Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Phonetic "Hash" of Switch’s Public Key

Hexadecimal

"Fingerprints" of

the Same Switch

Figure 4-11. Examples of Visual Phonetic and Hexadecimal Conversions of the Switch’s Public Key

The two commands shown in figure 4-11 convert the displayed format of the switch’s (host) public key for easier visual comparison of the switch’s public key to a copy of the key in a client’s "known host" file. The switch has only one RSA host key. The 'babble' and 'fingerprint' options produce two hashes for the key--one that corresponds to the challenge hash you will see if connecting with a v1 client, and the other corresponding to the hash you will see if connecting with a v2 client. These hashes do not correspond to different keys, but differ only because of the way v1 and v2 clients compute the hash of the same RSA key. The switch always uses ASCII version (without babble or fingerprint conversion) of its public key for file storage and default display format.

4.Enabling SSH on the Switch and Anticipating SSH Client Contact Behavior

The ip ssh command enables or disables SSH on the switch and modifies parameters the switch uses for transactions with clients. After you enable SSH, the switch can authenticate itself to SSH clients.

N o t e

Before enabling SSH on the switch you must generate the switch’s public/

 

private key pair. If you have not already done so, refer to “2. Generating the

 

Switch’s Public and Private Key Pair” on page 4-10.

When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients. If you also want SSH clients to authenticate themselves to the switch you must configure SSH on the switch for client public-key authentication at the login (Operator) level. To enhance security, you should also configure local, TACACS+, or RADIUS authentication at the enable (Manager) level.

4-15

Page 99
Image 99
HP 4100gl manual Switch’s Public and Private Key Pair on