R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

321

322

323

324

325

326

327

328

329

330

308

FIPS compliance

The router supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,

commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures

are similar, the SSH server represents the Stelnet, SFTP, and SCP server unless otherwise specified.

SSH server configuration task list

Task Remarks

Generating local DSA or RSA key pairs Required.

Enabling the SSH server function Required for Stelnet, SFTP, and SCP servers.

Enabling the SFTP server function Required only for SFTP server.

Configuring the user interfaces for SSH clients Required.

Configuring a client's host public key

Required if publickey authentication is configured for

users and the clients directly send the public keys to

the server for validity check.

Configuring the PKI domain of the client certificate

See "Configuring PKI."

Required if publickey authentication is configured for

users and the clients send the public keys to the server

through digital certificates for validity check.

The PKI domain must have the CA certificate to verify

the client certificate.

Configuring an SSH user

Required for publickey authentication users and

optional for other authentication users.

Setting the SSH management parameters Optional.

Generating local DSA or RSA key pairs

DSA or RSA key pairs are required for generating the session key and session ID in the key exchange

stage, and can also be used by a client to authenticate the server. When a client tries to communicate

with a server, it compares the public key that it receives from the server with the server public key that it

saved locally. If the keys are consistent, the client uses the public key to authenticate the digital signature

that receives from the server. If the digital signatures are consistent, the authentication succeeds. If the

digital signatures are consistent, the authentication succeeds.

The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each

of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH

server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2 uses the DH

algorithm to generate the session key on the SSH server and client respectively, no session key

transmission is required in SSH2 and the server key pair is not used.