Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

Terminology

SSH Server: An HP Series 2500 switch with SSH enabled.

Key Pair: A pair of keys generated by the switch or an SSH client application. Each pair includes a public key (that can be read by anyone) and a private key that is held internally in the switch or by a client.

PEM (Privacy Enhanced Mode): Refers to an ASCII-formatted client public-key that has been encoded for greater security. SSHv2 client public-keys are typically stored in the PEM format. See figures 28 and 29 for examples of PEM-encoded ASCII and non-encoded ASCII keys.

Private Key: An internally generated key used in the authentication process. A private key generated by the switch is not accessible for viewing or copying. A private key generated by an SSH client application is typically stored in a file on the client device and, together with its public key counterpart, can be copied and stored on multiple devices.

Public Key: An internally generated counterpart to a private key. Public keys are used for authenticating a

Enable Level: Manager privileges on the switch.

Login Level: Operator privileges on the switch.

Local password or username: A Manager-level or Operator-level password configured in the switch.

SSH Enabled: (1) A public/private key pair has been generated on the switch (crypto key generate [rsa]) and (2) SSH is enabled (ip ssh). (You can generate a key pair without enabling SSH, but you cannot enable SSH without first generating a key pair. See “2. Generating the Switch’s Public and Private Key Pair” on page 85 and “4. Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior” on page 89.)

Prerequisite for Using SSH

Before using a Series 2500 switch as an SSH server, you must install a publicly or commercially available SSH client application on the computer(s) you use for management access to the switch. If you want client public-key authentication (page 78), then the client program must have the capability to generate public and private key pairs.

Public Key Format Requirement

Any client application you use for client public-key authentication with the switch must have the capability to store a public key in non-encoded ASCII format. The switch does not interpret keys generated using the PEM (Privacy Enhanced Mode) format (also in ASCII characters) that some SSHv2 client applications use for storing public keys. If your client application stores PEM-encoded
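A pre-copy check for the two key formats this section and the PEM definition above distinguish, as an added example that is not part of the manual or HP's own software. It assumes the PEM-encoded form is the RFC 4716 block bracketed by `---- BEGIN SSH2 PUBLIC KEY ----` / `---- END SSH2 PUBLIC KEY ----` with an optional `Comment:` header, and the non-encoded form is the single-line `ssh-rsa <base64> [comment]` layout; the sample key blob is constructed and is not a real key.

```python
import base64
import struct

SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
SSH2_END = "---- END SSH2 PUBLIC KEY ----"


def classify_public_key(text: str) -> str:
    """'ssh2-pem' for the RFC 4716 block (assumed PEM-encoded ASCII form),
    'openssh' for the single-line form (assumed non-encoded ASCII), else 'unknown'."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if not lines:
        return "unknown"
    if lines[0] == SSH2_BEGIN and lines[-1] == SSH2_END:
        return "ssh2-pem"
    if len(lines) == 1 and lines[0].split()[0].startswith("ssh-"):
        return "openssh"
    return "unknown"


def to_openssh(text: str) -> str:
    """Convert an RFC 4716 block to the single-line form; a single-line key is
    returned unchanged. The key type comes from the first string inside the
    decoded blob, so the label can never disagree with the key data."""
    kind = classify_public_key(text)
    if kind == "openssh":
        return text.strip()
    if kind != "ssh2-pem":
        raise ValueError("unrecognised public-key format")
    inner = [ln.strip() for ln in text.strip().splitlines()[1:-1] if ln.strip()]
    comment, body = "", []
    for ln in inner:
        if ":" in ln:  # header line such as Comment: "user@host"; base64 never has ':'
            tag, _, value = ln.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(ln)
    b64 = "".join(body)
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    if not key_type.startswith("ssh-"):
        raise ValueError("blob does not start with an SSH key-type string")
    return f"{key_type} {b64} {comment}".rstrip()


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# Constructed sample blob (NOT a real key): type string, exponent 65537, short fake modulus.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(b"\x00" + bytes(range(1, 33)))
_B64 = base64.b64encode(_BLOB).decode()
SAMPLE_SSH2_PEM = "\n".join([SSH2_BEGIN, 'Comment: "admin@mgmt-host"']
                            + [_B64[i:i + 64] for i in range(0, len(_B64), 64)] + [SSH2_END])
```

Run `to_openssh` on a client's exported key before pasting it into the switch; a `ValueError` means the file is in neither layout and should be re-exported from the client.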

80