Public key only ssh access to procurve 2510G (tested on 2510G-24, software Y.11.12, rom N.10.02)

21 07 2011

It appears that procedures described in the Access Security Guide for the HP ProCurve 2510G-24 (J9279A) are misleading. I found several requests for help online on this topic regarding HP ProCurve devices with similar documentation.

Furthermore, while testing, I discovered that following the procedure step by step actually allows password access when selecting ‘none’ as the secondary login authentication method, possibly leading you to a security breach. Thus, one should test:

  1. that one gets access with a legitimate key,
  2. that one does not get access when holding only keys that were never uploaded to the switch,
  3. that one does not get access when holding no key at all.

In cases 2. and 3., you should definitely get no password prompt.

I had the following requirements (among others not mentioned here):

– ssh clients get access only through public keys,

– managers get access directly as managers (and do not need to explicitly move to enable level),

– operators get access directly as operators (and cannot move to enable level).

The following configuration tested successfully on a default configuration:

crypto key generate ssh rsa
copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_managers_public_keys_file> manager
copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_operators_public_keys_file> operator
ip ssh
aaa authentication ssh login public-key none
aaa authentication ssh enable public-key none
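The three checks listed above, run from an OpenSSH client, as an added verification script that is not part of the original post or HP's documentation. SWITCH, SSH_USER, KEY_OK (the private key whose public half was uploaded with copy tftp pub-key-file) and KEY_BAD (a key that was never uploaded) are assumptions to set for your environment; the script assumes the switch ends a successful session cleanly at EOF.

```shell
#!/bin/sh
# Constructed verification script, not from the post or from HP: runs the
# three checks the post lists against the switch using plain OpenSSH.
# SWITCH, SSH_USER, KEY_OK (private key whose public half was uploaded with
# "copy tftp pub-key-file") and KEY_BAD (a key never uploaded) are assumptions.
SWITCH="${SWITCH:-192.0.2.10}"                  # placeholder address
SSH_USER="${SSH_USER:-manager}"
KEY_OK="${KEY_OK:-$HOME/.ssh/id_rsa_manager}"
KEY_BAD="${KEY_BAD:-/tmp/never_uploaded_key}"

# probe <private key or ""> : one non-interactive login attempt.
# BatchMode=yes makes ssh refuse every prompt, so a password prompt from the
# switch becomes a "Permission denied (...)" line whose parenthesised list
# names the methods the switch still accepts. Prints "<exit code> <last line>".
probe() {
    if [ -n "$1" ]; then id_opts="-o IdentitiesOnly=yes -i $1"
    else id_opts="-o PubkeyAuthentication=no"; fi    # client offers no key at all
    err=$(ssh -T -o BatchMode=yes -o ConnectTimeout=5 $id_opts \
              "$SSH_USER@$SWITCH" 2>&1 >/dev/null </dev/null)
    rc=$?    # assumes the switch closes a successful session with status 0 at EOF
    printf '%s %s\n' "$rc" "$(printf '%s\n' "$err" | tail -n 1)"
}

# judge <ok|bad|none> <exit code> <message> : PASS or a FAIL with its reason.
# Cases bad and none must be refused, and the refusal must not advertise
# password or keyboard-interactive: that is the "none" fallback letting a
# password through, the problem the post warns about.
judge() {
    case "$1" in
        ok) if [ "$2" -eq 0 ]; then echo PASS
            else echo "FAIL: legitimate key refused: $3"; fi ;;
        bad|none)
            if [ "$2" -eq 0 ]; then echo "FAIL: logged in without an authorized key"
            elif printf '%s\n' "$3" | grep -Eq 'password|keyboard-interactive'; then
                echo "FAIL: switch still offers a password prompt: $3"
            else echo PASS; fi ;;
    esac
}

main() {
    for c in "ok $KEY_OK" "bad $KEY_BAD" "none "; do
        name=${c%% *}; key=${c#* }
        result=$(probe "$key"); rc=${result%% *}; msg=${result#* }
        printf '%-5s %s\n' "$name" "$(judge "$name" "$rc" "$msg")"
    done
}
# Only contact the switch when asked, so the functions can be sourced and tested.
if [ "${RUN_CHECKS:-0}" = 1 ]; then main; fi
```

Run it with RUN_CHECKS=1; every line must read PASS, and a FAIL naming a password prompt on the bad or none case means the switch is still falling back to password authentication.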