Login
- Table of Contents
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 10-SSH configuration | 485.02 KB |
Contents
Configuring the device as an SSH server
SSH server configuration task list
Specifying the SSH service port
Configuring the user lines for SSH login
Configuring a client's host public key
Configuring the SSH management parameters
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying the source IP address for SSH packets
Establishing a connection to an Stelnet server
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying the source IP address for SFTP packets
Establishing a connection to an SFTP server
Terminating the connection with the SFTP server
Configuring the device as an SCP client
SCP client configuration task list
Establishing a connection to an SCP server
Specifying algorithms for SSH2
Specifying key exchange algorithms for SSH2
Specifying public key algorithms for SSH2
Specifying encryption algorithms for SSH2
Specifying MAC algorithms for SSH2
Displaying and maintaining SSH
Stelnet configuration examples
Configuring the device as an Stelnet server (password authentication)
Configuring the device as an Stelnet server (publickey authentication)
Configuring the device as an Stelnet client (password authentication)
Configuring the device as an Stelnet client (publickey authentication)
Configuring the device as an SFTP server (password authentication)
Configuring the device as an SFTP client (publickey authentication)
Configuring SCP with password authentication
Configuring NETCONF over SSH with password authentication
Configuring SSH
Overview
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network.
SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
The device supports the following SSH applications:
· Secure Telnet—Stelnet provides secure and reliable network terminal access services. Through Stelnet, a user can securely log in to a remote server. Stelnet can protect devices against attacks, such as IP spoofing and plain text password interception. The device can act as an Stelnet server or an Stelnet client.
· Secure File Transfer Protocol—Based on SSH2, SFTP uses SSH connections to provide secure file transfer. The device can act as an SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also act as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.
· Secure Copy—Based on SSH2, SCP offers a secure method to copy files. The device can act as an SCP server, allowing a user to log in to the device for file upload and download. The device can also act as an SCP client, enabling a user to log in from the device to a remote device for secure file transfer.
· NETCONF over SSH—Based on SSH2, it enables users to securely log in to the device through SSH and perform NETCONF operations on the device through the NETCONF-over-SSH connections. The device can act only as a NETCONF-over-SSH server. For more information about NETCONF, see Network Management and Monitoring Configuration Guide.
When acting as an SSH client or server, the device supports the following SSH versions:
· When acting as an SSH client, the device supports only SSH2.
· When acting as an Stelnet, SFTP, or SCP server, the device supports both SSH2 and SSH1 in non-FIPS mode and only SSH2 in FIPS mode.
· When acting as a NETCONF-over-SSH server, the device supports only SSH2.
How SSH works
This section uses SSH2 as an example to describe the stages to establish an SSH session. For more information about these stages, see SSH Technology White Paper.
Table 1 Stages to establish an SSH session
|
Stages |
Description |
|
Connection establishment |
The SSH server listens to connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection. |
|
Version negotiation |
The two parties determine a version to use. |
|
Algorithm negotiation |
SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms: · Key exchange algorithm for generating session keys. · Encryption algorithm for encrypting data. · Public key algorithm for the digital signature and authentication. · HMAC algorithm for protecting data integrity. |
|
Key exchange |
The two parties use the DH exchange algorithm to dynamically generate the session keys and session ID. · The session keys are used for protecting data transfer. · The session ID is used for identifying the SSH connection. In this stage, the client also authenticates the server. |
|
Authentication |
The SSH server authenticates the client in response to the client's authentication request. |
|
Session request |
After passing the authentication, the client sends a session request to the server to request the establishment of a session (or request the Stelnet, SFTP, NETCONF, or SCP service). |
|
Interaction |
After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. As a best practice to ensure correct command execution, paste commands that are in the same view. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload the file to the server through SFTP, and use it to restart the server. |
SSH authentication methods
This section describes authentication methods that are supported by the device when it acts as an SSH server.
Password authentication
The SSH server authenticates a client through the AAA mechanism. The password authentication process is as follows:
1. The client sends the server an authentication request that includes the encrypted username and password.
2. The server performs the following operations:
a. Decrypts the request to get the username and password in plain text.
b. Verifies the username and password locally or through remote AAA authentication.
c. Informs the client of the authentication result.
If the remote AAA server requires the user to enter a password for secondary authentication, it send the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. When the user enters the correct password, the AAA server examines the password validity. If the password is valid, the SSH server returns an authentication success message to the client.
For more information about AAA, see "Configuring AAA."
|
|
NOTE: SSH1 clients do not support secondary password authentication that is initiated by the AAA server. |
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
1. The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request. The digital certificate carries the public key information of the client.
2. The server verifies the client's public key.
¡ If the public key is invalid, the server informs the client of the authentication failure.
¡ If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature and informs the client of the authentication result.
When acting as an SSH server, the device supports using the public key algorithms DSA, ECDSA, and RSA to verify digital signatures.
When acting as an SSH client, the device supports using the public key algorithms DSA, ECDSA, and RSA to generate digital signatures.
For more information about public key configuration, see "Managing public keys."
Password-publickey authentication
The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication.
Any authentication
The server requires clients to pass password authentication or publickey authentication.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."
Configuring the device as an SSH server
SSH server configuration task list
|
Tasks at a glance |
Remarks |
|
(Required.) Generating local key pairs |
N/A |
|
(Optional.) Specifying the SSH service port |
N/A |
|
(Required.) Enabling the Stelnet server |
Required only for Stelnet servers. |
|
(Required.) Enabling the SFTP server |
Required only for SFTP servers. |
|
(Required.) Enabling the SCP server |
Required only for SCP servers. |
|
(Required.) Enabling NETCONF over SSH |
Required only for NETCONF-over-SSH servers. |
|
(Required.) Configuring the user lines for SSH login |
Required only for Stelnet and NETCONF-over-SSH servers. |
|
(Required.) Configuring a client's host public key |
Required if the authentication method is publickey, password-publickey, or any. |
|
Configuring the PKI domain for verifying the client's digital certificate |
See "Configuring PKI." Required if the following conditions exist: · The authentication method is publickey. · The client sends its public key to the server through a digital certificate for validity check. The PKI domain must have the CA certificate to verify the client's digital certificate. |
|
(Required/optional.) Configuring an SSH user |
Required if the authentication method is publickey, password-publickey, or any. Optional if the authentication method is password. |
|
(Optional.) Configuring the SSH management parameters |
N/A |
Generating local key pairs
The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys and session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server's public key that the client saved locally. If the keys are consistent, the client uses the locally saved server's public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes the authentication.
The SSH application starts when you execute an SSH server command on the device. If the device does not have RSA key pairs with default names, the device automatically generates one RSA server key pair and one RSA host key pair. Both key pairs use their default names. You can also use the public-key local create command to generate DSA, ECDSA, or RSA key pairs on the device.
Configuration restrictions and guidelines
When you generate local key pairs, follow these restrictions and guidelines:
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
· To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the SSH server.
· The SSH server operating in FIPS mode supports only ECDSA and RSA key pairs. Do not generate a DSA key pair on the SSH server.
· The public-key local create rsa command generates a server key pair and a host key pair for RSA. The RSA server key pair is only used in SSH1 to encrypt the session key for secure transmission of the session key. It is not used in SSH2, because no session key transmission is required in SSH2.
· The public-key local create dsa command generates only one DSA host key pair. The key modulus length must be less than 2048 bits when you generate the DSA key pair on the SSH server. SSH1 does not support the DSA algorithm.
· The public-key local create ecdsa secp256r1 command generates only one ECDSA host key pair.
Configuration procedure
To generate local key pairs on the SSH server:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Generate local key pairs. |
public-key local create { dsa | ecdsa secp256r1 | rsa } |
By default, no local key pairs exist on the server. |
Specifying the SSH service port
The default port of SSH service is 22. You can specify another port for the SSH service to improve security of SSH connections.
If you modify the SSH port number when the SSH service is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server.
If you set the SSH service port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.
To specify the SSH service port:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify a port for the SSH service. |
ssh server port port-number |
By default, the SSH service port is 22. |
Enabling the Stelnet server
After you enable the Stelnet server on the device, a client can log in to the device through Stelnet.
To enable the Stelnet server:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the Stelnet server. |
ssh server enable |
By default, the Stelnet server is disabled. |
Enabling the SFTP server
After you enable the SFTP server on the device, a client can log in to the device through SFTP.
When acting as an SFTP server, the device does not support SFTP connections initiated by SSH1 clients.
To enable the SFTP server:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the SFTP server. |
sftp server enable |
By default, the SFTP server is disabled. |
Enabling the SCP server
After you enable the SCP server on the device, a client can log in to the device through SCP.
When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.
To enable the SCP server:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the SCP server. |
By default, the SCP server is disabled. |
Enabling NETCONF over SSH
After you enable NETCONF over SSH on the device, a client can perform NETCONF operations on the device through a NETCONF-over-SSH connection.
When acting as a server in the NETCONF-over-SSH connection, the device does not support connection requests initiated by SSH1 clients.
To enable NETCONF over SSH:
|
Step |
Command |
Remark |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable NETCONF over SSH. |
By default, NETCONF over SSH is disabled. For more information about NETCONF over SSH commands, see Network Management and Monitoring Command Reference. |
Configuring the user lines for SSH login
Depending on the SSH application, an SSH client can be an Stelnet client, SFTP client, NETCONF-over-SSH client, or SCP client.
Only Stelnet and NETCONF-over-SSH clients require the user line configuration. The user line configuration takes effect on the clients at the next login.
To configure the user lines for Stelnet and NETCONF-over-SSH clients:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter VTY user line view. |
line vty number [ ending-number ] |
N/A |
|
3. Set the login authentication mode to scheme. |
authentication-mode scheme |
By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference. |
Configuring a client's host public key
In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.
For publickey authentication, password-publickey authentication, or any authentication, you must perform the following tasks:
1. Configure the client's DSA, ECDSA, or RSA host public key on the server.
As a best practice, configure no more than 20 SSH client's host public keys on an SSH server.
2. Specify the associated host private key on the client to generate the digital signature.
If the device acts as an SSH client, specify the public key algorithm on the client. The algorithm determines the associated host private key for generating the digital signature.
You can enter the content of a client's host public key or import the client's host public key from the public key file. As a best practice, import the client's host public key.
Entering a client's host public key
Before you enter the client's host public key, you must use the display public-key local public command on the client to obtain the client's host public key.
To enter a client's host public key:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enter public key view. |
public-key peer keyname |
N/A |
|
3. Configure a client's host public key. |
Enter the content of the client's host public key |
The host public key must be in the DER encoding format without being converted. When you enter the content of a client's host public key, you can use spaces and carriage returns between characters. When you save the host public key, spaces and carriage returns are removed automatically. For more information, see "Managing public keys." |
|
4. Return to system view. |
peer-public-key end |
N/A |
Importing a client's host public key from the public key file
Before you import the host public key, upload the client's public key file (in binary) to the server, for example, through FTP or TFTP. During the import process, the server automatically converts the host public key in the public key file to a string in PKCS format.
To import a client's host public key from the public key file:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Import a client's public key from the public key file. |
public-key peer keyname import sshkey filename |
Configuring an SSH user
Configure an SSH user and a local user depending on the authentication method.
· If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
· If the authentication method is password, you must perform one of the following tasks:
¡ For local authentication, configure a local user on the SSH server.
¡ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
· If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:
¡ For local authentication, configure a local user on the SSH server.
¡ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration restrictions and guidelines
When you configure an SSH user, follow these restrictions and guidelines:
· An SSH server supports up to 1024 SSH users.
· For an SFTP or SCP user, the working directory depends on the authentication method.
¡ If the authentication method is password, the working directory is authorized by AAA.
¡ If the authentication method is publickey or password-publickey, the working folder is specified by the authorization-attribute command in the associated local user view.
· For an SSH user, the user role also depends on the authentication method.
¡ If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
¡ If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
· If you change the authentication parameters for a logged-in SSH user, the change takes effect on the user at the next login.
· For all authentication methods except password authentication, you must specify a client's host public key or digital certificate.
¡ For a client that sends the user's public key information directly to the server, specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
¡ For a client that sends the user's public key information to the server through a digital certificate, specify the PKI domain on the server. This PKI domain verifies the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. For more information about configuring a PKI domain, see "Configuring PKI."
· When the device operates as an SSH server in FIPS mode, the device does not support the authentication method of any or publickey.
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Create an SSH user, and specify the service type and authentication method. |
· In non-FIPS mode: · In FIPS mode: |
Configuring the SSH management parameters
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Enable the SSH server to support SSH1 clients. |
ssh server compatible-ssh1x enable |
By default, the SSH server does not support SSH1 clients. This command is not available in FIPS mode. |
|
3. Set the minimum interval for updating the RSA server key pair. |
ssh server rekey-interval interval |
By default, the RSA server key pair is not updated. This command takes effect only on SSH1 users. This command is not available in FIPS mode. |
|
4. Set the SSH user authentication timeout timer. |
ssh server authentication-timeout time-out-value |
The default setting is 60 seconds. If a user does not finish the authentication when the timeout timer expires, the connection cannot be established. |
|
5. Set the maximum number of SSH authentication attempts. |
ssh server authentication-retries retries |
The default setting is 3. If the authentication method is any, the total number of publickey authentication attempts and password authentication attempts cannot exceed the upper limit. |
|
6. Specify an ACL to control SSH user connections. |
· Control IPv4 SSH user connections: · Control IPv6 SSH user connections: |
By default, no ACLs are specified and all SSH users can initiate SSH connections to the server. |
|
7. Set the DSCP value in the packets that the SSH server sends to the SSH clients. |
· Set the DSCP value in IPv4 packets: · Set the DSCP value in IPv6 packets: |
The default setting is 48. The DSCP value of a packet defines the priority of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority. |
|
8. Set the SFTP connection idle timeout timer. |
sftp server idle-timeout time-out-value |
The default setting is 10 minutes. When the idle timeout timer expires, the system automatically tears the connection down. |
|
9. Set the maximum number of concurrent online SSH users. |
aaa session-limit ssh max-sessions |
The default setting is 32. When the number of online SSH users reaches the upper limit, the system denies new SSH connection requests. Changing the upper limit does not affect online SSH users. |
Configuring the device as an Stelnet client
Stelnet client configuration task list
|
Tasks at a glance |
Remarks |
|
(Required.) Generating local key pairs |
Only required when the Stelnet server uses the authentication method publickey, password-publickey, or any. |
|
(Optional.) Specifying the source IP address for SSH packets |
N/A |
|
(Required.) Establishing a connection to an Stelnet server |
N/A |
Generating local key pairs
Generate local key pairs on the Stelnet client when the Stelnet server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an Stelnet client, follow these restrictions and guidelines:
· The Stelnet client operating in FIPS mode supports only ECDSA and RSA key pairs.
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
· The key modulus length must be less than 2048 bits when you generate a DSA key pair.
Configuration procedure
To generate local key pairs on the Stelnet client:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Generate local key pairs. |
public-key local create { dsa | ecdsa secp256r1 | rsa } |
By default, no local key pairs exist on an Stelnet client. |
Specifying the source IP address for SSH packets
As a best practice, specify the IP address of the loopback interface as the source IP address of SSH packets for the following purposes:
· Ensuring the communication between the Stelnet client and the Stelnet server.
· Improving the manageability of Stelnet clients in authentication service.
To specify the source IP address for SSH packets:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify the source address for SSH packets. |
· Specify the source IPv4 address for SSH
packets: · Specify the source IPv6 address for SSH
packets: |
By default, the source IP address for SSH packets is not configured. For IPv4 SSH packets, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of the packets. For IPv6 SSH packets, the device automatically selects a source IPv6 address for the packets in compliance with RFC 3484. |
Establishing a connection to an Stelnet server
When you try to access an Stelnet server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will notify you to confirm whether to continue with the access.
· If you choose to continue, the device accesses the server and downloads the server's host public key.
· If you choose to not continue, the connection cannot be established.
As a best practice, configure the server's host public key on the device in an insecure network.
The client cannot establish connections to both IPv4 and IPv6 Stelnet servers.
To establish a connection to an IPv4 Stelnet server:
|
Task |
Command |
Remarks |
|
Establish a connection to an IPv4 Stelnet server. |
· In non-FIPS mode: |
Available in user view. |
To establish a connection to an IPv6 Stelnet server:
|
Task |
Command |
Remarks |
|
Establish a connection to an IPv6 Stelnet server. |
Available in user view. |
Configuring the device as an SFTP client
SFTP client configuration task list
|
Tasks at a glance |
Remarks |
|
(Required.) Generating local key pairs |
Only required when the SFTP server uses the authentication method publickey, password-publickey, or any. |
|
(Optional.) Specifying the source IP address for SFTP packets |
N/A |
|
(Required.) Establishing a connection to an SFTP server |
N/A |
|
(Optional.) Working with SFTP directories |
N/A |
|
(Optional.) Working with SFTP files |
N/A |
|
(Optional.) Displaying help information |
N/A |
|
(Optional.) Terminating the connection with the SFTP server |
N/A |
Generating local key pairs
Generate local key pairs on the SFTP client when the SFTP server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an SFTP client, follow these restrictions and guidelines:
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
· The SFTP client operating in FIPS mode supports only ECDSA and RSA key pairs.
· The key modulus length must be less than 2048 bits when you generate a DSA key pair.
Configuration procedure
To generate local key pairs on the SFTP client:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Generate local key pairs. |
public-key local create { dsa | ecdsa secp256r1 | rsa } |
By default, no local key pairs exist on an SFTP client. |
Specifying the source IP address for SFTP packets
As a best practice, specify the IP address of the loopback interface as the source IP address of SFTP packets for the following purposes:
· Ensuring the communication between the SFTP client and the SFTP server.
· Improving the manageability of SFTP clients in authentication service.
To specify the source IP address for SFTP packets:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify the source address for SFTP packets. |
· Specify the source IPv4 address for SFTP packets: · Specify the source IPv6 address for SFTP packets: |
By default, the source IP address for SFTP packets is not configured. For IPv4 SFTP packets, the device uses the primary IPv4 address of the output interface in the routing entry as the source address of the packets. For IPv6 SFTP packets, the device automatically selects a source IPv6 address for the packets in compliance with RFC 3484. |
Establishing a connection to an SFTP server
When you try to access an SFTP server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will notify you to confirm whether to continue with the access.
· If you choose to continue, the device accesses the server and downloads the server's host public key.
· If you choose to not continue, the connection cannot be established.
As a best practice, configure the server's host public key on the device in an insecure network.
After the connection is established, you can directly enter SFTP client view on the server to perform file or directory operations.
The client cannot establish connections to both IPv4 and IPv6 SFTP servers.
To establish a connection to an IPv4 SFTP server:
|
Task |
Command |
Remarks |
|
Establish a connection to an IPv4 SFTP server. |
Available in user view. |
To establish a connection to an IPv6 SFTP server:
|
Task |
Command |
Remarks |
|
Establish a connection to an IPv6 SFTP server. |
Available in user view. |
Working with SFTP directories
|
Task |
Command |
Remarks |
|
Change the working directory on the SFTP server. |
cd [ remote-path ] |
Available in SFTP client view. |
|
Return to the upper-level directory. |
cdup |
Available in SFTP client view. |
|
Display the current working directory on the SFTP server. |
pwd |
Available in SFTP client view. |
|
Display files under a directory. |
· dir [ -a | -l ] [ remote-path ] · ls [ -a | -l ] [ remote-path ] |
Available in SFTP client view. The dir command has the same function as the ls command. |
|
Change the name of a directory on the SFTP server. |
rename oldname newname |
Available in SFTP client view. |
|
Create a new directory on the SFTP server. |
mkdir remote-path |
Available in SFTP client view. |
|
Delete one or more directories from the SFTP server. |
rmdir remote-path |
Available in SFTP client view. |
Working with SFTP files
|
Task |
Command |
Remarks |
|
Change the name of a file on the SFTP server. |
rename old-name new-name |
Available in SFTP client view. |
|
Download a file from the SFTP server and save it locally. |
get remote-file [ local-file ] |
Available in SFTP client view. |
|
Upload a local file to the SFTP server. |
put local-file [ remote-file ] |
Available in SFTP client view. |
|
Display files under a directory. |
· dir [ -a | -l ] [ remote-path ] · ls [ -a | -l ] [ remote-path ] |
Available in SFTP client view. The dir command has the same function as the ls command. |
|
Delete one or more directories from the SFTP server. |
· delete remote-file · remove remote-file |
Available in SFTP client view. The delete command has the same function as the remove command. |
Displaying help information
|
Task |
Command |
Remarks |
|
Display the help information of SFTP client commands. |
· help · ? |
Available in SFTP client view. |
Terminating the connection with the SFTP server
|
Task |
Command |
Remarks |
|
Terminate the connection with the SFTP server and return to user view. |
· bye · exit · quit |
Available in SFTP client view. These three commands have the same function. |
Configuring the device as an SCP client
SCP client configuration task list
|
Tasks at a glance |
Remarks |
|
(Required.) Generating local key pairs |
Only required when the SCP server uses the authentication method publickey, password-publickey, or any. |
|
(Required.) Establishing a connection to an SCP server |
N/A |
Generating local key pairs
Generate local key pairs on the SCP client when the SCP server uses the authentication method publickey, password-publickey, or any.
Configuration restrictions and guidelines
When you generate local key pairs on an SCP client, follow these restrictions and guidelines:
· Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.
· The SCP client operating in FIPS mode supports only ECDSA and RSA key pairs.
· The key modulus length must be less than 2048 bits when you generate a DSA key pair.
Configuration procedure
To generate local key pairs on the SCP client:
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Generate local key pairs. |
public-key local create { dsa | ecdsa secp256r1 | rsa } |
By default, no local key pairs exist on an SCP client. |
Establishing a connection to an SCP server
When you try to access an SCP server, the device must use the server's host public key to authenticate the server. If the server's host public key is not configured on the device, the device will notify you to confirm whether to continue with the access.
· If you choose to continue, the device accesses the server and downloads the server's host public key.
· If you choose to not continue, the connection cannot be established.
As a best practice, configure the server's host public key on the device in an insecure network.
The client cannot establish connections to both IPv4 and IPv6 SCP servers.
To establish a connection to an IPv4 SCP server:
To establish a connection to an IPv6 SCP server:
|
Task |
Command |
Remarks |
|
Connect to an IPv6 SCP server, and transfer files with the server. |
Available in user view. |
Specifying algorithms for SSH2
Perform this task to specify the following types of algorithms that the SSH2 client and server use for algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:
· Key exchange algorithms.
· Public key algorithms.
· Encryption algorithms.
· MAC algorithms.
If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client.
If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation. The specified SSH2 algorithms do not affect SSH1 sessions.
Specifying key exchange algorithms for SSH2
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify key exchange algorithms for SSH2. |
· In non-FIPS mode: · In FIPS mode: |
· In non-FIPS mode: · In FIPS mode: |
Specifying public key algorithms for SSH2
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify public key algorithms for SSH2. |
· In non-FIPS mode: · In FIPS mode: |
· In non-FIPS mode: · In FIPS mode: |
Specifying encryption algorithms for SSH2
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify encryption algorithms for SSH2. |
· In non-FIPS mode: · In FIPS mode: |
· In non-FIPS mode: · In FIPS mode: |
Specifying MAC algorithms for SSH2
|
Step |
Command |
Remarks |
|
1. Enter system view. |
system-view |
N/A |
|
2. Specify MAC algorithms for SSH2. |
· In non-FIPS mode: · In FIPS mode: |
· In non-FIPS mode: · In FIPS mode: |
Displaying and maintaining SSH
Execute display commands in any view.
|
Task |
Command |
|
Display the source IP address configured for the SFTP client. |
display sftp client source |
|
Display the source IP address configured for the Stelnet client. |
display ssh client source |
|
Display SSH server status or sessions (in standalone mode). |
display ssh server { session [ slot slot-number ] | status } |
|
Display SSH server status or sessions (in IRF mode). |
display ssh server { session [ chassis chassis-number slot slot-number ] | status } |
|
Display SSH user information on the SSH server. |
display ssh user-information [ username ] |
|
Display the public keys of the local key pairs. |
display public-key local { dsa | ecdsa | rsa } public [ name publickey-name ] |
|
Display information about peer public keys. |
display public-key peer [ brief | name publickey-name ] |
|
Display algorithms used by SSH2 in the algorithm negotiation stage. |
display ssh2 algorithm |
Stelnet configuration examples
Devices in the configuration examples operate in non-FIPS mode.
When the device acts as an Stelnet server operating in FIPS mode, only ECDSA and RSA key pairs are supported. Do not generate a DSA key pair on the Stelnet server.
Configuring the device as an Stelnet server (password authentication)
Network requirements
As shown in Figure 1:
· The router acts as the Stelnet server and uses password authentication to authenticate the Stelnet client. The username and password of the client are saved on the router.
· The host acts as the Stelnet client, using Stelnet client software (SSH2). After the user on the host logs in to the router through Stelnet, the user can configure and manage the router as a network administrator.
Configuration procedure
1. Configure the Stelnet server:
# Generate RSA key pairs.
<Router> system-view
[Router] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[Router] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[Router] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The Stelnet client uses this IP address as the destination for SSH connection.
[Router] interface gigabitethernet 1/1/1
[Router-GigabitEthernet1/1/1] ip address 192.168.1.40 255.255.255.0
[Router-GigabitEthernet1/1/1] quit
# Set the authentication mode to AAA for the user lines.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a local device management user named client001.
[Router] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[Router-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[Router-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[Router-luser-manage-client001] authorization-attribute user-role network-admin
[Router-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as stelnet and the authentication method as password for the user.
[Router] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection to the Stelnet server:
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
To establish a connection to the Stelnet server:
a. Launch PuTTY.exe to enter the interface shown in Figure 2.
b. In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.
c. Click Open.
Figure 2 Specifying the host name (or IP address)
d. Enter username client001 and password aabbcc to log in to the Stelnet server.
Configuring the device as an Stelnet server (publickey authentication)
Network requirements
As shown in Figure 3:
· The router acts as the Stelnet server, and it uses publickey authentication and the RSA public key algorithm.
· The host acts as the Stelnet client, using Stelnet client software (SSH2). After the user on the host logs in to the router through Stelnet, the user can configure and manage the router as a network administrator.
Configuration procedure
In the server configuration, the client's host public key is required. Use the client software to generate RSA key pairs on the client before configuring the Stelnet server.
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
The configuration procedure is as follows:
1. Generate RSA key pairs on the Stelnet client:
a. Run PuTTYGen.exe, select SSH-2 RSA and click Generate.
Figure 4 Generating a key pair on the client
b. Continue moving the mouse during the key generating process, but do not place the mouse over the green progress bar shown in Figure 5. Otherwise, the progress bar stops moving and the key pair generating process stops.
c. After the key pair is generated, click Save public key to save the public key.
Figure 6 Saving a key pair on the client
d. Enter a file name (key.pub in this example), and click Save.
e. On the page as shown in Figure 6, click Save private key to save the private key.
A confirmation dialog box appears.
f. Click Yes.
A file saving window appears.
g. Enter a file name (private.ppk in this example), and click Save.
h. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate RSA key pairs.
<Router> system-view
[Router] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[Router] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[Router] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The Stelnet client uses this address as the destination for SSH connection.
[Router] interface gigabitethernet 1/1/1
[Router-GigabitEthernet1/1/1] ip address 192.168.1.40 255.255.255.0
[Router-GigabitEthernet1/1/1] quit
# Set the authentication mode to AAA for the user lines.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Import the peer public key from the public key file key.pub and name it clientkey.
[Router] public-key peer clientkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key clientkey to the user.
[Router] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
# Create a local device management user named client002.
[Router] local-user client002 class manage
# Authorize local user client002 to use the SSH service.
[Router-luser-manage-client002] service-type ssh
# Assign the network-admin user role to local user client002.
[Router-luser-manage-client002] authorization-attribute user-role network-admin
[Router-luser-manage-client002] quit
3. Specify the private key file and establish a connection to the Stelnet server:
a. Launch PuTTY.exe on the Stelnet client to enter the interface shown in Figure 7.
b. In the Host Name (or IP address) field, enter IP address 192.168.1.40 of the Stelnet server.
Figure 7 Specifying the host name (or IP address)
c. From the navigation tree, select Connection > SSH.
The window shown in Figure 8 appears.
d. Set Preferred SSH protocol version to 2.
Figure 8 Setting the preferred SSH version
e. From the navigation tree, select Connection > SSH > Auth.
The window shown in Figure 9 appears.
f. Click Browse… to open the file selection window, and then select the private key file (private.ppk in this example).
g. Click Open.
Figure 9 Specifying the private key file
h. Enter username client002 to log in to the Stelnet server.
Configuring the device as an Stelnet client (password authentication)
Network requirements
As shown in Figure 10:
· Router B acts as the Stelnet server and uses password authentication to authenticate the Stelnet client. The username and password of the client are saved on Router B.
· Router A acts as the Stelnet client. After the user on Router A logs in to Router B through Stelnet, the user can configure and manage Router B as a network administrator.
Configuration procedure
1. Configure the Stelnet server:
# Generate RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[RouterB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[RouterB] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The Stelnet client uses this address as the destination address for SSH connection.
[RouterB] interface gigabitethernet 1/1/1
[RouterB-GigabitEthernet1/1/1] ip address 192.168.1.40 255.255.255.0
[RouterB-GigabitEthernet1/1/1] quit
# Set the authentication mode to AAA for the user lines.
[RouterB] line vty 0 63
[RouterB-line-vty0-63] authentication-mode scheme
[RouterB-line-vty0-63] quit
# Create a local device management user named client001.
[RouterB] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[RouterB-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[RouterB-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[RouterB-luser-manage-client001] authorization-attribute user-role network-admin
[RouterB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as stelnet and the authentication method as password for the user.
[RouterB] ssh user client001 service-type stelnet authentication-type password
2. Establish a connection to the Stelnet server:
# Assign an IP address to interface GigabitEthernet 1/1/1.
<RouterA> system-views
[RouterA] interface gigabitethernet 1/1/1
[RouterA-GigabitEthernet1/1/1] ip address 192.168.1.56 255.255.255.0
[RouterA-GigabitEthernet1/1/1] quit
[RouterA] quit
Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
¡ To configure the server's host public key on the client, perform the following tasks:
# Use the display public-key local dsa public command on the server to display the server's host public key. (Details not shown.)
# Enter public key view of the client and copy the host public key of the server to the client.
[RouterA] public-key peer key1
Enter public key view. Return to system view with "peer-public-key end" command.
[RouterA-pkey-public-key-key1] 308201B73082012C06072A8648CE3804013082011F0281810
0D757262C4584C44C211F18BD96E5F0
[RouterA-pkey-public-key-key1]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE
65BE6C265854889DC1EDBD13EC8B274
[RouterA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0
6FD60FE01941DDD77FE6B12893DA76E
[RouterA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B3
68950387811C7DA33021500C773218C
[RouterA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E
14EC474BAF2932E69D3B1F18517AD95
[RouterA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02
492B3959EC6499625BC4FA5082E22C5
[RouterA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E
88317C1BD8171D41ECB83E210C03CC9
[RouterA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC
9B09EEF0381840002818000AF995917
[RouterA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D
F257523777D033BEE77FC378145F2AD
[RouterA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71
01F7C62621216D5A572C379A32AC290
[RouterA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E
8716261214A5A3B493E866991113B2D
[RouterA-pkey-public-key-key1]485348
[RouterA-pkey-public-key-key1] peer-public-key end
[RouterA] quit
# Establish an SSH connection to the server, and specify the host public key of the server as key1.
<RouterA> ssh2 192.168.1.40 public-key key1
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<RouterB>
After you enter the correct password, you log in to Router B successfully.
¡ If the client does not have the server's host public key, enter username client001, and then enter y to access the server and download the server's host public key.
<RouterA> ssh2 192.168.1.40
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<RouterB>
After you enter password aabbcc, you can access Router B successfully. At the next connection attempt, the client authenticates the server by using the server's host public key that is locally saved on the client.
Configuring the device as an Stelnet client (publickey authentication)
Network requirements
As shown in Figure 11:
· Router B acts as the Stelnet server, and it uses publickey authentication and the DSA public key algorithm.
· Router A acts as the Stelnet client. After the user on Router A logs in to Router B through Stelnet, the user can configure and manage Router B as a network administrator.
Configuration procedure
In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.
1. Configure the Stelnet client:
# Assign an IP address to interface GigabitEthernet 1/1/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/1/1
[RouterA-GigabitEthernet1/1/1] ip address 192.168.1.56 255.255.255.0
[RouterA-GigabitEthernet1/1/1] quit
# Generate a DSA key pair.
[RouterA] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Export the DSA host public key to a public key file named key.pub.
[RouterA] public-key local export dsa ssh2 key.pub
[RouterA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
2. Configure the Stelnet server:
# Generate RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[RouterB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[RouterB] ssh server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The Stelnet client uses this address as the destination address for SSH connection.
[RouterB] interface gigabitethernet 1/1/1
[RouterB-GigabitEthernet1/1/1] ip address 192.168.1.40 255.255.255.0
[RouterB-GigabitEthernet1/1/1] quit
# Set the authentication mode to AAA for the user lines.
[RouterB] line vty 0 63
[RouterB-line-vty0-63] authentication-mode scheme
[RouterB-line-vty0-63] quit
# Import the peer public key from the public key file key.pub, and name it clientkey.
[RouterB] public-key peer clientkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key clientkey to the user.
[RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
# Create a local device management user named client002.
[RouterB] local-user client002 class manage
# Authorize local user client002 to use the SSH service.
[RouterB-luser-manage-client002] service-type ssh
# Assign the network-admin user role to local user client002.
[RouterB-luser-manage-client002] authorization-attribute user-role network-admin
[RouterB-luser-manage-client002] quit
3. Establish an SSH connection to the Stelnet server.
<RouterA> ssh2 192.168.1.40 identity-key dsa
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2004-2016 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<RouterB>
After you enter username client002 and then enter y to continue accessing the server, you can log in to the server successfully.
SFTP configuration examples
Devices in the configuration examples operate in non-FIPS mode.
When the device acts as an SFTP server operating in FIPS mode, only ECDSA and RSA key pairs are supported. Do not generate a DSA key pair on the SFTP server.
Configuring the device as an SFTP server (password authentication)
Network requirements
As shown in Figure 12:
· The router acts as the SFTP server and uses password authentication to authenticate the SFTP client. The username and password of the client are saved on the router.
· The host acts as the SFTP client. After the user on the client logs in to the router through SFTP, the user can perform file management and transfer operations on the router as a network administrator.
Configuration procedure
# Generate RSA key pairs.
<Router> system-view
[Router] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[Router] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SFTP server.
[Router] sftp server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The client uses this address as the destination for SSH connection.
[Router] interface gigabitethernet 1/1/1
[Router-GigabitEthernet1/1/1] ip address 192.168.1.45 255.255.255.0
[Router-GigabitEthernet1/1/1] quit
# Create a local device management user named client002.
[Router] local-user client002 class manage
# Set the password to aabbcc in plain text for local user client002.
[Router-luser-manage-client002] password simple aabbcc
# Authorize local user client002 to use the SSH service.
[Router-luser-manage-client002] service-type ssh
# Assign the network-admin user role and the working directory flash:/ to local user client002.
[Router-luser-manage-client002] authorization-attribute user-role network-admin work-directory flash:/
[Router-luser-manage-client002] quit
# Create an SSH user named client002. Specify the authentication method as password and service type as sftp for the user.
[Router] ssh user client002 service-type sftp authentication-type password
2. Establish a connection to the SFTP server:
The device supports different types of SFTP client software. This example uses an SFTP client that runs PSFTP of PuTTY version 0.58.
|
|
NOTE: PSFTP supports only password authentication. |
To establish a connection to the SFTP server:
a. Run the psftp.exe to launch the client interface shown in Figure 13, and enter the following command:
open 192.168.1.45
b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 13 SFTP client interface
Configuring the device as an SFTP client (publickey authentication)
Network requirements
As shown in Figure 14:
· Router B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm.
· Router A acts as the SFTP client. After the user on Router A logs in to Router B through SFTP, the user can perform file management and transfer operations on Router B as a network administrator.
Configuration procedure
In the server configuration, the client's host public key is required. Generate RSA key pairs on the client before configuring the SFTP server.
1. Configure the SFTP client:
# Assign an IP address to interface GigabitEthernet 1/1/1.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/1/1
[RouterA-GigabitEthernet1/1/1] ip address 192.168.0.2 255.255.255.0
[RouterA-GigabitEthernet1/1/1] quit
# Generate RSA key pairs.
[RouterA] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Export the host public key to a public key file named pubkey.
[RouterA] public-key local export rsa ssh2 pubkey
[RouterA] quit
# Transmit the public key file pubkey to the server through FTP or TFTP. (Details not shown.)
2. Configure the SFTP server:
# Generate RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[RouterB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SFTP server.
[RouterB] sftp server enable
# Assign an IP address to interface GigabitEthernet 1/1/1. The client uses this address as the destination address for SSH connection.
[RouterB] interface gigabitethernet 1/1/1
[RouterB-GigabitEthernet1/1/1] ip address 192.168.0.1 255.255.255.0
[RouterB-GigabitEthernet1/1/1] quit
# Import the peer public key from the public key file pubkey, and name it routerkey.
[RouterB] public-key peer routerkey import sshkey pubkey
# Create an SSH user named client001. Specify the service type as sftp and the authentication method as publickey for the user. Assign the public key routerkey to the user.
[RouterB] ssh user client001 service-type sftp authentication-type publickey assign publickey routerkey
# Create a local device management user named client001.
[RouterB] local-user client001 class manage
# Authorize local user client001 to use the SSH service.
[RouterB-luser-manage-client001] service-type ssh
# Assign the network-admin user role and the working directory flash:/ to local user client001.
[RouterB-luser-manage-client001] authorization-attribute user-role network-admin work-directory flash:/
[RouterB-luser-manage-client001] quit
3. Establish a connection between the SFTP client and the SFTP server:
# Establish a connection to the SFTP server and enter SFTP client view.
<RouterA> sftp 192.168.0.1 identity-key rsa
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp>
# Display files under the current directory of the server, delete the file z, and verify the result.
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp> delete z
Removing /z
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Add a directory new1 and verify the result.
sftp> mkdir new1
sftp> dir -l
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
# Rename the directory new1 to new2 and verify the result.
sftp> rename new1 new2
sftp> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
# Download the file pubkey2 from the server and save it as a local file named public.
sftp> get pubkey2 public
Fetching / pubkey2 to public
/pubkey2 100% 225 1.4KB/s 00:00
# Upload a local file pu to the server, save it as puk, and verify the result.
sftp> put pu puk
Uploading pu to / puk
sftp> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
sftp>
# Exit SFTP client view.
sftp> quit
<RouterA>
Configuring SCP with password authentication
Devices in the configuration examples operate in non-FIPS mode.
When the device acts as an SCP server operating in FIPS mode, only ECDSA and RSA key pairs are supported. Do not generate a DSA key pair on the SCP server.
Network requirements
As shown in Figure 15:
· Router B acts as the SCP server and uses password authentication to authenticate the SCP client. The client's username and password are saved on Router B.
· Router A acts as the SCP client. After the user on Router A logs in to Router B through SCP, the user can transfer files between routers as a network administrator.
Configuration procedure
1. Configure the SCP server:
# Generate RSA key pairs.
<RouterB> system-view
[RouterB] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[RouterB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[RouterB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the SCP server.
[RouterB] scp server enable
# Configure an IP address for GigabitEthernet 1/1/1. The client uses this address as the destination for SCP connection.
[RouterB] interface gigabitethernet 1/1/1
[RouterB-GigabitEthernet1/1/1] ip address 192.168.0.1 255.255.255.0
[RouterB-GigabitEthernet1/1/1] quit
# Create a local device management user named client001.
[RouterB] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[RouterB-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[RouterB-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[RouterB-luser-manage-client001] authorization-attribute user-role network-admin
[RouterB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as scp and the authentication method password for the user.
[RouterB] ssh user client001 service-type scp authentication-type password
2. Configure an IP address for GigabitEthernet 1/1/1 on the SCP client.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/1/1
[RouterA-GigabitEthernet1/1/1] ip address 192.168.0.2 255.255.255.0
[RouterA-GigabitEthernet1/1/1] quit
[RouterA] quit
3. Connect to the SCP server, download the file remote.bin from the server, and save it as a local file named local.bin.
<RouterA> scp 192.168.0.1 get remote.bin local.bin
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.0.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
client001@192.168.0.1’s password:
remote.bin 100% 2875 2.8KB/s 00:00
Configuring NETCONF over SSH with password authentication
The device in the configuration example is in non-FIPS mode.
When the device acts as a NETCONF-over-SSH server operating in FIPS mode, only ECDSA and RSA key pairs are supported. Do not generate a DSA key pair on the NETCONF-over-SSH server.
Network requirements
As shown in Figure 16:
· The router acts as the NETCONF-over-SSH server and uses password authentication to authenticate the client. The client's username and password are saved on the router. This example uses username client001 and password aabbcc.
· The host acts as the NETCONF-over-SSH client, using SSH2 client software. After the user on the host logs in to the router through NETCONF over SSH, the user can perform NETCONF operations on the router as a network administrator.
Configuration procedure
# Generate RSA key pairs.
[Router] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[Router] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+.
Create the key pair successfully.
# Generate an ECDSA key pair.
[Router] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable NETCONF over SSH.
[Router] netconf ssh server enable
# Configure an IP address for GigabitEthernet 1/1/1. The client uses this address as the destination for NETCONF-over-SSH connection.
[Router] interface gigabitethernet 1/1/1
[Router-GigabitEthernet1/1/1] ip address 192.168.100.49 255.255.255.0
[Router-GigabitEthernet1/1/1] quit
# Set the authentication mode to AAA for the user lines.
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a local device management user named client001.
[Router] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[Router-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[Router-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[Router-luser-manage-client001] authorization-attribute user-role network-admin
[Router-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as NETCONF and the authentication method as password for the user.
[Router] ssh user client001 service-type netconf authentication-type password
Verifying the configuration
1. Launch a client that supports NETCONF over SSH.
This example uses NetConf Browser 2015 (version 3.1).
2. Select File > Connect… from the menu.
The Connect page appears, as shown in Figure 17.
3. Configure connection parameters as follows:
a. Select a connection type from the Connection type list.
This example uses SSH2-ganymed.
b. Select 1.0 from the NETCONF version list.
c. Enter 192.168.100.49 in the Host field.
d. Enter 830 in the Port field.
e. Enter client001 in the Username field.
f. Use the default setting for the Public Key Authentication area.
4. Click Connect.
Figure 17 Connecting to the device
5. Enter password aabbcc, and then click OK, as shown in Figure 18.
Figure 18 Entering the password
The NETCONF configuration interface appears when the client successfully establishes an NETCONF-over-SSH connection to the device. The Log tab of the interface displays the connection information, as shown in Figure 19.
Figure 19 Logging in to the device
6. Verify that you have obtained the permissions of the network-admin user role:
In the Command XML area of the NETCONF configuration interface, enter <get-sessions/>, and then click Send.
The following message is displayed in the Output XML area.
<?xml version="1.0" encoding="utf-8"?>
<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="2">
<get-sessions>
<Session>
<SessionID>1</SessionID>
<Line>vty1</Line>
<UserName>client001</UserName>
<Since>2016-02-03T15:05:30</Since>
<LockHeld>false</LockHeld>
</Session>
</get-sessions>
</rpc-reply>
