Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
SSH Client Contact Behavior.
At the first contact between the switch and
an SSH client, if the switch’s public key has not been copied into the client,
then the client’s first connection to the switch will question the connection
and, for security reasons, provide the option of accepting or refusing. If it is
safe to assume that an unauthorized device is not using the switch’s IP address
in an attempt to gain access to the client’s data or network, the connection
can be accepted. (As a more secure alternative, the client can be directly
connected to the switch’s serial port to download the switch’s public key into
the client. See the following Note.)
N o t e
When an SSH client connects to the switch for the first time, it is possible for
a "man-in-the-middle" attack; that is, for an unauthorized device to pose
undetected as the switch, and learn the usernames and passwords controlling
access to the switch. This possibility can be removed by directly connecting
the management station to the switch’s serial port, using a
show
command to
display the switch’s public key, and copying the key from the display into a
file. This requires a knowledge of where the client stores public keys, plus the
knowledge of what key editing and file format might be required by the client
application. However, if the first contact attempt between a client and the
switch does not pose a security problem, this is unnecessary.
To enable SSH on the switch.
1. Generate a public/private key pair if you have not already done so. (Refer
to “2. Generating the Switch’s Public and Private Key Pair” on page 7-10.)
2. Execute the
ip ssh
command.
To disable SSH on the switch, do either of the following:
■
Execute
no ip ssh
.
■
Zeroize the switch’s existing key pair. (page 7-11).
Syntax:
[no] ip ssh
Enables or disables SSH on the switch.
[key-size < 512 | 768 | 1024 >] Version 1 only
The size of the internal, automatically generated key
the switch uses for negotiations with an SSH client. A
larger key provides greater security; a smaller key
results in faster authentication (default: 512 bits).
7-16
Summary of Contents for J8697A
Page 1: ...6200yl Access Security Guide 5400zl 3500yl ProCurve Switches K 11 XX www procurve com ...
Page 2: ......
Page 22: ...Product Documentation Feature Index xx ...
Page 55: ...Configuring Username and Password Security Front Panel Security 2 21 ...
Page 56: ...Configuring Username and Password Security Front Panel Security 2 22 ...
Page 58: ...Virus Throttling Contents Operating Notes 3 30 Connection Rate Log and Trap Messages 3 31 3 2 ...
Page 88: ...Virus Throttling Connection Rate Log and Trap Messages This page is intentionally unused 3 32 ...
Page 118: ...Web and MAC Authentication Client Status This page intentionally unused 4 30 ...
Page 356: ...Configuring and Monitoring Port Security Operating Notes for Port Security 11 44 ...
Page 370: ...Using Authorized IP Managers Operating Notes This page is intentionally unused 12 14 ...
Page 388: ...10 Index ...
Page 389: ......