HP (Hewlett-Packard) 2500 Switch User Manual


 
85
Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
1. Assigning a Local Login (Operator) and Enable (Manager) Password
At a minimum, HP recommends that you always assign at least a Manager password to the switch.
Otherwise, under some circumstances, anyone with Telnet, Web, or serial port access could modify
the switch’s configuration.
To Configure Local Passwords. You can configure both the Operator and Manager password with
one command.
Syntax: password < manager | operator | all >
Figure 30. Example of Configuring Local Passwords
2. Generating the Switch’s Public and Private Key Pair
You must generate a public and private host key pair on the switch. The switch uses this key pair,
along with a dynamically generated session key pair to negotiate an encryption method and session
with an SSH client trying to connect to the switch.
The host key pair is stored in the switch’s flash memory, and only the public key in this pair is readable.
The public key should be added to a "known hosts" file (for example, $HOME/.ssh/known_hosts
on UNIX systems) on the SSH clients who you want to have access to the switch. Some SSH client
applications automatically add the the switch’s public key to a "known hosts" file. Other SSH
applications require you to manually create a known hosts file and place the switch’s public key in
the file. (Refer to the documentation for your SSH client application.)
(The session key pair mentioned above is not visible on the switch. It is a temporary, internally
generated pair used for a particular switch/client session, and then discarded.)
Notes
When you generate a host key pair on the switch, the switch places the key pair in flash memory (and
not in the running-config file). Also, the switch maintains the key pair across reboots, including
power cycles. You should consider this key pair to be "permanent"; that is, avoid re-generating the
key pair without a compelling reason. Otherwise, you will have to re-introduce the switch’s public
key on all management stations you have set up for SSH access to the switch using the earlier pair.
Removing (zeroizing) the switch’s public/private key pair renders the switch unable to engage in SSH
operation and automatically disables IP SSH on the switch. (To verify whether SSH is enabled,
execute show ip ssh.)