HH3C-SSH-MIB
About this MIB
Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network.
SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.
SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.
Use this MIB to configure the SSH service.
MIB file name
hh3c-ssh.mib
Notifications
hh3cSSHUserAuthFailure
Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
|---|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.3.0.1 | User authentication failure | Informational | Informational | N/A | ON |

Notification triggers
This notification is generated when an SSH user fails authentication.
This notification might be generated when the following events occur:
· The authentication configuration on the SSH server is incorrect.
· An unauthorized SSH client requests authentication.
System impact
If this notification is generated frequently, an attack might be in progress, which can prevent other users from coming online.
Status control
This notification cannot be disabled.
Objects

| OID (object name) | Description | Index nodes | Type | Value range |
|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.2.1 (hh3cSSHAttemptUserName) | Name of the user. | N/A | DisplayString | OCTET STRING (SIZE (0..255)) |
| 1.3.6.1.4.1.25506.2.22.1.2.2 (hh3cSSHAttemptIpAddrType) | Address type of the user. | N/A | InetAddressType | INTEGER { unknown(0), ipv4(1), ipv6(2), dns(16) } |
| 1.3.6.1.4.1.25506.2.22.1.2.3 (hh3cSSHAttemptIpAddr) | Address of the user. | N/A | InetAddress | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.22.1.2.4 (hh3cSSHUserAuthFailureReason) | Reason for the authentication failure. | N/A | INTEGER | exceedRetries(1), authTimeout(2), otherReason(3) |

Recommended action
To resolve this issue:
1. Verify whether the SSH client is an unauthorized client through the hh3cSSHAttemptIpAddr node:
   · If the SSH client is an authorized client, go to step 2.
   · If the SSH client is an unauthorized client, exclude the IP address of the client from the permit rule of the ACL.
2. Verify whether the authentication method specified on the device is consistent with that used by the SSH client:
   · If the authentication methods are consistent, go to step 3 for password authentication, step 5 for publickey authentication, or step 7 for X.509v3 certificate authentication.
   · If the authentication methods are inconsistent, use the ssh user command to configure the SSH user correctly.
3. Verify whether the user exists on the local or authentication server:
   · If the user exists, go to step 4.
   · If the user does not exist, add the user.
4. Verify whether the username and password of the user are correct:
   · If they are correct, go to step 9.
   · If they are incorrect, use the correct username and password for login.
5. Verify whether the client public key has been assigned to the user:
   · If the public key has not been assigned, make sure the client public key has been imported to the device, and use the ssh user command to assign the key to the user.
   · If the public key has been assigned, go to step 6.
6. Execute the display public-key peer command to verify whether the assigned public key is correct:
   · If the public key is incorrect, use the public-key peer command to import the correct key.
   · If the public key is correct, go to step 9.
7. Verify whether SSH certificate authentication has been configured:
   · If SSH certificate authentication has not been configured, execute the ssh server pki-domain command on the device to specify a PKI domain for the SSH server, and execute the ssh user command to specify a PKI domain for the SSH client.
   · If SSH certificate authentication has been configured, go to step 8.
8. Use the display pki certificate domain command to verify whether the CA certificates on the SSH server and SSH client are correct:
   · If the certificates are incorrect, execute the pki import domain command on the device to import the correct certificate file, use the ssh server pki-domain command to specify a PKI domain for the SSH server, and use the ssh user command to specify a PKI domain for the SSH client.
   · If the certificates are correct, go to step 9.
9. Collect alarm information and configuration data, and then contact H3C Support for help.
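
Added example (not part of the H3C documentation): Python detection logic that decodes the hh3cSSHAttemptUserName, hh3cSSHAttemptIpAddrType, hh3cSSHAttemptIpAddr, and hh3cSSHUserAuthFailureReason varbinds from the Objects table and flags source addresses that generate repeated hh3cSSHUserAuthFailure notifications, the pattern the System impact paragraph describes. The trap dictionary layout, the threshold and window values, and the sample traps are assumptions; the trap receiver is assumed to have stripped any instance suffix from the varbind OIDs.

```python
import ipaddress
from collections import defaultdict, deque

BASE = "1.3.6.1.4.1.25506.2.22.1"
AUTH_FAILURE = BASE + ".3.0.1"  # hh3cSSHUserAuthFailure
USER, ADDR_TYPE, ADDR, REASON = (BASE + ".2.%d" % i for i in (1, 2, 3, 4))
REASONS = {1: "exceedRetries", 2: "authTimeout", 3: "otherReason"}

def decode_addr(addr_type, raw):
    """Decode an InetAddress OCTET STRING according to its InetAddressType."""
    if addr_type == 1 and len(raw) == 4:    # ipv4(1)
        return str(ipaddress.IPv4Address(raw))
    if addr_type == 2 and len(raw) == 16:   # ipv6(2)
        return str(ipaddress.IPv6Address(raw))
    if addr_type == 16:                     # dns(16)
        return raw.decode("ascii", "replace")
    return "unknown:" + raw.hex()           # unknown(0) or unexpected length

def parse_failure(trap):
    """Return (source, user, reason) for an auth-failure trap, else None."""
    vb = trap["varbinds"]
    if trap["trap_oid"] != AUTH_FAILURE or not vb.keys() >= {ADDR_TYPE, ADDR}:
        return None
    user = vb.get(USER, b"").decode("utf-8", "replace")
    reason = REASONS.get(vb.get(REASON), "unrecognized")
    return decode_addr(vb[ADDR_TYPE], vb[ADDR]), user, reason

def flag_sources(traps, threshold=5, window=60):
    """Map each source with >= threshold failures in `window` s to users tried."""
    recent, flagged = defaultdict(deque), {}
    for trap in sorted(traps, key=lambda t: t["ts"]):
        if (parsed := parse_failure(trap)) is None:
            continue
        src, user, _ = parsed
        q = recent[src]
        q.append((trap["ts"], user))
        while trap["ts"] - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(src, set()).update(u for _, u in q)
    return flagged

# Constructed sample: (ts, address type, raw address, user, reason) per trap.
ROWS = [(10 * i, 1, b"\xc0\x00\x02\x0a", (b"root", b"admin")[i % 2], 1)
        for i in range(6)]
ROWS.append((30, 2, ipaddress.IPv6Address("2001:db8::5").packed, b"ops", 2))
SAMPLE = [{"ts": ts, "trap_oid": AUTH_FAILURE,
           "varbinds": {USER: u, ADDR_TYPE: t, ADDR: raw, REASON: r}}
          for ts, t, raw, u, r in ROWS]
```

Calling `flag_sources(SAMPLE)` flags only 192.0.2.10, together with the set of usernames it tried; the flagged address is the value to check against the ACL permit rule in step 1.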
hh3cSSHVersionNegotiationFailure
Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
|---|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.3.0.2 | SSH version negotiation failure | Informational | Informational | N/A | ON |

Notification triggers
This notification is generated when the SSH version on the SSH server is incompatible with that on the SSH client.
System impact
No negative impact on the system.
Status control
This notification cannot be disabled.
Objects

| OID (object name) | Description | Index nodes | Type | Value range |
|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.2.2 (hh3cSSHAttemptIpAddrType) | Address type of the SSH user. | N/A | InetAddressType | INTEGER { unknown(0), ipv4(1), ipv6(2), dns(16) } |
| 1.3.6.1.4.1.25506.2.22.1.2.3 (hh3cSSHAttemptIpAddr) | Address of the SSH user. | N/A | InetAddress | OCTET STRING (0..255) |

Recommended action
To resolve this issue:
1. Execute the display ssh server status command on the device to view the SSH version of the SSH server:
   · If the SSH version is 1.99, the device supports SSH1 clients. Go to step 2.
   · If the SSH version is 2.0, execute the ssh server compatible-ssh1x enable command on the device to enable support for SSH1 clients.
2. Collect alarm information and configuration data, and then contact H3C Support for help.
hh3cSSHUserLogin
Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
|---|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.3.0.3 | User login | Informational | Informational | N/A | ON |

Notification triggers
This notification is generated when a user successfully logs in.
System impact
No negative impact on the system.
Status control
This notification cannot be disabled.
Objects

| OID (object name) | Description | Index nodes | Type | Value range |
|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.2 (hh3cSSHSessionUserName) | User name of the SSH session. | hh3cSSHSessionID | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.3 (hh3cSSHSessionUserIpAddrType) | User address type of the SSH session. | hh3cSSHSessionID | InetAddressType | INTEGER { unknown(0), ipv4(1), ipv6(2), dns(16) } |
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.4 (hh3cSSHSessionUserIpAddr) | User address of the SSH session. | hh3cSSHSessionID | InetAddress | OCTET STRING (0..255) |

Recommended action
No action is required.
hh3cSSHUserLogoff
Basic information

| OID | Event | Type | Severity | Recovery notification | Default status |
|---|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.3.0.4 | User logout | Informational | Informational | N/A | ON |

Notification triggers
This notification is generated when a user logs out.
System impact
No negative impact on the system.
Status control
This notification cannot be disabled.
Objects

| OID (object name) | Description | Index nodes | Type | Value range |
|---|---|---|---|---|
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.2 (hh3cSSHSessionUserName) | User name of the SSH session. | hh3cSSHSessionID | DisplayString | OCTET STRING (0..255) |
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.3 (hh3cSSHSessionUserIpAddrType) | User address type of the SSH session. | hh3cSSHSessionID | InetAddressType | INTEGER { unknown(0), ipv4(1), ipv6(2), dns(16) } |
| 1.3.6.1.4.1.25506.2.22.1.1.3.1.4 (hh3cSSHSessionUserIpAddr) | User address of the SSH session. | hh3cSSHSessionID | InetAddress | OCTET STRING (0..255) |

Recommended action
To resolve this issue, use the hh3cSSHSessionUserIpAddr node to verify whether the SSH client is authorized:
· If the SSH client is unauthorized, exclude the IP address of the client from the permit rule of the ACL, and edit the user authentication configuration of the client.
· If the SSH client is authorized, no action is required.

