HP A 5120 Manual

SSH server configuration task list:
- Generating a DSA or RSA key pair (Required)
- Enabling the SSH server function (Required)
- Configuring the user interfaces for SSH clients (Required)
- Configuring a client public key (Required for publickey authentication users and optional for password authentication users)
- Configuring an SSH user (Optional)
- Setting the SSH management parameters (Optional)

Generating a DSA or RSA key pair

In the key and algorithm negotiation stage, the DSA or RSA key pair is required to generate the session ID and for the client to authenticate the server.

Follow these steps to generate a DSA or RSA key pair on the SSH server:

1. Enter system view
   Command: system-view
2. Generate a DSA or RSA key pair
   Command: public-key local create { dsa | rsa }
   Remarks: Required. By default, neither a DSA key pair nor an RSA key pair exists.

NOTE:
- For more information about the public-key local create command, see the Security Command Reference.
- To support SSH clients using different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
- The public-key local create rsa command generates a server key pair and a host key pair. Each key pair consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. Because SSH2.0 uses the DH algorithm to generate the session key on the SSH server and client respectively, no session key transmission is required in SSH2.0 and the server key pair is not used.
- The length of the modulus of RSA server keys and host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
- The public-key local create dsa command generates only the host key pair. SSH1 does not support the DSA algorithm.
- The length of the modulus of DSA host keys must be in the range 512 to 2048 bits. Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server side.
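As an added illustration of the modulus limits above (this is not code from the manual or from HP), the following Python reads a public key in the OpenSSH one-line format (an assumed input format; the switch itself takes DER or PKCS files) and classifies its modulus length against the 512 to 2048 bit range and the 768-bit minimum that some SSH2.0 clients need. The sample keys it builds are constructed numbers, not real keys.

```python
import base64
import struct

# Limits stated in the manual: modulus length 512 to 2048 bits, and some
# SSH2.0 clients require at least 768 bits.
MIN_BITS, MAX_BITS, CLIENT_MIN_BITS = 512, 2048, 768


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 length followed by the bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def modulus_bits(public_key_line):
    """Return (key type, modulus bit length) for an OpenSSH public key line.

    For ssh-rsa the modulus is n (the second mpint); for ssh-dss it is the
    prime p (the first mpint)."""
    key_type, b64 = public_key_line.split()[:2]
    blob = base64.b64decode(b64)
    wire_type, offset = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type in line does not match the wire blob")
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, _ = _read_string(blob, offset)
    elif key_type == "ssh-dss":
        modulus, _ = _read_string(blob, offset)
    else:
        raise ValueError("unsupported key type: " + key_type)
    return key_type, int.from_bytes(modulus, "big").bit_length()


def check_key(public_key_line):
    """Classify a key against the manual's limits: 'ok', 'short' (inside the
    range but below 768 bits, so some SSH2.0 clients reject it) or
    'out-of-range' (outside what the switch accepts)."""
    _, bits = modulus_bits(public_key_line)
    if bits < MIN_BITS or bits > MAX_BITS:
        return "out-of-range"
    if bits < CLIENT_MIN_BITS:
        return "short"
    return "ok"


def _mpint(value):
    """Encode a non-negative integer as an SSH mpint (pad if the high bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def constructed_rsa_line(bits):
    """Build an ssh-rsa line whose modulus is exactly `bits` bits long.

    The modulus is a constructed odd number, not a real key; it exists only
    to exercise the checks offline."""
    modulus = (1 << (bits - 1)) | 1
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    for bits in (511, 512, 768, 1024, 2048, 4096):
        print(bits, check_key(constructed_rsa_line(bits)))
```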
Enabling the SSH server function

Follow these steps to enable the SSH server function:

1. Enter system view
   Command: system-view
2. Enable the SSH server function
   Command: ssh server enable
   Remarks: Required. Disabled by default.

Configuring the user interfaces for SSH clients

An SSH client accesses the device through a VTY user interface. You must configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only for clients logging in after the configuration.

Follow these steps to configure the protocols that the current user interface supports:

1. Enter system view
   Command: system-view
2. Enter user interface view of one or more user interfaces
   Command: user-interface vty number [ ending-number ]
3. Set the login authentication mode to scheme
   Command: authentication-mode scheme
   Remarks: Required. By default, the authentication mode is password.
4. Configure the user interface(s) to support SSH login
   Command: protocol inbound { all | ssh }
   Remarks: Optional. All protocols are supported by default.

CAUTION:
- For more information about the authentication-mode and protocol inbound commands, see the Fundamentals Command Reference.
- If you configure a user interface to support SSH, be sure to configure the corresponding authentication mode with the authentication-mode scheme command.
- For a user interface configured to support SSH, you cannot change the authentication mode. To change the authentication mode, undo the SSH support configuration first.
Configuring a client public key

NOTE:
This configuration task is only necessary for SSH users using publickey authentication.

For each SSH user that uses publickey authentication to log in, you must configure the client's DSA or RSA host public key on the server, and configure the client to use the corresponding host private key.

To configure the public key of an SSH client, you can configure it manually or import it from the public key file:
- Configure it manually: You can input or copy the public key to the SSH server. The public key must be in the distinguished encoding rules (DER) encoding format and must not have been converted.
- Import it from the public key file: During the import process, the system automatically converts the public key to a string coded using the Public Key Cryptography Standards (PKCS). Before importing the public key, you must upload the public key file (in binary) to the local host through FTP or TFTP.

CAUTION:
- HP recommends that you configure a client public key by importing it from a public key file.
- You can configure up to 20 client public keys on an SSH server.
Configuring a client public key manually

Follow these steps to configure the client public key manually:

1. Enter system view
   Command: system-view
2. Enter public key view
   Command: public-key peer keyname
3. Enter public key code view
   Command: public-key-code begin
4. Configure a client public key
   Command: Enter the content of the public key
   Remarks: Required. Spaces and carriage returns are allowed between characters.
5. Return from public key code view to public key view
   Command: public-key-code end
   Remarks: When you exit public key code view, the system automatically saves the public key.
6. Return from public key view to system view
   Command: peer-public-key end

Importing a client public key from a public key file

Follow these steps to import a public key from a public key file:

1. Enter system view
   Command: system-view
2. Import the public key from a public key file
   Command: public-key peer keyname import sshkey filename
   Remarks: Required.

NOTE:
For more information about client side public key configuration and the relevant commands, see the Security Configuration Guide.
Configuring an SSH user

This configuration allows you to create an SSH user and specify the service type and authentication method. An SSH user's service type can be Secure Telnet (Stelnet) or Secure FTP (SFTP). For more information about Stelnet, see "SSH2.0 overview." For more information about SFTP, see the chapter "SFTP configuration."

To use publickey authentication, you must configure the user account and the user's public key on the SSH server. To use password authentication, you can configure the user account on either the device or the remote authentication server, such as a RADIUS authentication server.

Follow these steps to configure an SSH user and specify the service type and authentication mode:

1. Enter system view
   Command: system-view
2. Create an SSH user, and specify the service type and authentication mode (Required; use either command)
   For Stelnet users:
   ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
   For all users or SFTP users:
   ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }

CAUTION:
- A user without an SSH account can still pass password authentication and log in to the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH.
- An SSH server supports up to 1024 SSH users.
- For successful login through SFTP, you must set the user service type to sftp or all.
- SSH1 does not support the service type sftp. If the client uses SSH1 to log in to the server, you must set the service type to stelnet or all on the server.
- An SFTP user's working folder depends on the authentication method. For a user using only password authentication, the working folder is the AAA authorized one. For a user using only publickey authentication or using both the publickey and password authentication methods, the working folder is the one set by using the ssh user command.
- You can change the authentication method and public key of an SSH user when the user is communicating with the SSH server, but your changes take effect only after the user logs out and logs in again.

NOTE:
- With publickey authentication, which commands a user can use after login depends on the user privilege level, which is configured with the user privilege level command on the user interface.
- With password authentication, which commands a user can use after login depends on AAA authorization.
Setting the SSH management parameters

SSH management includes:
- Enabling the SSH server to be compatible with SSH1 client
- Setting the RSA server key pair update interval, applicable to users using SSH1 client
- Setting the SSH user authentication timeout period
- Setting the maximum number of SSH authentication attempts

Setting these parameters can help avoid malicious guessing at and cracking of the keys and usernames, securing your SSH connections.

Follow these steps to set the SSH management parameters:

1. Enter system view
   Command: system-view
2. Enable the SSH server to support SSH1 clients
   Command: ssh server compatible-ssh1x enable
   Remarks: Optional. By default, the SSH server supports SSH1 clients.
3. Set the RSA server key pair update interval
   Command: ssh server rekey-interval hours
   Remarks: Optional. By default, the interval is 0, and the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period
   Command: ssh server authentication-timeout time-out-value
   Remarks: Optional. 60 seconds by default.
5. Set the maximum number of SSH authentication attempts
   Command: ssh server authentication-retries times
   Remarks: Optional. 3 by default.

NOTE:
Authentication will fail if the number of authentication attempts, including both publickey and password authentication, exceeds that specified in the ssh server authentication-retries command.
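As an added example (not from the manual or from HP), the following Python audits a constructed configuration excerpt laid out like the output of the Comware display current-configuration command and reports deviations from the rules stated in this section and in the SSH server and user-interface sections: the server must be enabled, retry and timeout limits widened beyond their defaults and explicit SSH1 compatibility are reported, and every VTY block must use scheme authentication and protocol inbound ssh. The section layout and command spellings are assumed to match what the switch prints.

```python
import re

# Defaults stated in the manual.
DEFAULT_RETRIES, DEFAULT_TIMEOUT = 3, 60

# Constructed excerpt in the layout of Comware "display current-configuration"
# output (not from the manual): "#" separates sections, view headers are
# unindented, commands inside a view or at global level are indented.
SAMPLE_CONFIG = """\
#
 ssh server enable
 ssh server authentication-retries 5
 ssh server authentication-timeout 120
 ssh server compatible-ssh1x enable
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
user-interface vty 5 15
 authentication-mode password
#
"""


def parse_sections(config_text):
    """Split the config into (header, [commands]) pairs; global commands use header ''."""
    sections, header, commands = [], "", []
    for line in map(str.rstrip, config_text.splitlines()):
        if line == "#":
            if header or commands:
                sections.append((header, commands))
            header, commands = "", []
        elif line.startswith(" "):
            commands.append(line.strip())
        elif line:
            header = line
    if header or commands:
        sections.append((header, commands))
    return sections


def audit(config_text):
    """Return findings: server not enabled, limits above default, SSH1 compatibility
    explicitly on, and VTYs without scheme authentication or not limited to SSH."""
    sections = parse_sections(config_text)
    global_cmds = [c for h, cmds in sections if h == "" for c in cmds]
    findings = []
    if "ssh server enable" not in global_cmds:
        findings.append("SSH server is not enabled (disabled by default)")
    for cmd in global_cmds:
        m = re.match(r"ssh server authentication-retries (\d+)$", cmd)
        if m and int(m.group(1)) > DEFAULT_RETRIES:
            findings.append(f"authentication-retries {m.group(1)} exceeds the default {DEFAULT_RETRIES}")
        m = re.match(r"ssh server authentication-timeout (\d+)$", cmd)
        if m and int(m.group(1)) > DEFAULT_TIMEOUT:
            findings.append(f"authentication-timeout {m.group(1)}s exceeds the default {DEFAULT_TIMEOUT}s")
        if cmd == "ssh server compatible-ssh1x enable":
            findings.append("SSH1 client compatibility is explicitly enabled")
    for header, commands in sections:
        if header.startswith("user-interface vty"):
            if "authentication-mode scheme" not in commands:
                findings.append(header + ": authentication mode is not scheme")
            if "protocol inbound ssh" not in commands:
                findings.append(header + ": not restricted to SSH (all protocols allowed by default)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Because the manual says SSH1 support is on by default, the absence of the compatible-ssh1x line is not a clean result; the audit only reports it when it is written out explicitly.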
Configuring the device as an SSH client

SSH client configuration task list

Complete the following tasks to configure an SSH client:
- Specifying a source IP address/interface for the SSH client (Optional)
- Configuring whether first-time authentication is supported (Optional)
- Establishing a connection between the SSH client and server (Required)

Specifying a source IP address/interface for the SSH client

This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.

1. Enter system view
   Command: system-view
2. Specify a source IP address or interface for the SSH client (Required; select either approach)
   For a source IPv4 address or interface:
   ssh client source { ip ip-address | interface interface-type interface-number }
   For a source IPv6 address or interface:
   ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
   Remarks: By default, an SSH client uses the IP address of the interface specified by the route of the device to access the SSH server.

Configuring whether first-time authentication is supported

When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
- With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server and save the host public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server.
- Without first-time authentication, a client not configured with the server host public key will refuse to access the server. To enable the client to access the server, you must configure the server host public key and specify the public key name for authentication on the client in advance.
Enable the device to support first-time authentication

Follow these steps to enable the device to support first-time authentication:

1. Enter system view
   Command: system-view
2. Enable the device to support first-time authentication
   Command: ssh client first-time enable
   Remarks: Optional. By default, first-time authentication is supported on a client.

Disable first-time authentication

For successful authentication of an SSH client not supporting first-time authentication, the server host public key must be configured on the client and the public key name must be specified.

Follow these steps to disable first-time authentication:

1. Enter system view
   Command: system-view
2. Disable first-time authentication support
   Command: undo ssh client first-time
   Remarks: Required. By default, first-time authentication is supported on a client.
3. Configure the server host public key
   Command: See "Configuring a client public key."
   Remarks: Required. The method for configuring the server host public key on the client is similar to that for configuring a client public key on the server.
4. Specify the host public key name of the server
   Command: ssh client authentication server server assign publickey keyname
   Remarks: Required.

Establishing a connection between the SSH client and server

Follow these steps to establish the connection between the SSH client and the server:

Establish a connection between the SSH client and the server, and specify the public key algorithm, preferred encryption algorithm, preferred HMAC algorithm and preferred key exchange algorithm (Required; use either command in user view):
For an IPv4 server:
ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
For an IPv6 server:
ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

Displaying and maintaining SSH

All of the following display commands are available in any view.

- Display the source IP address or interface currently set for the SFTP client
  Command: display sftp client source [ | { begin | exclude | include } regular-expression ]
- Display the source IP address or interface currently set for the SSH client
  Command: display ssh client source [ | { begin | exclude | include } regular-expression ]
- Display SSH server status information or session information on an SSH server
  Command: display ssh server { status | session } [ | { begin | exclude | include } regular-expression ]
- Display the mappings between SSH servers and their host public keys saved on an SSH client
  Command: display ssh server-info [ | { begin | exclude | include } regular-expression ]
- Display information about a specified or all SSH users on the SSH server
  Command: display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
- Display the public keys of the local key pairs
  Command: display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
- Display the public keys of the SSH peers
  Command: display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]

NOTE:
For more information about the display public-key local and display public-key peer commands, see the Security Command Reference.
SSH server configuration examples

When switch acts as server for password authentication

Network requirements

As shown in Figure 58, an SSH connection is required between the host and the switch for secure data exchange. Use password authentication and configure a username and password for the host on the switch.

Figure 58 Switch acts as server for password authentication
[Figure 58 labels: Host (SSH client) 192.168.0.2/24 connected to Switch (SSH server) Vlan-int1 192.168.0.1/24]

Configuration procedure

1. Configure the SSH server
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server.
[Switch] ssh server enable
# Configure an IP address for VLAN-interface 1. This address will serve as the destination of the SSH connection.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface1] quit
    # Set the authentication mode for the user interfaces to AAA. 
    [Switch] user-interface vty 0 4 
    [Switch-ui-vty0-4] authentication-mode scheme 
    # Enable the user interfaces to support SSH. 
    [Switch-ui-vty0-4] protocol inbound ssh 
    [Switch-ui-vty0-4] quit 
# Create local user client001, and set the user command privilege level to 3.
    [Switch] local-user client001 
    [Switch-luser-client001] password simple aabbcc 
    [Switch-luser-client001] service-type ssh 
    [Switch-luser-client001] authorization-attribute level 3 
    [Switch-luser-client001] quit 
# Specify the service type for user client001 as stelnet, and the authentication method as password. This step is optional.
[Switch] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection between the SSH client and the SSH server

NOTE:
The device supports many types of SSH client software, such as PuTTY and OpenSSH. The following is an example of configuring the SSH client using PuTTY Version 0.58.

# Establish a connection to the SSH server.
Launch PuTTY.exe to enter the following interface. In the Host Name or IP address text box, enter the IP address of the server, 192.168.1.40.

Figure 59 SSH client configuration interface

Click Open to connect to the server. If the connection is normal, you will be prompted to enter the username and password. After entering the username client001 and password aabbcc, you can enter the configuration interface of the server.

When switch acts as server for publickey authentication

Network requirements

As shown in Figure 60, an SSH connection is required between the host and the switch for secure data exchange. Use publickey authentication and the RSA public key algorithm.

Figure 60 Switch acts as server for publickey authentication
[Figure 60 labels: Host (SSH client) 192.168.1.56/24 connected to Switch (SSH server) Vlan-int1 192.168.1.40/24]

Configuration procedure

NOTE:
During SSH server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SSH server.