Configuring Secure Shell (SSH)
Configuring the Switch for SSH Operation
hosts file, note that the formatting and comments need not match. For version
1 keys, the three numeric values bit size, exponent <e>, and modulus <n> must
match; for PEM keys, only the PEM-encoded string itself must match.
Notes "Zeroizing" the switch’s key automatically disables SSH (sets ip ssh to no).
Thus, if you zeroize the key and then generate a new key, you must also re-
enable SSH with the ip ssh command before the switch can resume SSH
operation.
Configuring Key Lengths
The crypto key generate ssh command allows you to specify the type and length
of the generated host key. The size of the host key is platform-dependent as
different switches have different amounts of processing power. The size is
represented by the <keysize> parameter and has the values shown in
Table 7-2. The default value is used if keysize is not specified.
Table 7-2. RSA/DSA Values for Various ProCurve Switches
Platform Maximum RSA Key Size (in bits) DSA Key Size (in bits)
5400/3500/6200/8200/2910 1024, 2048, 3072 1024
Default: 2048
4200/2900/2810/2610/2510 1024, 2048 1024
Default: 2048
5300/2800/3400/2600 896 512
3. Providing the Switch’s Public Key to Clients
When an SSH client contacts the switch for the first time, the client will
challenge the connection unless you have already copied the key into the
client’s "known host" file. Copying the switch’s key in this way reduces the
chance that an unauthorized device can pose as the switch to learn your access
passwords. The most secure way to acquire the switch’s public key for
distribution to clients is to use a direct, serial connection between the switch
and a management device (laptop, PC, or UNIX workstation), as described
below.
7-12
