
ssh on 5304xl switch

Igoris_1
Frequent Advisor

I'm configuring the SSH feature on an HP ProCurve Switch 5304XL, Version: E.10.04, ROM E.05.04.
I need to enable client key authentication only, so I configure: HP ProCurve Switch 5304XL(config)#aaa authentication ssh login public-key none.
However, if I don't provide my key I can still get access to the switch through SSH by entering the manager's password. That configuration works fine on my HP ProCurve 2524, but not on the 5304xl.
Ardon
Trusted Contributor
Solution

Re: ssh on 5304xl switch

Hi Igoris,

You also logged the case via EMEA Support Center right? 1208976505

I am currently working on the issue and will get back to you on Monday. I could reproduce the behavior you were seeing on the 5304, but not with all SSH clients. When using SecureCRT from vandycke (www.vandycke.com) version 4.0.7 all worked as expected, so no key specified means no access. When using PuTTY version 0.58 I was granted access by specifying username/password.
I will keep you posted.

Regards, Ardon
ProCurve Networking Engineer
Igoris_1
Frequent Advisor

Re: ssh on 5304xl switch

Yes, it's my case that was logged. I was using PuTTY v0.56.
Thanks for your reply and waiting for further news.
Jeff Brownell
Valued Contributor

Re: ssh on 5304xl switch

Steps to allow client public key authentication only

1) generate the switch's public/private key
# crypto key generate ssh rsa
# sh crypto host-public-key

2) generate client public/private key pairs


3) enable ssh on switch
# ip ssh

4) copy client public keys to switch
5300# copy tftp public-key-file 15.55.24.52 hpux.pub manager append
5300# copy tftp public-key-file 15.55.24.52 linux.pub manager append
5300# copy tftp public-key-file 15.55.24.52 putty.pub manager append
# sh crypto client-public-key manager

5) get the switch's public key onto the clients
client learns key on first connect, or
copy/paste key from display into known_hosts file on client

6) configure the switch for client public-key ssh auth only.
5300# aaa auth ssh login public-key none
5300# aaa auth ssh enable public-key none


Let me know if this works for you...
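The steps above, together with the later clarification that the enable level must be restricted too, amount to a configuration check that can be automated. The following is an added example, not from the original thread or from HP: a small audit over a ProCurve-style running-config excerpt that reports whether either the login or the enable SSH method would still fall back to a password. The config snippets are constructed and only illustrate the two states discussed in the thread; whether the client keys actually sit in the manager key file is not visible in the config text and has to be checked on the switch.

```python
import re

# Constructed excerpts of a ProCurve-style running config (not captured from a real
# switch). WEAK_CONFIG is the original post's situation: only the SSH "login" method
# is restricted, so the manager password still opens the switch over SSH.
WEAK_CONFIG = """\
ip ssh
aaa authentication ssh login public-key none
"""
# FIXED_CONFIG is the thread's fix: both login and enable (manager level) use
# public-key with 'none' as the secondary method, i.e. no password fallback.
FIXED_CONFIG = """\
ip ssh
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
"""

# Accept the abbreviated "auth" form used in the thread as well as the full keyword.
_AAA_SSH = re.compile(
    r"^\s*aaa\s+auth(?:entication)?\s+ssh\s+(login|enable)\s+(\S+)(?:\s+(\S+))?\s*$",
    re.IGNORECASE,
)


def audit_procurve_ssh(config_text: str) -> dict:
    """Report where a config would still let an SSH session in without a client key."""
    methods, ssh_enabled = {}, False
    for line in config_text.splitlines():
        if re.match(r"^\s*ip\s+ssh\s*$", line, re.IGNORECASE):
            ssh_enabled = True
        m = _AAA_SSH.match(line)
        if m:
            level, primary, secondary = m.groups()
            methods[level.lower()] = (primary.lower(), (secondary or "").lower())
    findings = []
    if not ssh_enabled:
        findings.append("ip ssh is not enabled")
    for level in ("login", "enable"):
        if level not in methods:
            findings.append(f"ssh {level}: no aaa authentication line, password access not blocked")
            continue
        primary, secondary = methods[level]
        sec_name = secondary or "default"
        if primary != "public-key":
            findings.append(f"ssh {level}: primary method '{primary}' is not public-key")
        if secondary != "none":
            findings.append(f"ssh {level}: secondary method '{sec_name}' allows password fallback")
    # Key placement (manager vs operator file) is not in the config text; confirm it on
    # the switch with 'show crypto client-public-key manager' as the thread describes.
    return {"ssh_enabled": ssh_enabled, "methods": methods, "findings": findings}
```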
Igoris_1
Frequent Advisor

Re: ssh on 5304xl switch

If I configure this way-
5300# aaa auth ssh login public-key none
5300# aaa auth ssh enable public-key none
then I cannot access manager level:
HP ProCurve Switch 5304XL> enable
HP ProCurve Switch 5304XL>
The switch does not prompt me for user and passw
Jeff Brownell
Valued Contributor

Re: ssh on 5304xl switch

You need to ensure that you copy the public keys to the manager public-key file

5300# copy tftp public-key-file 15.55.24.52 hpux.pub manager append
^^^^^^^
note the "manager" key word
.
.

To see if the keys made it to the manager public-key file, use this command:
5300# sh crypto client-public-key manager

Igoris_1
Frequent Advisor

Re: ssh on 5304xl switch

I tested the configuration; it's working.
The documentation for the 5304 switches is not correct: there is no word that the public keys must also be loaded into the manager file, and that 'aaa auth ssh enable public none' must be added to achieve the desired restriction of login to only those clients having the correct key.
Igoris_1
Frequent Advisor

Re: ssh on 5304xl switch

Documentation for the 5304 switches must be updated, it is not the same SSH configuration as for the 25xx series switches.