R3721-F3210-F3171-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101
Generating a DSA or RSA key pair
In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session
key and session ID and for the client to authenticate the server.
Configuration guidelines
Follow these guidelines when you use the command to generate the DSA or RSA key pair:
• In FIPS mode, the device does not support the DSA key pair.
• To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
• The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. Because SSH2.0 uses the DH algorithm to generate the session key on the SSH server and client respectively, no session key transmission is required in SSH2.0 and the server key pair is not used.
• The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
• The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
• The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
Configuration procedure
To generate a DSA or RSA key pair on the SSH server:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Generate a DSA or RSA key pair.
   Command: public-key local create { dsa | rsa }
   Remarks: By default, neither DSA key pair nor RSA key pair exists.
For more information about the public-key local create command, see VPN Command Reference.
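As an added check that is not part of this guide, the following Python script parses an ssh-rsa or ssh-dss public key line (for example the device's host key as a client records it in known_hosts) and reports whether the modulus length meets the 512 to 2048 bit range above and the 768-bit minimum some SSH2.0 clients expect. The sample keys are constructed with arbitrary moduli of the wanted length and are not real keys.

```python
import base64
import struct

def _read_string(blob, off):
    # One SSH wire-format string: 4-byte big-endian length, then that many bytes.
    (length,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + length], off + 4 + length

def _mpint(value):
    # SSH mpint: big-endian magnitude with a leading 0x00 byte when the top bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw

def encode_key(key_type, *ints):
    """Build a 'ssh-rsa <base64>' / 'ssh-dss <base64>' line; used only to construct samples."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii")
    blob += b"".join(_mpint(i) for i in ints)
    return key_type + " " + base64.b64encode(blob).decode("ascii")

def modulus_bits(pubkey_line):
    """Return (key type, modulus length in bits) for an ssh-rsa or ssh-dss key line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    first, off = _read_string(blob, off)      # ssh-rsa: exponent e ; ssh-dss: prime p
    if key_type == "ssh-rsa":
        modulus, _ = _read_string(blob, off)  # the RSA modulus n follows e
    elif key_type == "ssh-dss":
        modulus = first                       # p is the DSA modulus (q, g, y follow)
    else:
        raise ValueError("unsupported key type: " + key_type)
    return key_type, int.from_bytes(modulus, "big").bit_length()

def check_guideline(pubkey_line):
    """Classify a key against the 512-2048 bit range and the 768-bit client minimum."""
    _, bits = modulus_bits(pubkey_line)
    if bits < 512 or bits > 2048:
        return "outside the 512-2048 bit range"
    if bits < 768:
        return "below 768 bits, some SSH2.0 clients may reject it"
    return "ok"

# Constructed sample keys: arbitrary odd moduli of the wanted length, not real RSA/DSA moduli.
SAMPLE_KEYS = {
    "rsa-1024": encode_key("ssh-rsa", 65537, (1 << 1023) | 1),
    "rsa-512": encode_key("ssh-rsa", 65537, (1 << 511) | 1),
    "dsa-2048": encode_key("ssh-dss", (1 << 2047) | 1, 3, 5, 7),
}
```

Run `check_guideline(line)` on each entry of SAMPLE_KEYS, or on a real host key line, to get the classification.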
Enabling the SSH server function
To enable the SSH server function:
Step 1. Enter system view.
   Command: system-view
   Remarks: N/A
Step 2. Enable the SSH server function.
   Command: ssh server enable
   Remarks: Disabled by default.