1.1.1 Introduction to SSH
Secure Shell (SSH) provides information security and strong authentication for users who log in to the Switch remotely over an insecure network, protecting against attacks such as IP address spoofing and plain-text password interception.
A Switch can connect to multiple SSH clients. SSH2.0 is currently available. The SSH client function enables SSH connections between users and a Switch or UNIX host that supports an SSH server.
Figure 1-1 and Figure 1-2 show SSH connection establishment between client and server.
- SSH connections through LAN

Figure 1-1 Establish SSH channels through LAN
- SSH connections through WAN

Figure 1-2 Establish SSH channels through WAN
The communication process between the server and client includes these five stages:
1) Version negotiation stage. These operations are completed at this stage:
- The client sends a TCP connection request to the server.
- When the TCP connection is established, both ends begin to negotiate the SSH version.
- If the versions are compatible, they enter the key and algorithm negotiation stage. Otherwise, the server closes the TCP connection.
2) Key and algorithm negotiation stage:
- The server and the client send key algorithm negotiation packets to each other, which include the supported server-side public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list.
- Based on the received algorithm negotiation packets, the server and the client determine the algorithms to be used.
- The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID.
Through the above steps, the server and the client obtain the same session key, which is used to encrypt and decrypt the data exchanged between them afterwards. Both sides use the session ID in the authentication stage.
3) Authentication method negotiation stage. These operations are completed at this stage:
- The client sends its username information to the server.
- The server authenticates the username information from the client. If the user is configured with no authentication on the server, the authentication stage is skipped and the session request stage starts directly.
- The client keeps sending the user's authentication information to the server until the authentication succeeds or the connection is closed because of authentication timeout.
SSH supports two authentication types: password authentication and RSA authentication.
(1) Password authentication works as follows:
- The client sends its username and password to the server.
- The server compares the received username and password with those configured locally. The user is allowed to log on to the Switch only if both the username and the password match exactly.
(2) RSA authentication works as follows:
- Configure the RSA public key of the client user at the server.
- The client sends the modulus of its RSA public key to the server.
- The server checks the validity of the modulus. If it is valid, the server generates a random number, encrypts it with the RSA public key of the client, and sends the result to the client.
- Both ends calculate authentication data based on the random number and the session ID.
- The client sends the calculated authentication data back to the server.
- The server compares it with the authentication data it calculated locally. If they match exactly, the user is allowed to access the switch.
4) Session request stage. The client sends session request messages to the server, which processes the request messages.
5) Interactive session stage. Both ends exchange data until the session ends.
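The RSA authentication exchange of stage 3, worked through as an added example that is not part of the original manual: the server encrypts a random number under the client's public key, both sides derive authentication data from that number and the session ID, and the server compares the client's answer in constant time. The key pair is a constructed textbook RSA pair built from two Mersenne primes, SHA-256 is assumed as the derivation function (the manual does not name one), and the unpadded RSA operation is a simplification of what a real SSH implementation does; all function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed client key pair for the simulation: textbook RSA over two Mersenne
# primes (hypothetical parameters chosen for readability, not a real client key).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
CLIENT_PUBLIC_KEY = (N, E)      # what "rsa peer-public-key" holds on the switch
CLIENT_PRIVATE_KEY = (N, D)     # what the client's private key file holds


def int_to_bytes(value):
    """Big-endian encoding of a non-negative integer (at least one byte)."""
    return value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")


def authentication_data(random_number, session_id):
    """Both ends derive the proof from the random number and the session ID.
    SHA-256 is an assumption of this example; the manual does not name the function."""
    return hashlib.sha256(int_to_bytes(random_number) + session_id).digest()


def server_challenge(client_public_key, random_number=None):
    """Server side: pick a random number and encrypt it with the client's public key.
    random_number may be fixed by a caller (e.g. a test); otherwise it is drawn at random."""
    n, e = client_public_key
    r = secrets.randbelow(n - 2) + 2 if random_number is None else random_number
    return r, pow(r, e, n)          # r stays on the server, the ciphertext goes to the client


def client_respond(client_private_key, ciphertext, session_id):
    """Client side: recover the random number with the private key and answer
    with authentication data bound to this session."""
    n, d = client_private_key
    recovered = pow(ciphertext, d, n)
    return authentication_data(recovered, session_id)


def server_verify(random_number, session_id, response):
    """Server side: recompute the expected data and compare in constant time."""
    expected = authentication_data(random_number, session_id)
    return hmac.compare_digest(expected, response)


def run_rsa_authentication(session_id):
    """Full exchange for one session; returns True when the client is accepted."""
    random_number, ciphertext = server_challenge(CLIENT_PUBLIC_KEY)
    response = client_respond(CLIENT_PRIVATE_KEY, ciphertext, session_id)
    return server_verify(random_number, session_id, response)


if __name__ == "__main__":
    print("accepted:", run_rsa_authentication(b"constructed-session-id"))
```

Mixing the session ID into the authentication data is what ties the client's answer to the current session: the same random number checked against a different session ID no longer verifies, so a captured answer is useless in a later session.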
The following table describes SSH server configuration tasks.
Table 1-1 Configure SSH2.0 server
Table 1-2 Configure supported protocols
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Enter one or multiple user interface views | user-interface [ type-keyword ] number [ ending-number ] | Required |
| Set the login authentication method | authentication-mode scheme [ command-authorization ] | Required |
| Configure the protocols supported in the user interface view(s) | protocol inbound { all | ssh | telnet } | Optional. By default, the system supports both Telnet and SSH. |
Caution:
- When the SSH protocol is specified, to ensure a successful login, you must configure AAA authentication using the authentication-mode scheme command.
- The protocol inbound ssh configuration fails if you have configured authentication-mode password or authentication-mode none. Once SSH is configured successfully for the user interface, you cannot configure authentication-mode password or authentication-mode none any more.
The name of the server RSA key pair is in the format of the switch name plus _host, H3C_host for example.
After you use the command, the system prompts you to define the key length.
In SSH2.0, the key length is in the range of 512 to 2048 bits. With SSH2, some clients require that the keys generated by the server be at least 768 bits.
Table 1-3 Generate or destroy RSA key pairs
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Generate a local RSA key pair | rsa local-key-pair create | Required |
| Destroy a local RSA key pair | rsa local-key-pair destroy | Required |
Caution:
- For a successful SSH login, you must generate a local RSA key pair first.
- You only need to execute the command once; no further action is required even after the system is rebooted.
- If you use this command to generate an RSA key when an old one already exists, the system prompts you to confirm whether to replace the previous one.
Table 1-4 Create an SSH user
| Operation | Command | Description |
| Enter system view | system-view | — |
| Create an SSH user | ssh user username | Required |
For an SSH user created by using this command, if you do not specify an authentication type for this user by using the ssh user authentication-type command, the SSH user adopts the default authentication type. If no default authentication type is specified either, you need to specify an authentication type for this SSH user.
New users must have an authentication type specified. Otherwise, they cannot access the switch.
Table 1-5 Configure authentication type
| Operation | Command | Description |
| Enter system view | system-view | — |
| Specify a default authentication type for SSH users | ssh authentication-type default { password | rsa | password-publickey | all } | At least one of the two commands is required. By default, no authentication type is specified for an SSH user, and the user cannot access the switch. |
| Configure the authentication type for a specific SSH user | ssh user username authentication-type { password | password-publickey | rsa | all } | At least one of the two commands is required. |
Note that:
- The ssh authentication-type default command configures the default authentication type for all SSH users.
- The ssh user username authentication-type command configures an authentication type for a specific SSH user.
- When both commands are configured with different authentication types, the authentication type specified by the ssh user username authentication-type command takes effect for the specific user (the user specified by the username argument) instead of the one specified for all SSH users.
Caution:
- If the RSA authentication type is defined, the RSA public key of the client user must be configured on the switch.
- By default, no authentication type is specified for a new user, so the user cannot access the switch.
- For the password-publickey authentication type: SSHv1 client users can access the switch as long as they pass one of the two authentications. SSHv2 client users can access the switch only when they pass both authentications.
- For password authentication, username should be consistent with the effective user name defined in AAA; for RSA authentication, username is the SSH local user name, so there is no need to configure a local user in AAA.
- If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user. Instead, you can use the local-user command to create a user name and its password and then set the service type of the user to SSH.
- If the default authentication type for SSH users is password and remote authentication (RADIUS authentication, for example) is adopted, you need not use the ssh user command to create an SSH user, because the user is created on the remote server. The user can access the network with the username and password configured on the remote server.
- If you use the ssh user username authentication-type command to specify an authentication type for a nonexistent SSH user, the system creates the SSH user automatically.
- If the RSA authentication type is specified, you can use the user privilege level command to set the level of the commands available to the SSH users logging in to the server. All users adopting RSA authentication then have access to the same command level.
- If the password authentication type is specified, the command levels accessible to SSH users logging in to the server are determined through AAA. In this case, the command level may vary with users.
Configuring the SSH authentication timeout time and retry times on the server helps secure SSH connections and prevents illegitimate access attempts.
Table 1-6 Configure server SSH attributes
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Set the SSH authentication timeout time | ssh server timeout seconds | Optional. The timeout time defaults to 60 seconds. |
| Set the SSH authentication retry times | ssh server authentication-retries times | Optional. The retry times defaults to 3. |
You can configure RSA public keys for client users on the switch and specify the corresponding RSA private keys on the client. The client keys are generated randomly by the SSH2.0 client software. This operation is not required for the password authentication type.
Table 1-7 Configure client public keys
| Operation | Command | Remarks |
| Enter system view | system-view | — |
| Enter public key view | rsa peer-public-key key-name | Required |
| Enter public key edit view | public-key-code begin | — |
| Configure the client public key | Enter the content of the public key | Required. When you input the key data, spaces are allowed between the characters (the system removes them automatically), and you can press <Enter> to continue your input on the next line. The key you input must be a hexadecimal digit string coded in the public key format. |
| Return to public key view from public key edit view | public-key-code end | — (The system saves the public key data when you exit public key edit view.) |
| Return to system view from public key view | peer-public-key end | — |
| Allocate public keys to SSH users | ssh user username assign rsa-key keyname | Required. keyname is the name of an existing public key. If the user already has a public key, the new public key overrides the old one. |
- The above method requires you to transform the format of the public key on the client and then manually configure the transformed public key on the server, so it is relatively complex.
- If you use the ssh user username assign rsa-key command to assign a public key to a nonexistent SSH user, the system creates the SSH user automatically.
- When configuring the public key for a client manually, you can copy the local host public key configuration on the client and then paste it to the server.
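The hexadecimal string typed between public-key-code begin and public-key-code end is a DER-encoded PKCS#1 RSAPublicKey, a SEQUENCE of two INTEGERs (modulus and public exponent). As an added example that is not part of the original manual, the Python below strips the spaces and line breaks the switch tolerates, parses that structure, and reports the modulus length so an administrator can sanity-check a key before assigning it to an SSH user. The key data is the one shown in this document's own configuration example; the function names are the example's own, and 768 bits is used as the default minimum only because it is the smallest size this document mentions clients accepting.

```python
import re

# Public key exactly as it appears in this document's configuration example,
# typed between public-key-code begin and public-key-code end (line breaks as shown).
PAGE_KEY_HEX = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""


def normalize_key_text(text):
    """Remove the spaces and line breaks the switch tolerates and return the raw DER bytes."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError("key data must be an even-length hexadecimal digit string")
    return bytes.fromhex(compact)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element starting at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def parse_rsa_public_key(text):
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    from its hexadecimal form and return (modulus, exponent) as integers."""
    der = normalize_key_text(text)
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("expected exactly two INTEGERs inside the SEQUENCE")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_key_strength(modulus, exponent, minimum_bits=768):
    """Findings an administrator would want to see before assigning the key to an SSH user.
    The 768-bit default is the example's choice, taken from the smallest size this document
    says SSH2 clients accept."""
    findings = []
    bits = modulus.bit_length()
    if bits < minimum_bits:
        findings.append(f"modulus is {bits} bits, below the {minimum_bits}-bit minimum")
    if modulus % 2 == 0:
        findings.append("modulus is even, so it cannot be a product of two odd primes")
    if exponent < 3 or exponent % 2 == 0:
        findings.append(f"public exponent {exponent} is not an odd integer of at least 3")
    return findings


if __name__ == "__main__":
    n, e = parse_rsa_public_key(PAGE_KEY_HEX)
    print(f"modulus: {n.bit_length()} bits, public exponent: {e}")
    print("findings:", check_key_strength(n, e) or "none")
```

Run against the document's key, the parser reports a 1023-bit modulus with public exponent 37 and no findings; a string with stray characters, a truncated key, or anything other than a SEQUENCE of two INTEGERs is rejected before it reaches the switch configuration.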
A variety of SSH client software is available, such as PuTTY and OpenSSH. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:
- Specifying the IP address of the server.
- Selecting SSH as the protocol for the remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.
- Selecting the SSH version. Since the device currently supports SSH Server 2.0, select 2.0 on the client.
- Specifying the RSA private key file. If RSA authentication is enabled for an SSH user on the server and a public key is set for the user, the private key file corresponding to that public key must be specified on the client. RSA key pairs are generated by a tool of the client software.
The following takes the client software PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client:
I. Generating the Client Keys
To generate the client key pair, run PuTTYGen.exe, choose SSH-2 RSA under Parameters and click Generate.

Figure 1-3 Generating the client keys (1)
Note that while the key pair is being generated, you must move the mouse continuously and keep it off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation process stops.

Figure 1-4 Generating the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.

Figure 1-5 Generating the client keys (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without a passphrase to protect it. Click Yes and enter the name of the file for saving the private key (private in this case) to save the private key.

Figure 1-6 Generating the client keys (4)
To generate the RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.

Figure 1-7 Generating the client keys (5)
II. Specifying the IP Address of the Server
Launch PuTTY.exe. The following window appears.

Figure 1-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the server and the client.
III. Selecting the Protocol for Remote Connection
As shown in Figure 1-8, select SSH under Protocol.
IV. Selecting the SSH Version
From the category tree in the left pane of the window, select SSH under Connection. The window shown in Figure 1-9 appears.

Figure 1-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
Some SSH client software, for example the Tectia client software, supports the DES algorithm only when the ssh1 version is selected. The PuTTY client software supports DES algorithm negotiation with ssh2.
V. Opening an SSH Connection with RSA
If the client needs to use RSA authentication, you must specify the RSA private key file. If the client needs to use password authentication, this is not required.
From the category tree on the left of the window, select Connection/SSH/Auth. The following window appears.

Figure 1-10 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
1) From the window shown in Figure 1-10, click Open. The following SSH client interface appears. If the connection is normal, you are prompted to enter the username and password, as shown in Figure 1-11.

Figure 1-11 SSH client interface
2) Enter the username and password to establish an SSH connection.
3) To log out, enter the quit command.
When the device connects to the SSH server as an SSH client, you can configure the SSH client to authenticate the SSH server during the first access.
- First authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can choose to continue accessing the server and save the host public key on the client for future authentication of the server.
- With first authentication not supported, the client cannot authenticate the server if it is not configured with the server host public key. In this case, you must configure the host public key of the server and specify the key name on the client beforehand, so that the client can authenticate the server.
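The two behaviours above, worked through as an added example that is not part of the original manual: a small host key store in Python models the client side of first authentication (the ssh client first-time enable default, where the user may continue and optionally save the unknown host key) and the stricter mode (undo ssh client first-time, where only a host key pre-provisioned with ssh client ... assign rsa-key is accepted), and it rejects a connection when a saved host key no longer matches the one presented. The class name, method names and host key byte strings are constructed for the illustration; a real client stores and compares the server's actual RSA host public key.

```python
import hashlib

# Constructed host keys for the simulation (hypothetical byte strings, not real RSA keys).
SERVER_HOST_KEY = b"constructed-rsa-host-key-of-switch-b"
IMPOSTOR_HOST_KEY = b"constructed-rsa-host-key-presented-by-another-device"


class SshClientHostKeyStore:
    """Client-side host key handling modelled on the two device behaviours:
    first_time_enabled=True  ~ ssh client first-time enable (the default)
    first_time_enabled=False ~ undo ssh client first-time
    assign_rsa_key()         ~ ssh client { server-ip | server-name } assign rsa-key keyname
    """

    def __init__(self, first_time_enabled=True):
        self.first_time_enabled = first_time_enabled
        self.known_hosts = {}   # server address or name -> fingerprint of its host public key

    @staticmethod
    def fingerprint(host_key):
        """Store a digest of the key rather than the raw key; comparison semantics are the same."""
        return hashlib.sha256(host_key).hexdigest()

    def assign_rsa_key(self, server, host_key):
        """Pre-provision the server's host public key (the only way in when first-time is disabled)."""
        self.known_hosts[server] = self.fingerprint(host_key)

    def authenticate_server(self, server, presented_key, save_on_first_access=True):
        """Decide whether to proceed with the connection.
        Returns (decision, reason); decision is 'connect', 'connect-unsaved' or 'reject'."""
        presented = self.fingerprint(presented_key)
        saved = self.known_hosts.get(server)
        if saved is None:
            if not self.first_time_enabled:
                return "reject", "no host key configured for this server and first authentication is disabled"
            # First access: the server is not authenticated; the user chooses whether to save its key.
            if save_on_first_access:
                self.known_hosts[server] = presented
                return "connect", "server not authenticated; host key saved for future sessions"
            return "connect-unsaved", "server not authenticated; key not saved, so the next session is unauthenticated again"
        if saved == presented:
            return "connect", "host key matches the saved key; server authenticated"
        return "reject", "host key mismatch; the server key changed or another device is answering"


if __name__ == "__main__":
    store = SshClientHostKeyStore()
    for key in (SERVER_HOST_KEY, SERVER_HOST_KEY, IMPOSTOR_HOST_KEY):
        print(store.authenticate_server("10.165.87.136", key))
```

The 'connect-unsaved' branch is the path taken in this document's own session output, where the operator answers n to "Do you want to save the server's public key?": the connection proceeds, but nothing is learned for the next session, so the server remains unauthenticated on every access until its key is saved or pre-provisioned.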
I. Configure the device as an SSH client that supports first authentication
Table 1-8 Configure the device as an SSH client that supports first authentication
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enable the client to run initial authentication | ssh client first-time enable | Optional. By default, the client is enabled to run initial authentication. |
| Start the client to establish a connection with an SSH server | ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] * | Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client. HMAC: Hash-based message authentication code. |
II. Configure the device as an SSH client that does not support first authentication
Table 1-9 Configure the device as an SSH client that does not support first authentication
| Operation | Command | Description |
| Enter system view | system-view | — |
| Disable the SSH client from performing first authentication for the SSH server to be accessed | undo ssh client first-time | Required. By default, the SSH client performs first authentication. |
| Enter public key view | rsa peer-public-key keyname | Optional |
| Enter public key edit view | public-key-code begin | — |
| Configure the public key for the server | Input the public key directly | — (The input public key string can contain spaces and line breaks. The public key to be configured must be a hexadecimal string coded in the public key format.) |
| Quit to public key view | public-key-code end | — (The input public keys are saved when you quit public key edit view.) |
| Quit to system view | peer-public-key end | — |
| Specify the name of the host public key of the SSH server to be accessed on the SSH client | ssh client { server-ip | server-name } assign rsa-key keyname | Required |
| Connect the SSH client to the SSH server, and specify the preferred key exchange algorithm, the preferred encryption algorithm and the preferred HMAC algorithm for the SSH client and the SSH server | ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] * | Required |
1.1.5 Displaying SSH Configuration
Use the display commands in any view to view the running status of SSH and to verify the configuration result.
Table 1-10 Display SSH configuration
| Operation | Command |
| Display host and server public keys | display rsa local-key-pair public |
| Display client RSA public key | display rsa peer-public-key [ brief | name keyname ] |
| Display SSH status and session information | display ssh server { status | session } |
| Display SSH user information | display ssh user-information [ username ] |
| Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info |
I. Network requirements
As shown in Figure 1-12, configure a local connection from the SSH client to the switch. The PC runs SSH2.0-supported client software.
II. Network diagram

Figure 1-12 Network diagram for SSH server configuration
III. Configuration procedure
The configuration procedure varies with the login authentication mode. However, you must complete the following three configuration tasks before any configuration procedure.
First, generate the local RSA key pair on the switch.
<H3C> system-view
[H3C] rsa local-key-pair create
Then, create a VLAN interface on the switch and assign it an IP address, which the SSH client will use as the destination for the SSH connection.
[H3C] interface vlan-interface 1
[H3C-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[H3C-Vlan-interface1] quit
Finally, configure an IP address (192.168.0.2 in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.
1) Set the authentication type.
Settings for the two authentication types are described respectively in the following:
- Password authentication
# Set AAA authentication on the user interfaces.
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme
# Set the user interfaces to support SSH.
[H3C-ui-vty0-4] protocol inbound ssh
[H3C-ui-vty0-4] quit
# Set the login protocol to SSH, the command level to 3, and the authentication password to "abc" for user client001.
[H3C] local-user client001
[H3C-luser-client001] password simple abc
[H3C-luser-client001] service-type ssh level 3
[H3C-luser-client001] quit
[H3C] ssh user client001 authentication-type password
Keep the default SSH authentication timeout time and authentication retry times. After these settings, run the SSH2.0-supported client software on another host connected to the switch and log in to the switch using the username client001 and password abc.
- RSA public key authentication
# Set AAA authentication on the user interfaces.
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme
# Set the user interfaces to support SSH.
[H3C-ui-vty0-4] protocol inbound ssh
# Set the command level for the login users to 3.
[H3C-ui-vty0-4] user privilege level 3
[H3C-ui-vty0-4] quit
# Set the login protocol to SSH and the authentication type to RSA for user client001.
[H3C] ssh user client001 authentication-type rsa
At this time, the client supporting SSH2.0 generates a random RSA key pair consisting of a public key and a private key. You need to add the RSA public key, a hexadecimal character string encoded by the SSHKEY.EXE software in accordance with the public key cryptography standards (PKCS), to the rsa peer-public-key on the specified SSH server in the following way.
# Configure the client public key on the server, with the name Switch001.
[H3C] rsa peer-public-key Switch001
[H3C-rsa-public-key] public-key-code begin
[H3C-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[H3C-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[H3C-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[H3C-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[H3C-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[H3C-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[H3C-rsa-key-code] public-key-code end
[H3C-rsa-public-key] peer-public-key end
# Assign the public key Switch001 to user client001.
[H3C] ssh user client001 assign rsa-key Switch001
For RSA authentication, you not only need to configure the IP address, protocol type, and protocol version of the SSH server on the client, but also need to specify the RSA private key file (generated at random by the client software) on the client. After the SSH connection is established, enter the username as prompted to enter the configuration interface of the switch.
I. Network Requirements
As shown in Figure 1-13:
- Switch A serves as an SSH client with the username client001.
- Switch B serves as an SSH server with IP address 10.165.87.136.
II. Network diagram

Figure 1-13 Network diagram for SSH client configuration
III. Configuration procedure
1) Configure Switch B
# Create an RSA host key pair.
<H3C> system-view
[H3C] rsa local-key-pair create
# Create a VLAN interface and assign it an IP address, which the SSH client will use as the destination for the SSH connection.
[H3C] interface vlan-interface 1
[H3C-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[H3C-Vlan-interface1] quit
# Set the authentication method of the user interface to AAA for the SSH client.
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme
# Set the protocol that a remote user uses to log in to SSH.
[H3C-ui-vty0-4] protocol inbound ssh
[H3C-ui-vty0-4] quit
# Set the login protocol to SSH, the command level to 3, and the authentication password to "abc" for user client001.
[H3C] local-user client001
[H3C-luser-client001] password simple abc
[H3C-luser-client001] service-type ssh level 3
[H3C-luser-client001] quit
# Set the SSH authentication method to password. The SSH authentication timeout period, number of SSH authentication attempts and server key pair update interval can keep their default values.
[H3C] ssh user client001 authentication-type password
2) Configure Switch A
# Configure an IP address (10.165.87.137 in this case) for the VLAN interface on Switch A. This IP address and that of the VLAN interface on Switch B must be in the same network segment.
<H3C> system-view
[H3C] interface vlan-interface 1
[H3C-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[H3C-Vlan-interface1] quit
# Establish an SSH connection to server 10.165.87.136.
[H3C] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. Ltd. All rights reserved*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
<H3C>