ProLiant BL p-Class GbE2 Interconnect Switch Application Guide
Accessing the GbE2 Interconnect Switch 28
SSH and SCP encryption of management messages
The following encryption and authentication methods are supported for SSH and SCP:
• Server Host Authentication—Client RSA authenticates the switch at the beginning of every connection
• Key Exchange—RSA
• Encryption—AES256-CBC, AES192-CBC, 3DES-CBC, 3DES, ARCFOUR
• User Authentication—Local password authentication, RADIUS, TACACS+
IMPORTANT: The SCP-only administrator password must be different from the regular administrator password.
Generating RSA host and server keys for SSH access
To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024
bits and is used to identify the GbE2 Interconnect Switch. The server key is 768 bits and is used to make it
impossible to decipher a captured session by breaking into the GbE2 Interconnect Switch at a later time.
When the SSH server is first enabled and applied, the GbE2 Interconnect Switch automatically generates the RSA
host and server keys and is stored in the flash memory.
To configure RSA host and server keys, first connect to the GbE2 Interconnect Switch console connection
(commands are not available via Telnet connection), and enter the following commands to generate them
manually:
>> # /cfg/sys/sshd/hkeygen (Generates the host key)
>> # /cfg/sys/sshd/skeygen (Generates the server key)
These two commands take effect immediately without the need of an apply command.
When the GbE2 Interconnect Switch reboots, it will retrieve the host and server keys from the flash memory. If
these two keys are not available in the flash memory and if the SSH server feature is enabled, the GbE2
Interconnect Switch automatically generates them during the system reboot. This process may take several
minutes to complete.
The GbE2 Interconnect Switch can also automatically regenerate the RSA server key. To set the interval of RSA
server key autogeneration, use the following command:
>> # /cfg/sys/sshd/intrval <number of hours (0-24)>
A value of 0 denotes that RSA server key autogeneration is disabled. When greater than 0, the GbE2
Interconnect Switch will auto generate the RSA server key every specified interval; however, RSA server key
generation is skipped if the GbE2 Interconnect Switch is busy doing other key or cipher generation when the
timer expires.
The GbE2 Interconnect Switch will perform only one session of key/cipher generation at a time. Thus, an
SSH/SCP client will not be able to log in if the GbE2 Interconnect Switch is performing key generation at that
time, or if another client has logged in immediately prior. Also, key generation will fail if an SSH/SCP client is
logging in at that time.
SSH/SCP integration with RADIUS and TACACS+ authentication
SSH/SCP is integrated with RADIUS and TACACS+ authentication. After the RADIUS or TACACS+ server is
enabled on the GbE2 Interconnect Switch, all subsequent SSH authentication requests will be redirected to the
specified RADIUS or TACACS+ servers for authentication. The redirection is transparent to the SSH clients.