HP (Hewlett-Packard) 2500 Switch User Manual

93
Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
(For more on these topics, refer to “Further Information on SSH Client Public-Key Authentication”
on page 95.)
With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts
the switch, login authentication automatically occurs first, using the switch and client public-keys.
After the client gains login access, the switch controls client access to the manager level by requiring
the passwords configured earlier by the aaa authentication ssh enable command.
Syntax: copy tftp pub-key-file <ip-address> <filename>
    Copies a public key file into the switch.
aaa authentication ssh login rsa <local | none>
    Configures the switch to authenticate a client public-key at the login level, with an optional secondary password method (default: none).
Caution
To allow SSH access only to clients having the correct public key, you must configure the secondary
(password) method for login rsa to none. Otherwise a client without the correct public key can still
gain entry by submitting a correct local login password.
aaa authentication ssh enable <local | tacacs | radius> <local | none>
    Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "1eader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following:
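As an added example, not part of the manual, the following Python script reads switch configuration lines written in the command syntax described above (the sample lines are constructed for the scenario just described) and reports the weak setting the Caution warns about: a secondary password method other than none on login rsa, which lets a client with no matching key log in with a password.

```python
import re

# Constructed configuration lines for the scenario above (key file on the TFTP
# server at 10.33.18.117, key-only SSH login, TACACS+ then local for Manager
# access). They follow the command syntax in this section; not copied from the manual.
WEAK_CONFIG = """\
copy tftp pub-key-file 10.33.18.117 Client-Keys.pub
aaa authentication ssh login rsa local
aaa authentication ssh enable tacacs local
"""
HARDENED_CONFIG = WEAK_CONFIG.replace("login rsa local", "login rsa none")

LOGIN_RE = re.compile(r"^aaa authentication ssh login rsa(?: (local|none))?$")
ENABLE_RE = re.compile(
    r"^aaa authentication ssh enable (local|tacacs|radius)(?: (local|none))?$")


def parse_ssh_auth(config):
    """Extract the login rsa secondary method and the enable primary/secondary
    methods. An omitted secondary method defaults to "none", as the syntax says."""
    auth = {"login_secondary": None, "enable_primary": None, "enable_secondary": None}
    for line in config.splitlines():
        line = " ".join(line.split())  # collapse stray whitespace
        m = LOGIN_RE.match(line)
        if m:
            auth["login_secondary"] = m.group(1) or "none"
            continue
        m = ENABLE_RE.match(line)
        if m:
            auth["enable_primary"] = m.group(1)
            auth["enable_secondary"] = m.group(2) or "none"
    return auth


def audit_ssh_auth(config):
    """Return findings; an empty list means only clients holding a key listed
    in the installed public-key file can log in over SSH."""
    auth = parse_ssh_auth(config)
    findings = []
    if auth["login_secondary"] is None:
        findings.append("login rsa not configured: public-key login is not enforced")
    elif auth["login_secondary"] != "none":
        # The Caution above: a secondary password method on login rsa lets a
        # client without a matching key log in by supplying a local password.
        findings.append("login rsa secondary is '%s': password-only login still possible"
                        % auth["login_secondary"])
    if auth["enable_primary"] is None:
        findings.append("ssh enable not configured: no password method set for Manager access")
    return findings
```

Running audit_ssh_auth on WEAK_CONFIG returns one finding for the local secondary method; on HARDENED_CONFIG it returns an empty list.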