Manualshelf

HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch
919293949596979899100
Fabric OS 6.1.1 administrator guide 91
Commands that require a secure login channel must originate from an SSH session. If you start an SSH
session, and then use the login command to start a nested SSH session, commands that require a secure
channel will be rejected.
Fabric OS 6.1.x and later supports SSH protocol version 2.0 (ssh2). For more information on SSH, see the
SSH IETF website:
http://www.ietf.org/ids.by.wg/secsh.html
For more information, see SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard
Silverman and Robert G. Byrnes.
SSH public key authentication
OpenSSH public key authentication provides password-less logins known as SSH authentication that uses
public and private key pairs for incoming and outgoing authentication. This feature allows only one
allowed-user to be configured to utilize OpenSSH public key authentication. Using OpenSSH RSA and
DSA, the authentication protocols are based on a pair of specially generated cryptographic keys, called
the private key and the public key. The advantage of using these key-based authentication systems is that in
many cases, it is possible to establish secure connections without having to manually enter a password.
RSA and DSA asynchronous algorithms are FIPS-compliant.
Allowed-user
The default admin user has to set up the allowed-user with the admin role. By default, the admin is the
configured allowed-user. However, while creating the key pair, the configured allowed-user can choose a
passphrase with which the private key is encrypted. Then the passphrase must always be entered when
authenticating using a key pair. The allowed-user needs to have an admin role and can perform OpenSSH
public key authentication, import and export keys, generation of a key pair for an outgoing connection,
delete public and private keys. Once the allowed-user is changed, all the public keys related to the old
allowed-user are lost.
Configuring SSH authentication
Incoming authentication is used when the remote host needs to authenticate to the switch. Outgoing
authentication is used when the switch needs to authenticate to a server or remote host, more commonly
used for the configUpload command. Both password and public key authentication can coexist on the
switch.
After the allowed-user is configured, the remaining setup steps must be completed by the allowed-user.
Authentication setup overview
1. Log in to the switch as the default admin.
2. Change the allowed-user’s role to admin, if applicable.
switch:admin> userconfig --change username -r admin
where username is the name of the user you want to perform SSH public key authentication, import,
export, and delete keys.
3. Set up the allowed-user by typing the following command:
switch:admin> sshutil allowuser username
where username is the name of the user you want to perform SSH public key authentication, import,
export, and delete keys.
4. Generate a key pair for host-to-switch (incoming) authentication by logging in to your host as admin,
verifying that SSH v2 is installed and working (see your host’s documentation as necessary), and
issuing the following command:
ssh-keygen -t dsa
If you need to generate a key pair for outgoing authentication, skip steps 4 and 5 and proceed to step
6.