HP 6120 SSH Client Contact Behavior, To enable SSH on the switch

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Note

Before enabling SSH on the switch you must generate the switch’s public/ private key pair. If you have not already done so, refer to “2. Generating the Switch’s Public and Private Key Pair” on page 6-10.

When configured for SSH, the switch uses its host public-key to authenticate itself to SSH clients. If you also want SSH clients to authenticate themselves to the switch you must configure SSH on the switch for client public-key authentication at the login (Operator) level. To enhance security, you should also configure local, TACACS+, or RADIUS authentication at the enable (Manager) level.

Refer to “5. Configuring the Switch for SSH Authentication” on page 6-20.

SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if the switch’s public key has not been copied into the client, then the client’s first connection to the switch will question the connection and, for security reasons, provide the option of accepting or refusing. If it is safe to assume that an unauthorized device is not using the switch’s IP address in an attempt to gain access to the client’s data or network, the connection can be accepted. (As a more secure alternative, the client can be directly connected to the switch’s serial port to download the switch’s public key into the client. See the following Note.)

When an SSH client connects to the switch for the first time, it is possible for

a“man-in-the-middle” attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames and passwords controlling access to the switch. This possibility can be removed by directly connecting the management station to the switch’s serial port, using a show command to display the switch’s public key, and copying the key from the display into a file. This requires a knowledge of where the client stores public keys, plus the knowledge of what key editing and file format might be required by the client application. However, if the first contact attempt between a client and the switch does not pose a security problem, this is unnecessary.

To enable SSH on the switch.

1.Generate a public/private key pair if you have not already done so. (Refer to “2. Generating the Switch’s Public and Private Key Pair” on page 6-10.)

2.Execute the ip ssh command.

6-16