Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

5. Configuring the Switch for SSH Authentication

Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below results in the switch also authenticating the client’s public key. Also, for a more detailed discussion of the topics in this section, refer to “Further Information on SSH Client Public-Key Authentication” on page -95.

Note

Hewlett-Packard recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, Web, or serial port access to the switch can change the switch’s configuration. Also, if you configure only an Operator password, entering the Operator password through Telnet, Web, or serial port access enables full manager privileges. See “1. Assigning a Local Login (Operator) and Enable (Manager) Password” on page 85.

Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication.

Syntax: aaa authentication ssh login < local tacacs radius > [< local none >]

aaaauthentication ssh enable < local tacacs radius> [< local none >]

Configures a password method for the primary and secondary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.

Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.

Option B: Configuring the Switch for Client Public-Key SSH Authentication. If configured with this option, the switch uses its public key to authenticate itself to a client, but the client must also provide a client public-key for the switch to authenticate. This option requires the additional step of copying a client public-key file from a TFTP server into the switch. This means that before you can use this option, you must:

1.Create a key pair on an SSH client.

2.Copy the client’s public key into a public-key file (which can contain up to ten client public-keys).

3.Copy the public-key file into a TFTP server accessible to the switch and download the file to the switch.

92