R2511-HP MSR Router Series Security Configuration Guide(V5)
• The SSH server does not support SSHv1 clients.
• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Displaying and maintaining FIPS
Task: Display the FIPS mode state.
Command: display fips status
Remarks: Available in any view.
FIPS configuration example
Network requirements
As shown in Figure 154, the host connects to the router through a console port.
Configure the router to operate in FIPS mode, and create a local user for the host so that the host can log in to the router.
Figure 154 Network diagram
Configuration procedure
CAUTION:
• After you enable FIPS mode, you must create a local user and its password before you reboot the device. Otherwise, you cannot log in to the device. To regain access, reboot the device without the configuration file (by ignoring or removing the configuration file) so that the device operates in non-FIPS mode, and then configure the device correctly.
• Set the system time correctly before switching modes. Otherwise, the password expires. Disable the password control function before you disable FIPS mode. Then, save the configuration and reboot the device. For more information about password control, see "Configuring password control."
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
# Enable the password control function.
[Sysname] password-control enable
# Create a local user named test, and set its service type to terminal, its privilege level to 3, and its password to AAbbcc1234%. By default, the password must be at least 10 characters long and must contain uppercase letters, lowercase letters, digits, and special characters. (Configure the password interactively: enter password in local user view and follow the prompts to enter the password.)
[Sysname] local-user test
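To check candidate settings against the FIPS-mode constraints this page states (the RSA/DSA key-length rules, the DES/RC4/MD5 exclusion, and the default password composition rule) before enabling the mode, the following Python pre-check is an added example; it is not part of the guide or the router software, and it assumes that "special character" means any non-alphanumeric character and that the default minimum password length of 10 applies.

```python
# Added example: offline pre-check of settings against the FIPS-mode rules
# stated on this page. Not part of the HP MSR guide or firmware.

# Default password composition rule from the page: at least 10 characters,
# with uppercase letters, lowercase letters, digits, and special characters.
MIN_PASSWORD_LEN = 10  # assumption: the default minimum length is in effect


def check_fips_password(password: str, min_len: int = MIN_PASSWORD_LEN) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Assumption: "special character" is any character that is not a letter or digit.
    classes = {
        "uppercase letter": str.isupper,
        "lowercase letter": str.islower,
        "digit": str.isdigit,
        "special character": lambda c: not c.isalnum(),
    }
    for name, predicate in classes.items():
        if not any(predicate(c) for c in password):
            problems.append(f"missing {name}")
    return problems


def check_fips_key_length(algorithm: str, modulus_bits: int) -> bool:
    """Key-length rules from the page: RSA must be exactly 2048 bits, DSA 1024 to 2048 bits."""
    alg = algorithm.upper()
    if alg == "RSA":
        return modulus_bits == 2048
    if alg == "DSA":
        return 1024 <= modulus_bits <= 2048
    return False  # other key types are not covered by the rules on this page


# Algorithms the page says SSH, SNMPv3, IPsec, and SSL do not support in FIPS mode.
FIPS_DISALLOWED = {"DES", "RC4", "MD5"}


def disallowed_algorithms(names) -> list:
    """Return, sorted, the subset of the given algorithm names that FIPS mode rejects."""
    return sorted({n.upper() for n in names} & FIPS_DISALLOWED)


if __name__ == "__main__":
    # The password from the configuration example on this page passes the policy.
    print(check_fips_password("AAbbcc1234%"))          # []
    print(check_fips_key_length("RSA", 1024))          # False
    print(disallowed_algorithms(["aes", "des", "md5"]))  # ['DES', 'MD5']
```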