
HP ProCurve Switch 2650

184 pages
4-18
Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
5. Configuring the Switch for SSH Authentication
Note that all methods in this section result in authentication of the switch's
public key by an SSH client. However, only Option B, below, results in the
switch also authenticating the client's public key. Also, for a more detailed
discussion of the topics in this section, refer to "More Information on SSH
Client Public-Key Authentication" on page 4-21.
Note: Hewlett-Packard recommends that you always assign a Manager-Level
(enable) password to the switch. Without this level of protection, any user
with Telnet, web, or serial port access to the switch can change the switch's
configuration. Also, if you configure only an Operator password, entering
the Operator password through Telnet, web, or serial port access enables full
manager privileges. See "1. Assigning Local Operator and Manager Passwords"
on page 4-9.
Option A: Configuring SSH Access for Password-Only SSH
Authentication. When configured with this option, the switch uses its public
key to authenticate itself to a client, but uses only passwords for client
authentication.
Option B: Configuring the Switch for Client Public-Key SSH
Authentication. If configured with this option, the switch uses its public
key to authenticate itself to a client, but the client must also provide a client
public-key for the switch to authenticate. This option requires the additional
step of copying a client public-key file from a TFTP server into the switch. This
means that before you can use this option, you must:
1. Create a key pair on an SSH client.
2. Copy the client's public key into a public-key file (which can contain up
to ten client public-keys).
Syntax: aaa authentication ssh login < local | tacacs | radius > [< local | none >]
            Configures a password method for the primary and
            secondary login (Operator) access. If you do not specify
            an optional secondary method, it defaults to none.
        aaa authentication ssh enable < local | tacacs | radius > [< local | none >]
            Configures a password method for the primary and
            secondary enable (Manager) access. If you do not specify
            an optional secondary method, it defaults to none.
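The following is an added example, not part of the HP manual: a small Python checker that parses "aaa authentication ssh" lines against the syntax above and reports the effective primary and secondary method per access level, applying the documented default of none. The function names and the sample configuration text are constructed for illustration, and the checker assumes the commands appear one per line exactly as typed.

```python
# Grammar from the Syntax lines on this page:
#   aaa authentication ssh <login|enable> <local|tacacs|radius> [<local|none>]
PRIMARY = {"local", "tacacs", "radius"}
SECONDARY = {"local", "none"}
LEVEL_NAME = {"login": "Operator", "enable": "Manager"}

def parse_ssh_aaa(line):
    """Return (level, primary, secondary) for one command line.

    Returns None when the line is not an 'aaa authentication ssh' command
    and raises ValueError when it is one but does not match the syntax.
    """
    tokens = line.split()
    if tokens[:3] != ["aaa", "authentication", "ssh"]:
        return None
    args = tokens[3:]
    if not 2 <= len(args) <= 3:
        raise ValueError("expected <login|enable> <primary> [<secondary>]")
    level, primary = args[0], args[1]
    # Documented default: an omitted secondary method is 'none'.
    secondary = args[2] if len(args) == 3 else "none"
    if level not in LEVEL_NAME:
        raise ValueError(f"unknown access level {level!r}")
    if primary not in PRIMARY:
        raise ValueError(f"invalid primary method {primary!r}")
    if secondary not in SECONDARY:
        raise ValueError(f"invalid secondary method {secondary!r}")
    return level, primary, secondary

def effective_methods(config_text):
    """Map 'Operator'/'Manager' to (primary, secondary); collect syntax errors."""
    result, errors = {}, []
    for number, line in enumerate(config_text.splitlines(), 1):
        try:
            parsed = parse_ssh_aaa(line)
        except ValueError as exc:
            errors.append(f"line {number}: {exc}")
            continue
        if parsed:
            level, primary, secondary = parsed
            result[LEVEL_NAME[level]] = (primary, secondary)
    return result, errors

# Constructed sample input; the last line is deliberately invalid.
SAMPLE = """\
hostname "constructed-switch"
aaa authentication ssh login tacacs local
aaa authentication ssh enable radius
aaa authentication ssh enable local tacacs
"""

if __name__ == "__main__":
    print(effective_methods(SAMPLE))
```
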
