Access Security Guide K/KA/KB.15.15

5. Configure the switch for SSH authentication.
Note that all methods in this section result in authentication of the switch public key by an SSH
client. However, only Option B below results in the switch also authenticating the client's public
key. For a more detailed discussion of the topics in this section, see “SSH client public-key
authentication notes” (page 243).
NOTE: HP recommends that you always assign a manager-level (enable) password to the
switch. Without this level of protection, any user with Telnet, web, or serial port access to the
switch can change the switch configuration. If you configure only an operator password,
entering the operator password through telnet, web, ssh or serial port access enables full
manager privileges. See Step 1.
Option A: Configuring SSH access for password-only SSH authentication
When configured with this option, the switch uses its public key to authenticate itself to a client,
but uses only passwords for client authentication.
Syntax:
aaa authentication ssh login <local | tacacs | radius> [ <local | none> ]
Configures a password method for the primary and secondary login (operator)
access. If you do not specify an optional secondary method, it defaults to none. If
the primary method is local, the secondary method must be none.
aaa authentication ssh enable <local | tacacs | radius> [ <local | none> ]
Configures a password method for the primary and secondary enable (manager)
access. If you do not specify an optional secondary method, it defaults to none. If
the primary method is local, the secondary method must be none.
Option B: Configuring the switch for client Public-Key SSH authentication
If configured with this option, the switch uses its public key to authenticate itself to a client,
but the client must also provide a client public key for the switch to authenticate. This option
requires the additional step of copying a client public-key file from a TFTP or SFTP server into
the switch. This means that before you can use this option, you must:
a. Create a key pair on an SSH client.
b. Copy the client's public key into a public-key file (which can contain up to 10 client public
keys).
c. Copy the public-key file into a TFTP or SFTP server accessible to the switch and download
the file to the switch.
For more on these topics, see “SSH client public-key authentication notes” (page 243).
With steps a through c complete and SSH properly configured on the switch, if an SSH client contacts
the switch, login authentication automatically occurs first, using the switch and client public
keys. After the client gains login access, the switch controls client access to the manager level
by requiring the passwords configured earlier by the aaa authentication ssh enable
command.
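The following shell script is an added example for steps a through c above; it is not from the HP guide and does not run on the switch. It assembles the client public-key file on an administrator's workstation before it is placed on the TFTP or SFTP server, and it enforces the 10-key limit the guide states for that file. It assumes (the page does not say so) that the client keys are in OpenSSH one-line format as produced by ssh-keygen, one key per line; the key blobs written by make_sample_keys are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the HP guide: assemble and sanity-check the client
# public-key file that Option B later loads with
# "copy tftp pub-key-file <ip-address> <filename>".
# Assumptions (not stated on this page): keys are in OpenSSH one-line format
# ("ssh-rsa AAAA... comment"), one key per line. The limit of 10 keys per
# file is taken from the page.

MAX_KEYS=10   # the page states a public-key file holds up to 10 client keys

# Print only lines that look like OpenSSH public keys: key type followed by a
# base64 blob. Blank lines and comments are dropped so they are neither
# uploaded nor counted. -h suppresses filename prefixes with several inputs.
extract_keys() {
    grep -hE '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+' "$@" || true
}

# Count the usable keys in a file (prints 0 if none).
key_count() {
    extract_keys "$1" | grep -c '' || true
}

# Build the file to upload from one or more client .pub files.
# Fails (exit 1) and removes the output if no key or more than MAX_KEYS keys
# were found, so an unusable file is never handed to the TFTP/SFTP server.
build_pubkey_file() {
    out=$1
    shift
    extract_keys "$@" > "$out"
    n=$(key_count "$out")
    if [ "$n" -eq 0 ]; then
        echo "error: no usable public keys found" >&2
        rm -f "$out"
        return 1
    fi
    if [ "$n" -gt "$MAX_KEYS" ]; then
        echo "error: $n keys found, the switch accepts at most $MAX_KEYS per file" >&2
        rm -f "$out"
        return 1
    fi
    echo "wrote $out with $n key(s)"
}

# Write constructed sample .pub files into a directory. The base64 blobs are
# placeholders, not real keys; in practice each comes from ssh-keygen on the client.
make_sample_keys() {
    dir=$1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLACEHOLDERNOTAREALKEY00000000000 admin1@client1' > "$dir/client1.pub"
    {
        echo '# comment line: ignored by extract_keys'
        echo ''
        echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLEPLACEHOLDERNOTAREALKEY000000000000 admin2@client2'
    } > "$dir/client2.pub"
    # 11 keys: one more than the switch accepts in a single file
    i=1
    : > "$dir/toomany.pub"
    while [ "$i" -le 11 ]; do
        echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEPLACEHOLDERNOTAREALKEY$(printf '%011d' "$i") user$i@host" >> "$dir/toomany.pub"
        i=$((i + 1))
    done
}

# Stand-alone run ("sh script.sh demo"): build a two-key file, then show the
# oversized file being rejected before anything reaches the server.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_keys "$d"
    build_pubkey_file "$d/switch_keys.txt" "$d/client1.pub" "$d/client2.pub"
    build_pubkey_file "$d/rejected.txt" "$d/toomany.pub" || echo "rejected as expected"
    rm -rf "$d"
fi
```

Run the check on the workstation before copying the result to the TFTP or SFTP server; a file that fails here would also fail on the switch, and catching it early avoids a partial or rejected upload.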
Syntax:
copy tftp pub-key-file <ip-address> <filename>
Copies a public-key file into the switch.
aaa authentication ssh login public-key
236 Secure Shell (SSH)