Access Security Guide K/KA/KB.15.15

About configuring SSH
Prerequisite for using SSH
Before using the switch as an SSH server, install a publicly or commercially available SSH client
application on the computers that will be used for management access to the switch. For client
public-key authentication, the client program must be able to generate or import key pairs; see
“Client Public-Key authentication (login/operator level) with user password authentication
(enable/manager level)” (page 254) for details.
NOTE: SSH in HP switches is based on the OpenSSH software toolkit. For more information on
OpenSSH, visit www.openssh.com
SSH client and secure sessions
SSH Client provides a method for establishing a secure session from one HP switch to another. In
addition to providing secure sessions, SFTP is enhanced to allow bidirectional secure copying of
files between a switch and an SFTP server, initiated from the switch with the copy command. The
SFTP server can be another switch or a workstation/server with a running SSH server that supports
SFTP.
Each switch with the SSH Client feature has a known hosts file that holds the public keys of
switches and servers that have been verified as genuine. When a new SSH server is contacted, its
public key can be added to the known hosts file, up to a maximum of 10 entries (memory permitting).
Confirm a new server's key fingerprint out of band before accepting it; a key accepted on first
contact without that check is only as trustworthy as that first connection. The known hosts file
can also be copied to another switch, or to a server where it can be edited.
NOTE: You must be in manager context to use this SSH and SFTP feature.
Public key formats
Any client application used for client public-key authentication with the switch must have the
capability to export public keys. The switch can accept keys in the PEM-encoded ASCII format or
in the non-encoded ASCII format.
Figure 174 Public key in PEM-encoded ASCII format common for SSHv2 clients
SSH client public-key authentication notes
When configured for SSH operation, the switch automatically uses its own host public key to
authenticate itself to SSH clients. To provide the optional service in the opposite direction, client
public-key authentication to the switch, you can configure the switch to store up to 10 client public
keys. Each key is stored as its ASCII public key (not as a bubble-babble digest or a fingerprint) in
a client public-key file that you create and copy to the switch with TFTP. Once the file is in place,
only clients holding a private key that corresponds to one of the stored public keys can gain SSH
access to the switch over the network; unless you also allow secondary SSH login (operator level)
via the local password, the switch refuses every other SSH client.
SSH clients that support client public-key authentication normally provide a utility to generate a
key pair. The private key is usually stored in a passphrase-protected file on the local host; the public
key is stored in a separate file and is not protected, since it does not need to be secret.
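The two ASCII public-key formats described under “Public key formats”, and the rule above that the client public-key file must hold the keys themselves (not fingerprints or babble digests) and at most 10 of them, as an added Python example that is not from the HP guide or the switch firmware. It constructs a toy RSA public key, writes it in both the RFC 4716 PEM-style format (“---- BEGIN SSH2 PUBLIC KEY ----”) and the OpenSSH one-line format, parses both back to the same key blob, computes the SHA256 and MD5 fingerprints an SSH client prints, and screens a candidate client public-key file. The modulus, key comments and file contents are constructed; that the client public-key file holds one OpenSSH one-line key per line is an assumption of this example, and the parser handles only ssh-rsa keys.

```python
"""Added example, not from the HP guide: the two ASCII formats of an ssh-rsa public key,
a parser for both, OpenSSH-style fingerprints, and a check of a client public-key file."""
import base64
import hashlib
import struct

MAX_CLIENT_KEYS = 10  # the guide's limit on stored client public keys


# --- SSH wire-format helpers (RFC 4251 "string" and "mpint") ---
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    if raw and raw[0] & 0x80:      # positive mpint: keep the sign bit clear
        raw = b"\x00" + raw
    return _string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """The 'ssh-rsa' public-key blob that both ASCII formats base64-encode."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def decode_rsa_blob(blob: bytes):
    """Split the blob into its length-prefixed fields and return (e, n)."""
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + ln])
        off += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa public key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


# --- Writers for the two formats the switch accepts ---
def to_openssh_line(blob: bytes, comment: str) -> str:
    """Non-encoded ASCII format: one line 'ssh-rsa <base64> <comment>'."""
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def to_rfc4716(blob: bytes, comment: str) -> str:
    """PEM-style (RFC 4716) format: BEGIN/END lines, a header, base64 wrapped at 70 columns."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            f'Comment: "{comment}"\n{body}\n'
            "---- END SSH2 PUBLIC KEY ----")


# --- Parser that accepts either format and returns the raw blob ---
def parse_public_key(text: str) -> bytes:
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            raise ValueError("RFC 4716 key without END line")
        parts, continued = [], False
        for ln in lines[1:-1]:
            if continued or ":" in ln:      # header line; may continue with a trailing backslash
                continued = ln.endswith("\\")
                continue
            parts.append(ln)
        b64 = "".join(parts)
    else:
        fields = lines[0].split()
        if len(fields) < 2 or fields[0] != "ssh-rsa":
            raise ValueError("not an ssh-rsa key in OpenSSH one-line format")
        b64 = fields[1]
    blob = base64.b64decode(b64, validate=True)   # binascii.Error is a ValueError
    decode_rsa_blob(blob)                          # reject anything that is not a well-formed key
    return blob


def fingerprint_sha256(blob: bytes) -> str:
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_client_key_file(text: str):
    """Screen a candidate client public-key file (assumed: one OpenSSH one-line key per line).
    Returns (ok, message, blobs); digests instead of keys and more than 10 keys are rejected."""
    blobs = []
    for lineno, ln in enumerate(text.splitlines(), 1):
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        looks_babble = ln.startswith("x") and ln.endswith("x") and "-" in ln
        if ln.startswith(("SHA256:", "MD5:")) or looks_babble:
            return False, f"line {lineno}: a fingerprint/babble digest, not a public key", blobs
        try:
            blobs.append(parse_public_key(ln))
        except ValueError as exc:
            return False, f"line {lineno}: {exc}", blobs
    if len(blobs) > MAX_CLIENT_KEYS:
        return False, f"{len(blobs)} keys exceed the switch limit of {MAX_CLIENT_KEYS}", blobs
    return True, f"{len(blobs)} client key(s) accepted", blobs


def demo():
    e, n = 65537, 0xD3F9A1C7B2E456089F1D3C7A2B4E6D15   # constructed toy modulus, far too small for real use
    blob = rsa_public_blob(e, n)
    pem_text, line_text = to_rfc4716(blob, "admin@mgmt-host"), to_openssh_line(blob, "admin@mgmt-host")
    ten_keys = "\n".join(to_openssh_line(rsa_public_blob(e, n + 2 * i), f"user{i}") for i in range(10))
    eleven_keys = ten_keys + "\n" + to_openssh_line(rsa_public_blob(e, n + 20), "user10")
    digest_file = line_text + "\n" + fingerprint_sha256(blob)   # wrong: a fingerprint, not a key
    return {
        "blob": blob,
        "same_blob": parse_public_key(pem_text) == blob == parse_public_key(line_text),
        "e_n": decode_rsa_blob(blob),
        "sha256": fingerprint_sha256(blob),
        "md5": fingerprint_md5(blob),
        "ten": check_client_key_file(ten_keys)[:2],
        "eleven": check_client_key_file(eleven_keys)[:2],
        "digest": check_client_key_file(digest_file)[:2],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Compare the SHA256 fingerprint the block prints for a real key with what the client's key-generation utility reports for the same public key; both hash the same blob, so they match regardless of which ASCII format the key was exported in.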