Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
The show crypto host-public-key command displays the switch's public key in two different formats because your client may store it in either format after learning the key. If you wish to compare the switch key to the key as stored in your client's known_hosts file, note that the formatting, host names and comments need not match. For version 1 keys, the three numeric values (bit size, exponent <e>, and modulus <n>) must match; for PEM keys, only the PEM-encoded string itself must match.
Note: "Zeroizing" the switch's key (crypto key zeroize ssh) automatically disables SSH, equivalent to entering no ip ssh. Thus, if you zeroize the key and then generate a new one (for example, crypto key generate ssh rsa bits 2048), you must also re-enable SSH with the ip ssh command before the switch can resume SSH operation. Clients that stored the old key will report a host key mismatch until their known_hosts entry for the switch is updated.
Configuring Key Lengths
The crypto key generate ssh command allows you to specify the type and length 
of the generated host key. The size of the host key is platform-dependent as 
different switches have different amounts of processing power. The size is 
represented by the <keysize> parameter and has the values shown in 
Table 8-2. The default value is used if keysize is not specified.
3. Providing the Switch’s Public Key to Clients
When an SSH client contacts the switch for the first time, the client will warn that the host is unknown and ask whether to accept the key, unless you have already copied the switch's key into the client's known_hosts file. Copying the switch's key in this way reduces the chance that an unauthorized device can pose as the switch to learn your access passwords. The most secure way to acquire the switch's public key for distribution to clients is to use a direct, serial connection between the switch and a management device (laptop, PC, or UNIX workstation), as described below.
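The comparison described above (key as shown by the switch versus the entry in known_hosts, ignoring host names and comments) and the pre-provisioning of known_hosts described in step 3 can be checked on the management workstation. The script below is an added example, not part of the HP manual. It assumes the key is copied in the OpenSSH one-line form (key type, base64 blob, optional comment), which is what a current known_hosts file stores; the base64 blob plays the role of the "PEM-encoded string" in the text, and decoding it yields the bit size, exponent and modulus that a version 1 comparison checks. The key material, host names and salt are constructed for the example and are not a real switch key.

```python
# Added example (not from the HP manual): compare a switch host key, as copied
# from 'show crypto host-public-key', with the entries in a client's known_hosts.
# Assumes OpenSSH one-line format: "<type> <base64 blob> [comment]". Only the key
# type and the blob are compared; host names, comments and whitespace are ignored.
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH wire 'mpint': big-endian bytes, with a leading 0x00 if the top bit is set."""
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_rsa_blob(e: int, n: int) -> bytes:
    """Build the wire-format ssh-rsa public key blob from exponent and modulus."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def decode_rsa_blob(blob: bytes):
    """Return (bit size, exponent e, modulus n): the three values a version 1
    comparison checks. The base64 blob in a known_hosts line encodes exactly them."""
    def read_string(off):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        return blob[off + 4:off + 4 + length], off + 4 + length

    ktype, off = read_string(0)
    if ktype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key blob")
    e_bytes, off = read_string(off)
    n_bytes, off = read_string(off)
    n = int.from_bytes(n_bytes, "big")
    return n.bit_length(), int.from_bytes(e_bytes, "big"), n


def parse_pubkey_line(line: str):
    """Split '<type> <base64> [comment]' into (type, decoded blob); the comment is dropped."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 key> [comment]'")
    return fields[0], base64.b64decode(fields[1])


def hashed_host_pattern(host: str, salt: bytes) -> str:
    """Build an OpenSSH hashed host field '|1|<base64 salt>|<base64 HMAC-SHA1(salt, host)>'."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(pattern: str, host: str) -> bool:
    """Match the first known_hosts field: a comma-separated host list or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        digest = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(hash_b64))
    return host in pattern.split(",")


def parse_known_hosts(text: str):
    """Yield (host field, key type, blob) for each key line; skips blanks and comments."""
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):      # @cert-authority / @revoked marker
            fields = fields[1:]
        if len(fields) >= 3:
            yield fields[0], fields[1], base64.b64decode(fields[2])


def check_switch_key(switch_line: str, known_hosts: str, host: str) -> str:
    """'match' if known_hosts holds this key for host, 'mismatch' if it holds a
    different key of the same type (possible impersonation, or a re-generated
    switch key), 'unknown' if the host has no entry yet."""
    ktype, blob = parse_pubkey_line(switch_line)
    seen = False
    for pattern, kh_type, kh_blob in parse_known_hosts(known_hosts):
        if not host_matches(pattern, host) or kh_type != ktype:
            continue
        seen = True
        if hmac.compare_digest(kh_blob, blob):
            return "match"
    return "mismatch" if seen else "unknown"


# Constructed sample data: NOT a real switch key (a real modulus is 1024-3072 bits).
E = 65537
N = int("c7a3b5e1d9f2a8b4c6d8e0f1a3b5c7d9", 16)
SWITCH_KEY_LINE = "ssh-rsa %s switch-host-key" % base64.b64encode(encode_rsa_blob(E, N)).decode()
OTHER_KEY_LINE = "ssh-rsa %s other-device" % base64.b64encode(encode_rsa_blob(E, N ^ 0xFF)).decode()
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "10.0.0.1,switch1 " + SWITCH_KEY_LINE.replace("switch-host-key", "from-first-login"),
    hashed_host_pattern("switch.example.net", bytes(range(20))) + " " + SWITCH_KEY_LINE,
    "10.0.0.2 " + OTHER_KEY_LINE,
])

if __name__ == "__main__":
    print("bits, e, n:", decode_rsa_blob(parse_pubkey_line(SWITCH_KEY_LINE)[1]))
    for h in ("10.0.0.1", "switch.example.net", "10.0.0.2", "10.0.0.3"):
        print(h, check_switch_key(SWITCH_KEY_LINE, KNOWN_HOSTS, h))
```

The comparison uses hmac.compare_digest on the raw blob rather than string equality so that the base64 line wrapping or a changed comment cannot produce a false mismatch, and hashed entries (HashKnownHosts yes) are handled because the hostname is recovered only by recomputing the salted HMAC. A "mismatch" result after you have zeroized and re-generated the switch key is expected and should be resolved by replacing the entry from a trusted copy of the new key, not by disabling host checking.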
Table 8-2.  RSA/DSA Values for Various HP Switches

Platform                          RSA Key Size (in bits)   RSA Default   DSA Key Size (in bits)
2900/3800/3500/5400/6200/8200     1024, 2048, 3072         2048          1024
2610                              1024, 2048               1024          1024

DSA host keys are fixed at 1024 bits on all of these platforms, so where the platform supports it, generate an RSA host key of at least 2048 bits (the default on all platforms except the 2610, where bits 2048 must be specified explicitly).