4000 Router Series Security Command Reference

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

331

332

333

334

335

336

337

338

339

340

320

• aes128: Specifies the encryption algorithm aes128-cbc.

• aes256: Specifies the encryption algorithm aes256-cbc.

• des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1.

Algorithm sha1 features stronger security but costs more time in calculation than md5.

• md5: Specifies the HMAC algorithm hmac-md5.

• md5-96: Specifies the HMAC algorithm hmac-md5-96.

• sha1: Specifies the HMAC algorithm hmac-sha1.

• sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in

non-FIPS mode and dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs

more time in calculation than dh-group1

• dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

• dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

• dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.

dscp dscp-value: Specifies the DSCP value in the IPv6 SSH packets sent by the SSH client, in the range

of 0 to 63. The default value is 48. The DSCP value determines the transmission priority of the packet.

publickey keyname: Specifies the server by its host public key, which is used to authenticate the server.

The keyname argument is a case-insensitive string of 1 to 64 characters.

source: S

pecifies a source IP address or source interface to connect to the server. By default, the device

automatically selects the source IP address from the routing table. To avoid the communication failure

between the client and the server due to interface faults, use the specified loopback interface or dialer

interface as the source interface, and either IP address of the two interfaces as the source IP address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6

address of this interface is the source IP address to send packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

When the server adopts publickey authentication to authenticate a client, the client must get the local

private key for digital signature. Because publickey authentication uses either RSA or DSA algorithm, you

must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data

for the local private key.

Examples

# Establish a connection to the IPv6 Stelnet server 2000::1 and specify the public key of the server as

svkey. The SSH client uses publickey authentication. Use the following algorithms:

• Preferred key exchange algorithm is dh-group14.

• Preferred server-to-client encryption algorithm is aes128.

• Preferred client-to-server HMAC algorithm is sha1.

• Preferred server-to-client HMAC algorithm is sha1-96.

• Preferred compression algorithm between the server and client is zlib.