Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Note

SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet). If you need to increase SNMP security, you should use SNMP version 3 only. If you need to increase the security of your web interface, see the section on SSL. Another security measure is to use the Authorized IP Managers feature described in the switch’s Management and Configuration Guide. To protect against unauthorized access to the serial port (and the Clear button, which removes local password protection), keep physical access to the switch restricted to authorized personnel.

5. Configuring the Switch for SSH Authentication

Note that all methods in this section result in authentication of the switch’s public key by an SSH client. However, only Option B, below, results in the switch also authenticating the client’s public key. Also, for a more detailed discussion of the topics in this section, refer to “Further Information on SSH Client Public-Key Authentication” on page 4-22.

Hewlett-Packard recommends that you always assign a Manager-Level (enable) password to the switch. Without this level of protection, any user with Telnet, web, or serial port access to the switch can change the switch’s configuration. Also, if you configure only an Operator password, entering the Operator password through telnet, web, ssh or serial port access enables full manager privileges. See “1. Assigning a Local Login (Operator) and Enable (Manager) Password” on page 4-9.

Option A: Configuring SSH Access for Password-Only SSH Authentication. When configured with this option, the switch uses its public key to authenticate itself to a client, but uses only passwords for client authentication.

Syntax: aaa authentication ssh login < local | tacacs | radius > [< local | none >]

Configures a password method for the primary and secondary login (Operator) access. If you do not specify an optional secondary method, it defaults to none.

aaa authentication ssh enable < local | tacacs | radius > [< local | none >]
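The Note above lists several hardening points (disable web and Telnet management, SNMPv3 only, always set a Manager-level password), and Option A gives the `aaa authentication ssh login` / `enable` syntax. The following Python script is an added example, not from the manual or from HP, that audits a saved running-config against those points. The two config excerpts are constructed for the demo; the exact lines a given firmware prints in `show running-config` (for example whether Telnet shows as `no telnet` or `no telnet-server`, and how the Manager password appears) are assumptions, so the string patterns should be adapted to real output.

```python
import re
from dataclasses import dataclass

# Constructed running-config excerpts for the demo (not taken from the page or
# from any real switch). Command spellings follow the page's own text
# ("no web-management", "no telnet", "aaa authentication ssh login ..."); the
# exact lines a given firmware prints in 'show running-config' are an assumption
# and the patterns below should be adapted to the real output.
WEAK_CONFIG = """\
hostname "edge-sw-01"
ip ssh
password manager
aaa authentication ssh login tacacs
aaa authentication ssh enable local
snmp-server community "public" operator
no web-management
"""

HARDENED_CONFIG = """\
hostname "edge-sw-01"
ip ssh
password manager
aaa authentication ssh login local
aaa authentication ssh enable local
snmpv3 enable
no telnet-server
no web-management
"""

# aaa authentication ssh <login|enable> <primary> [<secondary>]
AUTH_RE = re.compile(r"^aaa authentication ssh (login|enable)\s+(\S+)(?:\s+(\S+))?$")


@dataclass
class Finding:
    severity: str
    message: str


def parse_config(text):
    """Return the non-empty, whitespace-stripped lines of a running-config."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def ssh_auth_methods(lines):
    """Map 'login'/'enable' to (primary, secondary). Per the page, an omitted
    secondary method defaults to none, so that is what is recorded."""
    methods = {}
    for ln in lines:
        m = AUTH_RE.match(ln)
        if m:
            kind, primary, secondary = m.groups()
            methods[kind] = (primary, secondary or "none")
    return methods


def audit(text):
    """Check a running-config against the hardening points in the page's Note
    and its Manager-password recommendation; return a list of Findings."""
    lines = parse_config(text)
    findings = []

    if "ip ssh" not in lines:
        findings.append(Finding("high", "SSH server not enabled (no 'ip ssh' line)"))

    # Page: disable web and Telnet access if local passwords alone are not enough.
    # 'no telnet' as written on the page; some firmwares print 'no telnet-server'.
    if not any(ln.startswith("no telnet") for ln in lines):
        findings.append(Finding("medium", "Telnet access still enabled (consider 'no telnet')"))
    if not any(ln.startswith("no web-management") for ln in lines):
        findings.append(Finding("medium", "web management still enabled (consider 'no web-management')"))

    # Page: use SNMP version 3 only. v1/v2c community strings are the giveaway.
    communities = [ln for ln in lines if ln.startswith("snmp-server community")]
    if communities:
        findings.append(Finding("medium", f"{len(communities)} SNMPv1/v2c community string(s) configured; page recommends SNMPv3 only"))

    # Page: always assign a Manager-level (enable) password.
    # 'password manager' as the config line is an assumption about this firmware.
    if "password manager" not in lines:
        findings.append(Finding("high", "no Manager-level (enable) password set; any Telnet/web/serial user could change the configuration"))

    # Option A syntax: report how SSH login/enable authentication is configured.
    methods = ssh_auth_methods(lines)
    for kind in ("login", "enable"):
        if kind not in methods:
            findings.append(Finding("low", f"'aaa authentication ssh {kind}' not explicitly configured"))
            continue
        primary, secondary = methods[kind]
        if primary in ("tacacs", "radius") and secondary == "none":
            findings.append(Finding("info", f"ssh {kind}: primary {primary}, secondary none (omitted secondary defaults to none)"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg):
            print(f"[{f.severity}] {f.message}")
```

Run it against the text of `show running-config` captured from a switch; the weak excerpt yields three findings (Telnet enabled, a v1/v2c community string, and a TACACS login method whose secondary defaulted to none), the hardened one yields none.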

4-18