HP ProCurve 2500 User Manual
Enhancements in Release F.04.08
Configuring Secure Shell (SSH)
With steps 1-3, above, completed and SSH properly configured on the switch, if an SSH client contacts the switch, login authentication automatically occurs first, using the switch and client public keys. After the client gains login access, the switch controls client access to the Manager level by requiring the passwords configured earlier by the aaa authentication ssh enable command.
Syntax:

  copy tftp pub-key-file <ip-address> <filename>
      Copies a public key file into the switch.

  aaa authentication ssh login rsa <local | none>
      Configures the switch to authenticate a client public key at the login level, with an optional secondary password method (default: none).

  Caution: To allow SSH access only to clients having the correct public key, you must configure the secondary (password) method for login rsa to none. Otherwise a client without the correct public key can still gain entry by submitting a correct local login password.

  aaa authentication ssh enable <local | tacacs | radius> <local | none>
      Configures a password method for the primary and secondary enable (Manager) access. If you do not specify an optional secondary method, it defaults to none.
For example, assume that you have a client public-key file named Client-Keys.pub (on a TFTP server at 10.33.18.117) ready for downloading to the switch. For SSH access to the switch you want to allow only clients having a private key that matches a public key found in Client-Keys.pub. For Manager-level (enable) access for successful SSH clients you want to use TACACS+ for primary password authentication and local for secondary password authentication, with a Manager username of "1eader" and a password of "m0ns00n". To set up this operation you would configure the switch in a manner similar to the following:
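The point of the caution above is that the secondary method is a fallback, not a second factor: with login rsa local, a client that has no valid key is still admitted on the local password alone. The following is an added audit script, not part of the manual or of any HP tool; it parses the two aaa authentication ssh forms shown in the syntax above from a constructed running-config excerpt, models the login decision the caution describes, and flags the weak setting. The config lines are constructed for illustration.

```python
"""Audit 'aaa authentication ssh' lines for the key-or-password fallback pitfall."""
import re

# Grammar follows the syntax listed on this page; the secondary method is optional.
LOGIN_RE = re.compile(r"^aaa authentication ssh login rsa(?: (local|none))?$")
ENABLE_RE = re.compile(r"^aaa authentication ssh enable (local|tacacs|radius)(?: (local|none))?$")

# Constructed running-config excerpt (hypothetical, not taken from the manual).
SAMPLE_CONFIG = """\
; constructed excerpt
aaa authentication ssh login rsa local
aaa authentication ssh enable tacacs local
"""


def parse_ssh_auth(config_text):
    """Return {'login': (primary, secondary), 'enable': (primary, secondary)}.

    An omitted secondary method is recorded as 'none', the switch default.
    """
    policy = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = LOGIN_RE.match(line)
        if m:
            policy["login"] = ("rsa", m.group(1) or "none")
            continue
        m = ENABLE_RE.match(line)
        if m:
            policy["enable"] = (m.group(1), m.group(2) or "none")
    return policy


def login_allowed(policy, has_valid_key, password_ok):
    """Login level: the public key is checked first; the secondary method is
    only a fallback that is consulted when the key check fails."""
    _primary, secondary = policy.get("login", ("rsa", "none"))
    if has_valid_key:
        return True
    return secondary == "local" and password_ok


def audit(policy):
    """List findings for settings that weaken key-only SSH login."""
    findings = []
    if policy.get("login", ("rsa", "none"))[1] != "none":
        findings.append("login rsa: secondary is 'local'; a client without the "
                        "public key can still log in with the local password")
    return findings
```

Run audit(parse_ssh_auth(text)) over a saved running-config; an empty list means login rsa is key-only, as the caution requires.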