Generating a dsa or rsa key pair, Enabling the ssh server function, Configuring the user interfaces for ssh clients – H3C Technologies H3C SecPath F1000-E User Manual
Generating a DSA or RSA Key Pair
In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session
ID and for the client to authenticate the server.
Follow these steps to generate a DSA or RSA key pair on the SSH server:
To do…                          Use the command…                       Remarks
Enter system view               system-view                            —
Generate a DSA or RSA key pair  public-key local create { dsa | rsa }  Required. By default, there is neither DSA key pair nor RSA key pair.
NOTE:
• For more information about the public-key local create command, see Public Key Commands in the Security Volume.
• It is recommended that you generate both DSA and RSA key pairs on the SSH server to support SSH clients using different types of key pairs.
• The public-key local create rsa command generates two RSA key pairs: a server key pair and a host key pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2.0 uses the DH algorithm to generate the session key on the SSH server and client respectively, no session key transmission is required in SSH2.0 and the server key pair is not used.
• The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
• The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
• The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
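The modulus-length notes above can be verified from the client side by decoding the host public key. The following is an added example, not part of the H3C manual: it parses a public key line in OpenSSH format (an assumed input format), reads the RSA modulus n or the DSA modulus p from the RFC 4253 key blob, and compares its length with the 512 to 2048 range and the 768-bit floor stated above. All function names are hypothetical and the sample keys are constructed.

```python
import base64
import struct

# Thresholds come from the notes above; all function names are hypothetical.
RANGE_MIN, RANGE_MAX, CLIENT_MIN = 512, 2048, 768

def read_string(blob, off):
    """Read one RFC 4251 string: uint32 length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated field")
    return blob[off + 4:off + 4 + n], off + 4 + n

def modulus_bits(pubkey_line):
    """Return (key type, modulus bit length) for a 'type base64 [comment]' line."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    raw_type, off = read_string(blob, 0)
    ktype = raw_type.decode("ascii")
    # ssh-rsa blob: type, e, n (modulus is the 2nd mpint).
    # ssh-dss blob: type, p, q, g, y (modulus p is the 1st mpint).
    skip = {"ssh-rsa": 1, "ssh-dss": 0}.get(ktype)
    if skip is None:
        raise ValueError("unsupported key type: " + ktype)
    for _ in range(skip + 1):
        mpint, off = read_string(blob, off)
    return ktype, int.from_bytes(mpint, "big").bit_length()

def check(pubkey_line):
    """Classify a host key against the 512-2048 range and the 768-bit client floor."""
    ktype, bits = modulus_bits(pubkey_line)
    if not RANGE_MIN <= bits <= RANGE_MAX:
        return ktype, bits, "outside 512-2048 range"
    if bits < CLIENT_MIN:
        return ktype, bits, "below 768 bits"
    return ktype, bits, "ok"

def build_sample(ktype, *ints):
    """Build a structurally valid (not cryptographically real) public key line."""
    body = struct.pack(">I", len(ktype)) + ktype.encode()
    for v in ints:  # minimal mpint: a leading zero byte only when the top bit is set
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")
        body += struct.pack(">I", len(raw)) + raw
    return f"{ktype} {base64.b64encode(body).decode()} constructed-sample"

# Constructed inputs, labelled as such: the moduli are not real primes or RSA moduli.
SAMPLE_RSA_512 = build_sample("ssh-rsa", 65537, (1 << 511) | 1)
SAMPLE_DSA_1024 = build_sample("ssh-dss", (1 << 1023) | 1, (1 << 159) | 1, 2, 3)
```

Calling check(SAMPLE_RSA_512) reports a key that is inside the configurable range but under the 768-bit floor, which is the case the notes say some SSH2.0 clients reject.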
Enabling the SSH Server Function
Follow these steps to enable the SSH server function:
To do…                          Use the command…   Remarks
Enter system view               system-view        —
Enable the SSH server function  ssh server enable  Required. Disabled by default.
Configuring the User Interfaces for SSH Clients
An SSH client accesses the device through a VTY user interface. Therefore, you need to configure the user
interfaces for SSH clients to allow SSH login. Note that the configuration takes effect only for clients
logging in after the configuration.