Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Note on Port Number

ProCurve recommends using the default TCP port number (22). However, you can use ip ssh port to specify any TCP port for SSH connections except those reserved for other purposes. Examples of reserved IP ports are 23 (Telnet) and 80 (http). Some other reserved TCP ports on the switch are 49, 80, 1506, and 1513.

 

 

 

 

 

 

 

 

 

 

    ProCurve(config)# ip ssh                  <-- Enable SSH
    ProCurve(config)# show ip ssh

      SSH Enabled     : Yes               Secure Copy Enabled : No
      TCP Port Number : 22                Timeout (sec)       : 120
      IP Version      : IPv4orIPv6
      Host Key Type   : RSA               Host Key Size       : 1024

      Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
                rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
      MACs    : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

      Ses Type     | Source IP                                      Port
      --- -------- + ---------------------------------------------- -----
      1   console
      2   telnet
      3   ssh        12.255.255.255
      4   inactive
      5   inactive

With SSH running, the switch allows one console session and up to five other sessions (SSH and/or Telnet). Web browser sessions are also allowed, but do not appear in the show ip ssh listing.

Figure 6-10. Example of Enabling IP SSH and Displaying the SSH Configuration
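
The following Python script is an added example, not part of the ProCurve manual. It parses a show ip ssh listing like the one in Figure 6-10 and checks it against the reserved ports in the Note above and the Telnet point in the Caution that follows. The function names, the legacy-MAC set and the 2048-bit RSA minimum are assumptions of the example.

```python
import re

# Reserved TCP ports named in the Note on this page.
RESERVED_PORTS = {23, 49, 80, 1506, 1513}
LEGACY_MACS = {"hmac-md5", "hmac-md5-96"}  # assumption, not from the manual
MIN_RSA_BITS = 2048                        # assumption, not from the manual

# Constructed sample: the Figure 6-10 listing retyped as one text block.
SAMPLE = """\
 SSH Enabled     : Yes          Secure Copy Enabled : No
 TCP Port Number : 22           Timeout (sec)       : 120
 IP Version      : IPv4orIPv6
 Host Key Type   : RSA          Host Key Size       : 1024
 Ciphers : aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,
           rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
 MACs    : hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96
 Ses Type     | Source IP                                      Port
 --- -------- + ---------------------------------------------- -----
 1   console
 2   telnet
 3   ssh        12.255.255.255
 4   inactive
 5   inactive
"""

def parse_show_ip_ssh(text):
    """Return (settings dict, list of (session number, session type))."""
    text = re.sub(r",\s*\n\s*", ",", text)  # rejoin the wrapped Ciphers line
    settings, sessions = {}, []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(console|telnet|ssh|inactive)\b", line)
        if m:
            sessions.append((int(m.group(1)), m.group(2)))
            continue
        for key, val in re.findall(r"([A-Za-z][A-Za-z ()]*?)\s*:\s*(\S+)", line):
            settings[key.strip()] = val  # two "Key : value" pairs may share a line
    return settings, sessions

def audit(text):
    """Return findings for the page's Note and Caution plus the two assumptions."""
    s, sessions = parse_show_ip_ssh(text)
    legacy = sorted(LEGACY_MACS & set(s.get("MACs", "").split(",")))
    checks = [
        (int(s.get("TCP Port Number", 22)) in RESERVED_PORTS, "SSH port is a reserved TCP port"),
        (any(k == "telnet" for _, k in sessions), "Telnet session present; SSH does not protect it"),
        (s.get("Host Key Type") == "RSA" and int(s.get("Host Key Size", 0)) < MIN_RSA_BITS, "RSA host key below %d bits" % MIN_RSA_BITS),
        (bool(legacy), "legacy MACs offered: " + ",".join(legacy)),
    ]
    return [msg for hit, msg in checks if hit]
```

Calling audit(SAMPLE) on the Figure 6-10 listing returns three findings: the Telnet session, the 1024-bit RSA host key and the MD5-based MACs.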

 

 

 

 

 

 

 

 

Caution

Protect your private key file from access by anyone other than yourself. If someone can access your private key file, they can then penetrate SSH security on the switch by appearing to be you.

 

 

SSH does not protect the switch from unauthorized access via the web interface, Telnet, SNMP, or the serial port. While web and Telnet access can be restricted by the use of passwords local to the switch, if you are unsure of the security this provides, you may want to disable web-based and/or Telnet access (no web-management and no telnet). If you need to increase SNMP security, you should use SNMP version 3 only. If you need to increase the security of your web interface, see the section on SSL. Another security measure is to use the Authorized IP Managers feature described in the switch’s Management and Configuration Guide. To protect against unauthorized
