1. The client sends its public key to the HP device.
2. The HP device compares the client's public key to those stored in memory.
3. If there is a match, the HP device uses the public key to encrypt a random sequence of bytes.
4. The HP device sends these encrypted bytes to the client.
5. The client uses its private key to decrypt the bytes.
6. The client sends the decrypted bytes back to the HP device.
7. The HP device compares the decrypted bytes to the original bytes it sent to the client. If the two sets of bytes
match, it means that the client's private key corresponds to an authorized public key, and the client is
Setting up RSA challenge-response authentication consists of the following steps:
1. Importing authorized public keys into the HP device.
2. Enabling RSA challenge-response authentication.
Importing Authorized Public Keys into the HP Device
SSH clients that support RSA authentication normally provide a utility to generate an RSA key pair. The private
key is usually stored in a password-protected file on the local host; the public key is stored in another file and is not
protected. You should collect one public key from each client to be granted access to the HP device and place all
of these keys into one file. This public key file is imported into the HP device.
The following is an example of a public key file containing two public keys:
1024 65537 162566050678380006149460550286514061230306797782065166110686648548574
1024 35 152676199889856769693556155614587291553826312328095300428421494164360924
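The exchange described at the start of this section, together with a check of the public key file format shown above, as an added Python example (not HP's code). The names Device, authenticate and parse_pubkey_file are hypothetical, the key pair is a constructed toy key, the RSA is unpadded for readability, and each file line is read as bit length, public exponent, modulus.

```python
import hmac
import secrets

# Constructed toy key pair built from two known Mersenne primes. It only
# keeps the arithmetic readable; real keys are 1024 bits or more and real
# SSH implementations pad the challenge before encrypting it.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))            # private exponent

def parse_pubkey_file(text):
    """Parse '<bits> <exponent> <modulus>' lines into a set of (e, n)."""
    keys = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        bits, e, n = (int(f) for f in fields[:3])
        if n.bit_length() != bits:           # catches truncated or edited keys
            raise ValueError(f"line {lineno}: modulus is not {bits} bits")
        keys.add((e, n))
    return keys

class Device:
    """Hypothetical stand-in for the device side of the exchange."""
    def __init__(self, authorized):
        self.authorized = authorized
        self.pending = None

    def challenge(self, pubkey):
        if pubkey not in self.authorized:    # unknown key: no challenge issued
            return None
        e, n = pubkey
        self.pending = secrets.randbelow(n - 2) + 2   # fresh random value
        return pow(self.pending, e, n)       # encrypted under the public key

    def verify(self, response):
        expected, self.pending = self.pending, None   # one attempt per challenge
        if expected is None:
            return False
        return hmac.compare_digest(str(expected), str(response))

def authenticate(device, pubkey, d):
    """Run the whole exchange for a client holding private exponent d."""
    ciphertext = device.challenge(pubkey)    # client offers key, gets challenge
    if ciphertext is None:
        return False
    response = pow(ciphertext, d, pubkey[1])  # client decrypts with private key
    return device.verify(response)           # device compares with original
```

Clearing the pending challenge on every verification attempt means a captured response cannot be replayed, and the bit-length check rejects a key line that was cut short when the file was assembled.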
You can import the authorized public keys into the active configuration by loading them from a file on a TFTP
server. Once the authorized public keys are loaded, you can optionally save them to the startup-config file. If you
import a public key file from a TFTP server, the file is automatically loaded into the active configuration the next
time the device is booted.
HP devices support Secure Copy (SCP) for securely transferring files between hosts on a network. Note that
when you copy files using SCP, you enter the commands on the SCP-enabled client, rather than the console on
the HP device.
If password authentication is enabled for SSH, the user will be prompted for a password in order to copy the file.
See "Using Secure Copy" on page 4-9 for more information on SCP.
After the file is loaded onto the TFTP server, it can be imported into the active configuration each time the device
To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the HP device is booted,
enter a command such as the following:
HP9300(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt
Syntax: ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>
To display the currently loaded public keys, enter the following command:
HP9300# show ip client-public-key
Configuring Secure Shell
4 - 3