HP (Hewlett-Packard) 2500 Switch User Manual


 
90
Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
SSH Client Contact Behavior. At the first contact between the switch and an SSH client, if you
have not copied the switch’s public key into the switch, your client’s first connection to the switch
will question the connection and, for security reasons, give you the option of accepting or refusing.
As long as you are confident that an unauthorized device is not using the switch’s IP address in an
attempt to gain access to your data or network, you can accept the connection. (As a more secure
alternative, you can directly connect the client to the switch’s serial port and copy the switch’s public
key into the client. See the Note, below.)
Note
When an SSH client connects to the switch for the first time, it is possible for a "man-in-the-middle"
attack; that is, for an unauthorized device to pose undetected as the switch, and learn the usernames
and passwords controlling access to the switch. You can remove this possibility by directly
connecting the management station to the switch’s serial port, using a show command to display the
switch’s public key, and copying the key from the display into a file. This requires a knowledge of
where your client stores public keys, plus the knowledge of what key editing and file format might
be required by your client application. However, if your first contact attempt between a client and
the switch does not pose a security problem, this is unnecessary.
To enable SSH on the switch.
1. Generate a public/private key pair if you have not already done so. (Refer to “2. Generating the
Switch’s Public and Private Key Pair” on page 85.)
2. Execute the ip ssh command.
To disable SSH on the switch, do either of the following:
Execute no ip ssh.
Zeroize the switch’s existing key pair. (page 86).
Syntax: [no] ip ssh Enables or disables SSH on the switch.
[key-size < 512 | 768 | 1024 >] The size of the internal, automatically generated key
the switch uses for negotiations with an SSH client. A
larger key provides greater security; a smaller key
results in faster authentication (default: 512 bits).
See the following Note.
[port < 1-65535 | default >] The IP port number for SSH connections
(default: 22).
Important: See the following "Note" on port number.
[timeout < 5 - 120 >] The SSH login timeout value (default: 120 seconds).