Access Security Guide K/KA/KB.15.15

[fingerprint]
Displays fingerprints of the switch public key in hexadecimal format; see "Displaying the Public Key" (page 232).
Example
To generate and display a new key:
Figure 163 Example of generating a public/private host key pair for the switch
When comparing the switch key with the key stored in your client's known-hosts file, note that the formatting and comments need not match.
NOTE: "Zeroizing" the switch key automatically disables SSH (sets ip ssh to no). Thus, if you zeroize the key and then generate a new key, you must also re-enable SSH with the ip ssh command before the switch can resume SSH operation.
Configuring Key Lengths
The crypto key generate ssh command allows you to specify the type and length of the generated host key. The size of the host key is platform-dependent, as different switches have different amounts of processing power. The size is represented by the keysize parameter and has the values shown in Table 24. The default value is used if keysize is not specified.

Table 24 RSA/DSA values for various HP networking switches

Platform                    DSA Key Size (in bits)   Maximum RSA Key Size (in bits)
5400/3500/6200/8200/2900    1024                     1024, 2048, 3072 (Default: 2048)
4200/2900/2810/2610/2510    1024                     1024, 2048 (Default: 2048)
5300/2800/3400/2600         512                      896
3. Provide the switch public key to clients.
When an SSH client contacts the switch for the first time, the client will challenge the connection unless you have already copied the key into the client's "known host" file. Copying the switch key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch public key for distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
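As an added example (not from this guide), this is the client-side check an operator can run before trusting the switch's key: the key line the switch displays and the entry in the client's known-hosts file are both decoded to raw bytes and compared as bytes, so spacing and comment differences are ignored, and the hexadecimal fingerprint is derived from that same blob. It assumes the switch prints its key in the standard OpenSSH one-line format ("type base64 comment") and that its hex fingerprint is the MD5 colon-separated style; the hostnames, key values and known_hosts lines below are constructed.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """One SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def make_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public-key blob: key type, then mpint e and mpint n."""
    def mpint(v: int) -> bytes:  # positive mpint; extra zero byte only when the high bit is set
        return ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

# Constructed toy values (not real keys): tiny moduli keep the sample short.
SWITCH_BLOB = make_rsa_blob(65537, 0xC5F2D3A1B7E94F6D)
OTHER_BLOB = make_rsa_blob(65537, 0xA3B1C9D7E5F20811)
# What the switch would display, assumed to be the 'type base64 comment' line format.
SWITCH_LINE = "ssh-rsa " + base64.b64encode(SWITCH_BLOB).decode() + " manager@switch"
KNOWN_HOSTS = "\n".join([
    "# ~/.ssh/known_hosts (constructed; same switch key, different spacing and comment)",
    "192.0.2.10,switch1   ssh-rsa  " + base64.b64encode(SWITCH_BLOB).decode() + "\tpinned via console",
    "192.0.2.20 ssh-rsa " + base64.b64encode(OTHER_BLOB).decode(),
])

def parse_key_line(line: str):
    """Return (key type, decoded blob) from 'type base64 [comment]'; the comment is ignored."""
    fields = line.split()
    return fields[0], base64.b64decode(fields[1])

def fingerprint_hex(blob: bytes) -> str:
    """Colon-separated hex MD5 of the blob (legacy ssh-keygen style; assumed to match the switch)."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def hosts_with_key(known_hosts: str, key_type: str, blob: bytes) -> list:
    """Hostnames whose pinned entry equals blob; compares decoded bytes, so formatting cannot matter."""
    matches = []
    for raw in known_hosts.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[1] == key_type and base64.b64decode(fields[2]) == blob:
            matches.extend(fields[0].split(","))
    return matches

def switch_key_is_pinned(switch_line: str, known_hosts: str, host: str) -> bool:
    """True when the key the switch displayed is exactly the key pinned for host."""
    key_type, blob = parse_key_line(switch_line)
    return host in hosts_with_key(known_hosts, key_type, blob)
```

Paste the line the switch prints into SWITCH_LINE and read the real ~/.ssh/known_hosts into KNOWN_HOSTS to run the same check against a live client.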
The public key generated by the switch consists of three parts, separated by one blank space each:
230 Secure Shell (SSH)