R0106-HP MSR Router Series Security Configuration Guide(V7)
321
NOTE:
SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
• Publickey authentication—The server authenticates a client through the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains the following information:
  - Username.
  - Public key of the client.
  - Publickey algorithm (or the digital certificate that carries the public key information).
  The server examines the validity of the public key. If the public key is invalid, the authentication fails. If the public key is valid, the server authenticates the client by using the digital signature. Finally, the server informs the client of the authentication result. The device supports using the public key algorithms RSA and DSA for digital signature.
  For more information about public key configuration, see "Managing public keys."
• Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.
• Any authentication—The server requires clients to pass password authentication or publickey authentication.
FIPS compliance
Some MSR routers support the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more
information about FIPS mode, see "Configuring FIPS."
Security strength
By default, the device provides low encryption. To obtain high encryption, you must install the Strong
Cryptography feature license. This feature provides stronger cryptography, additional IPsec tunnels, and
higher encryption performance. For more information about obtaining the Strong Cryptography feature
license, see the release notes or contact your HP sales representative.
Support for features, commands, and parameters depends on the cryptography capability.
Configuring the device as an SSH server
You can configure the device as a Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet, SFTP, or SCP server unless otherwise specified.
SSH server configuration task list

Tasks at a glance                                    Remarks
(Required.) Generating local DSA or RSA key pairs    N/A
(Required.) Enabling the SSH server function         Required for Stelnet and SCP servers.
(Required.) Enabling the SFTP server function        Required for SFTP server.
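The following CLI session is an added example, not taken from this guide, that walks the first tasks of the list above and then binds a user to the password-publickey method described earlier. The command syntax is assumed to be Comware V7; the device name, user name, key name, file name and VTY range are placeholders.

```console
# Task 1: generate the local RSA key pair used for server (host) authentication.
# Accept the default modulus length or enter a larger one when prompted.
<Router> system-view
[Router] public-key local create rsa

# Task 2: enable the Stelnet (SSH) server.
# Add "sftp server enable" for an SFTP server or "scp server enable" for an SCP server.
[Router] ssh server enable

# Accept only SSH (not Telnet) on the VTY lines and authenticate through the AAA scheme.
[Router] line vty 0 4
[Router-line-vty0-4] authentication-mode scheme
[Router-line-vty0-4] protocol inbound ssh
[Router-line-vty0-4] quit

# Import the client's public key from the file "client.pub" (assumed already uploaded
# to the device) and store it under the name "client-key". The server can then check
# the validity of the key the client presents in its publickey authentication request.
[Router] public-key peer client-key import sshkey client.pub

# Password part: a local management user that the AAA scheme can verify.
[Router] local-user ssh-admin class manage
[Router-luser-manage-ssh-admin] password simple <placeholder-password>
[Router-luser-manage-ssh-admin] service-type ssh
[Router-luser-manage-ssh-admin] authorization-attribute user-role network-admin
[Router-luser-manage-ssh-admin] quit

# Require both password and publickey for this SSH user. Per the text above, only SSH2
# clients are held to both checks; an SSH1 client passes with either one.
[Router] ssh user ssh-admin service-type stelnet authentication-type password-publickey assign publickey client-key
```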