SSH Client provides a method for establishing a secure session from one HP switch to another. In addition to providing secure sessions, SFTP is enhanced to allow bidirectional secure copying of files between a switch and an SFTP server, initiated from the switch with the copy command. The SFTP server can be another switch or a workstation/server with a running SSH server that supports SFTP.
Each switch with the SSH Client feature will have a known hosts file that can contain the public key from switches and servers that have been determined to be genuine. New public keys can be added to the known hosts file when new SSH servers are contacted, up to a maximum of 10 entries (if memory allows). The known hosts file can also be copied to another switch or to a server where it can be edited.
NOTE: You must be in manager context to use this SSH and SFTP feature.
To initiate an SSH client session to another network device, use the following command, executed in the manager context.
Syntax:
Enables an SSH client to open a secure session to an HP switch. Opening secure sessions to devices other than HP switches is not supported.
[user <username>|<username@>]: Optional, the username on the destination (remote) system. Usernames for operator and manager must be configured. If <username@> is specified, enter the remote system information as either a hostname, an IPv4 address or an IPv6 address. If no username is configured, the username of the current login is used. There will be a prompt for a password if needed.
hostname: Hostname of the remote system.
IPv4: IPv4 address of the remote system.
IPv6: IPv6 address of the remote system.
[port <1-65535>]: The TCP port running the SSH server on the remote system. If no port number is specified, the default port 22 is used.
- The SSH server may challenge the client to authenticate itself, depending on the authentication methods configured on the destination SSH server. The client first tries the "none" method of authentication; if that is unsuccessful, it examines the list of supported authentication methods from the server, if provided. If the server does not provide such a list, all methods of authentication are tried in the following order until the session is successfully opened or rejected by the server:
  - During "public-key" authentication, the client must use its private key to authenticate itself to the server. There can be only one key pair on the switch for the manager.
  - The private key should be passphrase protected for highest security; the user is prompted to enter the passphrase.
  - The private key can be configured by copying it to the SSH client switch, using the copy command.
  - If the public-key authentication fails or the client has not been configured with a key pair, the "password" method of authentication is used and the user is prompted for a password.
- Successful TACACS or RADIUS logins give the user either operator or manager privileges. This is important if there are chained SSH sessions.
Only one SSH client key for authenticating the manager is allowed on a switch. The copy command allows you to copy the client key files using sftp, tftp, usb or xmodem; the sftp transport provides encryption and authentication through SSH. There is no way to generate the private key on the switch; it must be copied onto the switch.
To load the client's private key onto the switch, use one of the following commands:
Syntax:
copy sftp ssh-client-key [user <username>|<username@>] <hostname|IPv4|IPv6> <private-key-filename> [port <tcp-port-num>]
Copies the client key file <private-key-filename> onto the switch.
ssh-client-key: The client key file being copied to the switch. The file must contain an RSA or DSA key.
[user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the SFTP or TFTP server.
IPv4: Specifies the SFTP or TFTP server's IPv4 address.
IPv6: Specifies the SFTP or TFTP server's IPv6 address.
<private-key-filename>: The remote filename containing the key.
[port <tcp-port-num>]: TCP port of the SSH server on the remote system.
The copied private key is stored in the ssh directory of the switch file system and is persistent across switch reboots. After the initial copying is complete, the client key can be overwritten by repeating the copy command. No verification of the validity of the key is done when executing the copy command.
There is one SSH client known hosts file per switch, stored in the ssh directory of the switch file system. The SSH client known hosts file can be overwritten or appended using the commands below. If the file already exists at that location, you are prompted for confirmation before overwriting the existing file:
Syntax:
copy sftp ssh-client-known-hosts [user <username|username@>] <hostname|IPv4|IPv6> <filename> [append]
Copies the SSH client known hosts file to the switch.
ssh-client-known-hosts: The known hosts file.
[user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the TFTP server.
IPv4: Specifies the TFTP server's IPv4 address.
IPv6: Specifies the TFTP server's IPv6 address.
<filename>: The remote filename containing the key.
[append]: Append hosts to the existing ssh-client-known-hosts file.
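The known hosts file is edited off the switch and copied back without the switch checking it, so here is an added pre-copy check in Python (example code, not from the switch documentation). It assumes the file uses OpenSSH-style "host keytype base64-key" lines, rejects anything that is not an RSA or DSA blob, flags a host that appears twice with different keys, enforces the 10-entry limit and reports each entry's SHA256 fingerprint for comparison against the remote switch; the sample file is constructed.

```python
import base64
import hashlib
import struct

MAX_ENTRIES = 10                        # limit stated for the switch known hosts file
ALLOWED_TYPES = {"ssh-rsa", "ssh-dss"}  # the switch accepts RSA or DSA host keys
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b
def make_key_blob(keytype: str, *numbers: int) -> str:
    # Base64 public-key blob: string keytype, then each number as an SSH mpint.
    mpints = b"".join(_ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big")) for n in numbers)
    return base64.b64encode(_ssh_string(keytype.encode()) + mpints).decode()
def fingerprint(blob_b64: str) -> str:
    # SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64).
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_known_hosts(text: str) -> dict:
    entries, problems, seen = [], [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3 or fields[1] not in ALLOWED_TYPES:
            problems.append(f"line {lineno}: expected 'host ssh-rsa|ssh-dss base64-key'")
            continue
        host, keytype, blob = fields[:3]
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:
            raw = b""
        if raw[:4 + len(keytype)] != _ssh_string(keytype.encode()):  # blob must repeat the type
            problems.append(f"line {lineno}: key data does not decode as a {keytype} blob")
            continue
        fp = fingerprint(blob)
        for h in host.split(","):  # one line may name several hosts
            if seen.setdefault((h, keytype), fp) != fp:
                problems.append(f"line {lineno}: {h} already trusted with a different {keytype} key")
        entries.append((host, keytype, fp))
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{len(entries)} entries exceed the switch limit of {MAX_ENTRIES}")
    return {"entries": entries, "problems": problems}

SAMPLE = "\n".join([  # constructed: 2 good entries, conflicting key, unsupported type, junk
    "switch-a ssh-rsa " + make_key_blob("ssh-rsa", 65537, 0xC0FFEE),
    "10.1.248.198 ssh-dss " + make_key_blob("ssh-dss", 0xABCD, 0x1234, 0x5678, 0x9ABC),
    "switch-a ssh-rsa " + make_key_blob("ssh-rsa", 3, 0xDEADBEEF),
    "switch-b ssh-ed25519 " + make_key_blob("ssh-ed25519", 0x11),
    "switch-c ssh-rsa not-a-key",
])
```

Run check_known_hosts on the file before the copy; an empty problems list means every line is a well-formed RSA or DSA entry and the file fits the switch's 10-entry limit.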
The SSH client known hosts file can be copied to a location on a remote device using the commands below. If the file already exists on the remote device, you are prompted for confirmation before overwriting the file:
Syntax:
Copies the SSH client known hosts file to another location.
ssh-client-known-hosts: The known hosts file.
[user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the TFTP server.
IPv4: Specifies the TFTP server's IPv4 address.
The following copy commands can be used to manage public keys in a known hosts file. The public key can only be copied from the switch to a server or other media, not to another switch.
Syntax:
Copies the switch SSH server public key to a server or other media.
[user <username|username@>]: Optional, there must be configured usernames for operator and manager. If no username is specified, the client's current username is used. There will be a prompt for a password if needed.
hostname: Specifies the hostname of the TFTP server.
IPv4: Specifies the TFTP server's IPv4 address.
Syntax:
show session-list
Open sessions listing:

    HP Switch(config)# show session-list

     Session Information

      Source IP Selection: Outgoing Interface
     --------------------------------------------------------
     Session :    1
     Privilege: Superuser
     From     : Console
     To       :
     --------------------------------------------------------
     Session :    2
     Privilege: manager
     From     : 172.22.16.3
     To       : 10.1.248.198
     ---------------------------------------------------------
     Session : ** 3
     Privilege: manager
     From     : 10.1.248.179
     To       :
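As an added example (not from the switch documentation), a small Python parser for the session listing above that picks out chained sessions, that is, network logins which have themselves opened an outgoing SSH hop from this switch, which the privilege note earlier on this page says matters. The sample text is constructed from the output shown.

```python
import re

# Constructed sample modelled on the 'show session-list' output shown on this page.
SESSION_LIST = """\
 Session Information

  Source IP Selection: Outgoing Interface
 --------------------------------------------------------
 Session :    1
 Privilege: Superuser
 From     : Console
 To       :
 --------------------------------------------------------
 Session :    2
 Privilege: manager
 From     : 172.22.16.3
 To       : 10.1.248.198
 ---------------------------------------------------------
 Session : ** 3
 Privilege: manager
 From     : 10.1.248.179
 To       :
"""

# One 'Field : value' line; the value may be empty (no outgoing hop).
FIELD = re.compile(r"^\s*(Session|Privilege|From|To)\s*:\s*(.*?)\s*$")

def parse_session_list(text: str) -> list:
    # Return one dict per session block; '**' marks the session running the command.
    sessions, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "session":
            cur = {"session": int(value.lstrip("* ")), "current": value.startswith("**")}
            sessions.append(cur)
        elif cur is not None:
            cur[key] = value or None
    return sessions

def chained_sessions(sessions: list) -> list:
    # Network logins that have opened an outgoing SSH client hop from this switch.
    return [s for s in sessions if s.get("from") not in (None, "Console") and s.get("to")]
```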