device is not using the switch's IP address
in an attempt to gain access to the client's data or network, the connection
can be accepted. (As a more secure alternative, the client can be directly
connected to the switch's serial port to download the switch's public key into
the client. See the following Note.)
8-15
Hide quick links:
Advertisement
Chapters
Table of Contents
