beautypg.com

Generating a dsa or rsa key pair, Enabling the ssh server function, Configuring the user interfaces for ssh clients – H3C Technologies H3C SecPath F1000-E User Manual

Page 61

background image

5

Generating a DSA or RSA Key Pair

In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session

ID and for the client to authenticate the server.
Follow these steps to generate a DSA or RSA key pair on the SSH server:

To do…

Use the command…

Remarks

Enter system view

system-view

Generate a DSA or RSA key pair

public-key local create { dsa
| rsa }

Required
By default, there is neither DSA key

pair nor RSA key pair.

NOTE:

For more information about the public-key local create command, see

Public Key Commands in the

Security Volume.

You are recommended to generate both DSA and RSA key pairs on the SSH server to support SSH
clients using different types of key pairs.

The public-key local create rsa command generates two RSA key pairs: a server key pair and a host key
pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair
of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2.0

uses the DH algorithm to generate the session key on the SSH server and client respectively, no session

key transmission is required in SSH2.0 and the server key pair is not used.

The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some
SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.

The public-key local create dsa command generates only the host key pair. SSH1 does not support the
DSA algorithm.

The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients
require that the length of the key modulus be at least 768 bits on the SSH server side.

Enabling the SSH Server Function

Follow these steps to enable the SSH server function:

To do…

Use the command…

Remarks

Enter system view

system-view

Enable the SSH server function

ssh server enable

Required
Disabled by default

Configuring the User Interfaces for SSH Clients

An SSH client accesses the device through a VTY user interface. Therefore, you need to configure the user

interfaces for SSH clients to allow SSH login. Note that the configuration takes effect only for clients

logging in after the configuration.