Whether the HP device allows users to log in without supplying a password
The port number for SSH connections
The SSH login timeout value
A specific interface to be used as the source for all SSH traffic from the device
Setting the Number of SSH Authentication Retries
By default, the HP device attempts to negotiate a connection with the connecting host three times. The number of
authentication retries can be changed to between 1 – 5.
For example, the following command changes the number of authentication retries to 5:
HP9300(config)# ip ssh authentication-retries 5
Syntax: ip ssh authentication-retries <number>
Setting the Server RSA Key Size
The default size of the dynamically generated server RSA key is 768 bits. The size of the server RSA key can be
between 512 – 896 bits.
For example, the following command changes the server RSA key size to 896 bits:
HP9300(config)# ip ssh key-size 896
Syntax: ip ssh key-size <number>
NOTE: The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be
Deactivating User Authentication
After the SSH server on the HP device negotiates a session key and encryption method with the connecting client,
user authentication takes place. HP's implementation of SSH supports RSA challenge-response authentication
and password authentication.
With RSA challenge-response authentication, a collection of clients' public keys are stored on the HP device.
Clients are authenticated using these stored public keys. Only clients that have a private key that corresponds to
one of the stored public keys can gain access to the device using SSH.
With password authentication, users are prompted for a password when they attempt to log into the device
(provided empty password logins are not allowed; see "Enabling Empty Password Logins" on page 4-5). If there
is no user account that matches the user name and password supplied by the user, the user is not granted
You can deactivate one or both user authentication methods for SSH. Note that deactivating both authentication
methods essentially disables the SSH server entirely.
To disable RSA challenge-response authentication:
HP9300(config)# ip ssh rsa-authentication no
Syntax: ip ssh rsa-authentication no | yes
To deactivate password authentication:
HP9300(config)# ip ssh password-authentication no
Syntax: ip ssh password-authentication no | yes
Enabling Empty Password Logins
By default, empty password logins are not allowed. This means that users with an SSH client are always
prompted for a password when they log into the device. To gain access to the device, each user must have a user
Configuring Secure Shell
4 - 5