HP uses OpenSSH to provide secure access to their ProCurve switches. Unfortunately, they removed support for usernames and broke support for key comments.

The ProCurve has a couple of user accounts: operator and manager. When logged into the ProCurve as manager, the CLI runs in 'enabled' mode; when logged in as operator it runs in 'login' mode, with a subset of the 'enabled' commands, plus the 'enable' command to switch modes. I'm sure for ProCurve/Cisco people this is the way things should be, but it wasn't obvious to me that 'login' means 'not-enabled' means 'operator'. Additionally, the user can assign their own username for each account.

In the default mode, the switch doesn't perform authentication -- anyone connecting via serial port or network connection has full access. If the user enables password authentication, logins prompt for username and password. However, in public-key mode (when the username is automatically supplied by the ssh client), the username is ignored. If the user can authenticate against a key in the manager keyring, their session is enabled. Otherwise, if the user can authenticate against an operator key, they get login mode. If the user cannot authenticate against either keyring, the ProCurve drops the connection.

Complicating matters, before disconnecting the user, the switch spits out a generic banner:

We'd like to keep you up to date about:
  * Software feature updates
  * New product announcements
  * Special events

Please register your products now at:  www.ProCurve.com

I'm sure someone considers this a serious information leak, but I object because it's non-standard and confusing -- failed connections should not emit the same banners as successful logins. This cost me wasted time, as I incorrectly thought authentication had been successful.

Additionally, sshd supports arbitrary comments appended to public keys -- I typically use my username and when the key was created, such as "pepper 2009/09", which makes multi-user management and key expiration much easier. Our switches happily accepted such keys and reformatted them into HP's ProCurve format, but the keys didn't actually work. I later discovered that the switches silently fail on unquoted spaces in comments. Lame!
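
A pre-upload check for the comment problem described above, as an added example that is not part of the original post and is not HP's code. It assumes plain `<type> <base64> [comment]` public-key lines and that replacing whitespace with an underscore is an acceptable workaround; the function names and the sample key are constructed for illustration.

```python
import base64
import binascii
import re
import struct


def split_pubkey(line):
    """Split one '<type> <base64> [comment]' line and sanity-check the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The decoded blob begins with a 4-byte length and the key type string.
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("key type does not match the encoded blob")
    return key_type, blob_b64, comment


def switch_safe(line, filler="_"):
    """Return (line, changed) with whitespace runs in the comment replaced."""
    key_type, blob_b64, comment = split_pubkey(line)
    safe = re.sub(r"\s+", filler, comment)
    fields = [key_type, blob_b64] + ([safe] if safe else [])
    return " ".join(fields), safe != comment


def constructed_blob():
    """Constructed placeholder blob (type string + zero bytes), not a real key."""
    name = b"ssh-rsa"
    raw = struct.pack(">I", len(name)) + name + b"\x00" * 16
    return base64.b64encode(raw).decode()


if __name__ == "__main__":
    sample = "ssh-rsa " + constructed_blob() + " pepper 2009/09"
    fixed, changed = switch_safe(sample)
    print("rewritten" if changed else "unchanged", "->", fixed)
```

Running each key through `switch_safe` before loading it onto a switch flags the comments that would otherwise produce a key that is accepted but never authenticates.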