Configuring the device as an ssh server, Ssh server configuration task list, Generating local key pairs – H3C Technologies H3C S6300 Series Switches User Manual
Page 284: Configuration restrictions and guidelines
269
Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance
Remarks
(Optional.)
N/A
Required for Stelnet and SCP servers.
Required for SFTP servers.
(Required.) Configuring NETCONF over SSH
Required for NETCONF-over-SSH servers.
(Required.) Configuring the user lines for SSH login
Required for Stelnet and NETCONF-over-SSH
servers.
Configuring a client's host public key
Required if the authentication method is publickey,
password-publickey, or any.
Configuring the PKI domain for verifying the client
certificate
See "
Required if publickey authentication is configured
for users and if the clients send the public keys to
the server through digital certificates for validity
check.
The PKI domain must have the CA certificate to
verify the client certificate.
Required if the authentication method is publickey,
password-publickey, or any.
Optional if the authentication method is password.
(Optional.)
Setting the SSH management parameters
Generating local key pairs
The DSA, RSA, or ECDSA key pairs are required for generating the session key and session ID in the key
exchange stage. They can also be used by a client to authenticate the server. When a client tries to
authenticate the server, it compares the public key that it receives from the server with the server public
key that it saved locally. If the keys are consistent, the client uses the locally saved server's public key to
decrypt the digital signature received from the server. If the decryption succeeds, the server passes the
authentication.
Configuration restrictions and guidelines
When you generate local key pairs, follow these restrictions and guidelines:
•
To support SSH clients that use different types of key pairs, generate DSA, RSA, and ECDSA key
pairs on the SSH server.
•
SSH supports ECDSA key pairs in Release 2311P04 and later versions.
•
The SSH server operating in FIPS mode supports only RSA and ECDSA key pairs. Do not generate
the local DSA key pair when the device operates as an SSH server in FIPS mode.
•
SSH supports locally generated DSA, RSA, and ECDSA key pairs only with default names. For more
information about the commands that are used to generate keys, see Security Command Reference.