
FIPS compliance, Configuring the device as an SSH server, SSH server configuration task list – H3C Technologies H3C S12500-X Series Switches User Manual

Page 183: Generating local DSA or RSA key pairs


Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.

Any authentication—The server requires clients to pass either password authentication or publickey authentication.


FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.


Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet, SFTP, or SCP server unless otherwise specified.

SSH server configuration task list

| Tasks at a glance | Remarks |
|---|---|
| (Required.) Generating local DSA or RSA key pairs | N/A |
| (Required.) Enabling the SSH server function | Required for Stelnet and SCP servers. |
| (Required.) Enabling the SFTP server function | Required for SFTP server. |
| (Required.) Configuring the user lines for Stelnet clients | N/A |
| (Required.) Configuring a client's host public key | Required if the authentication method is publickey, password-publickey, or any. |
| (Required/optional.) Configuring an SSH user | Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password. |
| (Optional.) Setting the SSH management parameters | N/A |


Generating local DSA or RSA key pairs

IMPORTANT:

Do not generate the local DSA key pair when the device operates in FIPS mode as an SSH server. User
authentication will fail because the SSH server operating in FIPS mode supports only RSA key pairs.

The DSA or RSA key pairs are required for generating the session key and session ID in the key exchange stage, and can also be used by a client to authenticate the server. When a client tries to authenticate the server, it compares the public key that it receives from the server with the server public key that it saved locally. If the keys are consistent, the client uses the public key to authenticate the digital signature that it receives from the server. If the digital signatures are consistent, the authentication succeeds.

To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
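
The comparison step described above, as an added example that is not from the H3C manual: a client-side check that reads the key type from the SSH public key blob (RFC 4253 format), compares the blob with the saved copy for that host and type, and refuses non-RSA keys when the server is expected to run in FIPS mode. The host name, the toy key values, the `fips` flag and all function names are assumptions made for illustration; signature verification, the step that follows a match, is not shown.

```python
import base64, hashlib, hmac, struct

def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a positive integer (keeps the sign bit clear)."""
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))

def key_type(blob: bytes) -> str:
    """Read the algorithm name that starts every SSH public key blob."""
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + length]
    if len(name) != length:
        raise ValueError("truncated key blob")
    return name.decode("ascii")

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint, handy for out-of-band comparison."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(received: bytes, saved: dict, host: str, fips: bool) -> str:
    """Compare the key the server sent with the locally saved copy."""
    ktype = key_type(received)
    if fips and ktype != "ssh-rsa":
        return "reject: FIPS mode supports only RSA key pairs"
    pinned = saved.get((host, ktype))
    if pinned is None:
        return "unknown: no saved key of this type for host"
    if not hmac.compare_digest(pinned, received):
        return "reject: key differs from saved copy"
    return "match: go on to verify the server's signature"

# Constructed toy values, far too small to be real keys.
HOST = "switch.example.net"
RSA_BLOB = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xC0FFEE1234567891)
DSA_BLOB = (ssh_string(b"ssh-dss") + mpint(0xF123456789AB) + mpint(0x9D5B)
            + mpint(0x02) + mpint(0x4A7C3E21))
SAVED = {(HOST, "ssh-rsa"): RSA_BLOB, (HOST, "ssh-dss"): DSA_BLOB}
FORGED = ssh_string(b"ssh-rsa") + mpint(65537) + mpint(0xBADC0DE987654321)

if __name__ == "__main__":
    for label, blob, fips in [("rsa", RSA_BLOB, True), ("dsa", DSA_BLOB, True),
                              ("dsa", DSA_BLOB, False), ("forged", FORGED, True)]:
        print(label, fips, fingerprint(blob), check_host_key(blob, SAVED, HOST, fips))
```

Saving one key per host and key type mirrors the advice to generate both DSA and RSA key pairs: a client that pins only one type gets `unknown` for the other instead of a silent mismatch.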