HP ProCurve 2500 User Manual

Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
With steps 1 - 3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public-keys. After the client gains login access, the switch controls client access to the manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.
Syntax:
copy tftp pub-key-file < ip-address > < filename >
    Copies a public key file into the switch.
aaa authentication ssh login rsa < local | none >
    Configures the switch to authenticate a client public-key at the login level with an optional secondary password method (default: none).
Caution
To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login rsa to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.
aaa authentication ssh enable < local | tacacs | radius > < local | none >
    Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
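One way to check a saved configuration for the condition the Caution describes, as an added example that is not part of the HP manual. It assumes the configuration text stores the two aaa authentication ssh commands in the same form as the syntax above and that the last matching line wins; the function names and sample configurations are constructed for illustration.

```python
import re

# Command forms come from the Syntax section; that a saved configuration
# stores them verbatim is an assumption of this example.
LINE = re.compile(r"^\s*aaa\s+authentication\s+ssh\s+(login\s+rsa|enable)\b(.*)$", re.I)
SECONDARY = {"local", "none"}
ENABLE_PRIMARY = {"local", "tacacs", "radius"}

def ssh_auth_settings(config_text):
    """Return the effective SSH login/enable methods (last matching line wins)."""
    settings = {"login_secondary": None, "enable": None}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        args = m.group(2).lower().split()
        if m.group(1).lower().startswith("login"):
            secondary = args[0] if args else "none"  # documented default
            if len(args) > 1 or secondary not in SECONDARY:
                raise ValueError("unexpected login method: " + line.strip())
            settings["login_secondary"] = secondary
        else:
            if not 1 <= len(args) <= 2 or args[0] not in ENABLE_PRIMARY:
                raise ValueError("unexpected enable method: " + line.strip())
            secondary = args[1] if len(args) == 2 else "none"  # documented default
            if secondary not in SECONDARY:
                raise ValueError("unexpected enable method: " + line.strip())
            settings["enable"] = (args[0], secondary)
    return settings

def audit(config_text):
    """List findings tied to the Caution: password fallback at the login level."""
    s = ssh_auth_settings(config_text)
    findings = []
    if s["login_secondary"] is None:
        findings.append("no 'aaa authentication ssh login rsa' line: key-only login not confirmed")
    elif s["login_secondary"] != "none":
        findings.append("login rsa secondary is '%s': a client without the correct "
                        "public key can log in with a local password" % s["login_secondary"])
    if s["enable"] is None:
        findings.append("no 'aaa authentication ssh enable' line found")
    return findings

# Constructed sample configurations (not captured from a switch).
WEAK = "aaa authentication ssh login rsa local\naaa authentication ssh enable tacacs local\n"
STRICT = "aaa authentication ssh login rsa none\naaa authentication ssh enable tacacs local\n"

if __name__ == "__main__":
    print(audit(WEAK), audit(STRICT))
```
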
For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "1eader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following: