Enabling client public-key authentication – HP 4100GL User Manual

Configuring Secure Shell (SSH)
Further Information on SSH Client Public-Key Authentication

Syntax:

clear crypto public-key

Deletes the client-public-key file from the switch.

Syntax:

clear crypto public-key 3

Deletes the entry with an index of 3 from the client­

public-key file on the switch.

Enabling Client Public-Key Authentication.

After you TFTP a client

-

public-key file into the switch (described above), you can configure the switch
to allow one of the following:

■

If an SSH client’s public key matches the switch’s client-public-key
file, allow that client access to the switch. If there is not a public-key
match, then deny access to that client.

■

If an SSH client’s public key does not have a match in the switch’s
client-public-key file, allow the client access if the user can enter the
switch’s login (Operator) password. (If the switch does not have an
Operator password, then deny access to that client.

Syntax: aaa authentication ssh login public-key none

Allows SSH client access only if the switch detects a
match between the client’s public key and an entry in
the client-public-key file most recently copied into the
switch.

aaa authentication ssh login public-key local

Allows SSH client access if there is a public key match
(see above) or if the client’s user enters the switch’s
login (Operator) password.

With

login public-key local configured, if the switch does not have an Operator

level password, it blocks client public-key access to SSH clients whose private
keys do not match a public key in the switch’s client-public-key file.

C a u t i o n

To enable client public-key authentication to block SSH clients whose public
keys are not in the client-public-key file copied into the switch, you must
configure the Login Secondary as

none. Otherwise, the switch allows such

clients to attempt access using the switch’s Operator password.

4-26