R3166-R3206-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101
Configuring the firewall as an SSH server
SSH server configuration task list
Complete the following tasks to configure an SSH server:
Task                                              Remarks
Generating a DSA or RSA key pair                  Required
Enabling SSH server                               Required
Configuring the user interfaces for SSH clients   Required
Configuring a client public key                   Required for publickey authentication users and optional for password authentication users
Configuring an SSH user                           Optional
Setting the SSH management parameters             Optional
Generating a DSA or RSA key pair
The DSA or RSA key pair is used to generate the session ID during the key and algorithm negotiation
stage, and the client uses it to authenticate the server.
Follow these steps to generate a DSA or RSA key pair on the SSH server:
To do…                            Use the command…                        Remarks
Enter system view                 system-view                             —
Generate a DSA or RSA key pair    public-key local create { dsa | rsa }   Required. By default, there is neither a DSA key pair nor an RSA key pair.
NOTE:
• To ensure that all SSH clients can log in to the SSH server successfully, HP recommends that you generate both DSA and RSA key pairs on the SSH server, because different SSH clients may use different publickey algorithms, though a single client usually uses only one type of publickey algorithm.
• The public-key local create rsa command generates two RSA key pairs: a server key pair and a host key pair. Each key pair consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of that key. Because SSH2 uses the DH algorithm to generate the session key on the SSH server and the client respectively, no session key transmission is required in SSH2 and the server key pair is not used.
• The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH2 clients require that the key modulus on the SSH server side be at least 768 bits.
• The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
• The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2 clients require that the key modulus on the SSH server side be at least 768 bits.
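The modulus-length limits in the note above are the thing an administrator most often needs to verify after generating host keys, since a key that is too short is rejected by some SSH2 clients. The following script is an added example, not part of this guide and not HP code: it parses the public host key a client sees (the "ssh-rsa"/"ssh-dss" line format, whose blob layout is defined in RFC 4253 section 6.6), reads the RSA modulus n or the DSA prime p, and reports whether the bit length falls inside the 512 to 2048 range and meets the 768-bit minimum mentioned in the note. The threshold constants and the sample key integers are constructed for illustration only; the samples are not real key material.

```python
import base64
import struct

# Thresholds taken from the guide's note (assumed to be the values to check against):
# modulus length must be 512..2048 bits, and some SSH2 clients require at least 768 bits.
MIN_MODULUS_BITS = 512
MAX_MODULUS_BITS = 2048
CLIENT_MIN_BITS = 768


def _ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format: uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # positive numbers must not have the sign bit set
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, offset: int):
    """Decode one SSH string at offset; return (payload, next offset)."""
    (length,) = struct.unpack_from(">I", blob, offset)
    start = offset + 4
    return blob[start:start + length], start + length


def _read_mpint(blob: bytes, offset: int):
    """Decode one SSH mpint at offset; return (int value, next offset)."""
    raw, offset = _read_string(blob, offset)
    return int.from_bytes(raw, "big", signed=True), offset


def build_public_key_line(algorithm: str, *values: int) -> str:
    """Build a one-line public key ('ssh-rsa AAAA...') from integers. Used here only to
    construct sample input; the integers are placeholders, not real keys."""
    blob = _ssh_string(algorithm.encode()) + b"".join(_ssh_mpint(v) for v in values)
    return f"{algorithm} {base64.b64encode(blob).decode()}"


def modulus_bits(key_line: str):
    """Return (algorithm, modulus bit length) for an ssh-rsa or ssh-dss public key line."""
    algorithm, b64 = key_line.split()[:2]
    blob = base64.b64decode(b64)
    name, offset = _read_string(blob, 0)
    if name.decode() != algorithm:
        raise ValueError("key type prefix does not match the encoded blob")
    if algorithm == "ssh-rsa":
        _e, offset = _read_mpint(blob, offset)   # public exponent e comes first
        n, _ = _read_mpint(blob, offset)         # then the modulus n
        return algorithm, n.bit_length()
    if algorithm == "ssh-dss":
        p, _ = _read_mpint(blob, offset)         # DSA blob order: p, q, g, y; p is the modulus
        return algorithm, p.bit_length()
    raise ValueError(f"unsupported key type {algorithm}")


def check_host_key(key_line: str) -> str:
    """Classify a host key against the guide's modulus-length requirements."""
    algorithm, bits = modulus_bits(key_line)
    if bits < MIN_MODULUS_BITS or bits > MAX_MODULUS_BITS:
        return f"{algorithm}: {bits}-bit modulus is outside the 512..2048 range"
    if bits < CLIENT_MIN_BITS:
        return f"{algorithm}: {bits}-bit modulus; some SSH2 clients require at least 768 bits"
    return f"{algorithm}: {bits}-bit modulus OK"


# Constructed sample keys (placeholder integers, deliberately not valid key material).
SAMPLE_RSA_1024 = build_public_key_line("ssh-rsa", 65537, (1 << 1023) | 12345)
SAMPLE_DSA_512 = build_public_key_line("ssh-dss", (1 << 511) | 1, (1 << 159) | 1, 2, 3)
SAMPLE_RSA_256 = build_public_key_line("ssh-rsa", 65537, (1 << 255) | 1)

if __name__ == "__main__":
    for line in (SAMPLE_RSA_1024, SAMPLE_DSA_512, SAMPLE_RSA_256):
        print(check_host_key(line))
```

In practice, feed `check_host_key` the line for the firewall from a client's known_hosts file (or the output of ssh-keyscan) after running public-key local create on the device; a result below 768 bits explains client-side connection failures that the note describes, and the fix is to regenerate the key pair with a longer modulus.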