HP 5500 Ei 5500 Si Switch Series Configuration Guide
Page 1951
Configuring SSH2.0
Overview
Introduction to SSH2.0
Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The switch can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server....
Page 1952
secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging.
4. After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the server’s protocol version is lower and supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the...
Page 1953
its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server sends a message to the client to inform it of the authentication result. The switch supports using the publickey algorithms RSA and DSA for digital signature.
An SSH2.0 server might require the client to pass both password...
Page 1954
SSH connection across VPNs (available only on the HP 5500 EI)
With this function, you can configure the device as an SSH client to establish connections with SSH servers in different VPNs. As shown in Figure 100, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated. After an HP 5500 EI switch that acts as an MCE device is enabled with the SSH client...
Page 1955
To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
Generating procedure
To generate DSA or RSA key pairs on the SSH server:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Generate DSA or RSA key pairs.
    Command: public-key local create { dsa | rsa }
    Remarks: By default, neither DSA nor RSA key pairs exist.
Commands for generating DSA or RSA key pairs
The public-key local create rsa command generates a server RSA...
Page 1956
Configuration procedure
To configure the protocols for a user interface to support:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enter user interface view of one or more user interfaces.
    Command: user-interface vty number [ ending-number ]
    Remarks: N/A
Step 3. Set the login authentication mode to scheme.
    Command: authentication-mode scheme
    Remarks: By default, the authentication mode is password.
Step 4. Configure the user interface(s) to support SSH login.
    Command: protocol inbound { all | ssh }...
Page 1957
Step 6. Return to system view.
    Command: peer-public-key end
    Remarks: N/A
Importing a client public key from a public key file
Step 1. Enter system view.
    Command: system-view
Step 2. Import the public key from a public key file.
    Command: public-key peer keyname import sshkey filename
For more information about client public key configuration, see Managing public keys.
Configuring an SSH user
To configure an SSH user that uses publickey authentication, you must perform the procedure in this...
Page 1958
• If you change the authentication mode or public key for an SSH user that has been logged in, the change can take effect only at the next login of the user.
Configuration procedure
To configure an SSH user and specify the service type and authentication method:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create an SSH user, and specify the service type and authentication method.
    Command:
    • For Stelnet users: ssh user username service-type stelnet authentication-type...
Page 1959
Step 3. Set the RSA server key pair update interval.
    Command: ssh server rekey-interval hours
    Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
Step 4. Set the SSH user authentication timeout period.
    Command: ssh server authentication-timeout time-out-value
    Remarks: Optional. 60 seconds by default.
Step 5. Set the maximum number of SSH authentication attempts.
    Command: ssh server authentication-retries times
    Remarks: Optional. 3 by default.
Setting the DSCP value for...
Page 1960
Step 2. Specify a source IP address or interface for the SSH client.
    Command:
    • Specify a source IPv4 address or interface for the SSH client: ssh client source { ip ip-address | interface interface-type interface-number }
    • Specify a source IPv6 address or interface for the SSH client: ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
    Remarks: Select either approach. By default, an SSH client uses the IP address of...