Chapter 1 SSH Terminal Service
1.1.1 Introduction to SSH
Secure Shell (SSH) provides secure communication and strong authentication for remote user login to a switch over an insecure network, thus preventing attacks such as IP address spoofing and plain-text password interception.
Currently, the S3100-52P Ethernet Switches support SSH2.0. Acting as an SSH server, a switch allows connections from multiple SSH clients. Through an SSH client, a user can establish a connection to a switch or UNIX host running an SSH server.
Figure 1-1 and Figure 1-2 show two ways to establish an SSH connection between client and server.
- Establishing an SSH connection through a LAN

Figure 1-1 Establish SSH connection through a LAN

- Establishing an SSH connection through a WAN

Figure 1-2 Establish SSH connection through a WAN
The communication process between an SSH client and server goes through the following five stages.
1) Version negotiation stage:
- The client sends a TCP connection request to the server.
- When a TCP connection is established, the two ends begin to negotiate an SSH version.
- If the negotiation succeeds, they go to the key negotiation stage. Otherwise the server terminates the TCP connection.
2) Key negotiation stage:
- The server sends the public key of a randomly generated RSA key pair to the client.
- The client calculates a session key by using the public key received from the server and a random number it generates.
- The client encrypts the random number with the public key from the server and sends the result to the server.
- The server then decrypts the received data with the private key of the RSA key pair to obtain the client's random number.
- The server calculates a session key by using the public key and the random number through the same algorithm as the client.
Then the server and the client hold the same session key, and use it for data encryption and decryption to secure their subsequent communication.
3) Authentication negotiation stage:
- The client sends its username information to the server.
- The server starts to authenticate the user. If the user is configured as having no authentication on the server, the following step is skipped and the session request stage starts directly.
- The server authenticates the user in some way (see the following note), until the authentication succeeds or the connection is terminated due to authentication timeout.
SSH provides two kinds of authentication: password authentication and RSA authentication.
(1) Password authentication works as follows:
- The client sends the username and password to the server.
- The server compares the received username and password against those configured locally. The user passes the authentication if the server finds a match for both username and password.
(2) RSA authentication works as follows:
- Configure the RSA public key of the client on the server.
- The client sends the modulus of its RSA public key to the server.
- The server checks the validity of the modulus. If it is valid, the server generates a random number and sends it to the client after encrypting it with the RSA public key of the client.
- Both the server and the client calculate authentication data by using the random number and the session ID.
- The client sends the authentication data it calculates to the server.
- The server compares the received authentication data with the authentication data it calculated itself. If they are identical, the authentication succeeds.
4) Session request stage: the client sends a session request to the server, which processes the request and establishes a session.
5) Interactive session stage: both ends exchange data until the session ends.
The following table describes SSH server configuration tasks.
Table 1-1 SSH2.0 Server configuration tasks
Table 1-2 Configure user interface(s) to support specified protocol(s)
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter the view of one or multiple user interfaces | user-interface [ type-keyword ] number [ ending-number ] | Required |
| Configure the user interface(s) to support specified protocol(s) | protocol inbound { all | ssh | telnet } | Optional. By default, both Telnet and SSH are supported. |
Caution:
- If you have configured a user interface to support the SSH protocol, to ensure a successful login to the user interface, you must configure AAA authentication for the user interface by using the authentication-mode scheme command.
- For a user interface, if you have executed the authentication-mode password or authentication-mode none command, the protocol inbound ssh command cannot be executed; if you have executed the protocol inbound ssh command, neither the authentication-mode password nor the authentication-mode none command can be executed.
This configuration task is used to generate or destroy an RSA key pair on the server, which is named in the format of the switch name plus "_Host", for example, H3C_host.
After you issue the rsa local-key-pair create command, the system prompts you to input a key length. In SSH2.0, the key length is in the range of 512 to 2,048 bits.
Table 1-3 Generate or destroy local RSA key pair
| Operation | Command | Description |
| Enter system view | system-view | — |
| Generate local RSA key pair | rsa local-key-pair create | Required |
| Destroy local RSA key pair | rsa local-key-pair destroy | Optional |
Caution:
- For a successful SSH login, you must first generate the RSA key pair of the server.
- You need to execute the rsa local-key-pair create command only once, and need not execute it again after the system is rebooted.
- If you re-execute the rsa local-key-pair create command, the system asks whether you want to replace the original key pair with a new one.
After the rsa local-key-pair create command is executed, you can execute the display rsa local-key-pair public command to display information about the public key (in H3C_host, for example).
For a new user, you must specify the authentication type. Otherwise, the user cannot access the switch.
Table 1-4 Configure authentication type for a user
| Operation | Command | Description |
| Enter system view | system-view | — |
| Specify a default authentication type for SSH users | ssh authentication-type default { password | rsa | password-publickey | all } | At least one of these two commands is required. By default, no authentication type is specified for an SSH user, and the user cannot access the switch. |
| Configure authentication type for an SSH user | ssh user username authentication-type { password | password-publickey | rsa | all } | At least one of these two commands is required. |
Note that:
- The ssh authentication-type default command is used to configure the default authentication type for all SSH users.
- The ssh user username authentication-type command is used to configure an authentication type for a specific SSH user.
- When both commands are configured with different authentication types, for the specific user (the user specified by the username argument), the authentication type specified by the ssh user username authentication-type command takes effect instead of that specified for all SSH users.
Caution:
- If the RSA authentication type is configured for a user, the RSA public key of the client user must be configured on the switch.
- By default, no authentication type is specified for a new user, and the new user cannot access the switch.
- For the password-publickey authentication type, users can access the switch only when they pass both kinds of authentication.
- For the password authentication type, username must be consistent with the valid user name defined in AAA; for the RSA authentication type, username is the SSH local user name, so there is no need to configure a local user in AAA.
- If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user. Instead, you can use the local-user command to create a user name and its password and then set the service type of the user to SSH.
- If the default authentication type for SSH users is password and remote authentication (RADIUS authentication, for example) is adopted, you need not use the ssh user command to create an SSH user, because it is created on the remote server, and the user can use the username and password configured on the remote server to access the network.
The configuration of SSH management includes the setting of the authentication timeout time and the number of authentication retries. With these settings, the SSH management function can prevent illegal activities such as malicious password guessing, thus ensuring the security of SSH connections.
Table 1-5 Configure SSH management
| Operation | Command | Description |
| Enter system view | system-view | — |
| Set SSH authentication timeout time | ssh server timeout seconds | Optional. By default, the timeout time is 60 seconds. |
| Set SSH authentication retry times | ssh server authentication-retries times | Optional. By default, the number of retries is 3. |
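The following is an added configuration example (not taken from the manual) that strings Tables 1-2 to 1-5 together into one server-side SSH setup with password authentication against local AAA. Command syntax comes from the tables above; the VTY range "vty 0 4", the user name "admin", the placeholder password, the "password simple" and "service-type ssh" forms, and the command prompts are assumptions.

```text
# Added example, not from the manual: minimal SSH server setup on the switch.
# Prompts in [ ] are assumed; commands follow Tables 1-2 to 1-5.
<Switch> system-view
# Order matters (Caution under Table 1-2): scheme authentication must be set
# before "protocol inbound ssh" is accepted on the user interface.
[Switch] user-interface vty 0 4
[Switch-ui-vty0-4] authentication-mode scheme
[Switch-ui-vty0-4] protocol inbound ssh
[Switch-ui-vty0-4] quit
# Generate the server host key pair once (prompts for a length of 512 to 2048
# bits). Not needed again after a reboot; re-running offers to replace the pair.
[Switch] rsa local-key-pair create
# Password authentication with local AAA: no "ssh user" needed, create the local
# user instead ("password simple" and "service-type ssh" are assumed syntax).
[Switch] ssh authentication-type default password
[Switch] local-user admin
[Switch-luser-admin] password simple <PLACEHOLDER-PASSWORD>
[Switch-luser-admin] service-type ssh
[Switch-luser-admin] quit
# Defaults are a 60-second authentication window and 3 retries; tighten both
# to narrow the window for password guessing (Table 1-5).
[Switch] ssh server timeout 30
[Switch] ssh server authentication-retries 2
# Verify the host public key exists before letting clients connect.
[Switch] display rsa local-key-pair public
```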
On the switch, you can configure a client public key (generated randomly on a client) for a client user. This configuration is not required for the password authentication type.
There are two methods to configure a client public key for a user.
1) Manual configuration
First, perform the following operations on a client:
- Use the SSH2.0 client software to randomly generate an RSA key pair.
- Use the SSHKEY.exe program to transform the public key in the RSA key pair to PKCS (public-key cryptography standards) format.
Then, perform the following operations on the server:
Table 1-6 Configure client public key for a user
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter public key view | rsa peer-public-key key-name | Required |
| Enter public key edit view to input a client public key | public-key-code begin | When you input the key data, spaces are allowed between the characters you input (the system removes the spaces automatically); you can also press <Enter> to continue your input on the next line. The key you input must be a hexadecimal digit string coded in the public key format. |
| Return to public key view from public key edit view | public-key-code end | The system saves the public key data you input when exiting public key edit view. |
| Return to system view from public key view | peer-public-key end | — |
| Assign a client public key to an SSH user | ssh user username assign rsa-key keyname | Required. keyname is the name of an existing public key. If the user has already been assigned a public key, the newly assigned public key overwrites the old one. |
The above method requires you to transform the format of the public key on the client, and then manually configure the transformed public key on the server, so it is relatively more complex.
2) Automatic configuration
First, perform the following operations on a client:
- Use the SSH2.0 client software to randomly generate an RSA key pair.
- Use FTP/TFTP to transfer the corresponding public key file to the Flash memory of the server.
Then, perform the following operations on the server:
Table 1-7 Automatic configuration
| Operation | Command | Description |
| Enter system view | system-view | — |
| Transform the format of the key in a client public key file and automatically configure a client public key on the server | rsa peer-public-key key-name import sshkey file-name | file-name must be consistent with the name of a public key file in the Flash memory. |
The above method does not require you to manually configure a public key, so it is relatively simple and is the recommended method.
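As an added example (not from the manual), the following shows both methods from Tables 1-6 and 1-7 side by side, and then binds the imported key to a user who is switched to RSA authentication. The key names "key001" and "key002", the file name "public.pub", the user name "admin", the prompts and the hex placeholder are assumptions.

```text
# Added example, not from the manual: client public key for SSH user "admin".
<Switch> system-view
# Method 1, manual (Table 1-6): paste the PKCS-format hexadecimal string produced
# by SSHKEY.exe; spaces and line breaks are removed by the system.
[Switch] rsa peer-public-key key001
[Switch-rsa-public-key] public-key-code begin
[Switch-rsa-key-code] <PLACEHOLDER: hexadecimal key data from SSHKEY.exe>
[Switch-rsa-key-code] public-key-code end
[Switch-rsa-public-key] peer-public-key end
# Method 2, automatic (Table 1-7): the client public key file was first
# uploaded to Flash by FTP/TFTP; the switch converts and stores it in one step.
[Switch] rsa peer-public-key key002 import sshkey public.pub
# Require RSA for this user only; the per-user setting overrides
# "ssh authentication-type default", and for RSA no AAA local user is needed.
[Switch] ssh user admin authentication-type rsa
# Bind the key; assigning a new key overwrites any key already assigned.
[Switch] ssh user admin assign rsa-key key002
```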
VI. Specifying a source IP address/interface for the SSH server
You can perform the following configurations to specify a source IP address or a source interface for the SSH server, thus enhancing traffic manageability.
Table 1-8 Specify a source IP address/interface for the SSH server
| Operation | Command | Description |
| Enter system view | system-view | — |
| Specify a source IP address for the SSH server | ssh-server source-ip ip-address | Optional |
| Specify a source interface for the SSH server | ssh-server source-interface interface-type interface-number | Optional |
A variety of SSH client software is available, such as PuTTY and FreeBSD. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:
- Specifying the IP address of the server
- Selecting the protocol for remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin and SSH. To establish an SSH connection, you must select SSH.
- Selecting the SSH version. Since the device currently supports SSH Server 2.0, select 2.0 or lower for the client.
- Specifying the RSA private key file. The RSA keys for an SSH user include a public key and a private key, which are generated by the tool accompanying the client software. The public key must be configured on the server, while the private key must be configured on the client.
The following takes the client software PuTTY, PuTTYGen and SSHKEY as an example to illustrate how to configure the SSH client.
To generate the client key pair, run PuTTYGen.exe, choose “SSH2(RSA)” in the parameter field and click “Generate”.

Figure 1-3 Generating the client key (1)
While generating the key pair, you must move the mouse continuously. Keep the mouse outside the green progress bar in the blue box of Figure 1-4. Otherwise, the progress bar does not advance and the key pair cannot be generated.

Figure 1-4 Generating the client key (2)
After the key pair is generated, click “Save public key” and enter the file name (public here) to save the public key.

Figure 1-5 Generating the client key (3)
Likewise, to save the private key, click “Save private key”. A warning window pops up asking whether you want to save the private key without any protection. Click “Yes” and enter a name (private here) to save the private key.

Figure 1-6 Generating the client key (4)
To generate the RSA public key in PKCS format, run SSHKEY.exe, click “Browse” and select the public key file, and then click “Convert”.

Figure 1-7 Generating the client key (5)
II. Specifying the IP address of the server
Launch PuTTY.exe and the following window appears.

Figure 1-8 SSH client interface 1
In the [Host Name (or IP address)] text box, enter the IP address of the server, for example, 10.110.28.10. Note that the IP address can be the IP address of any interface on the server that is up and has a route to the client.
III. Selecting the protocol for remote connection
As shown in Figure 1-8, select the [SSH] option from the [Protocol] section.
IV. Selecting the SSH version
From the category on the left of the window, click [Connection/SSH]. The window shown in Figure 1-9 appears.

Figure 1-9 SSH client interface 2
In the [Protocol options] field, select [2] from the [Preferred SSH protocol version] section.
V. Open an SSH Connection with RSA
If the client needs to use RSA authentication, you must specify the RSA private key file. If the client uses password authentication, this is not required.
From the category on the left of the window, click [Connection/SSH/Auth]. The following window appears.

Figure 1-10 SSH client interface 3
Click <Browse…> to bring up the file selection window, navigate to the private key file and click <OK>.
1) Click <Open>. The following SSH client interface appears. If the connection is normal, you are prompted to enter the username and password, as shown in Figure 1-11.

Figure 1-11 SSH client interface
2) Enter the username and password to create an SSH connection.
3) To log out, enter the quit command.
The following table describes SSH client configuration tasks.
Table 1-9 SSH Client configuration tasks
| Operation | Command | Description |
| Enter system view | system-view | |