When configuring SSH2.0, go to these sections for information you are interested in:
- SSH Overview
- SSH Configuration Tasks
- Configuring the SSH Server
- Configuring the SSH Client
- Configuring the Device as an SSH Client
- Displaying and Maintaining the SSH Protocol
- SSH Server Configuration Example
- SSH Client Configuration Example
1.1 SSH Overview
Secure Shell (SSH) offers an approach to securely logging into a remote device. It can protect devices against attacks such as IP spoofing and plain-text password interception.
The device can not only work as an SSH server to support connections from SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server. Figure 1-1 and Figure 1-2 show SSH connections established on the LAN and over the WAN respectively.
Figure 1-1 SSH connection on the local network
Figure 1-2 SSH connection over a WAN
At present, the device supports two SSH versions: SSH2 and SSH1. Unless otherwise noted, SSH refers to SSH2 throughout this document.
To establish an SSH connection, the server and the client go through the following five stages:
1) Version number negotiation
- The server opens port 22 to listen for connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format "SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>". The primary and secondary protocol version numbers constitute the protocol version number, while the software version number is used for debugging.
- The client receives and parses the packet. If the protocol version of the server is lower but supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version.
- The client sends to the server a packet that contains the number of the protocol version it decides to use. The server compares the version carried in the packet with its own to determine whether it can work with the client.
- If the negotiation is successful, the server and the client go on to key and algorithm negotiation; otherwise, the server closes the TCP connection.
All the packets above are transferred in plain text.
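The version negotiation just described, as an added Python illustration that is not part of the original document: it parses the plain-text identification string and applies the client-side and server-side rules above. The banner software strings and the supported-version sets are assumptions chosen to mirror the device's SSH1/SSH2 support and its SSH1.x compatibility switch.

```python
import re

# "SSH-<major>.<minor>-<software>", optionally followed by a space and a comment.
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")


def parse_ident(line):
    """Return ((major, minor), software) for an identification string, or None if malformed."""
    m = IDENT_RE.match(line.strip())
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def client_choose_version(server_line, own_version, client_supported):
    """Client side of stage 1: adopt a lower but supportable server version, else keep its own."""
    parsed = parse_ident(server_line)
    if parsed is None:
        return None                     # malformed banner: nothing to negotiate with
    server_version, _software = parsed  # the software part is for debugging only
    if server_version < own_version and server_version in client_supported:
        return server_version
    return own_version


def server_accepts(client_version, server_supported):
    """Server side of stage 1: compare the client's chosen version with what it can serve."""
    return client_version in server_supported


def negotiate(server_line, own_version, client_supported, server_supported):
    """Run both halves; the agreed (major, minor), or None where the server closes the TCP connection."""
    chosen = client_choose_version(server_line, own_version, client_supported)
    if chosen is None or not server_accepts(chosen, server_supported):
        return None
    return chosen


# Constructed banners; the software strings are assumptions, not taken from a real device.
SSH2_SERVER = "SSH-2.0-ExampleDevice_1.0"
SSH1_SERVER = "SSH-1.5-ExampleDevice_1.0"
BOTH = {(1, 5), (2, 0)}      # server with SSH1.x compatibility on (the device default)
SSH2_ONLY = {(2, 0)}         # server with SSH1.x compatibility turned off

if __name__ == "__main__":
    print(negotiate(SSH2_SERVER, (2, 0), BOTH, BOTH))           # (2, 0)
    print(negotiate(SSH1_SERVER, (2, 0), BOTH, BOTH))           # (1, 5): client steps down to the server
    print(negotiate(SSH2_SERVER, (1, 5), {(1, 5)}, SSH2_ONLY))  # None: SSH1-only client is dropped
```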
2) Key and algorithm negotiation
- The server and the client send key algorithm negotiation packets to each other, which include the supported server-side public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list.
- Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used.
- The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID.
Through the above steps, the server and the client obtain the same session key, which is used from then on to encrypt and decrypt the data exchanged between them. The server and the client use the session ID in the authentication stage.
Caution:
Before the negotiation, the server must have already generated the server key pair and the host key pair, which are mainly used for generating the session key. The server key pair applies only to SSH1.
3) Authentication
The client sends to the server an authentication request, which includes the username and authentication method, and the server starts to authenticate the client.
SSH provides two authentication methods: password authentication and RSA authentication.
For password authentication:
- The client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server.
- Upon receiving the request, the server decrypts the username and password, compares them against those it maintains, and then informs the client of the authentication result.
For RSA authentication:
- The client sends to the server an RSA authentication request containing its RSA public key modulus.
- The server validates the modulus. If the modulus is invalid, the authentication fails; otherwise, the server generates a 32-byte random number, converts it to a multiple precision (MP) integer (MSB first), encrypts it using the RSA public key from the client, and then sends the result to the client as a challenge.
- Upon receiving the challenge, the client decrypts it with its private key to get the MP integer, computes an MD5 value over the MP integer and the session ID, and then encrypts and sends the MD5 value to the server.
- After receiving the encrypted MD5 value, the server decrypts it to obtain the MD5 value and compares it with the one it calculated locally. If they match, the authentication succeeds.
Besides password authentication and RSA authentication, SSH2.0 provides another two authentication methods:
- password-publickey: Performs both password authentication and RSA authentication of the client. An SSH1 client only needs to pass either of the two, while an SSH2 client must pass both to log in.
- all: Performs either password authentication or RSA authentication. The client tries RSA authentication first.
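The RSA challenge-response just described, as an added Python example that is not part of the original document: both halves are implemented with textbook RSA and the standard library only, so the key generation is a demo stand-in, the session ID is a constructed value, and the encryption of the MD5 response with the session key is left out. The "admin" user and the key table that stands in for the key bound to a user on the device are assumptions.

```python
import hashlib
import hmac
import secrets

def is_probable_prime(n, rounds=32):           # Miller-Rabin on an odd candidate; fine for a demo key
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full bit length
        if is_probable_prime(cand):
            return cand

def gen_keypair(bits=384):
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (65537, p * q), pow(65537, -1, phi)   # (e, n), d; n exceeds the 256-bit challenge

class SshServer:
    """Server half. assigned_keys maps username -> (e, n), standing in for the key
    bound to the user on the device with 'ssh user ... assign rsa-key'."""
    def __init__(self, session_id, assigned_keys):
        self.session_id, self.assigned_keys, self.random = session_id, assigned_keys, None

    def challenge(self, username, client_modulus):
        key = self.assigned_keys.get(username)
        if key is None or key[1] != client_modulus:
            return None                            # invalid modulus: authentication fails
        self.random = secrets.token_bytes(32)      # 32-byte random number, MSB-first MP integer
        return pow(int.from_bytes(self.random, "big"), key[0], key[1])   # RSA-encrypted challenge

    def verify(self, md5_response):
        expected = hashlib.md5(self.random + self.session_id).digest()
        return hmac.compare_digest(expected, md5_response)   # constant-time comparison

def client_respond(challenge, d, n, session_id):
    mp = pow(challenge, d, n)                      # decrypt the challenge with the private key
    mp_bytes = mp.to_bytes(max(32, (mp.bit_length() + 7) // 8), "big")
    return hashlib.md5(mp_bytes + session_id).digest()   # MD5 over MP integer || session ID

def run_demo():                                    # returns (genuine accepted, wrong key rejected, unknown modulus refused)
    (e, n), d = gen_keypair()
    (_, n_other), d_wrong = gen_keypair()
    sid = secrets.token_bytes(16)                  # constructed stand-in for the stage 2 session ID
    server = SshServer(sid, {"admin": (e, n)})
    ok = server.verify(client_respond(server.challenge("admin", n), d, n, sid))
    bad = server.verify(client_respond(server.challenge("admin", n), d_wrong, n, sid))
    return ok, not bad, server.challenge("admin", n_other) is None
```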
4) Session request
After passing authentication, the client sends a session request to the server, while the server listens for and processes the request from the client. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing failed or it cannot resolve the request.
5) Interactive session
In this stage, the server and the client exchange data in this way:
- The client encrypts and sends the command to be executed to the server.
- The server decrypts and executes the command, and then encrypts and sends the result to the client.
- The client decrypts and displays the result on the terminal.
- During the interactive session phase, a client user can issue the commands to be executed by pasting command text on the client. Note that the text must be no more than 2,000 bytes in length and the commands pasted must be in the same view; otherwise, the server may be unable to execute the commands correctly.
- If the text exceeds 2,000 bytes, you can upload the configuration file to the server and use the configuration file to restart the server so that the server executes the commands.
1.2 SSH Configuration Tasks
1.3 Configuring the SSH Server
1.3.1 Enabling SSH Server
Follow these steps to enable the SSH server:
- Enter system view
  Command: system-view
  Remarks: —
- Enable the SSH server
  Command: ssh server enable
  Remarks: Required. Disabled by default.
1.3.2 Configuring the Protocols for the SSH Client User Interface to Support
After enabling the SSH server, you must configure the device to support the protocols for remote SSH login. Note that the configuration takes effect at the next login.
Follow these steps to configure the protocols for the current user interface to support:
- Enter system view
  Command: system-view
  Remarks: —
- Enter single-user interface view or multi-user interface view
  Command: user-interface [ type-keyword ] number [ ending-number ]
  Remarks: Required
- Set the login authentication method
  Command: authentication-mode scheme [ command-authorization ]
  Remarks: Required
- Specify the protocols for the user interfaces to support
  Command: protocol inbound { all | ssh | telnet }
  Remarks: Optional. Both protocols are supported by default.
Caution:
- If you configure a user interface to support SSH, be sure to configure the corresponding authentication method with the authentication-mode scheme command.
- For a user interface configured to support SSH, you cannot configure the authentication-mode password command or the authentication-mode none command.
1.3.3 Creating/Destroying/Exporting RSA Keys
For successful SSH login, you must create the RSA key pairs first. Without them, SSH login will fail even if you have SSH enabled.
You can display the created RSA host public key on the screen in a specified format, or export it to a specified file for use when configuring the key at a remote site.
I. Creating RSA keys
Follow these steps to create the host key pair and server key pair:
- Enter system view
  Command: system-view
  Remarks: —
- Create the RSA host key pair and server key pair
  Command: rsa local-key-pair create
  Remarks: Required
II. Destroying RSA keys
Follow these steps to destroy the host key pair and server key pair:
- Enter system view
  Command: system-view
  Remarks: —
- Destroy the RSA host key pair and server key pair
  Command: rsa local-key-pair destroy
  Remarks: Required
III. Displaying/exporting the public host key
Once created, the public host key can be displayed on the screen or exported to a specified file.
Follow these steps to display or export the host public key:
- Display the RSA host public key on the screen or export it to a specified file
  Command: rsa local-key-pair export { ssh1 | ssh2 | openssh } [ filename ]
  Remarks: Required. You can run the command in any view.
Caution:
- The configuration of the rsa local-key-pair create command survives a reboot. You only need to configure it once.
- When you create a key pair, if a key pair is already configured, the system asks you whether you want to overwrite it.
- The length of a server/host key must be in the range 512 to 2048 bits. With SSH2, some clients require that the keys generated by the server be at least 768 bits.
1.3.4 Configuring the Authentication Method for an SSH User
The configured authentication method takes effect when the user logs in next time.
Follow these steps to configure the authentication method for an SSH user:
- Enter system view
  Command: system-view
  Remarks: —
- Specify the authentication method for an SSH user
  Command: ssh user username authentication-type { password | rsa | password-publickey | all }
  Remarks: Optional. RSA authentication by default.
Caution:
For a user using RSA authentication, you must configure the username and public key on the device. For a user using password authentication, you can configure the account information on the device or on a remote authentication server (such as a RADIUS authentication server).
1.3.5 Specifying the Service Type of an SSH User
Follow these steps to specify the service type of an SSH user:
- Enter system view
  Command: system-view
  Remarks: —
- Specify the service type of an SSH user
  Command: ssh user username service-type { stelnet | sftp | all }
  Remarks: Required. stelnet by default.
Caution:
- For successful login through SFTP, you must set the user service type to sftp or all.
- You can set the service type of an SSH user to stelnet or all if the user does not need the SFTP service.
1.3.6 Setting the SSH Management Parameters
SSH management includes:
- Enabling the SSH server to be compatible with SSH1
- Setting the server key pair update interval
- Setting the SSH user authentication timeout period
- Setting the maximum number of SSH authentication attempts
Setting the above parameters helps prevent malicious guessing and cracking of the keys and usernames, securing your SSH connections.
Follow these steps to set the SSH management parameters:
- Enter system view
  Command: system-view
  Remarks: —
- Enable the SSH server to work with SSH1.x clients
  Command: ssh server compatible-ssh1x enable
  Remarks: Optional. By default, the SSH server can work with SSH1.x clients.
- Set the server key pair update interval
  Command: ssh server rekey-interval hours
  Remarks: Optional. 0 by default, that is, the server key pair is not updated.
- Set the SSH user authentication timeout period
  Command: ssh server authentication-timeout time-out-value
  Remarks: Optional. 60 seconds by default.
- Set the maximum number of SSH authentication attempts
  Command: ssh server authentication-retries times
  Remarks: Optional. 3 by default.
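The management parameters above and the user-interface caution in 1.3.2, as an added check in Python that is not part of the original document: the function reads a running-configuration fragment and reports settings that are weaker than, or left at, the defaults this chapter states. The sample configuration is constructed, and the undo form of the SSH1.x compatibility command is assumed from the device's usual undo convention.

```python
import re

# Constructed running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
#
 ssh server enable
 ssh server rekey-interval 0
 ssh server authentication-timeout 120
 ssh server authentication-retries 5
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound ssh
#
user-interface vty 5 9
 authentication-mode scheme
 protocol inbound ssh
#
"""

# Defaults as given in this chapter.
DEFAULTS = {"rekey-interval": 0, "authentication-timeout": 60, "authentication-retries": 3}
PARAM_RE = re.compile(r"ssh server (rekey-interval|authentication-timeout|authentication-retries) (\d+)$")


def audit_ssh_config(text):
    """Return (code, message) findings for the settings this section describes."""
    values, ssh1_compat = dict(DEFAULTS), True     # SSH1.x clients are accepted by default
    interfaces, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = {"name": line, "auth": None, "inbound": "all"}   # protocol inbound defaults to all
            interfaces.append(current)
        elif line == "#":
            current = None
        elif current is not None and line.startswith("authentication-mode "):
            current["auth"] = line.split()[1]
        elif current is not None and line.startswith("protocol inbound "):
            current["inbound"] = line.split()[2]
        elif line == "undo ssh server compatible-ssh1x enable":   # undo form assumed (device convention)
            ssh1_compat = False
        elif PARAM_RE.match(line):
            name, value = PARAM_RE.match(line).groups()
            values[name] = int(value)
    findings = []
    if ssh1_compat:
        findings.append(("ssh1-compat", "SSH1.x compatibility is on (default); disable it unless SSH1 clients are required"))
    if values["rekey-interval"] == 0:
        findings.append(("rekey-off", "rekey-interval 0: the server key pair is never updated"))
    if values["authentication-timeout"] > DEFAULTS["authentication-timeout"]:
        findings.append(("timeout", "authentication-timeout %d s is above the 60 s default" % values["authentication-timeout"]))
    if values["authentication-retries"] > DEFAULTS["authentication-retries"]:
        findings.append(("retries", "authentication-retries %d is above the default of 3" % values["authentication-retries"]))
    for ui in interfaces:
        if ui["inbound"] in ("ssh", "all") and ui["auth"] != "scheme":
            findings.append(("ui-auth", "%s accepts SSH but authentication-mode is %s, not scheme" % (ui["name"], ui["auth"] or "unset")))
    return findings


if __name__ == "__main__":
    for code, message in audit_ssh_config(SAMPLE_CONFIG):
        print(code, "-", message)
```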
1.3.7 Configuring the Client RSA Public Key
These configurations are required for an SSH user using RSA authentication. For an SSH user using password authentication, they are not required.
This configuration task associates the RSA public key of a client with an SSH user. The RSA private key for the SSH user must be configured on the client. The client key pair is generated randomly by the SSH client software.
You can configure the RSA public key manually or import it from a public key file. When you import a public key, the system automatically converts the public key to a string coded using the PKCS standard. Before importing the public key, you must upload the public key file to the server through FTP or TFTP.
Caution:
- When the device functions as the SSH server, you cannot use Secure CRT 4.07 to upload the client public key to the server.
- You can use any of these three commands to create an SSH user: ssh user assign rsa-key, ssh user authentication-type, and ssh user service-type. Up to 1024 SSH users can be created. By default, the authentication method for an SSH user is RSA and the service type is stelnet.
- If no SSH users are created, but there are local users whose service type is SSH, the SSH client can still log in to the SSH server through these users. In this case, the system performs password authentication and the SSH service type is stelnet.
I. Configuring the client RSA public key manually
Follow these steps to configure the client RSA public key manually:
- Enter system view
  Command: system-view
  Remarks: —
- Enter public key view
  Command: rsa peer-public-key keyname
  Remarks: Required
- Enter public key code view
  Command: public-key-code begin
  Remarks: —
- Configure the client public key
  Command: Enter the content of the public key
  Remarks: The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded in compliance with PKCS. Spaces and carriage returns are allowed between characters.
- Return from public key code view to public key view
  Command: public-key-code end
  Remarks: When you exit public key code view, the system automatically saves the public key.
- Return from public key view to system view
  Command: peer-public-key end
  Remarks: —
- Assign a public key to an SSH user
  Command: ssh user username assign rsa-key keyname
  Remarks: Required. The public key must exist. If the user already has a public key, the new public key overwrites the old one.
II. Importing the RSA public key from a public key file
Follow these steps to import the RSA public key from a public key file:
- Enter system view
  Command: system-view
  Remarks: —
- Import the RSA public key from a public key file
  Command: rsa peer-public-key keyname import sshkey filename
  Remarks: Required
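The conversion that the import step performs, as an added Python example that is not part of the original document: it reads an OpenSSH-format RSA public key line (the format the rsa local-key-pair export openssh keyword and PuTTYGen can produce) and re-encodes the modulus and exponent as a PKCS#1 RSAPublicKey DER structure in hexadecimal. That the device expects exactly this DER layout is an assumption; compare the output with what SSHKEY.exe produces for the same key before relying on it. The sample key values are constructed.

```python
import base64
import struct


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(x):
    """SSH wire 'mpint' for a non-negative value: big-endian, with a leading zero byte when the top bit is set."""
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))


def to_openssh_line(e, n, comment="constructed"):
    """Build an 'ssh-rsa AAAA... comment' line; used here only to construct sample input."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment


def parse_openssh_rsa(line):
    """Return (e, n) from an OpenSSH RSA public key line; raises ValueError for anything else."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob, items, pos = base64.b64decode(fields[1]), [], 0
    while pos < len(blob):                      # blob = string "ssh-rsa", mpint e, mpint n
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        items.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(items) != 3 or items[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(items[1], "big"), int.from_bytes(items[2], "big")


def der_length(n):
    """DER length octets: short form below 0x80, otherwise 0x80 | count followed by the length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(x):
    """DER INTEGER for a non-negative value (a leading 0x00 keeps it positive when the top bit is set)."""
    body = x.to_bytes(x.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(e, n):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def openssh_to_pkcs1_hex(line):
    """The hexadecimal string form that would be pasted in public key code view (layout assumed)."""
    e, n = parse_openssh_rsa(line)
    return rsa_public_key_der(e, n).hex().upper()
```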
1.4 Configuring the SSH Client
A variety of SSH client software is available, such as PuTTY and OpenSSH. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:
- Specifying the IP address of the server.
- Selecting SSH as the protocol for remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.
- Selecting the SSH version. Since the device supports SSH Server 2.0 now, select 2.0 or lower for the client.
- Specifying the RSA private key file. On the server, if RSA authentication is enabled for an SSH user and a public key is set for the user, the private key file corresponding to the public key must be specified on the client. RSA key pairs are generated by a tool of the client software.
The following takes the client software PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client:
1.4.1 Generating the Client Keys
To generate the client key pair, run PuTTYGen.exe, choose SSH-2 RSA under Parameters and click Generate.
Figure 1-3 Generating the client keys (1)
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-4. Otherwise, the progress bar stops moving and the key pair generation process stops.
Figure 1-4 Generating the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Figure 1-5 Generating the client keys (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking whether to save the private key without a passphrase. Click Yes and enter the name of the file for saving the private key (private in this case) to save the private key.
Figure 1-6 Generating the client keys (4)
To generate the RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-7 Generating the client keys (5)
1.4.2 Specifying the IP Address of the Server
Launch PuTTY.exe. The following window appears.
Figure 1-8 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server, 10.110.28.10 for example. Note that there must be a route available between the server and the client.
1.4.3 Selecting the Protocol for Remote Connection
As shown in Figure 1-8, select SSH under Protocol.
1.4.4 Selecting the SSH Version
From the category list on the left pane of the window, select SSH under Connection. The window shown in Figure 1-9 appears.
Figure 1-9 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
1.4.5 Opening an SSH Connection with RSA
If the client needs to use RSA authentication, you must specify the RSA private key file. If the client needs to use password authentication, this is not required.
From the category list on the left of the window, select Connection/SSH/Auth. The following window appears.
Figure 1-10 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
1) From the window shown in Figure 1-10, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11.
Figure 1-11 SSH client interface
2) Enter the username and password to establish an SSH connection.
3) To log out, enter the quit command.
1.5 Configuring the Device as an SSH Client
Complete the configuration of the SSH server first. For detailed configuration information, refer to Configuring the SSH Server.
When the device connects to the SSH server as an SSH client, you can configure the SSH client to authenticate the SSH server during the first access.
- First authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can choose to continue accessing the server and save the host public key on the client for future authentication of the server.
- With first authentication not supported, the client cannot authenticate the server if it is not configured with the server host public key. In this case, you must configure the host public key of the server and specify the key name on the client beforehand, so that the client can authenticate the server.
- You can configure the client to use a specified IP address or interface to access the SSH server.
Follow these steps to configure the device as an SSH client:
- Enter system view
  Command: system-view
  Remarks: —
- Disable the first authentication function
  Command: undo ssh client first-time
  Remarks: Optional. Enabled by default.
- Enter public key view
  Command: rsa peer-public-key keyname
  Remarks: Optional
- Enter public key code view
  Command: public-key-code begin
  Remarks: —
- Configure the server public key
  Command: Enter the content of the public key
  Remarks: The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded in compliance with PKCS. Spaces and carriage returns are allowed between characters.
- Return from public key code view to public key view
  Command: public-key-code end
  Remarks: When you exit public key code view, the system automatically saves the public key.
- Return from public key view to system view
  Command: peer-public-key end
  Remarks: —
- Configure the host public key of the server on the client
  Command: ssh client authentication server { server-ip | server-name } assign rsa-key keyname
  Remarks: Optional
- Specify the source IPv4 address or source interface of the SSH client
  Command: ssh client source { ip ip-address | interface interface-type interface-number }
  Remarks: Optional. By default, the IP address or interface is the one selected by the route.
- Specify the source IPv6 address or source interface of the SSH client
  Command: ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
  Remarks: Optional. By default, the IP address or interface is the one selected by the route.
- Establish a connection between the SSH client and the IPv4 server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server
  Command: ssh2 { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*
  Remarks: Use one command as required.
- Establish a connection between the SSH client and the IPv6 server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server
  Remarks: Use one command as required.