R2511-HP MSR Router Series Security Configuration Guide(V5)

Hardware    FIPS mode
MSR93X      No.
MSR20-1X    No.
MSR20       Yes.
MSR30       Yes (except the MSR30-16).
MSR50       Yes.
MSR1000     Yes.

Configuring the device as an SSH server
You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures
are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless otherwise
specified.
SSH server configuration task list
Task                                                  Remarks
Generating local DSA or RSA key pairs                 Required.
Enabling the SSH server function                      Required for Stelnet, SFTP and SCP servers.
Enabling the SFTP server function                     Required only for SFTP server.
Configuring the user interfaces for SSH clients       Required.
Configuring a client's host public key                Required if both of the following conditions exist:
                                                      - Publickey authentication is configured for users.
                                                      - The clients directly send the public keys to the server for validity check.
Configuring the PKI domain of the client certificate  Required if both of the following conditions exist:
See "Configuring PKI."                                - Publickey authentication is configured for users.
                                                      - The clients send the public keys to the server through digital certificates for validity check.
                                                      The PKI domain must have the CA certificate to verify the client certificate.
Configuring an SSH user                               Required for publickey authentication users and optional for other authentication users.
Setting the SSH management parameters                 Optional.
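
The conditional rows of the task list can be checked mechanically against a saved configuration. The following is an added example, not part of the HP guide: the command syntax it matches (ssh server enable, sftp server enable, authentication-mode scheme, public-key peer, pki domain, ssh user ... assign) is assumed from Comware V5 and does not appear on this page, and the sample configuration is constructed. Generating the local key pairs is not checked, because this check only reads configuration text.

```python
import re

# Constructed running-configuration excerpt; command syntax is assumed Comware V5.
SAMPLE_CONFIG = """\
 ssh server enable
 public-key peer key1
 ssh user alice service-type stelnet authentication-type publickey assign publickey key1
 ssh user bob service-type sftp authentication-type publickey assign pki-domain dom1
 ssh user carol service-type stelnet authentication-type password
user-interface vty 0 4
 authentication-mode scheme
"""

USER_RE = re.compile(
    r"ssh user (?P<name>\S+) service-type (?P<svc>\S+) authentication-type "
    r"(?P<auth>\S+)(?: assign (?P<kind>publickey|pki-domain) (?P<ref>\S+))?$")

def audit_ssh_server(config):
    """Return the task-list items that the configuration text leaves unmet."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    users = [m for m in map(USER_RE.match, lines) if m]
    peers = {ln.split()[2] for ln in lines if ln.startswith("public-key peer ")}
    domains = {ln.split()[2] for ln in lines if ln.startswith("pki domain ")}

    if "ssh server enable" not in lines:
        findings.append("SSH server function not enabled")
    if any(u["svc"] in ("sftp", "all") for u in users) and "sftp server enable" not in lines:
        findings.append("SFTP server function not enabled but an SFTP user exists")
    # User interfaces for SSH clients: at least one must use scheme authentication.
    if "authentication-mode scheme" not in lines:
        findings.append("no user interface uses scheme authentication")
    # Publickey users need a client host public key or a PKI domain on the server.
    for u in users:
        if u["auth"] == "password":
            continue
        if u["kind"] is None:
            findings.append(f"user {u['name']}: no public key or PKI domain assigned")
        elif u["kind"] == "publickey" and u["ref"] not in peers:
            findings.append(f"user {u['name']}: client public key {u['ref']} not configured")
        elif u["kind"] == "pki-domain" and u["ref"] not in domains:
            findings.append(f"user {u['name']}: PKI domain {u['ref']} not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_ssh_server(SAMPLE_CONFIG):
        print("FAIL:", finding)
```
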
Generating local DSA or RSA key pairs
DSA or RSA key pairs are required for generating the session key and session ID in the key exchange
stage, and can also be used by a client to authenticate the server. When a client tries to communicate
with a server, it compares the public key that it receives from the server with the server public key that it
saved locally. If the keys are consistent, the client uses the public key to authenticate the digital signature