Generating local dsa or rsa key pairs, Configuration guidelines, Configuration procedure – H3C Technologies H3C SecPath F1000-E User Manual
Task                                     | Remarks
Configuring a client's host public key   | Required for publickey authentication users and optional for password authentication users
                                         | Optional
Setting the SSH management parameters    | Optional
Generating local DSA or RSA key pairs
In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session
key and session ID and for the client to authenticate the server.
Configuration guidelines
Follow these guidelines when you use the command to generate the DSA or RSA key pair:
• In FIPS mode, the device does not support the DSA key pair.
• To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
• The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each key pair consists of a public key and a private key. The public key in the server key pair is used only in SSH1, where the client encrypts the session key with it for transmission. SSH2 derives the session key on the server and the client independently with the Diffie-Hellman (DH) algorithm, so no session key is transmitted and the server key pair is not used.
• The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH clients require that the key modulus on the SSH server side be at least 768 bits. Note that 512-bit and 768-bit RSA moduli have been publicly factored and provide no real protection; generate 2048-bit keys (the longest this command accepts) unless a client is known to be unable to handle them.
• The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
• The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH clients require that the key modulus on the SSH server side be at least 768 bits. The same caution applies: use 2048 bits. Also be aware that recent OpenSSH clients disable the ssh-dss host key algorithm by default, so most clients will end up authenticating the server with its RSA host key.
Configuration procedure
To generate local DSA or RSA key pairs on the SSH server:
Step                                     | Command                                 | Remarks
1. Enter system view.                    | system-view                             | N/A
2. Generate local DSA or RSA key pairs.  | public-key local create { dsa | rsa }   | By default, neither DSA nor RSA key pairs exist.
For more information about the public-key local create command, see VPN Command Reference.
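The two steps above, followed by the step that the next section covers (enabling the SSH server), as one added CLI session. This example is not part of the original manual. The device name Sysname is a placeholder, and the prompt and progress lines are abbreviated from typical Comware V5 behaviour; their exact wording varies by software release, so treat them as assumed, and lines consisting of "..." stand for elided output. The point to notice is the interactive modulus prompt: accepting the default modulus yields a weaker key than typing 2048, and the display command afterwards confirms what was actually generated.

```console
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
...
[Sysname] public-key local create dsa
The range of public key size is (512 ~ 2048).
...
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
...
[Sysname] display public-key local rsa public
...
[Sysname] ssh server enable
```

Skip the dsa step on a device running in FIPS mode, where the DSA key pair is not supported. Record the host public key shown by the display command and give it to the people who operate the SSH clients, since this is the key those clients use to authenticate the server on first connection.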
Enabling the SSH server function
Step                                     | Command                                 | Remarks
1. Enter system view.                    | system-view                             | N/A