HP (Hewlett-Packard) 2500 Switch User Manual
87
Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
3. Providing the Switch’s Public Key to Clients
When an SSH client contacts the switch for the first time, the client will challenge the connection
unless you have already copied the key into the client’s "known host" file. Copying the switch’s key
in this way reduces the chance that an unauthorized device can pose as the switch to learn your
access passwords. The most secure way to acquire the switch’s public key for distribution to clients
is to use a direct, serial connection between the switch and a management device (laptop, PC, or
UNIX workstation), as described below.
Note on the Public Key Format
The switch uses SSH version 1, but it can be authenticated by SSH version 2 clients that are
backwards-compatible with SSHv1. However, if your SSH client supports SSHv2, it may store the
switch's public key in its "known host" file in PEM format. In that case, the following procedure will
not work for that client unless you have a method for converting the switch's ASCII-string public key
into PEM format. If you do not have such a conversion method, you can still set up authentication
of the switch to the client over the network: use the client to contact the switch and accept the
challenge that the client should pose before it trusts the switch (trust on first use). This is acceptable
as long as you are confident that no "man-in-the-middle" spoofing attempt is taking place during that
first contact. Because the client acquires the switch's public key when you accept the challenge,
subsequent contacts between the client and the switch should be secure.
The public key generated by the switch consists of three parts, separated by one blank space each:
the key size, the encoded public exponent, and the encoded modulus.
Figure 32. Example of a Public Key Generated by the Switch
    896 35 427199470766077426366625060579924214851527933248752021855126493
    2934075407047828604329304580321402733049991670046707698543529734853020
    0176777055355544556880992231580238056056245444224389955500310200336191
    3610469786020092436232649374294060627777506601747146563337525446401
    (Key Size) (Encoded Public Exponent) (Encoded Modulus: one continuous number, shown wrapped over several lines)
(The generated public key on the switch is always 896 bits.)
With a direct serial connection from a management station to the switch:
1. Use a terminal application such as HyperTerminal to display the switch's public key with the
show ip host-public-key command, as shown in figure 31.
2. Bring up the SSH client's "known host" file in a text editor such as Notepad as straight ASCII
text, and copy the switch's public key into the file.
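The copy-and-paste step above is where a stale or truncated key most often slips in: a terminal program wraps the long modulus, and a missing digit leaves a "known host" entry that will never match the switch. The following Python script is an added example, not part of the HP manual; it re-joins the wrapped key from Figure 32, checks that it really is three decimal fields whose stated size matches the modulus, and formats it as a known-host entry. It assumes an SSH1 client whose known-host entries take the form "hostname bits exponent modulus" (the OpenSSH SSH1 layout), a placeholder hostname, and the OpenSSH RSA1 fingerprint convention (MD5 over the modulus bytes followed by the exponent bytes) for the fingerprint you can read back to the administrator over the serial console.

```python
"""Check and format an SSHv1 public key of the form 'bits exponent modulus'.

Added example, not part of the HP manual. Assumes an SSH1 client whose known-host
entries are 'hostname bits exponent modulus' and the OpenSSH RSA1 fingerprint layout.
"""
import hashlib
import re

# The key from Figure 32 as a terminal program printed it, wrapped over four lines.
# The modulus is one continuous decimal number split by the wrapping.
FIGURE_32_LINES = [
    "896 35 427199470766077426366625060579924214851527933248752021855126493",
    "2934075407047828604329304580321402733049991670046707698543529734853020",
    "0176777055355544556880992231580238056056245444224389955500310200336191",
    "3610469786020092436232649374294060627777506601747146563337525446401",
]


def join_wrapped_key(lines):
    """Re-join a key that the terminal wrapped across several lines."""
    return "".join(line.strip() for line in lines)


def parse_ssh1_public_key(text):
    """Split 'bits exponent modulus' into integers and sanity-check the result.

    Returns (bits, e, n). Raises ValueError when the string does not consist of
    exactly three decimal fields, when the stated key size does not match the
    modulus (the usual symptom of a truncated or mis-pasted copy), or when the
    exponent is not an odd integer of at least 3.
    """
    fields = text.split()
    if len(fields) != 3 or not all(re.fullmatch(r"\d+", f) for f in fields):
        raise ValueError("expected three decimal fields: bits exponent modulus")
    bits, e, n = (int(f) for f in fields)
    if n.bit_length() != bits:
        raise ValueError(f"stated size {bits} but modulus has {n.bit_length()} bits")
    if e < 3 or e % 2 == 0:
        raise ValueError("public exponent must be an odd integer >= 3")
    return bits, e, n


def known_hosts_line(hostname, bits, e, n):
    """Format an SSH1 known-host entry: hostname bits exponent modulus."""
    return f"{hostname} {bits} {e} {n}"


def rsa1_fingerprint(e, n):
    """Colon-separated MD5 fingerprint in the OpenSSH RSA1 convention:
    MD5 over the big-endian bytes of n followed by the big-endian bytes of e.
    """
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big")
    blob += e.to_bytes((e.bit_length() + 7) // 8, "big")
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    key_text = join_wrapped_key(FIGURE_32_LINES)
    bits, e, n = parse_ssh1_public_key(key_text)
    # "switch.example.net" is a placeholder hostname, not from the manual.
    print(known_hosts_line("switch.example.net", bits, e, n))
    print("fingerprint:", rsa1_fingerprint(e, n))
```

Run it against the key text you captured from the serial console before pasting the line into the client's file; if the size check fails, re-capture the key rather than accepting whatever the client proposes on first contact.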