Home » HP Manuals » Servers » HP 6125XLG » Manual Viewer

HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference - Page 195

diffie-hellman-group1-sha1

Add to My Manuals
Save this manual to your list of manuals

Page 195 highlights

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5. • md5: Specifies the HMAC algorithm hmac-md5. • md5-96: Specifies the HMAC algorithm hmac-md5-96. • sha1: Specifies the HMAC algorithm hmac-sha1. • sha1-96: Specifies the HMAC algorithm hmac-sha1-96. prefer-kex: Specifies the preferred key exchange algorithm. The default algorithm is dh-group-exchange in non-FIPS mode and is dh-group14 in FIPS mode. Algorithm dh-group14 features stronger security but costs more time in calculation than dh-group1. • dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. • dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. • dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1. prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128. prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1. publickey keyname: Specifies the host public key of the sever, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters. source: Specifies a source IP address or source interface to connect to the server. By default, the packet to send gets the primary IP address of its outbound interface from the routing table and uses it as the source IP address. To avoid the communication failure between the client and the server due to interface faults, use the specified loopback interface as the source interface, and either IP address of the two interfaces as the source IP address. interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address to send packets. ip ip-address: Specifies a source IPv4 address. Usage guidelines When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication uses RSA or DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key. Examples # Connect an SFTP client to the IPv4 SFTP server 10.1.1.2 and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms: • Preferred key exchange algorithm: dh-group14. • Preferred server-to-client encryption algorithm: aes128. • Preferred client-to-server HMAC algorithm: sha1. • Preferred server-to-client HMAC algorithm: sha1-96. • Preferred compression algorithm between the server and client: zlib. sftp 10.1.1.2 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey 186

Section	Page
Title Page	1
Contents	3
AAA commands	10
General AAA commands	10
accounting command	10
accounting default	11
accounting lan-access	12
accounting login	13
authentication default	14
authentication lan-access	16
authentication login	17
authentication super	18
authorization command	19
authorization default	20
authorization lan-access	22
authorization login	23
display domain	24
domain	26
domain default enable	27
state (ISP domain view)	27
Local user commands	28
authorization-attribute	28
bind-attribute	30
display local-user	31
display user-group	33
group	34
local-user	34
password	36
service-type	37
state (local user view)	38
user-group	39
RADIUS commands	39
accounting-on enable	39
data-flow-format (RADIUS scheme view)	40
display radius scheme	41
display radius statistics	43
key (RADIUS scheme view)	44
nas-ip (RADIUS scheme view)	46
primary accounting (RADIUS scheme view)	47
primary authentication (RADIUS scheme view)	48
radius nas-ip	50
radius scheme	51
radius session-control enable	51
reset radius statistics	52
retry	52
retry realtime-accounting	53
secondary accounting (RADIUS scheme view)	54
secondary authentication (RADIUS scheme view)	56
security-policy-server	57
state primary	58
state secondary	59
timer quiet (RADIUS scheme view)	60
timer realtime-accounting (RADIUS scheme view)	61
timer response-timeout (RADIUS scheme view)	62
user-name-format (RADIUS scheme view)	63
vpn-instance (RADIUS scheme view)	64
HWTACACS commands	64
data-flow-format (HWTACACS scheme view)	64
display hwtacacs scheme	65
hwtacacs nas-ip	67
hwtacacs scheme	68
key (HWTACACS scheme view)	69
nas-ip (HWTACACS scheme view)	70
primary accounting (HWTACACS scheme view)	71
primary authentication (HWTACACS scheme view)	72
primary authorization	73
reset hwtacacs statistics	75
secondary accounting (HWTACACS scheme view)	75
secondary authentication (HWTACACS scheme view)	77
secondary authorization	78
timer quiet (HWTACACS scheme view)	80
timer realtime-accounting (HWTACACS scheme view)	81
timer response-timeout (HWTACACS scheme view)	82
user-name-format (HWTACACS scheme view)	82
vpn-instance (HWTACACS scheme view)	83
LDAP commands	84
authentication-server	84
display ldap scheme	85
ip	86
ipv6	87
ldap scheme	88
ldap server	88
login-dn	89
login-password	90
protocol-version	91
search-base-dn	91
search-scope	92
server-timeout	93
user-parameters	93
802.1X commands	95
display dot1x	95
dot1x	97
dot1x authentication-method	98
dot1x handshake	99
dot1x mandatory-domain	100
dot1x max-user	100
dot1x multicast-trigger	101
dot1x port-control	102
dot1x port-method	103
dot1x quiet-period	103
dot1x re-authenticate	104
dot1x retry	105
dot1x timer	106
dot1x unicast-trigger	107
reset dot1x statistics	108
MAC authentication commands	109
display mac-authentication	109
mac-authentication	111
mac-authentication domain	111
mac-authentication max-user	112
mac-authentication timer	113
mac-authentication user-name-format	114
reset mac-authentication statistics	115
Port security commands	117
display port-security	117
display port-security mac-address block	119
display port-security mac-address security	121
port-security authorization ignore	123
port-security enable	124
port-security intrusion-mode	124
port-security mac-address security	125
port-security max-mac-count	127
port-security ntk-mode	128
port-security oui	128
port-security port-mode	129
port-security timer autolearn aging	132
port-security timer disableport	132
Password control commands	134
display password-control	134
display password-control blacklist	135
password-control { aging \| composition \| history \| length } enable	136
password-control aging	137
password-control alert-before-expire	138
password-control complexity	139
password-control composition	140
password-control enable	142
password-control expired-user-login	142
password-control history	143
password-control length	144
password-control login idle-time	145
password-control login-attempt	146
password-control super aging	147
password-control super composition	148
password-control super length	149
password-control update-interval	150
reset password-control blacklist	150
reset password-control history-record	151
Public key management commands	152
display public-key local public	152
display public-key peer	156
peer-public-key end	157
public-key local create	158
public-key local destroy	161
public-key local export dsa	163
public-key local export rsa	165
public-key peer	167
public-key peer import sshkey	168
SSH commands	169
SSH server commands	169
display ssh server	169
display ssh user-information	170
sftp server enable	171
sftp server idle-timeout	172
ssh server acl	172
ssh server authentication-retries	173
ssh server authentication-timeout	174
ssh server compatible-ssh1x enable	175
ssh server enable	175
ssh server ipv6 acl	176
ssh server rekey-interval	177
ssh user	178
SSH client commands	180
bye	180
cd	180
cdup	181
delete	181
dir	182
display sftp client source	183
display ssh client source	183
exit	184
get	184
help	184
ls	185
mkdir	186
put	187
pwd	187
quit	188
remove	188
rename	188
rmdir	189
scp	189
scp ipv6	191
sftp	194
sftp client ipv6 source	196
sftp client source	196
sftp ipv6	197
ssh client ipv6 source	199
ssh client source	200
ssh2	201
ssh2 ipv6	203
IP source guard commands	206
display ip source binding	206
display ipv6 source binding static	207
ip source binding	208
ip verify source	209
ipv6 source binding	211
ipv6 verify source	212
reset ip source binding	212
reset ipv6 source binding	213
ARP attack protection commands	215
Unresolvable IP attack protection commands	215
arp resolving-route enable	215
arp source-suppression enable	215
arp source-suppression limit	216
display arp source-suppression	217
ARP packet rate limit commands	217
arp rate-limit	217
Source MAC-based ARP attack detection commands	218
arp source-mac	218
arp source-mac aging-time	219
arp source-mac exclude-mac	219
arp source-mac threshold	220
display arp source-mac	220
ARP packet source MAC consistency check commands	221
arp valid-check enable	221
ARP active acknowledgement commands	222
arp active-ack enable	222
ARP detection commands	223
arp detection enable	223
arp detection trust	223
arp detection validate	224
arp restricted-forwarding enable	224
display arp detection	225
display arp detection statistics	225
reset arp detection statistics	226
ARP automatic scanning and fixed ARP commands	227
arp fixup	227
arp scan	228
ARP gateway protection commands	229
arp filter source	229
ARP filtering commands	229
arp filter binding	229
uRPF commands	231
ip urpf	231
display ip urpf	232
FIPS commands	233
display fips status	233
fips mode enable	233
fips self-test	235
IPsec commands	237
ah authentication-algorithm	237
description	238
display ipsec { ipv6-policy \| policy }	238
display ipsec { ipv6-policy-template \| policy-template }	242
display ipsec profile	244
display ipsec sa	245
display ipsec statistics	249
display ipsec transform-set	251
display ipsec tunnel	252
encapsulation-mode	254
esp authentication-algorithm	256
esp encryption-algorithm	257
ike-profile	258
ipsec anti-replay check	258
ipsec anti-replay window	259
ipsec decrypt-check enable	260
ipsec logging packet enable	260
ipsec df-bit	261
ipsec global-df-bit	262
ipsec { ipv6-policy \| policy } (interface view)	263
ipsec { ipv6-policy \| policy } (system view)	263
ipsec { ipv6-policy \| policy } isakmp template	265
ipsec { ipv6-policy \| policy } local-address	266
ipsec { ipv6-policy-template \| policy-template } policy-template	267
ipsec profile	268
ipsec sa global-duration	268
ipsec sa idle-time	269
ipsec transform-set	270
local-address	271
pfs	271
protocol	272
qos pre-classify	273
remote-address	274
reset ipsec sa	275
reset ipsec statistics	276
sa duration	277
sa hex-key authentication	278
sa hex-key encryption	279
sa idle-time	280
sa spi	281
sa string-key	282
security acl	283
transform-set	284
IKE commands	286
authentication-algorithm	286
authentication-method	286
dh	287
display ike proposal	288
display ike sa	289
dpd	292
encryption-algorithm	293
exchange-mode	294
ike dpd	295
ike identity	296
ike invalid-spi-recovery enable	297
ike keepalive interval	298
ike keepalive timeout	298
ike keychain	299
ike limit	300
ike nat-keepalive	301
ike profile	301
ike proposal	302
ike signature-identity from-certificate	303
inside-vpn	304
keychain	304
local-identity	305
match local address (IKE keychain view)	306
match local address (IKE profile view)	307
match remote	308
pre-shared-key	310
priority (IKE keychain view)	311
priority (IKE profile view)	312
proposal	312
reset ike sa	313
sa duration	314
Support and other resources	315
Contacting HP	315
Subscription service	315
Related information	315
Documents	315
Websites	315
Conventions	316
Command conventions	316
GUI conventions	316
Symbols	316
Network topology icons	317
Port numbering in examples	317

Match case Limit results 1 per page

186

prefer-ctos-hmac

: Specifies the preferred client-to-server HMAC algorithm. The default is

sha1

Algorithm

sha1

features stronger security but costs more time in calculation than

md5.

•

md5

: Specifies the HMAC algorithm

hmac-md5

•

md5-96

: Specifies the HMAC algorithm

hmac-md5-96

•

sha1

: Specifies the HMAC algorithm

hmac-sha1

•

sha1-96

: Specifies the HMAC algorithm

hmac-sha1-96

prefer-kex

: Specifies the preferred key exchange algorithm. The default algorithm is

dh-group-exchange

in non-FIPS mode and is

dh-group14

in FIPS mode. Algorithm

dh-group14

features stronger security but

costs more time in calculation than

dh-group1

•

dh-group-exchange

: Specifies the key exchange algorithm

diffie-hellman-group-exchange-sha1

•

dh-group1

: Specifies the key exchange algorithm

diffie-hellman-group1-sha1

•

dh-group14

: Specifies the key exchange algorithm

diffie-hellman-group14-sha1

prefer-stoc-cipher

: Specifies the preferred server-to-client encryption algorithm. The default is

aes128

prefer-stoc-hmac

: Specifies the preferred server-to-client HMAC algorithm. The default is

sha1

publickey

keyname

: Specifies the host public key of the sever, which is used to authenticate the server.

The

keyname

argument is a case-insensitive string of 1 to 64 characters.

source:

Specifies a source IP address or source interface to connect to the server. By default, the packet

to send gets the primary IP address of its outbound interface from the routing table and uses it as the

source IP address. To avoid the communication failure between the client and the server due to interface

faults, use the specified loopback interface as the source interface, and either IP address of the two

interfaces as the source IP address.

interface

interface-type interface-number

: Specifies a source interface by its type and number. The

primary IPv4 address of this interface is the source IP address to send packets.

ip-address

: Specifies a source IPv4 address.

Usage guidelines

When the server adopts publickey authentication to authenticate a client, the client must get the local

private key for digital signature. Because publickey authentication uses RSA or DSA algorithm, you must

specify a public key algorithm (by using the

identity-key

keyword) in order to get the correct data for the

local private key.

Examples

# Connect an SFTP client to the IPv4 SFTP server

10.1.1.2

and specify the public key of the server as

svkey

The SFTP client uses publickey authentication. Use the following algorithms:

•

Preferred key exchange algorithm:

dh-group14

•

Preferred server-to-client encryption algorithm:

aes128

•

Preferred client-to-server HMAC algorithm:

sha1

•

Preferred server-to-client HMAC algorithm:

sha1-96

•

Preferred compression algorithm between the server and client:

zlib.

<Sysname> sftp 10.1.1.2 prefer-kex dh-group14 prefer-stoc-cipher aes128 prefer-ctos-hmac

sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey