SSH client and secure sessions

SSH Client provides a method for establishing a secure session from one HP switch to another. In addition to providing secure sessions, SFTP is enhanced to allow bidirectional secure copying of files between a switch and an SFTP server, initiated from the switch with the copy command. The SFTP server can be another switch or a workstation/server with a running SSH server that supports SFTP.

Each switch with the SSH Client feature will have a known hosts file that can contain the public key from switches and servers that have been determined to be genuine. New public keys can be added to the known hosts file when new SSH servers are contacted, up to a maximum of 10 entries (if memory allows). The known hosts file can also be copied to another switch or to a server where it can be edited.

NOTE: You must be in manager context to use this SSH and SFTP feature.


Opening a secure session to an HP switch

To initiate an SSH client session to another network device, use the following command, executed in the manager context.

Syntax:

ssh [user <username|username@>] <hostname|IPv4|IPv6> [port <1-65535>]

Enables an SSH client to open a secure session to an HP switch. Opening secure sessions to devices other than HP switches is not supported.

[user <username|username@>]

Optional, the username on the destination (remote) system. Usernames for operator and manager must be configured.

If <username@> is specified, enter the remote system information as either a hostname, IPv4 address, or IPv6 address.

If no username is specified, the username of the current login is used. There will be a prompt for a password if needed.

hostname: Hostname of the remote system.

IPv4: IPv4 address of the remote system.

IPv6: IPv6 address of the remote system.

[port <1-65535>]: The TCP port running the SSH server on the remote system. If no port number is specified, the default port 22 is used.

Default: Port 22

General operating rules and notes

  • The SSH server may challenge the client to authenticate itself depending on the authentication methods configured on the destination SSH server. The client first tries the "none" method of authentication; if that is unsuccessful, it examines the list of supported authentication methods from the server, if provided. If the server does not provide such a list, all methods of authentication will be tried in the following order until the session is successfully opened or rejected by the server:

    • Authentication method "publickey", if a private key has been loaded onto the switch.

    • Authentication method "password".

  • During "public-key" authentication, the client must use its private key to authenticate itself to the server. There can be only one key pair on the switch for the manager.

  • The private key should be passphrase protected for highest security; the user is prompted to enter the passphrase.

  • The private key can be configured by copying it to the SSH client switch, using the copy command.

  • If the public-key authentication fails or the client has not been configured with a key pair, the "password" method of authentication is used and the user is prompted for a password.

  • Successful TACACS or RADIUS logins will give the user either operator or manager privileges. This is important if there are chained SSH sessions.

Copying client key files

Only one ssh client key for authenticating the manager is allowed on a switch. The copy command allows you to copy the client key files using sftp, tftp, or xmodem, allowing encryption and authentication through SSH. There is no way to generate the private key on the switch; it must be copied onto the switch.

To load the client's private key onto the switch, use one of the following commands:

Syntax:

copy sftp ssh-client-key [user <username>|<username@>] <hostname|IPv4|IPv6> <private-key-filename> [port <tcp-port-num>]

copy tftp ssh-client-key <hostname|IPv4|IPv6> <private-key-filename>

copy xmodem ssh-client-key

Copies the client key file <private-key-filename> onto the switch.

ssh-client-key: The client key file being copied to the switch. The file must contain an RSA or DSA key.

[user <username|username@>]: Optional, there must be configured usernames for operator and manager.

If no username is specified, the client's current username is used. There will be a prompt for a password if needed.

hostname: Specifies the hostname of the SFTP or TFTP server.

IPv4: Specifies the SFTP or TFTP server's IPv4 address.

IPv6: Specifies the SFTP or TFTP server's IPv6 address.

<private-key-filename>: The remote filename containing the key.

[port <tcp-port-num>]: TCP port of the SSH server on the remote system.

The copied private key is stored in the ssh directory of the switch file system and is persistent across switch reboots. After the initial copying is complete, the client key can be overwritten by repeating the copy command. No verification of the validity of the key is done when executing the copy command.
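
The switch does not validate the key it receives, so the checks worth making happen before the copy: the file must hold an RSA or DSA key, and it should be passphrase protected. The following script is an added example, not HP's code; it reads the two common private-key containers (traditional PEM and the openssh-key-v1 container) and reports the key type and whether it is encrypted. Whether a particular switch release accepts the openssh-key-v1 container is not something the page states and the script does not decide it. The sample keys at the bottom are constructed, not real keys.

```python
"""Inspect an SSH private key file before copying it to a switch.

Added example, not HP's code. Checks the two properties the manual asks for
(RSA or DSA key, passphrase protected) in traditional PEM and openssh-key-v1
containers. Sample keys are constructed, not real keys.
"""
import base64
import re
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
KEYTYPES = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519",
            "ecdsa-sha2-nistp256": "ECDSA", "ecdsa-sha2-nistp384": "ECDSA",
            "ecdsa-sha2-nistp521": "ECDSA"}
PEM_RE = re.compile(r"-----BEGIN (?:([A-Z]+) )?PRIVATE KEY-----\n(.*?)-----END", re.S)


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def take_string(buf: bytes, off: int):
    """Read one SSH wire 'string' at offset off; return (value, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key container")
    return buf[off:off + n], off + n


def inspect_key(text: str) -> dict:
    """Return {'format', 'type', 'encrypted'} for a PEM-armoured private key."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("not a PEM-armoured private key")
    label, body = m.group(1) or "", m.group(2)
    if label == "OPENSSH":
        blob = base64.b64decode("".join(body.split()))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = take_string(blob, off)    # "none" means no passphrase
        _kdf, off = take_string(blob, off)
        _kdfopts, off = take_string(blob, off)
        off += 4                                # number of keys (uint32)
        pubkey, off = take_string(blob, off)
        keytype, _ = take_string(pubkey, 0)     # public blob starts with the key type
        name = keytype.decode()
        return {"format": "openssh", "type": KEYTYPES.get(name, name), "encrypted": cipher != b"none"}
    if label == "ENCRYPTED":                    # PKCS#8: algorithm hidden until decrypted
        return {"format": "pkcs8", "type": "unknown", "encrypted": True}
    # Traditional PEM: the label names the algorithm; encryption shows as a header.
    return {"format": "pem", "type": label or "unknown",
            "encrypted": "Proc-Type: 4,ENCRYPTED" in body}


def acceptable_client_key(text: str) -> bool:
    """True when the key is RSA or DSA and is passphrase protected."""
    info = inspect_key(text)
    return info["type"] in ("RSA", "DSA") and info["encrypted"]


def armor(label: str, blob: bytes) -> str:
    """PEM-armour a blob with 70-column base64 lines."""
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def build_openssh_container(cipher: str, kdf: str, keytype: str, pub_payload: bytes) -> str:
    """Construct an openssh-key-v1 container with a dummy private section (constructed sample)."""
    kdfopts = ssh_string(b"\x00" * 16) + struct.pack(">I", 16) if kdf == "bcrypt" else b""
    blob = (OPENSSH_MAGIC + ssh_string(cipher.encode()) + ssh_string(kdf.encode())
            + ssh_string(kdfopts) + struct.pack(">I", 1)
            + ssh_string(ssh_string(keytype.encode()) + pub_payload)
            + ssh_string(b"\x00" * 32))
    return armor("OPENSSH PRIVATE KEY", blob)


# Constructed samples (not real keys): only the container headers matter here.
SAMPLE_PEM_RSA_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "QUJDRA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
SAMPLE_PEM_DSA_PLAIN = "-----BEGIN DSA PRIVATE KEY-----\nQUJDRA==\n-----END DSA PRIVATE KEY-----\n"
SAMPLE_OPENSSH_RSA_ENCRYPTED = build_openssh_container(
    "aes256-ctr", "bcrypt", "ssh-rsa", ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 32))
SAMPLE_OPENSSH_ED25519_PLAIN = build_openssh_container("none", "none", "ssh-ed25519", ssh_string(b"\x00" * 32))

if __name__ == "__main__":
    for key in (SAMPLE_PEM_RSA_ENCRYPTED, SAMPLE_PEM_DSA_PLAIN,
                SAMPLE_OPENSSH_RSA_ENCRYPTED, SAMPLE_OPENSSH_ED25519_PLAIN):
        print(inspect_key(key), "acceptable" if acceptable_client_key(key) else "reject")
```

Run it against the file you intend to copy (read the file and pass its text to acceptable_client_key); an unencrypted key or a non-RSA/DSA key is reported before it reaches the switch, which is the only point at which the problem is cheap to fix.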

Copying the ssh-client-known-hosts file

Replacing or appending the ssh-client-known-hosts file

There is one SSH client known hosts file per switch, stored in the ssh directory of the switch file system. The SSH client known hosts file can be overwritten or appended using the commands below. If the file already exists at that location, you are prompted for confirmation before overwriting the existing file:

Warning: The existing known hosts file will be
overwritten, continue [y/n] ?

Syntax:

copy sftp ssh-client-known-hosts [user <username|username@>] <hostname|IPv4|IPv6> <filename> [append]

copy tftp ssh-client-known-hosts <hostname|IPv4|IPv6> <filename> [append]

copy xmodem ssh-client-known-hosts [append]

Copies the SSH client known hosts file to the switch.

ssh-client-known-hosts: The known hosts file.

[user <username|username@>]: Optional, there must be configured usernames for operator and manager.

If no username is specified, the client's current username is used. There will be a prompt for a password if needed.

hostname: Specifies the hostname of the SFTP or TFTP server.

IPv4: Specifies the SFTP or TFTP server's IPv4 address.

IPv6: Specifies the SFTP or TFTP server's IPv6 address.

<filename>: The remote filename of the known hosts file to copy.

[append]: Append hosts to the existing ssh-client-known hosts file.

Default: Replace the existing known hosts file.
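
Because the known hosts file is edited off the switch and then replaced or appended, and the switch holds at most 10 entries, it pays to check the file before copying it back. The following script is an added example, not HP's code; it assumes OpenSSH-style known hosts lines ("host key-type base64-blob [comment]"), which is an assumption about the switch file's format, and the 10-entry limit stated above. It rejects malformed lines, skips exact duplicates, flags a different key for an already-listed host as a conflict rather than appending it, and prints each entry's SHA256 fingerprint so it can be compared against the value shown on the remote switch. The sample entries are constructed, not real host keys.

```python
"""Check and merge SSH known-hosts entries before copying them to a switch.

Added example, not HP's code. Assumes OpenSSH-style lines and the 10-entry
limit the manual states; the on-switch file format is an assumption.
Sample entries are constructed, not real host keys.
"""
import base64
import hashlib
import struct

MAX_ENTRIES = 10  # limit stated in the manual


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string' (uint32 big-endian length prefix)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of a raw key blob, formatted like ssh-keygen -l."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line: str):
    """Return (host, keytype, blob), or None for blank, comment or malformed lines.

    The key type named on the line must match the type embedded at the start
    of the blob; an edited or truncated entry usually fails this check.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 3:
        return None
    host, keytype, b64 = fields[0], fields[1], fields[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        return None
    return host, keytype, blob


def merge_known_hosts(existing: str, additions: str, max_entries: int = MAX_ENTRIES):
    """Merge additions into existing, dropping duplicates and malformed lines.

    Returns (entries, rejected): entries is a list of (host, keytype, fingerprint)
    in file order; rejected holds malformed lines and lines carrying a different
    key than an earlier entry for the same host and key type (a conflict to
    resolve out of band, never to append silently). Raises ValueError if the
    merged file would exceed max_entries.
    """
    entries, index, rejected = [], {}, []
    for source in (existing, additions):
        for raw in source.splitlines():
            stripped = raw.strip()
            if not stripped or stripped.startswith("#"):
                continue
            parsed = parse_line(raw)
            if parsed is None:
                rejected.append(raw)
                continue
            host, keytype, blob = parsed
            fp = fingerprint(blob)
            known = index.get((host, keytype))
            if known is None:
                index[(host, keytype)] = fp
                entries.append((host, keytype, fp))
            elif known != fp:
                rejected.append(raw)  # conflicting key for a known host
            # identical duplicate: skipped
    if len(entries) > max_entries:
        raise ValueError(f"{len(entries)} entries exceed the limit of {max_entries}")
    return entries, rejected


# Constructed sample blobs: syntactically valid key blobs, not real keys.
RSA_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xab" * 32)
RSA_BLOB_OTHER = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xee" * 32)
DSA_BLOB = ssh_string(b"ssh-dss") + ssh_string(b"\x00" + b"\xcd" * 16)
B64_RSA = base64.b64encode(RSA_BLOB).decode()
B64_RSA_OTHER = base64.b64encode(RSA_BLOB_OTHER).decode()
B64_DSA = base64.b64encode(DSA_BLOB).decode()

SAMPLE_EXISTING = (
    "# constructed sample known hosts file\n"
    f"switch-a.example.net ssh-rsa {B64_RSA}\n"
)
SAMPLE_ADDITIONS = (
    f"switch-a.example.net ssh-rsa {B64_RSA}\n"        # exact duplicate: skipped
    f"10.1.248.198 ssh-dss {B64_DSA}\n"                # new entry
    f"switch-a.example.net ssh-rsa {B64_RSA_OTHER}\n"  # conflicting key: rejected
    f"bad-host ssh-rsa {B64_DSA}\n"                    # type mismatch: rejected
    "truncated ssh-rsa AAAA\n"                         # blob too short: rejected
)

if __name__ == "__main__":
    merged, bad = merge_known_hosts(SAMPLE_EXISTING, SAMPLE_ADDITIONS)
    for host, keytype, fp in merged:
        print(f"{host:24} {keytype:8} {fp}")
    for line in bad:
        print("rejected:", line)
```

The conflict case is the one to pay attention to: a changed key for a host you already trust is either a legitimate re-key or a sign that something else is answering on that address, and the script leaves that decision to the operator instead of appending the new entry.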

Copying the SSH client known hosts file to another location

The SSH client known hosts file can be copied to a location on a remote device using the commands below. If the file already exists on the remote device, you are prompted for confirmation before overwriting the file:

Warning: The remote file will be overwritten,
continue [y/n] ?

Syntax:

copy ssh-client-known-hosts sftp [user <username|username@>] <hostname|IPv4|IPv6> <filename>

copy ssh-client-known-hosts tftp <hostname|IPv4|IPv6> <filename>

copy ssh-client-known-hosts xmodem

Copies the SSH client known hosts file to another location.

ssh-client-known-hosts: The known hosts file.

[user <username|username@>]: Optional, there must be configured usernames for operator and manager.

If no username is specified, the client's current username is used. There will be a prompt for a password if needed.

hostname: Specifies the hostname of the SFTP or TFTP server.

IPv4: Specifies the SFTP or TFTP server's IPv4 address.

IPv6: Specifies the SFTP or TFTP server's IPv6 address.

<filename>: The remote filename to which the known hosts file is written.

Copying the host public key

The following copy commands can be used to manage public keys in a known hosts file. The public key can only be copied from the switch to a server or other media, not to another switch.

Syntax:

copy ssh-server-pub-key sftp [user <username|username@>] <hostname|IPv4|IPv6> <filename>

copy ssh-server-pub-key tftp <hostname|IPv4|IPv6> <filename>

copy ssh-server-pub-key xmodem

Copies the switch SSH server public key to a server or other media.

[user <username|username@>]: Optional, there must be configured usernames for operator and manager.

If no username is specified, the client's current username is used. There will be a prompt for a password if needed.

hostname: Specifies the hostname of the SFTP or TFTP server.

IPv4: Specifies the SFTP or TFTP server's IPv4 address.

IPv6: Specifies the SFTP or TFTP server's IPv6 address.

<filename>: The name of the file to be copied.

Removing the SSH client key pair

To remove the SSH client key pair file, use this command.

Syntax:

crypto key zeroize ssh-client-key

Deletes the SSH client key pair.

You are prompted with the message:

Warning: The manager key pair will be deleted,
continue [y/n] ?

Removing the SSH client known hosts file

To remove the SSH client known hosts file, use this command.

Syntax:

crypto key zeroize ssh-client-known-hosts

Deletes the SSH client known hosts file.

You are prompted with the message:

Warning: The SSH client known hosts file
will be deleted, continue [y/n] ?

Displaying open sessions

Syntax:

show session-list

Displays the active incoming and outgoing sessions.

Open sessions listing

HP Switch(config)# show session-list

Session Information

Source IP Selection: Outgoing Interface
--------------------------------------------------------
Session  : 1
Privilege: Superuser
From     : Console
To       :
--------------------------------------------------------
Session  : 2
Privilege: manager
From     : 172.22.16.3
To       : 10.1.248.198
---------------------------------------------------------
Session  : ** 3
Privilege: manager
From     : 10.1.248.179
To       :