Public key only ssh access to procurve 2510G (tested on 2510G-24, software Y.11.12, rom N.10.02)
21 07 2011

It appears that the procedures described in the Access Security Guide for the HP ProCurve 2510G-24 (J9279A) are misleading. I found several requests for help online on this topic regarding HP ProCurve devices with similar documentation.
Furthermore, while testing I found that following the procedure step by step still allows password access when 'none' is selected as the secondary login authentication method, which can leave the switch open to anyone who knows (or guesses) the password. You should therefore test all three cases:
1. that you get access with a legitimate key,
2. that you do not get access when you hold only illegitimate keys,
3. that you do not get access when you hold no key at all.
In cases 2 and 3 you must not get a password prompt at all: a prompt means the switch is still falling back to password authentication.
I had the following requirements (among others not mentioned here):
– ssh clients get access only through public keys,
– managers get access directly as managers (and do not need to explicitly move to enable level),
– operators get access directly as operators (and cannot move to enable level).
The following configuration tested successfully on default config:
    crypto key generate ssh rsa
    copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_managers_public_keys_file> manager
    copy tftp pub-key-file <IP_of_your_TFTP_server> <Path_of_the_operators_public_keys_file> operator
    ip ssh
    aaa authentication ssh login public-key none
    aaa authentication ssh enable public-key none
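To check the three cases listed above from the client side, here is an added example (not part of the original post and not an HP tool). It drives the OpenSSH client with -v and reads back which authentication methods the switch still accepts after each attempt; a password-style method left on offer is exactly the fallback described above. The switch address, the usernames manager and operator, and the key paths in the usage comments are assumptions, not values from the post.

```shell
#!/bin/sh
# Added example: client-side check that a ProCurve switch really only accepts
# public keys. Nothing here changes the switch; it only reads OpenSSH -v output.
# Assumed names (not from the original post): $SWITCH is the switch's management
# IP, users "manager" and "operator", keys under ~/.ssh/. Adjust to your setup.

# Print the method list from the last line of the form
#   debug1: Authentications that can continue: publickey,password
# in OpenSSH client debug output read from stdin. The last such line is what
# the server was still willing to accept when the client gave up.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | tail -n 1
}

# Return 0 if the comma-separated method list in $1 would lead to a
# password prompt (password or keyboard-interactive), 1 otherwise.
allows_password() {
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn a whole ssh -v transcript (stdin) into a one-word verdict:
#   KEY_ACCEPTED   the server accepted our public key
#   KEY_ONLY       only publickey (or nothing) left on offer: the wanted result
#                  for an illegitimate key or no key at all
#   PASSWORD_OPEN  a password-style method is still on offer: password fallback
verdict() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q '^debug1: Authentication succeeded (publickey)'; then
        echo KEY_ACCEPTED
        return 0
    fi
    methods=$(printf '%s\n' "$log" | offered_methods)
    if allows_password "$methods"; then
        echo PASSWORD_OPEN
    else
        echo KEY_ONLY
    fi
}

# Probe a real device: $1 = user, $2 = host, $3 = identity file ("" = no key).
# BatchMode=yes keeps ssh from ever prompting, IdentitiesOnly=yes keeps other
# keys in your agent out of the test, and PubkeyAuthentication=no models a
# client that holds no key at all.
probe() {
    user=$1; host=$2; key=$3
    if [ -n "$key" ]; then
        ssh -v -o BatchMode=yes -o IdentitiesOnly=yes -i "$key" "$user@$host" 2>&1 </dev/null
    else
        ssh -v -o BatchMode=yes -o PubkeyAuthentication=no "$user@$host" 2>&1 </dev/null
    fi
}

# Usage (assumed names), repeat for the operator user and key file:
#   probe manager "$SWITCH" ~/.ssh/manager_key    | verdict   # want KEY_ACCEPTED
#   probe manager "$SWITCH" ~/.ssh/unrelated_key  | verdict   # want KEY_ONLY
#   probe manager "$SWITCH" ""                    | verdict   # want KEY_ONLY
# Any PASSWORD_OPEN means the switch still falls back to password login.
```

The verdict only looks at what the server advertises, so it is independent of whether the switch lets the client run a remote command; the ssh session opened by a successful key is closed immediately by the redirected empty stdin.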