BLADE OS™ Application Guide HP GbE2c Ethernet Blade Switch for c-Class BladeSystem Version 5.1 Advanced Functionality Software

BLADE OS 5.1 Application Guide
58 Chapter 1: Accessing the Switch BMD00113, September 2009
Generating RSA Host and Server Keys for SSH Access
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The
host key is 1024 bits and is used to identify the GbE2c. The server key is 768 bits and is used to
make it impossible to decipher a captured session by breaking into the GbE2c at a later time.
When the SSH server is first enabled and applied, the switch automatically generates the RSA host
and server keys and stores them in the FLASH memory.
Note – To configure RSA host and server keys, first connect to the GbE2c through the console port
(commands are not available via external Telnet connection), and enter the following commands to
generate them manually.
>> # /cfg/sys/sshd/hkeygen (Generates the host key)
>> # /cfg/sys/sshd/skeygen (Generates the server key)
These two commands take effect immediately without the need of an apply command.
When the switch reboots, it will retrieve the host and server keys from the FLASH memory. If these
two keys are not available in the flash and if the SSH server feature is enabled, the switch
automatically generates them during the system reboot. This process may take several minutes to
complete.
The switch can also automatically regenerate the RSA server key. To set the interval of RSA server
key autogeneration, use this command:
>> # /cfg/sys/sshd/intrval <number of hours (0-24)>
A value of 0 (zero) denotes that RSA server key autogeneration is disabled. When greater than 0,
the switch will autogenerate the RSA server key every specified interval; however, RSA server key
generation is skipped if the switch is busy doing other key or cipher generation when the timer
expires.
Note – The switch will perform only one session of key/cipher generation at a time. Thus, an
SSH/SCP client will not be able to log in if the switch is performing key generation at that time.
Also, key generation will fail if an SSH/SCP client is logging in at that time.
SSH/SCP Integration with RADIUS Authentication
SSH/SCP is integrated with RADIUS authentication. After the RADIUS server is enabled on the
switch, all subsequent SSH authentication requests will be redirected to the specified RADIUS
servers for authentication. The redirection is transparent to the SSH clients.
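The following is an added example, not part of the guide: it audits a management station's known_hosts entries for RSA host keys below a size floor, such as the 1024-bit host key described under "Generating RSA Host and Server Keys for SSH Access". It assumes the host key was recorded in OpenSSH "ssh-rsa" format; the host names, the 2048-bit floor and the sample entries are constructed, and the server key is not covered because it never appears in known_hosts.

```python
import base64
import struct

MIN_RSA_BITS = 2048  # assumed policy floor, not a value from the guide

def _read_field(blob, offset):
    """Read one length-prefixed field (RFC 4251 string or mpint)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field body")
    return blob[offset + 4:end], end

def rsa_modulus_bits(b64_key):
    """Return the modulus size in bits of a base64 'ssh-rsa' key blob."""
    blob = base64.b64decode(b64_key, validate=True)
    key_type, off = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    _exponent, off = _read_field(blob, off)   # public exponent e
    modulus, off = _read_field(blob, off)     # modulus n (may carry a 0x00 pad)
    return int.from_bytes(modulus, "big").bit_length()

def audit_known_hosts(lines, min_bits=MIN_RSA_BITS):
    """Return [(host, bits)] for ssh-rsa entries whose modulus is below min_bits."""
    weak = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[1] != "ssh-rsa":
            continue  # comments, markers and other key types are skipped
        bits = rsa_modulus_bits(fields[2])
        if bits < min_bits:
            weak.append((fields[0], bits))
    return weak

def _constructed_entry(host, bits):
    """Build a known_hosts line around a constructed integer (not a real key)."""
    def field(data):
        return struct.pack(">I", len(data)) + data
    def mpint(value):
        return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    n = (1 << (bits - 1)) | 1  # constructed value with exactly `bits` bits
    blob = field(b"ssh-rsa") + mpint(65537) + mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"

# Constructed sample input: a switch with a 1024-bit key and a 3072-bit host.
SAMPLE = [_constructed_entry("gbe2c-bay1.example", 1024),
          _constructed_entry("jump01.example", 3072)]
```

Calling audit_known_hosts(SAMPLE) reports only the 1024-bit entry; pass the lines of a real known_hosts file to run the same check against recorded keys.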