Configuring Secure Shell (SSH)


The HP switches covered in this guide use Secure Shell version 2 (SSHv2) to provide remote access to management functions on the switches via encrypted paths between the switch and management station clients capable of SSH operation.

SSH provides Telnet-like functions but, unlike Telnet, SSH provides encrypted, authenticated transactions. The authentication types include:

  • Client public-key authentication

  • Switch SSH and user password authentication

NOTE: SSH in HP switches is based on the OpenSSH software toolkit. For more information on OpenSSH, visit

Client public-key authentication (login/operator level) with user password authentication (enable/manager level)

This option uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a stored public key can gain access to the switch, and the same private key can be stored on one or more clients.

Client public-key authentication model
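
The stored public keys described above can be audited before they are loaded onto the switch. This is an added example, not code from the original guide or from HP. It assumes the client keys are kept as OpenSSH-format lines (`<type> <base64> [comment]`); the function names, the 2048-bit RSA threshold and the sample keys are constructed for illustration.

```python
import base64, hashlib

def _read_string(buf, off):
    """Read one length-prefixed SSH string (RFC 4251) starting at off."""
    n = int.from_bytes(buf[off:off + 4], "big")
    chunk = buf[off + 4:off + 4 + n]
    if off + 4 > len(buf) or len(chunk) != n:
        raise ValueError("truncated key blob")
    return chunk, off + 4 + n

def audit_key_line(line, min_rsa_bits=2048):
    """Check one '<type> <base64> [comment]' public-key line."""
    declared, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    digest = hashlib.sha256(blob).digest()
    result = {"fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
              "bits": None, "problems": []}
    if inner != declared.encode():
        result["problems"].append("declared type does not match key blob")
    if inner == b"ssh-rsa":
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
        result["bits"] = int.from_bytes(modulus, "big").bit_length()
        if result["bits"] < min_rsa_bits:  # threshold is an assumption
            result["problems"].append(f"RSA modulus is {result['bits']} bits")
    return result

def audit_key_file(text):
    """Audit every key line; flag a key that appears on more than one line."""
    first_seen, results = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = audit_key_line(line)
        if r["fingerprint"] in first_seen:
            r["problems"].append(f"same key as line {first_seen[r['fingerprint']]}")
        first_seen.setdefault(r["fingerprint"], lineno)
        results.append(r)
    return results

def constructed_rsa_line(bits, comment):
    """Constructed sample: a well-formed ssh-rsa blob, not a usable key."""
    s = lambda b: len(b).to_bytes(4, "big") + b
    mpint = lambda x: s(x.to_bytes(x.bit_length() // 8 + 1, "big"))
    blob = s(b"ssh-rsa") + mpint(65537) + mpint((1 << (bits - 1)) | 1)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

SAMPLE = "\n".join(constructed_rsa_line(b, c) for b, c in
                   [(2048, "admin@station-a"), (1024, "ops@station-b"), (2048, "admin@station-c")])
```

Because the same private key can be stored on more than one client, a repeated fingerprint is reported so that shared keys are a deliberate choice rather than an accident.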

Switch SSH and user password authentication

This option is a subset of the full certificate authentication used in client public-key authentication, shown in Client public-key authentication model. It occurs if the switch has SSH enabled but does not have login access (login public-key) configured to authenticate the client’s key. As in Client public-key authentication model, the switch authenticates itself to SSH clients. Users on the SSH client then authenticate themselves to the switch (login and/or enable levels) by providing passwords stored locally on the switch or on a TACACS+ or RADIUS server. However, the client does not use a certificate to authenticate itself to the switch.

Switch/user authentication