MSR Routers

SSH Client Configuration Examples

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Introduction

The following information provides an example of using SSH to implement secure remote access or file management on MSR series routers.

Prerequisites

The following information applies to Comware 7-based MSR router series. Procedures and information in the examples might be slightly different depending on the software or hardware version of the routers.

The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.

The following information is provided based on the assumption that you have basic knowledge of SSH.

Example: Configuring the device as an Stelnet client (password authentication)

Network configuration

As shown in Figure 1, Device A acts as an Stelnet client and logs in to Device B, the Stelnet server. Configure the entities in the network to meet the following requirements:

·     Device B uses local password authentication.

·     The login username and password are client001 and 123456TESTplat&!, respectively. Allow the user to use all commands after successful login to the server.

·     To ensure communication security, configure Device A to use the host public key of Device B to authenticate Device B.

Figure 1 Network diagram

 

Analysis

To meet the network requirements, you must perform the following tasks:

·     To ensure correct SSH version negotiation and algorithm negotiation, and to ensure that the server can pass the client's authentication, generate DSA and RSA key pairs on the server.

·     Because the Stelnet client accesses the device through VTY user lines, the authentication mode for Stelnet user lines must be AAA (scheme).

·     To perform local authentication, create a local user and configure a password for the local user on the Stelnet server.

·     To enable an SSH user to use all commands after login, set the user role of the local user to network-admin. By default, the user role of a local user is network-operator.

·     Because the Stelnet client uses the host public key of the server to authenticate the server, you must configure the host public key of the server on the client.

Software versions used

This document applies to Comware 7-based MSR router series. This configuration example was created and verified on R6749P14 of the MSR3610-X1 router.

Procedures

Configuring the Stelnet server

# Generate an RSA key pair.

<DeviceB> system-view

[DeviceB] public-key local create rsa

The range of public key size is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

........................++++++

...................++++++

..++++++++

............++++++++

Create the key pair successfully.

# Generate a DSA key pair.

[DeviceB] public-key local create dsa

The range of public key size is (512 ~ 2048).

If the key modulus is greater than 512, it will take a few minutes.

Press CTRL+C to abort.

Input the modulus length [default = 1024]:

Generating Keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+

...+.................+..........+...+

Create the key pair successfully.

# Enable the SSH server.

[DeviceB] ssh server enable

# Assign an IP address to GigabitEthernet 1/0/1. The Stelnet client uses this IP address to connect to the Stelnet server.

[DeviceB] interface GigabitEthernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 192.168.1.40 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Set the authentication mode to AAA (scheme) for the user lines.

[DeviceB] line vty 0 63

[DeviceB-line-vty0-63] authentication-mode scheme

[DeviceB-line-vty0-63] quit

# Create a local user client001, set the password to 123456TESTplat&! in plain text, authorize the user to use the SSH service, and assign user role network-admin to the user.

[DeviceB] local-user client001 class manage

New local user added.

[DeviceB-luser-manage-client001] password simple 123456TESTplat&!

[DeviceB-luser-manage-client001] service-type ssh

[DeviceB-luser-manage-client001] authorization-attribute user-role network-admin

[DeviceB-luser-manage-client001] quit

# Display the DSA key pair of the server.

[DeviceB] display public-key local dsa public

 

=====================================================  

Key name: dsakey(default)

Key type: DSA

Key length: 1024

Time when key pair created: 11:02:10 2014/08/07

Key code:

 

   308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF03818400028180077F06B3E343CAE9988F4BE3F76FACBAB565

   AB73D4BA295C52BA92428B1F2DA1E6DD652413DD3AFE0C5A4FCF365100CBE34CECA55A2C30

   A2A9FF7E899628557E39CE8FC615F53193A7E200B4B1CB21E3F1091D595716D229DDED6872

   061F9B4B08301ADC81F7EC1501FFB863C0009536596CCB508596C3325892DC6D8C5C35B5

Configuring the Stelnet client

# Assign an IP address to GigabitEthernet 1/0/1. The Stelnet client uses this interface to connect to the Stelnet server.

[DeviceA] interface GigabitEthernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 192.168.1.56 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Specify the name of the server's host public key as key1 and enter public key view.

[DeviceA] public-key peer key1

Enter public key view. Return to system view with "peer-public-key end" command.

# Configure the host public key of the Stelnet server by entering the public key displayed by the display public-key local dsa public command. By default, the client authenticates the server by using the DSA host public key of the server.

[DeviceA-pkey-public-key-key1]308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF03818400028180077F06B3E343CAE9988F4BE3F76FACBAB565AB73D4BA295C52BA92428B1F2DA1E6DD652413DD3AFE0C5A4FCF365100CBE34CECA55A2C30A2A9FF7E899628557E39CE8FC615F53193A7E200B4B1CB21E3F1091D595716D229DDED6872061F9B4B08301ADC81F7EC1501FFB863C0009536596CCB508596C3325892DC6D8C5C35B5

# Exit public key view.

[DeviceA-pkey-public-key-key1] peer-public-key end

[DeviceA] return
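
Because the host public key is copied by hand from Device B to Device A, the following added example (not part of the H3C document) checks a pasted key against the server's display output and confirms that the outer DER length field matches the number of bytes entered, which catches a truncated paste. The function names and the short sample key are constructed for illustration.

```python
import re

def extract_key_hex(text):
    """Join the hex lines of a key listing, dropping prompts, labels and line wraps."""
    parts = []
    for line in text.splitlines():
        line = re.sub(r"^\s*\[[^\]]*\]", "", line).strip()  # drop a [Device-...] prompt
        if re.fullmatch(r"[0-9A-Fa-f]{2,}", line):
            parts.append(line.upper())
    return "".join(parts)

def der_total_length(raw):
    """Bytes the outer DER element claims to occupy (header plus content)."""
    if len(raw) < 2:
        raise ValueError("too short")
    first = raw[1]
    if first < 0x80:                      # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(raw) < 2 + n:
        raise ValueError("bad length field")
    return 2 + n + int.from_bytes(raw[2:2 + n], "big")

def check_peer_key(server_display, client_entry):
    """Return a list of problems; an empty list means the pasted key is intact."""
    server_hex = extract_key_hex(server_display)
    client_hex = extract_key_hex(client_entry)
    problems = []
    try:
        raw = bytes.fromhex(client_hex)
        if raw[:1] != b"\x30":
            problems.append("not a DER SEQUENCE")
        elif der_total_length(raw) != len(raw):
            problems.append("length mismatch (truncated or extra data)")
    except ValueError as exc:
        problems.append(f"malformed key: {exc}")
    if client_hex != server_hex:
        problems.append("differs from server key")
    return problems

# Constructed sample data: a 12-byte DER SEQUENCE of three INTEGERs, not a real host key.
SERVER_DISPLAY = """Key name: dsakey(default)
Key code:

   300A0201
   0102020F
   FF020100
"""
GOOD_ENTRY = "[DeviceA-pkey-public-key-key1]300A02010102020FFF020100"
CUT_ENTRY = "[DeviceA-pkey-public-key-key1]300A02010102020FFF02"

if __name__ == "__main__":
    print(check_peer_key(SERVER_DISPLAY, GOOD_ENTRY))
    print(check_peer_key(SERVER_DISPLAY, CUT_ENTRY))
```
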

Verifying the configuration

# Establish an SSH connection to the server at 192.168.1.40. Specify the host public key of the server as key1. After you enter the username and password, you can log in to the Stelnet server successfully.

<DeviceA> ssh2 192.168.1.40 publickey key1

login as: client001

client001@192.168.1.40's password:

 

****************************************************************************** 

* Copyright (c) 2004-2021 Hangzhou H3C Tech. Co., Ltd. All rights reserved.  * 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

 

<DeviceB>

Configuration files

·     Device A

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 192.168.1.56 255.255.255.0

#

public-key peer key1

public-key-code begin

   308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD

   96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1E

   DBD13EC8B274DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941D

   DD77FE6B12893DA76EEBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B36895038

   7811C7DA33021500C773218C737EC8EE993B4F2DED30F48EDACE915F0281810082269009E1

   4EC474BAF2932E69D3B1F18517AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD

   35D02492B3959EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B6123

   91C76C1FB2E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F4B1

   585DA7F42519718CC9B09EEF03818400028180077F06B3E343CAE9988F4BE3F76FACBAB565

   AB73D4BA295C52BA92428B1F2DA1E6DD652413DD3AFE0C5A4FCF365100CBE34CECA55A2C30

   A2A9FF7E899628557E39CE8FC615F53193A7E200B4B1CB21E3F1091D595716D229DDED6872

   061F9B4B08301ADC81F7EC1501FFB863C0009536596CCB508596C3325892DC6D8C5C35B5

public-key-code end

peer-public-key end

#

·     Device B

#

interface GigabitEthernet1/0/1

 port link-mode route

 ip address 192.168.1.40 255.255.255.0

#

line vty 0 63

 authentication-mode scheme

#

ssh server enable

#

local-user client001 class manage

  password hash $h$6$TZDvtSF8dZvNpjxr$+gcQprRZcPhaeRidjakWFoNIyri0wefdYEHscj/3UDiVB03x8wEQFEH+cofRI0aykMKtORUpTfElxjUGwXGVrw==

 authorization-attribute user-role network-operator

 authorization-attribute user-role network-admin

 service-type ssh

#

Related documentation

·     Security Configuration Guide in H3C MSR Router Series Comware 7 Configuration Guides

·     Security Command Reference in H3C MSR Router Series Comware 7 Command References
