Ssh and scp encryption of management messages, Generating rsa host and server keys for ssh access – HP 445946-001 User Manual


Accessing the switch


Applying and saving configuration

Enter the apply and save commands after the command above (scp ad4.cfg 205.178.15.157:putcfg), or use the following commands. You will be prompted for a password.

>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply

>> # scp <local_filename> <user>@<switch IP addr>:putcfg_apply_save

For example:

>> # scp ad4.cfg [email protected]:putcfg_apply

>> # scp ad4.cfg [email protected]:putcfg_apply_save

NOTE:

The diff command is automatically executed at the end of putcfg to notify the remote client of the difference between the new and the current configurations.

putcfg_apply runs the apply command after the putcfg is done.

putcfg_apply_save saves the new configuration to the flash after putcfg_apply is done.

The putcfg_apply and putcfg_apply_save commands are provided because extra apply and save commands are usually required after a putcfg.

SSH and SCP encryption of management messages

The following encryption and authentication methods are supported for SSH and SCP:

Server Host Authentication—Client RSA authenticates the switch at the beginning of every connection

Key Exchange—RSA

Encryption—AES256-CBC, AES192-CBC, 3DES-CBC, 3DES, ARCFOUR

User Authentication—Local password authentication, RADIUS, TACACS+

Generating RSA host and server keys for SSH access

To support the SSH server feature, two sets of RSA keys (host and server keys) are required. The host key is 1024 bits and is used to identify the switch. The server key is 768 bits and is used to make it impossible to decipher a captured session by breaking into the switch at a later time.

When the SSH server is first enabled and applied, the switch automatically generates the RSA host and server keys and stores them in the flash memory.

To configure RSA host and server keys, first connect to the switch through the console connection (these commands are not available via a Telnet connection), and enter the following commands to generate them manually:

>> # /cfg/sys/sshd/hkeygen (Generates the host key)

>> # /cfg/sys/sshd/skeygen (Generates the server key)

These two commands take effect immediately without the need of an apply command.

When the switch reboots, it will retrieve the host and server keys from the flash memory. If these two keys are not available in the flash memory and if the SSH server feature is enabled, the switch automatically generates them during the system reboot. This process may take several minutes to complete.

The switch can also automatically regenerate the RSA server key. To set the interval of RSA server key autogeneration, use the following command:

>> # /cfg/sys/sshd/intrval <number of hours (0-24)>
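The host key described above is what an SSH or SCP client uses to authenticate the switch, so an administrator can check the size of the key a client has recorded for it. The Python code below is an added example, not part of the HP manual: it parses an OpenSSH-style ssh-rsa known_hosts entry and reports the RSA modulus size against a minimum. The 2048-bit threshold, the function names, the constructed sample entry, and the assumption that the client stores the key in this format are not from the manual.

```python
import base64

MIN_RSA_BITS = 2048  # assumed policy threshold, not a value from the manual


def _read_field(blob, offset):
    """Read one SSH length-prefixed field: uint32 big-endian length, then data."""
    end = offset + 4 + int.from_bytes(blob[offset:offset + 4], "big")
    if offset + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def rsa_host_key_bits(known_hosts_line):
    """Return the RSA modulus size in bits for one plain known_hosts entry."""
    fields = known_hosts_line.split()
    if len(fields) < 3 or fields[1] != "ssh-rsa":
        raise ValueError("not an ssh-rsa known_hosts entry")
    blob = base64.b64decode(fields[2], validate=True)
    key_type, pos = _read_field(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside blob does not match")
    _exponent, pos = _read_field(blob, pos)  # public exponent, not needed here
    modulus, pos = _read_field(blob, pos)
    return int.from_bytes(modulus, "big").bit_length()


def audit(known_hosts_line, minimum=MIN_RSA_BITS):
    bits = rsa_host_key_bits(known_hosts_line)
    return {"host": known_hosts_line.split()[0], "bits": bits, "ok": bits >= minimum}


def _mpint(value):
    """Encode a positive integer as an SSH mpint; the extra byte keeps it unsigned."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return len(raw).to_bytes(4, "big") + raw


def make_sample_line(host, bits):
    """Build a CONSTRUCTED entry; the modulus is a placeholder, not a real key."""
    n = (1 << (bits - 1)) | 1
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + _mpint(65537) + _mpint(n)
    return f"{host} ssh-rsa {base64.b64encode(blob).decode()}"


SAMPLE = make_sample_line("205.178.15.157", 1024)  # address from the scp example

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Hashed known_hosts entries and non-RSA key types are rejected with ValueError rather than guessed at.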
