H3C Campus Fixed-Port Switches CLI-Based Quick Start Configuration Guide-6W101


SSH Quick Start Configuration Guide

Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Configuring the device as an SSH server

Introduction

The following information uses an example to describe the basic procedure for configuring the device as an SSH server.

Network configuration

As shown in Figure 1, configure the switch to meet the following requirements:

·     The switch acts as the SSH server and uses password authentication to authenticate the SSH client locally.

·     Set the username of the client to client001 and password to hello12345 for login. After the user logs in to the switch from the host, the user can use all commands to configure the switch.

Figure 1 Network diagram

 

Procedure

# Generate RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

The range of public key modulus is (512 ~ 4096).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

..

Create the key pair successfully.

# Generate a DSA key pair.

[Switch] public-key local create dsa

The range of public key modulus is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

......

Create the key pair successfully.

# Generate an ECDSA key pair.

[Switch] public-key local create ecdsa secp256r1

Generating Keys...

.

Create the key pair successfully.

# Enable the SSH server.

[Switch] ssh server enable

# Create VLAN 2 and assign Ten-GigabitEthernet 1/0/2 to VLAN 2.

[Switch] vlan 2

[Switch-vlan2] port ten-gigabitethernet 1/0/2

[Switch-vlan2] quit

# Assign an IP address to VLAN-interface 2. The SSH client uses this address as the destination for SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the login authentication mode to scheme for user lines VTY 0 through VTY 63.

[Switch] line vty 0 63

[Switch-line-vty0-63] authentication-mode scheme

[Switch-line-vty0-63] quit

# Create a local device management user named client001.

[Switch] local-user client001 class manage

New local user added.

# Set the password to hello12345 in plain text for local user client001.

[Switch-luser-manage-client001] password simple hello12345

# Authorize local user client001 to use the SSH service.

[Switch-luser-manage-client001] service-type ssh

# Assign the network-admin user role to local user client001.

[Switch-luser-manage-client001] authorization-attribute user-role network-admin

[Switch-luser-manage-client001] quit

Verifying the configuration

There are different types of SSH client software. This example uses an SSH client that runs PuTTY version 0.60 to verify the SSH login.

# Install PuTTY version 0.60 on the host.

# Launch PuTTY.exe. The PuTTY Configuration window opens. Click Session.

·     In the Host Name (or IP address) field, enter IP address 192.168.1.40 of the SSH server.

·     In the Port field, enter 22.

·     Select SSH as the connection type.

Figure 2 Configuring the SSH client

 

# Click Open. The PuTTY Security Alert dialog box opens.

Figure 3 PuTTY Security Alert

 

# Click Yes. Enter username client001 and password hello12345 (not shown on the interface) to log in to the SSH server.

Figure 4 Logging in to the SSH server

 

The output shows that you have successfully logged in to the switch and can use all commands available on the switch.
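The PuTTY Security Alert in the steps above is the point where the client asks whether to trust the switch's host key. As an added example (not part of the H3C guide), the following compares the fingerprint of the key a server presents against one recorded over a trusted channel such as the console port. The key lines are constructed samples, and the OpenSSH one-line public key format and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct

def fingerprints(pubkey_line):
    """Return the MD5 and SHA-256 fingerprints of an OpenSSH public key line."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),  # legacy form
        "sha256": "SHA256:" + sha,                               # current form
    }

def host_key_matches(presented_line, pinned):
    """True only if the presented key has the pinned fingerprint (either form)."""
    if pinned.startswith("SHA256:"):
        actual = fingerprints(presented_line)["sha256"]
    else:
        actual, pinned = fingerprints(presented_line)["md5"], pinned.lower()
    return hmac.compare_digest(actual, pinned)

def _constructed_key(modulus):
    """Build an ssh-rsa key line from a made-up modulus (sample data only)."""
    def mpint(x):  # RFC 4251 mpint: length prefix, leading 0x00 keeps it positive
        raw = x.to_bytes(x.bit_length() // 8 + 1, "big")
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(65537) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed"

# Constructed samples: the key recorded for the switch, and a different key.
SWITCH_KEY = _constructed_key((1 << 1023) + 12345)
OTHER_KEY = _constructed_key((1 << 1023) + 54321)

if __name__ == "__main__":
    pinned = fingerprints(SWITCH_KEY)["sha256"]
    print("pinned:", pinned)
    print("same key accepted:", host_key_matches(SWITCH_KEY, pinned))
    print("different key accepted:", host_key_matches(OTHER_KEY, pinned))
```

Accept the key in the client only when the fingerprint it displays matches the pinned value.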

Configuration files

#

vlan 2

#

interface Vlan-interface2

 ip address 192.168.1.40 255.255.255.0

#

interface Ten-GigabitEthernet1/0/2

 port access vlan 2

#

line vty 0 63

 authentication-mode scheme

#

ssh server enable

#

local-user client001 class manage

 password hash $h$6$CqMnWdX6LIW/hz2Z$4+0Pumk+A98VlGVgqN3n/mEi7hJka9fEZpRZIpSNi9b

cBEXhpvIqaYTvIVBf7ZUNGnovFsqW7nYxjoToRDvYBg==

 service-type ssh

 authorization-attribute user-role network-admin

 authorization-attribute user-role network-operator

#
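The configuration file above can be reviewed mechanically for the settings this procedure depends on. The following is an added example, not part of the H3C guide: it checks that the SSH server is enabled, that every VTY line range uses scheme authentication, and which SSH-capable local users hold the network-admin role. The `sections` and `audit` helpers are hypothetical names, and the sample input is constructed from the file on this page with the hash replaced by a placeholder.

```python
# Constructed sample: the SSH-related part of the server configuration file on
# this page, with the password hash replaced by a placeholder.
SAMPLE = """\
#
line vty 0 63
 authentication-mode scheme
#
ssh server enable
#
local-user client001 class manage
 password hash <placeholder>
 service-type ssh
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
"""

def sections(config):
    """Group a '#'-delimited config into (header words, [sub-command words])."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "#":
            continue
        if line[0] == " " and out:
            out[-1][1].append(line.split())
        else:
            out.append((line.split(), []))
    return out

def audit(config):
    """Return review findings for the SSH login path (hypothetical helper)."""
    secs = sections(config)
    findings = []
    if not any(head == ["ssh", "server", "enable"] for head, _ in secs):
        findings.append("SSH server is not enabled")
    for head, body in secs:
        name = " ".join(head)
        if head[:2] == ["line", "vty"] and ["authentication-mode", "scheme"] not in body:
            findings.append(name + ": login does not use scheme authentication")
        if head[0] == "local-user" and any(c[0] == "service-type" and "ssh" in c for c in body):
            roles = [c[-1] for c in body if c[:2] == ["authorization-attribute", "user-role"]]
            if "network-admin" in roles:
                findings.append(head[1] + ": SSH login with network-admin (all commands)")
            if len(roles) > 1:
                findings.append(head[1] + ": holds roles " + ", ".join(roles))
    return findings
```

Run against the sample, the audit reports that client001 holds both network-admin and network-operator, although the procedure only assigns network-admin.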

Related documentation

·     SSH configuration in the security configuration guide for the device.

·     SSH commands in the security command reference for the device.

 


Configuring the device as an SSH client

Introduction

The following information uses an example to describe the basic procedure for configuring the device as an SSH client.

Network configuration

As shown in Figure 5, configure the switches to meet the following requirements:

·     Switch A acts as the SSH client.

·     Switch B acts as the SSH server and uses password authentication to authenticate the SSH client locally.

·     Set the username of the client to client001 and password to hello12345 for login. After the user logs in to Switch B from Switch A, the user can use all commands to configure Switch B.

Figure 5 Network diagram

 

Procedure

1.     Configure Switch A:

# Create VLAN 2 and assign Ten-GigabitEthernet 1/0/2 to VLAN 2.

<SwitchA> system-view

[SwitchA] vlan 2

[SwitchA-vlan2] port ten-gigabitethernet 1/0/2

[SwitchA-vlan2] quit

# Assign an IP address to VLAN-interface 2.

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0

[SwitchA-Vlan-interface2] quit

2.     Configure Switch B:

# Configure Switch B as the SSH server. For more information, see "Configuring the device as an SSH server."

Verifying the configuration

Verify that you can successfully log in to Switch B as a network administrator:

# On Switch A, establish an SSH connection to the SSH server (Switch B) at 192.168.1.40.

# Enter username client001 and enter Y to continue accessing the server without authenticating the server.

# Enter N to not save the server public key.

 

 

NOTE:

If you enter Y to save the server public key and the server public key later changes, execute the delete ssh client server-public-key command in system view on Switch A to delete the saved public key, so that you can establish a connection to the server again.

 

# Enter password hello12345 (not shown on the interface) to log in to the SSH server.

<SwitchA> ssh2 192.168.1.40

Username: client001

Press CTRL+C to abort.

Connecting to 192.168.1.40 port 22.

The server is not authenticated. Continue? [Y/N]:Y

Do you want to save the server public key? [Y/N]:N

Enter password:

 

******************************************************************************

* Copyright (c) 2004-2021 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

 

<SwitchB>

Configuration files

·     Switch A

#

vlan 2

#

interface Vlan-interface2

 ip address 192.168.1.56 255.255.255.0

#

interface Ten-GigabitEthernet1/0/2

 port link-mode bridge

 port access vlan 2

#

·     Switch B

See "Configuration files" in "Configuring the device as an SSH server."

Related documentation

·     SSH configuration in the security configuration guide for the device.

·     SSH commands in the security command reference for the device.
