04-SSH configuration
Contents
Configuring the device as an SSH server
SSH server configuration task list
Generating local DSA or RSA key pairs
Enabling the SSH server function
Enabling the SFTP server function
Configuring the user interfaces for SSH clients
Configuring a client's host public key
Setting the SSH management parameters
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying a source IP address or source interface for the Stelnet client
Establishing a connection to an Stelnet server
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying a source IP address or source interface for the SFTP client
Establishing a connection to an SFTP server
Terminating the connection with the SFTP server
Configuring the device as an SCP client
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
Password authentication enabled SFTP server configuration example
Publickey authentication enabled SFTP client configuration example
SCP file transfer with password authentication
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security. The device can work as an SSH server to provide services to SSH clients, and can work as an SSH client to allow users to establish SSH connections with a remote SSH server. When acting as an SSH server, the device supports SSH2 and SSH1. When acting as an SSH client, the device supports SSH2 only.
The device supports the following SSH applications:
· Secure Telnet—Stelnet provides secure and reliable network terminal access services. Through Stelnet, a user can securely log in to a remote server. Stelnet can protect devices against attacks, such as IP spoofing and plain text password interception. The device can act as an Stelnet server or an Stelnet client.
· Secure File Transfer Protocol—SFTP, based on SSH2, uses SSH connections to provide secure file transfer. The device can serve as an SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
· SCP—Based on SSH2, SCP offers a secure approach to copying files. The device can act as an SCP server, allowing a user to log in to the device for file upload and download. The device can also act as an SCP client, enabling a user to log in from the device to a remote server for secure file transfer.
How SSH works
This section uses SSH2 as an example to list the stages involved in secure session establishment between an SSH client and an SSH server. For more information about these stages, see SSH Technology White Paper.
Table 1 Stages involved in secure session establishment

Stages | Description
---|---
Connection establishment | The SSH server listens to the connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.
Version negotiation | The two parties determine a version to use after negotiation.
Algorithm negotiation | SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
Key exchange | The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well.
Authentication | The SSH server authenticates the client in response to the client's authentication request.
Session request | After passing the authentication, the client sends a session request to the server to request the establishment of a session (or request the Stelnet, SFTP, or SCP service).
Interaction | After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.
SSH authentication methods
When the device acts as an SSH server, it supports the following authentication methods:
· Password authentication—The SSH server authenticates a client through the AAA mechanism. In a password authentication, an SSH client encrypts and encapsulates its username and password into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to get the username and password in plain text, examines the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.
If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter the specified password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.
For more information about AAA, see "Configuring AAA."
NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
· Publickey authentication—The server authenticates a client by the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server informs the client of the authentication result. The device supports using the public key algorithms RSA and DSA for digital signature.
For more information about public key configuration, see "Managing public keys."
· Password-publickey authentication—The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.
· Any authentication—The server requires clients to pass either password authentication or publickey authentication.
Configuring the device as an SSH server
You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet, SFTP, or SCP server unless otherwise specified.
SSH server configuration task list
Tasks at a glance | Remarks
---|---
(Required.) Generating local DSA or RSA key pairs | N/A
(Required.) Enabling the SSH server function | Required for Stelnet, SFTP, and SCP servers.
(Required.) Enabling the SFTP server function | Required for SFTP server.
(Required.) Configuring the user interfaces for SSH clients | N/A
(Required.) Configuring a client's host public key | Required for users that use publickey authentication, whether together with password authentication or not.
(Required/optional.) Configuring an SSH user | Required for users that use publickey authentication, whether together with password authentication or not. Optional for users that use only password authentication.
(Optional.) Setting the SSH management parameters | N/A
Generating local DSA or RSA key pairs
The DSA or RSA key pairs are required for generating the session key and session ID in the key exchange stage, and can also be used by a client to authenticate the server. When a client tries to authenticate the server, it compares the public key that it receives from the server with the server public key that it saved locally. If the keys are consistent, the client uses the public key to verify the digital signature that it receives from the server. If the digital signature verifies, the authentication succeeds.
To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
Configuration guidelines
· Key pairs used in SSH are defaulted. For more information about the commands that are used to generate keys, see Security Command Reference.
· The public-key local create rsa command generates a server key pair and a host key pair for RSA. SSH1 uses the public key in the server key pair of the SSH server to encrypt the session key before transmitting the session key. Because SSH2 uses the DH algorithm to separately generate the session key on the SSH server and the client, no session key transmission is required and thus the server key pair is not used in SSH2.
· The public-key local create dsa command generates only a host key pair. SSH1 does not support the DSA algorithm.
· The key modulus length must be less than 2048 bits when you use the public-key local create dsa command to generate the DSA key pair on the SSH server.
Configuration procedure
To generate local DSA or RSA key pairs on the SSH server:
1. Enter system view.
   Command: system-view
2. Generate local DSA or RSA key pairs.
   Command: public-key local create { dsa | rsa }
   Remarks: By default, no key pairs exist.
Enabling the SSH server function
The SSH server function on the device allows clients to communicate with the device through SSH.
A device that acts as an SSH server does not support SFTP or SCP connections initiated by SSH1 clients.
To enable the SSH server function:
1. Enter system view.
   Command: system-view
2. Enable the SSH server function.
   Command: ssh server enable
   Remarks: By default, the SSH server function is disabled.
Enabling the SFTP server function
The SFTP server function enables clients to log in to the device through SFTP.
To enable the SFTP server function:
1. Enter system view.
   Command: system-view
2. Enable the SFTP server function.
   Command: sftp server enable
   Remarks: By default, the SFTP server function is disabled.
Configuring the user interfaces for SSH clients
An SSH client accesses the device through a virtual type terminal (VTY) user interface. You must configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only for the clients at next login.
To configure the user interfaces for SSH clients:
1. Enter system view.
   Command: system-view
2. Enter VTY user interface view.
   Command: user-interface vty number [ ending-number ]
3. Set the login authentication mode to scheme.
   Command: authentication-mode scheme
   Remarks: By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
Configuring a client's host public key
If the server uses publickey authentication to authenticate a client, it compares the SSH username and host public key that it receives from the client with those saved locally. If the information is consistent, it verifies the digital signature that the client sends. The client calculates the digital signature with the private key that corresponds to the host public key.
For SSH servers that use publickey authentication, password-publickey authentication, or any authentication, you must configure the client's DSA or RSA host public key on the server, and specify the corresponding host private key on the client to generate the digital signature, so that the client can pass publickey authentication with a correct digital signature. If the device serves as the client, the host private key it uses is selected by the public key algorithm you specify when establishing the connection.
You can manually configure the host public key of an SSH client on the server, or import it from the public key file:
· Manually configuring the host public key—You can type or copy the client's host public key from the client to the SSH server. The host public key must be in the DER encoding format without being converted.
If you use the device to act as the client, you can use the display public-key local public command to display the host public key and copy its contents to the server. A host public key obtained in other ways might be in incorrect format and cannot be saved on the server. H3C recommends you import a client's host public key from the public key file of the client.
· Importing the host public key—You can upload the client's public key file (in binary) to the server, for example, through FTP or TFTP, and import the host public key from the public key file. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
H3C recommends that you configure no more than 20 SSH client host public keys on an SSH server.
To manually configure a client's host public key:
1. Enter system view.
   Command: system-view
2. Enter public key view.
   Command: public-key peer keyname
3. Configure a client's host public key.
   Command: Enter the content of the host public key.
   Remarks: When you enter the contents for a host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces and carriage returns are removed automatically. For more information, see "Managing public keys."
4. Return to system view.
   Command: peer-public-key end
To import a client's host public key from a public key file:
1. Enter system view.
   Command: system-view
2. Import a client's public key from a public key file.
   Command: public-key peer keyname import sshkey filename
Configuring an SSH user
To configure an SSH user that uses publickey authentication, perform the procedure in this section.
To configure an SSH user that uses publickey authentication, you must create a local user that has the same username as the SSH user to assign the working directory and user role.
To configure an SSH user that uses password authentication, whether together with publickey authentication or not, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. In either case, the local user or the SSH user configured for remote authentication must have the same username as the SSH user.
For password-only SSH users, you do not need to perform the procedure in this section to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
Configuration guidelines
When you perform the procedure in this section to configure an SSH user, follow these guidelines:
· An SSH server supports up to 1024 SSH users.
· For an SFTP or SCP user, the working directory depends on the authentication method:
    · If only password authentication is used, the working directory is authorized by AAA.
    · If publickey authentication, whether with password authentication or not, is used, the working folder is specified by the authorization-attribute command in the associated local user view.
· For an SFTP or Stelnet user, the user role also depends on the authentication method:
    · If only password authentication is used, the user role is authorized by the remote AAA server or the local device.
    · If publickey authentication, whether with password authentication or not, is used, the user role is specified by the authorization-attribute command in the associated local user view.
· If you change the authentication method or public key for an SSH user that has been logged in, the change can take effect only at the next login of the user.
· All authentication methods except password authentication require a client's host public key to be specified. For more information about host public keys, see "Configuring a client's host public key."
For how to configure local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
1. Enter system view.
   Command: system-view
2. Create an SSH user, and specify the service type and authentication method.
   Command: ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
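The following is an added, complete server-side example that is not from the original document. It ties together the procedures in "Configuring a client's host public key" and this section: it imports a client's RSA host public key from an uploaded key file, creates the local user of the same name that carries the user role, and binds the SSH user to the imported key so that it must pass publickey authentication. The file name client001.pub, the username client001 and the public key name client001key are assumed values, and the key file is assumed to have already been uploaded to the device (for example through FTP or TFTP, as described above).

```text
# Import the client's host public key from the uploaded file client001.pub
# (assumed file name) and store it on the server under the name client001key.
<Switch> system-view
[Switch] public-key peer client001key import sshkey client001.pub
# Create a local user with the same name as the SSH user. For publickey
# authentication the user role (and, for SFTP or SCP users, the working
# directory) comes from this user's authorization attributes, not from AAA.
[Switch] local-user client001 class manage
[Switch-luser-manage-client001] service-type ssh
[Switch-luser-manage-client001] authorization-attribute user-role network-admin
[Switch-luser-manage-client001] quit
# Bind the SSH user to the imported key and restrict it to the Stelnet service.
# A client that cannot produce a signature with the matching private key is rejected.
[Switch] ssh user client001 service-type stelnet authentication-type publickey assign publickey client001key
# Verify the service type, authentication method and assigned key.
[Switch] display ssh user-information client001
```

Because the key is bound to one username and one service type, a compromised password on an AAA server cannot be used to reach this account, and the display command gives a quick way to audit which key each SSH user is tied to.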
Setting the SSH management parameters
Setting the SSH management parameters can improve the security of SSH connections. The SSH management parameters include:
· Whether the SSH server is compatible with SSH1 clients.
· RSA server key pair update interval, applicable to users using SSH1 clients.
· SSH user authentication timeout period. You can set this parameter to reject a connection if the authentication for the connection has not been finished when the timeout period expires.
· Maximum number of SSH authentication attempts. You can set this parameter to prevent malicious password cracking. If any authentication is used, the total number of both publickey and password authentication attempts cannot exceed the configured upper limit.
· ACL for SSH clients. You can configure an ACL to filter SSH clients which initiate connections with the SSH server.
· SFTP connection idle timeout period. When the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.
To set the SSH management parameters:
1. Enter system view.
   Command: system-view
2. Enable the SSH server to support SSH1 clients.
   Command: ssh server compatible-ssh1x enable
   Remarks: By default, the SSH server supports SSH1 clients.
3. Set the RSA server key pair update interval.
   Command: ssh server rekey-interval hours
   Remarks: By default, the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period.
   Command: ssh server authentication-timeout time-out-value
   Remarks: The default setting is 60 seconds.
5. Set the maximum number of SSH authentication attempts.
   Command: ssh server authentication-retries times
   Remarks: The default setting is 3.
6. Configure an ACL for IPv4 SSH clients.
   Command: ssh server acl acl-number
   Remarks: By default, all IPv4 SSH users are allowed to initiate connections with the SSH server.
7. Configure an ACL for IPv6 SSH clients.
   Command: ssh server ipv6 acl [ ipv6 ] acl-number
   Remarks: By default, all IPv6 SSH users are allowed to initiate connections with the SSH server.
8. Configure the SFTP connection idle timeout period.
   Command: sftp server idle-timeout time-out-value
   Remarks: The default setting is 10 minutes.
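As an added example that is not from the original document, the following configuration applies the management parameters above with settings tightened for a server reachable from an untrusted network: SSH1 compatibility is turned off, the authentication timeout and retry limit are reduced below their defaults, IPv4 management access is restricted to a single subnet by a basic ACL, and idle SFTP sessions are dropped sooner. The undo form of the compatibility command, the ACL creation commands (acl number 2000, rule permit source ..., rule deny) with their view prompt, and the subnet 192.168.1.0/24 are assumptions; check the ACL configuration guide for your software version.

```text
<Switch> system-view
# Refuse SSH1 clients. SSH1 ships the session key encrypted with the server key
# pair instead of using DH, and cannot be held to password-publickey authentication,
# so it is disabled here (the undo form is assumed).
[Switch] undo ssh server compatible-ssh1x enable
# Give a client 30 seconds (default 60) to finish authenticating before the
# connection is dropped, limiting how long half-open sessions occupy the server.
[Switch] ssh server authentication-timeout 30
# Allow two authentication attempts per connection (default 3) to slow password guessing.
[Switch] ssh server authentication-retries 2
# Basic IPv4 ACL that permits only the assumed management subnet (assumed syntax).
[Switch] acl number 2000
[Switch-acl-basic-2000] rule permit source 192.168.1.0 0.0.0.255
[Switch-acl-basic-2000] rule deny
[Switch-acl-basic-2000] quit
# Apply the ACL so that only clients from that subnet can open SSH connections.
[Switch] ssh server acl 2000
# Tear down SFTP sessions that stay idle for more than 5 minutes (default 10).
[Switch] sftp server idle-timeout 5
# Confirm the resulting server state.
[Switch] display ssh server status
```

Apply the ACL last and from a session that originates inside the permitted subnet, since the filter takes effect for new connections and a mistyped rule can lock administrators out of the SSH service.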
Configuring the device as an Stelnet client
Stelnet client configuration task list
Tasks at a glance
---
(Optional.) Specifying a source IP address or source interface for the Stelnet client
(Required.) Establishing a connection to an Stelnet server
Specifying a source IP address or source interface for the Stelnet client
By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server. You can specify a source IP address or source interface for the client to communicate with the server. To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends you to specify a loopback interface as the source interface.
To specify a source IP address or source interface for the Stelnet client:
1. Enter system view.
   Command: system-view
2. Specify a source address or source interface for the Stelnet client. Use either command:
   · Specify a source IPv4 address or source interface for the Stelnet client:
   · Specify a source IPv6 address or source interface for the Stelnet client:
   Remarks: By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server.
Establishing a connection to an Stelnet server
You can start the Stelnet client to establish a connection to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.
When an Stelnet client accesses an Stelnet server, it uses the locally saved host public key of the server to authenticate the server. When acting as an Stelnet client, the device supports the first authentication by default. When the device accesses an Stelnet server for the first time but it is not configured with the host public key of the SSH server, it can access the server and locally save the server's host public key for future use. In a secure network, the first authentication can simplify the configuration on the SSH client, but it is not reliable.
To establish a connection to an Stelnet server:
Task: Establish a connection to an Stelnet server. Use either command (available in user view):
· Establish a connection to an IPv4 Stelnet server:
· Establish a connection to an IPv6 Stelnet server:
Configuring the device as an SFTP client
SFTP client configuration task list
Tasks at a glance
---
(Optional.) Specifying a source IP address or source interface for the SFTP client
(Required.) Establishing a connection to an SFTP server
(Optional.) Working with SFTP directories
(Optional.) Working with SFTP files
(Optional.) Displaying help information
(Optional.) Terminating the connection with the SFTP server
Specifying a source IP address or source interface for the SFTP client
By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server when communicating with the SFTP server. You can specify a source IP address or source interface for the client to communicate with the server. To make sure that the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends you to specify a loopback interface as the source interface.
To specify a source IP address or source interface for the SFTP client:
1. Enter system view.
   Command: system-view
2. Specify a source address or interface for the SFTP client. Use either command:
   · Specify a source IPv4 address or interface for the SFTP client:
   · Specify a source IPv6 address or interface for the SFTP client:
   Remarks: By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server when communicating with the SFTP server.
Establishing a connection to an SFTP server
You can start the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm. After the connection is established, you can directly enter SFTP client view on the server to perform operations, such as working with directories or files.
When an SFTP client accesses an SFTP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SFTP client, the device supports the first authentication by default. When the device accesses an SFTP server for the first time but it is not configured with the host public key of the SFTP server, it can access the server and locally save the server's host public key for future use. In a secure network, the first authentication can simplify the configuration on the SFTP client, but it is not reliable.
To establish a connection to an SFTP server:
Task: Establish a connection to an SFTP server. Use either command (available in user view):
· Establish a connection to an IPv4 SFTP server:
· Establish a connection to an IPv6 SFTP server:
Working with SFTP directories
All of the following commands are available in SFTP client view.
· Change the working directory on the SFTP server.
  Command: cd [ remote-path ]
· Return to the upper-level directory.
  Command: cdup
· Display the current working directory on the SFTP server.
  Command: pwd
· Display files under a specified directory.
  Commands: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]
  Remarks: The dir command functions as the ls command.
· Change the name of a specified directory on the SFTP server.
  Command: rename oldname newname
· Create a new directory on the SFTP server.
  Command: mkdir remote-path
· Delete one or more directories from the SFTP server.
  Command: rmdir remote-path
Working with SFTP files
All of the following commands are available in SFTP client view.
· Change the name of a specified file on the SFTP server.
  Command: rename old-name new-name
· Download a file from the remote server and save it locally.
  Command: get remote-file [ local-file ]
· Upload a local file to the SFTP server.
  Command: put local-file [ remote-file ]
· Display the files under a specified directory.
  Commands: dir [ -a | -l ] [ remote-path ] or ls [ -a | -l ] [ remote-path ]
  Remarks: The dir command functions as the ls command.
· Delete one or more files from the SFTP server.
  Commands: delete remote-file or remove remote-file
  Remarks: The delete command functions as the remove command.
Displaying help information
This configuration task displays the help information of an SFTP client command, such as the command format and parameters.
To display the help information:
Task: Display the help information of an SFTP client command.
Commands: help or ?
Remarks: Use either command. Available in SFTP client view. These two commands function in the same way.
Terminating the connection with the SFTP server
Task: Terminate the connection with the SFTP server and return to user view.
Commands: bye, exit, or quit
Remarks: Use one of the commands. Available in SFTP client view. These three commands function in the same way.
Configuring the device as an SCP client
This section describes how to configure the device as an SCP client and transfer files with an SCP server.
When an SCP client accesses an SCP server, it uses the locally saved host public key of the server to authenticate the server. When acting as an SCP client, the device supports the first authentication by default. When the device accesses an SCP server for the first time but it is not configured with the host public key of the SCP server, it can access the server and locally save the server's host public key for future use. In a secure network, the first authentication can simplify the configuration on the SCP client, but it is not reliable.
To transfer files with an SCP server:
Task: Connect to the SCP server, and transfer files with the server. Use either command (available in user view):
· Connect to the IPv4 SCP server, and transfer files with this server:
· Connect to the IPv6 SCP server, and transfer files with this server:
Displaying and maintaining SSH
Execute display commands in any view.
· Display the source IP address or source interface information configured for the SFTP client.
  Command: display sftp client source
· Display the source IP address or source interface information configured for the Stelnet client.
  Command: display ssh client source
· Display SSH server status information or session information on an SSH server.
  Command: display ssh server { session | status }
· Display SSH user information on the SSH server.
  Command: display ssh user-information [ username ]
· Display the public keys of the local key pairs.
  Command: display public-key local { dsa | rsa } public [ name publickey-name ]
· Display the public keys of the SSH peers.
  Command: display public-key peer [ brief | name publickey-name ]
Stelnet configuration examples
This section provides examples of configuring Stelnet on switches.
IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.
Password authentication enabled Stelnet server configuration example
Network requirements
As shown in Figure 1, you can log in to Switch through the Stelnet client that runs on the host and are assigned the user role network-admin for configuration management. Switch acts as the Stelnet server and uses password authentication. The username and password of Switch are saved on the switch.
Configuration procedure
1. Configure the Stelnet server:
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
# Enable the SSH server function.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2, which the Stelnet client will use as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Create a local device management user client001 with the plaintext password aabbcc, the service type ssh, and the user role network-admin.
[Switch] local-user client001 class manage
[Switch-luser-manage-client001] password simple aabbcc
[Switch-luser-manage-client001] service-type ssh
[Switch-luser-manage-client001] authorization-attribute user-role network-admin
[Switch-luser-manage-client001] quit
# (Optional.) Create the SSH user client001 with the service type as stelnet, and the authentication method as password.
[Switch] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection to the Stelnet server:
A variety of Stelnet client software is available, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY Version 0.58.
To establish a connection to the Stelnet server:
a. Launch PuTTY.exe to enter the interface as shown in Figure 2.
b. In the Host Name (or IP address) field, enter the IP address (192.168.1.40) of the Stelnet server.
Figure 2 Specifying the host name (or IP address)
c. Click Open to connect to the server.
If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001 in this case) and password (aabbcc in this case), you can enter the command-line interface of the server.
Publickey authentication enabled Stelnet server configuration example
Network requirements
As shown in Figure 3, you can log in to the switch through the Stelnet client (SSH2) that runs on the host and are assigned the user role network-admin for configuration management. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
A variety of Stelnet client software is available, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY Version 0.58.
The configuration procedure is as follows:
1. Generate the RSA key pairs on the Stelnet client:
a. Run PuTTYGen.exe on the client, select SSH-2 RSA and click Generate.
Figure 4 Generating a key pair on the client
When the generator is generating the key pair, you must continuously move the mouse and keep the mouse off the green progress bar shown in Figure 5. Otherwise, the progress bar stops moving and the key pair generating progress stops.
b. After the key pair is generated, click Save public key, enter a file name (key.pub in this case), and click Save.
Figure 6 Saving a key pair on the client
c. Click Save private key to save the private key.
A warning window pops up to prompt you whether to save the private key without any protection.
d. Click Yes, enter a file name (private.ppk in this case), and click Save.
e. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Enable the SSH server function.
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 2, which the Stelnet client will use as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode for the user interfaces to AAA.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Import the client's public key from file key.pub and name it switchkey.
[Switch] public-key peer switchkey import sshkey key.pub
# Create SSH user client002 with the authentication method as publickey, and assign the public key switchkey to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user client002 with the service type as ssh and the user role as network-admin.
[Switch] local-user client002 class manage
[Switch-luser-manage-client002] service-type ssh
[Switch-luser-manage-client002] authorization-attribute user-role network-admin
[Switch-luser-manage-client002] quit
3. Specify the private key file and establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure 7.
b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server (192.168.1.40).
Figure 7 Specifying the host name (or IP address)
c. Select Connection > SSH > Auth from the navigation tree.
The window as shown in Figure 8 appears.
d. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this case) and click OK.
Figure 8 Specifying the private key file
e. Click Open to connect to the server.
If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the command-line interface of the server.
Password authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 9, you can log in to Switch B through the Stelnet client that runs on Switch A and are assigned the user role network-admin for configuration management. Switch B acts as the Stelnet server and uses password authentication. The username and password of the client are saved on Switch B.
Configuration procedure
1. Configure the Stelnet server:
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Enable the SSH server function.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode for the user interfaces to AAA.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] quit
# Create a local device management user client001 with the plaintext password as aabbcc, the service type as ssh, and the user role as network-admin.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] password simple aabbcc
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# (Optional.) Create the SSH user client001 with the service type as stelnet and the authentication method as password.
[SwitchB] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection to the Stelnet server:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
You can determine whether to configure the host public key of the server on the client before establishing a connection to the server.
- If you do not configure the host public key of the server on the client, establish an SSH connection to the Stelnet server (192.168.1.40). Select Yes to access the server without authenticating the server, and locally save the host public key of the server.
<SwitchA> ssh2 192.168.1.40
Username: client001
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
After you enter the correct password, you log in to Switch B successfully. Because the host public key of the server is now saved locally, the client uses it to authenticate the server on later logins, and you log in after entering the correct password.
- If you configure the host public key of the server on the client, enter public key view and enter the host public key of the server, which is displayed by using the display public-key local dsa public command on the server.
[SwitchA] public-key peer key1
Enter public key view. Return to system view with "peer-public-key end" command.
[SwitchA-pkey-public-key-key1]308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F0
[SwitchA-pkey-public-key-key1]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274
[SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E
[SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C
[SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95
[SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5
[SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9
[SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917
[SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server 192.168.1.40 and specify the host public key of the server.
<SwitchA> ssh2 192.168.1.40 publickey key1
Username: client001
client001@192.168.1.40's password:
After you enter the correct password, you successfully log in to Switch B.
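The hex pasted into public key view above is the DER-encoded DSA SubjectPublicKeyInfo that display public-key local dsa public prints on the server. What the client actually pins is that key's SSH wire blob, and the practical way to compare it out of band is a fingerprint. The following Python is an added example, not code from this documentation or from the switch: it parses the key with a minimal DER reader, rebuilds the RFC 4253 "ssh-dss" blob, computes the OpenSSH-style SHA256 fingerprint (the same value modern OpenSSH tools print for the equivalent known_hosts line), runs cheap DSA parameter sanity checks, and shows the known-hosts style comparison that turns the "The server is not authenticated" prompt into a detectable host-key mismatch on later connections. The check_host_key function, the dictionary it consults and the known_hosts line printed at the end are illustrative constructions, not device features.

```python
"""Parse the DSA host public key a Comware switch prints as DER hex, rebuild the
SSH wire blob, fingerprint it, and apply a known-hosts style check (added example)."""
import base64
import hashlib

# Constructed from the hex pasted into public key view in the example above:
# the eleven 80-character lines plus the trailing "485348".
SERVER_DSA_KEY_HEX = (
    "308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F0"
    "61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274"
    "DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E"
    "EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C"
    "737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95"
    "94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5"
    "B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9"
    "B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917"
    "E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD"
    "D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290"
    "E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D"
    "485348"
)
DSA_OID = "1.2.840.10040.4.1"  # id-dsa, the only algorithm this parser accepts


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the body of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode a DER-encoded OID into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_dsa_spki(der):
    """Return (p, q, g, y) from a DSA SubjectPublicKeyInfo; reject other algorithms."""
    tag, spki, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("expected a SubjectPublicKeyInfo SEQUENCE")
    (_, alg), (_, bits) = der_children(spki)        # AlgorithmIdentifier, BIT STRING
    (_, oid_raw), (_, params) = der_children(alg)   # OID, Dss-Parms SEQUENCE {p, q, g}
    if decode_oid(oid_raw) != DSA_OID:
        raise ValueError("not a DSA key, OID is " + decode_oid(oid_raw))
    p, q, g = (int.from_bytes(v, "big") for _, v in der_children(params))
    _, y_raw, _ = der_read(bits, 1)                 # skip the unused-bits byte, read INTEGER y
    return p, q, g, int.from_bytes(y_raw, "big")


def ssh_string(b):
    """RFC 4251 string: 4-byte big-endian length prefix."""
    return len(b).to_bytes(4, "big") + b


def ssh_mpint(n):
    """RFC 4251 mpint: two's complement, so a leading 0x00 when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"")


def ssh_dss_blob(p, q, g, y):
    """RFC 4253 section 6.6 wire encoding of a DSA public key ("ssh-dss")."""
    return ssh_string(b"ssh-dss") + b"".join(ssh_mpint(x) for x in (p, q, g, y))


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: SHA-256 of the wire blob, base64 without padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def dsa_params_consistent(p, q, g, y):
    """Cheap sanity checks: q divides p-1, and g and y lie in the order-q subgroup."""
    return (p - 1) % q == 0 and pow(g, q, p) == 1 and 1 < y < p and pow(y, q, p) == 1


def check_host_key(known, host, blob):
    """Known-hosts style decision (illustrative): 'new', 'match' or 'MISMATCH'."""
    fp = fingerprint_sha256(blob)
    return "new" if host not in known else ("match" if known[host] == fp else "MISMATCH")


def analyse(hex_key=SERVER_DSA_KEY_HEX):
    """Parse the key and return the facts an operator would compare out of band."""
    p, q, g, y = parse_dsa_spki(bytes.fromhex(hex_key))
    blob = ssh_dss_blob(p, q, g, y)
    return {"p_bits": p.bit_length(), "q_bits": q.bit_length(), "blob": blob,
            "fingerprint": fingerprint_sha256(blob),
            "params_ok": dsa_params_consistent(p, q, g, y)}


if __name__ == "__main__":
    r = analyse()
    print(f"DSA p/q: {r['p_bits']}/{r['q_bits']} bits, parameters consistent: {r['params_ok']}")
    print("fingerprint:", r["fingerprint"])
    print("known_hosts line: 192.168.1.40 ssh-dss", base64.b64encode(r["blob"]).decode())
    print(check_host_key({"192.168.1.40": r["fingerprint"]}, "192.168.1.40", r["blob"]))
```

Record the fingerprint from the server side (where the key was generated) and compare it with what the client computes before answering Y to the unauthenticated-server prompt; a later "MISMATCH" on the same host is the signal to investigate rather than re-accept.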
Publickey authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 10, you can log in to Switch B through the Stelnet client that runs on Switch A and are assigned the user role network-admin for configuration management. Switch B acts as the Stelnet server and uses publickey authentication and the DSA public key algorithm.
Configuration procedure
In the server configuration, the client public key is required. Use the client software to generate a DSA key pair on the client before configuring the Stelnet server.
1. Configure the Stelnet client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate a DSA key pair.
[SwitchA] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Export the DSA host public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
Then, transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048)
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Enable SSH server function.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode for the user interfaces to AAA.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] quit
# Import the peer public key from the file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create the SSH user client002 with the authentication method as publickey, and assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user client002 with the service type as ssh and the user role as network-admin.
[SwitchB] local-user client002 class manage
[SwitchB-luser-manage-client002] service-type ssh
[SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client002] quit
3. Establish an SSH connection to the Stelnet server (192.168.1.40).
<SwitchA> ssh2 192.168.1.40
Username: client002
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
You can log in to Switch B successfully for the first time without configuring its host public key, because the client supports the first authentication by default.
SFTP configuration examples
This section provides examples of configuring SFTP on switches.
IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.
Password authentication enabled SFTP server configuration example
Network requirements
As shown in Figure 11, you can log in to the switch through the SFTP client that runs on the host and are assigned the user role network-admin to execute file management and transfer operations. The switch acts as the SFTP server and uses password authentication. The username and password of the client are saved on the switch.
Configuration procedure
1. Configure the SFTP server:
# Generate the RSA key pairs.
<Switch> system-view
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Enable the SSH server function.
[Switch] ssh server enable
# Enable the SFTP server.
[Switch] sftp server enable
# Assign an IP address to VLAN-interface 2, which the client will use as the destination for SSH connection.
[Switch] interface vlan-interface 2
[Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0
[Switch-Vlan-interface2] quit
# Set the authentication mode of the user interfaces to AAA.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] quit
# Create a local device management user named client002 with the plaintext password as aabbcc, the service type as ssh, the user role as network-admin, and the working directory as flash:/.
[Switch] local-user client002 class manage
[Switch-luser-manage-client002] password simple aabbcc
[Switch-luser-manage-client002] service-type ssh
[Switch-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
[Switch-luser-manage-client002] quit
# Create the SSH user client002 with the authentication method as password and service type as sftp.
[Switch] ssh user client002 service-type sftp authentication-type password
2. Establish a connection between the SFTP client and the SFTP server:
The device supports a variety of SFTP client software. This example uses an SFTP client that runs PSFTP of PuTTY Version 0.58.
NOTE: PSFTP supports only password authentication.
To establish a connection to the SFTP server:
a. Run the psftp.exe to launch the client interface as shown in Figure 12, and enter the following command:
open 192.168.1.45
b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 12 SFTP client interface
Publickey authentication enabled SFTP client configuration example
Network requirements
As shown in Figure 13, you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network-admin to execute file management and transfer operations. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate the RSA key pairs on the client before configuring the SFTP server.
1. Configure the SFTP client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate the RSA key pairs.
[SwitchA] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Export the host public key to the file pubkey.
[SwitchA] public-key local export rsa ssh2 pubkey
[SwitchA] quit
# Transmit the public key file pubkey to the server through FTP or TFTP. (Details not shown.)
2. Configure the SFTP server:
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
# Enable the SSH server function.
[SwitchB] ssh server enable
# Enable the SFTP server function.
[SwitchB] sftp server enable
# Assign an IP address to VLAN-interface 2, which the SSH client will use as the destination for SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode on the user interfaces to AAA.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] quit
# Import the peer public key from the file pubkey, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey pubkey
# Create the SSH user client001 with the service type as sftp, authentication method as publickey, and public key as switchkey.
[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey switchkey
# Create a local device management user client001 with the service type ssh, the user role as network-admin, and the working directory as flash:/.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin work-directory flash:/
[SwitchB-luser-manage-client001] quit
3. Establish a connection to the SFTP server:
# Establish a connection to the SFTP server and enter SFTP client view.
<SwitchA> sftp 192.168.0.1 identity-key rsa
Username: client001
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp>
# Display files under the current directory of the server, delete the file named z, and check if the file has been successfully deleted.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp> delete z
Removing /z
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Add a directory named new1 and check if it has been successfully created.
sftp> mkdir new1
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
# Rename directory new1 to new2 and check if the directory has been successfully renamed.
sftp> rename new1 new2
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
# Download the file pubkey2 from the server and save it as a local file public.
sftp> get pubkey2 public
Fetching /pubkey2 to public
/pubkey2 100% 225 1.4KB/s 00:00
# Upload the local file pu to the server, save it as puk, and check if the file has been successfully uploaded.
sftp> put pu puk
Uploading pu to /puk
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
sftp>
# Exit SFTP client view.
sftp> quit
<SwitchA>
SCP file transfer with password authentication
IMPORTANT: By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.
Network requirements
As shown in Figure 14, Switch A acts as the SCP client, and Switch B acts as the SCP server. A user can securely transfer files with Switch B through Switch A. Switch B uses the password authentication method, and the client's username and password are saved on Switch B.
Configuration procedure
1. Configure the SCP server:
# Generate the RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
# Enable the SSH server function.
[SwitchB] ssh server enable
# Configure an IP address for VLAN-interface 2, which the client will use as the destination for SCP connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode of the user interface to AAA.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] quit
# Create a local device management user named client001 with the plaintext password as aabbcc and service type as ssh.
[SwitchB] local-user client001 class manage
[SwitchB-luser-manage-client001] password simple aabbcc
[SwitchB-luser-manage-client001] service-type ssh
[SwitchB-luser-manage-client001] quit
# (Optional.) Configure the SSH user client001 with service type as scp and authentication method as password.
[SwitchB] ssh user client001 service-type scp authentication-type password
2. Configure an IP address for VLAN-interface 2 on the SCP client.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
3. Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin.
<SwitchA> scp 192.168.0.1 get remote.bin local.bin
Username: client001
Connected to 192.168.0.1 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter password:
18471 bytes transfered in 0.001 seconds.