HP 4100GL User Manual

Configuring Secure Shell (SSH)

Configuring the Switch for SSH Operation

Configures a password method for the primary and
secondary enable (Manager) access. If you do not spec­
ify an optional secondary method, it defaults to

none.

Option B: Configuring the Switch for Client Public-Key SSH
Authentication.

If configured with this option, the switch uses its public

key to authenticate itself to a client, but the client must also provide a client
public-key for the switch to authenticate. This option requires the additional
step of copying a client public-key file from a TFTP server into the switch. This
means that before you can use this option, you must:

1. Create a key pair on an SSH client.

2.

Copy the client’s public key into a public-key file (which can contain up
to ten client public-keys).

3.

Copy the public-key file into a TFTP server accessible to the switch and
download the file to the switch.

(For more on these topics, refer to “Further Information on SSH Client Public-
Key Authentication” on page 4-22.)

With steps 1 - 3, above, completed and SSH properly configured on the switch,
if an SSH client contacts the switch, login authentication automatically occurs
first, using the switch and client public-keys. After the client gains login
access, the switch controls client access to the manager level by requiring the
passwords configured earlier by the

aaa authentication ssh enable command.

Syntax: copy tftp pub-key-file < ip-address > < filename >

Copies a public key file into the switch.

aaa authentication ssh login public-key

Configures the switch to authenticate a client public­
key at the login level with an optional secondary pass­
word method (default:

none).

C a u t i o n

To allow SSH access only to clients having the correct public key, you must
configure the secondary (password) method for

login public-key to none.

Otherwise a client without the correct public key can still gain entry by
submitting a correct local login password.

4-19