Support User Manuals

HP (Hewlett-Packard) 2300 Switch User Manual

Open as PDF

of 270

99

Enhancements in Release F.04.08

Configuring Secure Shell (SSH)

Replacing or Clearing the Public Key File. The client public-key file remains in the switch’s flash

memory even if you erase the startup-config file, reset the switch, or reboot the switch.

■ You can replace the existing client public-key file by copying a new client public-key file into

the switch

■ You can remove the existing client public-key file by executing the clear public-key command.

Syntax: clear public-key Deletes the client-public-key from the switch.

For example:

HP2512(config)# clear public-key

HP2512(config)# show ip client-public-key

show_client_public_key: cannot stat keyfile

Clearing the public key file removes file from flash memory, and does not require a write memory

command to make the change permanent.

Enabling Client Public-Key Authentication. After you TFTP a client-public-key file into the

switch (described above), you can configure the switch to allow one of the following:

■ If an SSH client’s public key matches the switch’s client-public-key file, allow that client

access to the switch. If there is not a public-key match, then deny access to that client.

■ If an SSH client’s public key does not have a match in the switch’s client-public-key file, allow

the client access if the user can enter the switch’s login (Operator) password. (If the switch

does not have an Operator password, then deny access to that client.

Syntax: aaa authentication ssh login rsa none Allows SSH client access only if the switch

detects a match between the client’s public

key and an entry in the client-public-key file

most recently copied into the switch.

aaa authentication ssh login rsa local Allows SSH client access if there is a public

key match (see above) or if the client’s user

enters the switch’s login (Operator) password.

With login rsa local configured, if the switch does not have an Operator-level password, it blocks client

public-key access to SSH clients whose private keys do not match a public key in the switch’s client-

public-key file.

Caution

To enable client public-key authentication to block SSH clients whose public keys are not in the

client-public-key file copied into the switch, you must configure the Login Secondary as none.

Otherwise, the switch allows such clients to attempt access using the switch’s Operator password.

previous next