4000 Router Series Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP MSR3024 TAA-compliant AC Router

221

222

223

224

225

226

227

228

229

230

212

• Password-publickey authentication—The server requires SSH2 clients to pass both password

authentication and publickey authentication. However, an SSH1 client only needs to pass either

authentication, regardless of the requirement of the server.

• Any authentication—The server requires clients to pass either password authentication or publickey

authentication.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features,

commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures

are similar, the SSH server represents the Stelnet, SFTP, or SCP server unless otherwise specified.

SSH

server configuration task list

Tasks at a

lance

Remarks

(Required.) Generating local DSA or RSA key pairs

N/A

(Required.) Enabling the SSH server function Required for Stelnet, SFTP, and SCP servers.

(Required.) Enabling the SFTP server function Required for SFTP server.

(Required.) Configuring the user lines for SSH clients N/A

(Required.) Configuring a client's host public key

Required if the authentication method is publickey,

password-publickey, or any.

(Required/optional.) Configuring an SSH user

Required if the authentication method is publickey,

password-publickey, or any.

Optional if the authentication method is password.

(Optional.) Setting the SSH management parameters N/A

Generating local DSA or RSA key pairs

IMPORTANT:

Do not generate the local DSA key pair when the device operates as an SSH server in FIPS mode. User

authentication will fail because the SSH server operating in FIPS mode supports only RSA key pairs.

The DSA or RSA key pairs are required for generating the session key and session ID in the key exchange

stage, and can also be used by a client to authenticate the server. When a client tries to authenticate the

server, it compares the public key that it receives from the server with the server public key that it saved

locally. If the keys are consistent, the client uses the public key to authenticate the digital signature that

receives from the server. If the digital signatures are consistent, the authentication succeeds.

To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the

SSH server.