F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

171

172

173

174

175

176

177

178

179

180

162

Task Remarks

877H

Configuring a client's host public key

Required if publickey authentication is configured for

users and the clients directly send the public keys to

the server for validity check.

Configuring the PKI domain of the client certificate

See VPN Configuration Guide.

Required if publickey authentication is configured for

users and the clients send the public keys to the server

through digital certificates for validity check.

The PKI domain must have the CA certificate to verify

the client certificate.

878H

Configuring an SSH user

Required for publickey authentication users and

optional for other authentication users.

879H

Setting the SSH management parameters Optional.

274BGenerating local DSA or RSA key pairs

DSA or RSA key pairs are required for generating the session key and session ID in the key exchange

stage, and can also be used by a client to authenticate the server. When a client tries to communicate

with a server, it compares the public key that it receives from the server with the server public key that it

saved locally. If the keys are consistent, the client uses the public key to authenticate the digital signature

that receives from the server. If the digital signatures are consistent, the authentication succeeds. If the

digital signatures are consistent, the authentication succeeds.

The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each

of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH

server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2 uses the DH

algorithm to generate the session key on the SSH server and client respectively, no session key

transmission is required in SSH2 and the server key pair is not used.

The public-key local create dsa command generates only the host key pair. SSH1 does not support the

DSA algorithm.

To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the

SSH server.

To generate local DSA or RSA key pairs on the SSH server:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Generate DSA or RSA key

pairs.

public-key local create { dsa | rsa }

By default, neither DSA key pair

nor RSA key pairs exist.

NOTE:

In FIPS mode, the router does not support a DSA key pair.

275BEnabling the SSH server function

The SSH server function on the device allows clients to communicate with the device through SSH.