Access Security Guide K/KA/KB.15.15

4. Enable SSH on the switch and anticipate SSH client contact behavior.
The ip ssh command enables or disables SSH on the switch, and modifies parameters the
switch uses for transactions with clients. After you enable SSH, the switch can authenticate
itself to SSH clients.
NOTE: Before enabling SSH on the switch you must generate the switch public/private key
pair. If not yet done, see Step 2.
When configured for SSH, the switch uses its host public key to authenticate itself to SSH
clients. For SSH clients to authenticate themselves to the switch, configure SSH on the switch
for client public-key authentication at the login (operator) level. To enhance security also
configure local, TACACS+, or RADIUS authentication at the enable (manager) level.
See Step 5.
SSH client contact behavior
At the first contact between the switch and an SSH client, if the switch public key has not been
copied into the client, then the client's first connection to the switch will question the connection
and, for security reasons, provide the option of accepting or refusing. If it is safe to assume
that an unauthorized device is not using the switch IP address in an attempt to gain access to
the client's data or network, the connection can be accepted. (As a more secure alternative,
the client can be directly connected to the switch serial port to download the switch public
key into the client.)
NOTE: When an SSH client connects to the switch for the first time, it is possible for a
"man-in-the-middle" attack; that is, for an unauthorized device to pose undetected as the
switch, and learn the usernames and passwords controlling access to the switch. This possibility
can be removed by directly connecting the management station to the switch serial port, using
a show command to display the switch public key, and copying the key from the display into
a file. This requires a knowledge of where the client stores public keys, plus the knowledge
of what key editing and file format might be required by the client application. However, if
the first contact attempt between a client and the switch does not pose a security problem,
this is unnecessary.
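The out-of-band check the note describes, as an added example that is not part of the HP guide: the administrator reads the switch host-key fingerprint over the serial console, then compares it with the key the SSH client is offered on first contact and pins that key for the switch address. The key is a constructed ssh-ed25519 value used only for illustration (the switch in this guide generates an RSA pair; the fingerprint and pinning steps are the same for any key type), and the address 10.0.0.1 is an assumed placeholder.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def constructed_host_key(seed: int = 0) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from a dummy
    32-byte value. Constructed for this example only; it is not a real key.
    A different seed stands in for a key presented by an impostor device."""
    dummy = bytes((seed + i) % 256 for i in range(32))
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(dummy)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


def fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint in the form OpenSSH's ssh-keygen -lf prints:
    'SHA256:' followed by the unpadded base64 of SHA-256 over the key blob."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The blob must name the same key type as the text line; otherwise the
    # line has been edited or mis-copied and must not be trusted.
    if blob[: 4 + len(key_type)] != _ssh_string(key_type.encode("ascii")):
        raise ValueError("key type in blob does not match key line")
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_console_fingerprint(offered_key: str, console_fp: str) -> bool:
    """True only if the key the client was offered on first contact matches
    the fingerprint read over the serial console (constant-time compare)."""
    return hmac.compare_digest(fingerprint(offered_key), console_fp.strip())


def known_hosts_entry(switch_addr: str, pubkey_line: str) -> str:
    """Pin the verified key for the switch address (OpenSSH known_hosts
    format), so the client never has to accept an unverified key later."""
    key_type, b64 = pubkey_line.split()[:2]
    return f"{switch_addr} {key_type} {b64}"


if __name__ == "__main__":
    console_fp = fingerprint(constructed_host_key())   # read off the console
    offered = constructed_host_key()                   # key the client saw
    if matches_console_fingerprint(offered, console_fp):
        print(known_hosts_entry("10.0.0.1", offered))
```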
Enabling SSH on the switch
a. Generate a public/private key pair if you have not already done so. See Step 2.
b. Execute the ip ssh command.
Disabling SSH on the switch
Perform either of the following:
Execute no ip ssh.
Zeroize the switch's existing key pair; see “To generate or erase the switch public/private
host key pair” (page 229) for more details.
Syntax:
[no] ip ssh
Enables or disables SSH on the switch.
[cipher <cipher-type>]
Specify a cipher type to use for connection.
Valid types are:
aes128-cbc
3des-cbc
Configuring 233