R2511-HP MSR Router Series Security Configuration Guide(V5)

Configuring the user interfaces for SSH clients
An SSH client accesses the device through a VTY user interface. You must configure the VTY user interfaces to allow SSH login. The configuration takes effect only for clients that log in after it is made; sessions that are already established are not affected.
IMPORTANT:
Before you configure a user interface to support SSH, you must configure its authentication mode to
scheme. Otherwise, the protocol inbound command fails.
To configure the user interfaces for SSH clients:

Step 1. Enter system view.
   Command: system-view
   Remarks: N/A

Step 2. Enter VTY user interface view.
   Command: user-interface vty number [ ending-number ]
   Remarks: N/A

Step 3. Set the login authentication mode to scheme.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode is password.

Step 4. Configure the user interfaces to support SSH login.
   Command: protocol inbound { all | ssh }
   Remarks: Optional. By default, all protocols (Telnet, PAD, and SSH) are supported.
For more information about the authentication-mode and protocol inbound commands, see
Fundamentals Command Reference.
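The following session is an added example of the whole procedure, not taken from this guide: it restricts VTY lines 0 through 4 to SSH only (the default also accepts Telnet and PAD, which would expose a cleartext login path next to SSH) with scheme authentication. The system name, the VTY range, and the assumption that an AAA scheme or local SSH user has already been configured as described elsewhere in this guide are mine. Note the order: authentication-mode scheme is entered before protocol inbound ssh, because the protocol inbound command fails while the authentication mode is still password.

```text
<Sysname> system-view
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] protocol inbound ssh
[Sysname-ui-vty0-4] quit
[Sysname] display user-interface vty 0
[Sysname] save
```

The display user-interface command is used here only to confirm the authentication mode and inbound protocol of VTY 0 before saving; check its exact syntax and output against the Fundamentals Command Reference for your software version. Because the change applies only at the next login, test a fresh SSH login from a separate session before closing the one you configured from, so that a mistake in the AAA setup cannot lock you out.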
Configuring a client's host public key
This configuration task is only necessary if publickey authentication is configured for users and the clients
directly send the public key to the server for authentication.
During publickey authentication of a client, the server first compares the SSH username and the host public key received from the client with those saved locally. If they match, the server then verifies the digital signature that the client sends. The client computes this signature with the private key that corresponds to its host public key.
You must configure the client's DSA or RSA host public key on the server, and the client must use the matching host private key to generate the digital signature; only a signature that verifies against the stored public key passes publickey authentication. When the device itself acts as the client, the private key it signs with belongs to the local key pair of the public key algorithm specified for the connection.
You can configure the public key of an SSH client on the server manually, or import it from a public key file:
Manual configuration—Type or copy the client's host public key, as displayed on the client, into the SSH server. The key must be in DER encoding, exactly as displayed, and must not have been converted to another format.
Manually configured client host public keys must be in this format. If the device acts as the client, use the display public-key local public command on it to view the host public key and copy the key code into the server. A host public key obtained in other ways might be in an incorrect format and cannot be saved on the server. HP recommends that you configure a client public key by importing it from a public key file instead.
Importing from the public key file—Upload the client's host public key file (in binary) to the server
(for example, through FTP or TFTP), and import the uploaded file to the server. During the import