Enable SSH Access on HP Procurve Switches

Why Enable SSH?

SSH on network switches is really just a replacement for telnet.  SSH stands for “secure shell” and is a way of accessing the command line interface on numerous devices, including network switches, routers, firewalls, servers, and so on.  Most managed network devices have a command line interface that is accessible through telnet or ssh because it is powerful, flexible, and minimizes the resources required for administration of the device.

SSH is very similar to telnet in its use, but it provides two key security features that telnet lacks: encryption and host verification.  These two features go a long way in improving security.

Encryption

The encryption feature of ssh means that the traffic going to and from your switch is encrypted and is difficult to eavesdrop on.  Even if an attacker were able to see the traffic, the data would be a meaningless jumble without the encryption key to decode it.

Verification

The host verification feature in ssh allows your computer to know that the switch you are trying to ssh into really is the switch you think it is and not some attacker pretending to be the switch.  Any system running an ssh server signs the key exchange with its private host key to prove it really is the device you think it is.  When that signature doesn’t check out against the key your computer has on record, your ssh client will throw an error warning you that it couldn’t verify the source.

A common attack against computer networks is the “man in the middle” attack.  In this attack an attacker pretends to be the device you are trying to connect to so it can intercept your traffic.  When you talk to the attacker, thinking it is your switch, the attacker can save the conversation while still forwarding your traffic on to the correct destination.  By playing middle man in this way an attacker is able to capture your traffic, even if it’s encrypted traffic.

Quick Note on Verification

While we are on the topic of verification I want to make a quick note.  The instructions below show you how to generate a host key on your switch; it is effectively a “self-signed” certificate, since nothing but the switch itself vouches for it.  When you use a self-signed key you will get a warning the first time you log into the switch saying that the source cannot be verified.  Tell your ssh application to remember this host and go ahead and connect to the switch.

Every time from that point on your application should know that it is your switch if it is signed in the same way.  If you get that warning again either the ssh key on the switch has changed or there is an attacker doing a “man in the middle” attack.  So just note that you can ignore the warning the first time when you are setting ssh up on your switch, but pay attention to the warning if you ever get it again!

HP SSH Configuration Outline

To enable ssh on HP ProCurve switches you will need to do the following.

  1. Console or telnet to switch
  2. Generate an ssh key
  3. Enable ssh access
  4. Verify ssh is working
  5. Turn off telnet access (Optional but recommended)

Console or Telnet to Switch

Since SSH isn’t enabled on your switch yet you will need to access it using either telnet or console directly into the switch.  If your switch isn’t connected to the network at all yet, then you will need to plug a serial port on your computer into the console port on your switch.  If your switch is on the network then access it through telnet.

Generate an ssh Key

Once you are connected to your switch you will need to generate an ssh key.  It will be used both to verify that you are talking to the switch you think you are and to encrypt the traffic going to and from your switch.  To generate an ssh key on an HP ProCurve switch you have to go into global configuration mode and issue the generate key command.

Enable ssh Access

Now that your switch has a key it can use to identify itself and to encrypt ssh traffic, you can turn ssh on.  Issue the following commands to turn ssh on.

Verify ssh is Working

Before you disconnect your current session or save the changes you have made, I recommend using another application or terminal window to verify that you can actually connect to the switch using ssh.  On Windows computers you will need a third-party application like PuTTY to connect to the switches using ssh.  On Apple, Unix, or Linux computers you can use the built-in terminal to remotely access your switches through ssh.  If you are new to ssh don’t worry, it isn’t very hard to use.  It is similar to using telnet except rather than typing “telnet <switch IP here>” you type “ssh <username>@<switch IP here>”.  Once you have verified that you can log in using ssh, then turn off telnet and save your work.

If the switch gave you access and you can issue commands like “show run”, then you can turn off telnet access and save your changes.
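The host-key check described in “Quick Note on Verification” and the verification step above, as an added example that is not part of the original post: a small Python script that parses an OpenSSH public-key or known_hosts line, computes the SHA256 and MD5 fingerprints so you can compare them with the one you read off the switch’s console session, and classifies a key presented by a host as first contact, a match against the pinned key, or a changed key (the case where you should stop and investigate rather than click through). The key material, the host address 192.0.2.10 and all function names are constructed for this example; only the OpenSSH blob and fingerprint formats are real.

```python
"""Host-key fingerprinting and known_hosts checking.

Added example, not code from the post. Key blobs, host addresses and function
names are constructed; only the OpenSSH wire and fingerprint formats are real.
"""
import base64
import hashlib
import struct


def _mpint(value: int) -> bytes:
    """Encode a positive integer as an SSH mpint (RFC 4251): length-prefixed,
    big-endian, with a leading 0x00 when the top bit would otherwise be set."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_rsa_blob(e: int, n: int) -> bytes:
    """Build an ssh-rsa public-key blob: string "ssh-rsa", mpint e, mpint n.
    Constructed helper so the example runs offline; n need not be a real modulus."""
    name = b"ssh-rsa"
    return struct.pack(">I", len(name)) + name + _mpint(e) + _mpint(n)


def key_type_of(blob: bytes) -> str:
    """The key type is the first length-prefixed string in every SSH key blob."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def parse_pubkey_line(line: str):
    """Accept either "ssh-rsa AAAA... [comment]" or a known_hosts line
    "host[,host] ssh-rsa AAAA...". Returns (key_type, blob)."""
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(("ssh-", "ecdsa-")):
            blob = base64.b64decode(fields[i + 1])
            if key_type_of(blob) != field:
                raise ValueError("key type field does not match blob")
            return field, blob
    raise ValueError("no public key found in line")


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256:<base64 without '=' padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated hex fingerprint, as older firmware and clients show it."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def known_hosts_entry(host: str, key_type: str, blob: bytes) -> str:
    """Format the line your client pins in ~/.ssh/known_hosts after the first login."""
    return f"{host} {key_type} {base64.b64encode(blob).decode('ascii')}\n"


def check_host(known_hosts_text: str, host: str, key_type: str, blob: bytes) -> str:
    """Classify a key presented by `host`:
    "first-contact" - no entry for this host yet (the warning you accept once),
    "match"         - the pinned key was presented again (normal login),
    "changed"       - host is known but the key differs (re-keyed switch or MITM).
    Hashed (|1|...) entries are skipped; this handles plain hostnames only."""
    seen = False
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        if host not in line.split()[0].split(","):
            continue
        try:
            entry_type, entry_blob = parse_pubkey_line(line)
        except ValueError:
            continue
        seen = True
        if entry_type == key_type and entry_blob == blob:
            return "match"
    return "changed" if seen else "first-contact"


if __name__ == "__main__":
    # Constructed switch key; in practice this is the key the switch generated.
    switch_blob = build_rsa_blob(65537, 0xD6F1A7C3B2E9F5A1)
    print(fingerprint_sha256(switch_blob))
    print(fingerprint_md5(switch_blob))
    pinned = known_hosts_entry("192.0.2.10", "ssh-rsa", switch_blob)
    print(check_host("", "192.0.2.10", "ssh-rsa", switch_blob))      # first-contact
    print(check_host(pinned, "192.0.2.10", "ssh-rsa", switch_blob))  # match
    rogue_blob = build_rsa_blob(65537, 0xA1B2C3D4E5F60717)           # a different key
    print(check_host(pinned, "192.0.2.10", "ssh-rsa", rogue_blob))   # changed
```

The useful habit this encodes: write the switch’s fingerprint down from the console session before the first ssh login, compare it to what your client prints on that first connection, and treat any later “changed” result as a reason to check the switch (was it re-keyed or replaced?) before connecting.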

Turn off Telnet Access

Now that you know ssh is working and know how to use it to access your switch you should turn off telnet.  There is no reason to keep the insecure protocol running since ssh will replace telnet as your method of accessing the switch.

Conclusion

SSH is a much better solution than telnet for accessing your network equipment.  Once it is set up you won’t notice a difference in your user experience and your network infrastructure will have an extra layer of security.  So, if you haven’t already, go enable ssh on your network equipment right away.

Over the years I have found ssh to be reliable, simple, and effective on all kinds of equipment.  I’ve used it on all kinds of devices including servers, switches, routers, firewalls, UPSs, and more.

What other equipment do you have on your network that could be moved to ssh?
