Chapter 1 SSH Terminal Services
1.1.1 Introduction to SSH
Secure Shell (SSH) provides encryption and strong authentication for remote logins. When users log in to the switch remotely across an untrusted network, SSH protects the session against attacks such as IP address spoofing and interception of plain-text passwords.
As an SSH server, the switch can serve multiple SSH clients at the same time; as an SSH client, the switch can open SSH connections to another switch or to a UNIX host that runs an SSH server.
Currently, the S7500 switch supports SSHv2.0 and is compatible with SSHv1.5 clients.
Figure 1-1 and Figure 1-2 show SSH connection establishment through a LAN and through a WAN respectively.
[Figure: SSH connections through LAN]
Figure 1-1 Establish SSH channels through LAN
[Figure: SSH connections through WAN]
Figure 1-2 Establish SSH channels through WAN
Communication between the server and the client goes through these five stages:
1) Version negotiation stage. At this stage:
- The client sends a TCP connection request to the server.
- Once the TCP connection is established, both ends negotiate the SSH protocol version.
- If they agree on a version, they enter the key algorithm negotiation stage. Otherwise the server tears down the TCP connection.
2) Key algorithm negotiation stage. At this stage:
- The server sends the public key of its (randomly generated) RSA key pair to the client.
- The client computes the session key from the server public key and a random number it generates locally.
- The client encrypts the random number with the server public key and sends the result to the server.
- The server decrypts the received data with its private key to recover the client random number.
- The server then runs the same computation over its own public key and the recovered random number to obtain the session key.
Both ends thus hold the same session key although the key itself is never sent over the network; only the random number travels, and only in RSA-encrypted form. The session key is used at both ends to encrypt and decrypt the rest of the session.
3) Authentication method negotiation stage. At this stage:
- The client sends its username to the server.
- The server looks up the authentication configuration for that username. If the user is configured for no authentication on the server, the authentication stage is skipped and the session request stage starts directly.
- Otherwise the server authenticates the client with the configured method, repeating the exchange until authentication succeeds or the connection is closed because the authentication timeout expires.
SSH supports two authentication types: password authentication and RSA authentication.
(1) Password authentication works as follows:
- The client sends its username and password to the server. The session is already protected by the session key from stage 2, so the password is not exposed on the wire.
- The server compares the received username and password with those configured locally. The user is allowed to log in to the switch only if both match exactly.
(2) RSA authentication works as follows:
- The RSA public key of the client user is configured on the server beforehand.
- The client sends the modulus of its RSA public key to the server.
- The server checks that the modulus is valid, that is, that it belongs to a public key configured for this user. If it is, the server generates a random number, encrypts it with the client's RSA public key and sends the result to the client.
- Both ends compute authentication data from the random number and the session ID.
- The client sends its authentication data back to the server.
- The server compares it with the authentication data it computed locally. Only if they match exactly is the user allowed to access the switch. Only the holder of the matching private key can recover the random number, so possession of the public key alone grants nothing.
4) Session request stage. The client sends session request messages to the server, which processes them.
5) Interactive session stage. Both ends exchange data until the session ends.
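The exchanges of stage 2 (session key negotiation) and stage 3 (RSA authentication) as described above, simulated end to end in Python. This is an added example and is not part of this manual or of the switch software. It uses textbook RSA over fixed, small primes (far too small for real use, chosen only so that every message can be inspected) and SHA-256 as the function that turns the random number into the session key and the authentication data; the function names, the session ID string and the impostor key pair are this example's own assumptions.

```python
"""Session-key negotiation (stage 2) and RSA authentication (stage 3) as
described above, simulated end to end. Added example, not H3C code.
Textbook RSA over fixed 32-bit primes is used only so that every message
can be seen; real SSH uses padded RSA on 2048-bit moduli."""
import hashlib
import secrets


def make_rsa_keypair(p=2147483647, q=4294967291, e=65537):
    """Return ((n, e), (n, d)). Defaults: 2**31-1 and the largest prime < 2**32.
    A different (p, q) pair gives an unrelated key, used below for an impostor."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse; Python 3.8+
    return (n, e), (n, d)


def rsa_encrypt(public, m):
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def rsa_decrypt(private, c):
    n, d = private
    return pow(c, d, n)


def derive_session_key(server_public, client_random):
    """Run independently by both ends; the result never crosses the wire."""
    n, e = server_public
    return hashlib.sha256(f"{n}:{e}:{client_random}".encode()).hexdigest()


def key_negotiation(server_public, server_private):
    """Stage 2. Returns the two ends' keys plus what an eavesdropper sees."""
    client_random = secrets.randbelow(server_public[0])         # client side
    on_the_wire = rsa_encrypt(server_public, client_random)     # client -> server
    client_key = derive_session_key(server_public, client_random)
    recovered = rsa_decrypt(server_private, on_the_wire)        # server side
    server_key = derive_session_key(server_public, recovered)
    return {"client_key": client_key, "server_key": server_key,
            "on_the_wire": on_the_wire}


def auth_data(random_number, session_id):
    """Authentication data both ends compute from the challenge and session ID."""
    return hashlib.sha256(f"{random_number}:{session_id}".encode()).hexdigest()


def rsa_authenticate(configured_public, offered_public, client_private, session_id):
    """Stage 3, RSA type, seen from the server.
    configured_public: the key assigned to the user on the switch.
    offered_public / client_private: what the connecting client holds."""
    # Validity check of the offered modulus: it must be the configured key.
    if offered_public != configured_public:
        return False
    challenge = secrets.randbelow(offered_public[0])
    encrypted = rsa_encrypt(offered_public, challenge)          # server -> client
    recovered = rsa_decrypt(client_private, encrypted)          # client side
    reply = auth_data(recovered, session_id)                    # client -> server
    return reply == auth_data(challenge, session_id)


if __name__ == "__main__":
    host_pub, host_priv = make_rsa_keypair()
    keys = key_negotiation(host_pub, host_priv)
    print("session keys agree:", keys["client_key"] == keys["server_key"])
    user_pub, user_priv = make_rsa_keypair(p=1299709, q=15485863)
    _, impostor_priv = make_rsa_keypair(p=999983, q=104729)
    print("legitimate client:", rsa_authenticate(user_pub, user_pub, user_priv, "sid-1"))
    print("public key only:  ", rsa_authenticate(user_pub, user_pub, impostor_priv, "sid-1"))
```

The last call models a client that knows the user's public key (it is public, after all) but not the private key: it cannot recover the challenge, so its authentication data does not match and the server rejects it.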
1.1.2 Configuring SSH Server
The following table describes the SSH server configuration tasks.
Table 1-1 Configure SSHv2.0 server
| Configuration | Keyword | Description |
| Configure supported protocols | protocol inbound | Refer to "Configuring supported protocols" below. |
| Generate a local RSA key pair | rsa local-key-pair create | Refer to "Generating or destroying RSA key pairs" below. |
| Destroy a local RSA key pair | rsa local-key-pair destroy | Refer to "Generating or destroying RSA key pairs" below. |
| Specify a default authentication type for SSH users | ssh authentication-type default | Refer to "Configuring authentication type" below. |
| Configure authentication type for SSH users | ssh user username authentication-type | Refer to "Configuring authentication type" below. |
| Set SSH authentication timeout time | ssh server timeout | Refer to "Configuring server SSH attributes" below. |
| Set SSH authentication retry times | ssh server authentication-retries | Refer to "Configuring server SSH attributes" below. |
| Set the update interval for the server key | ssh server rekey-interval | Refer to "Configuring server SSH attributes" below. |
| Make the server compatible with SSHv1.x clients | ssh server compatible-ssh1x enable | Refer to "Configuring server SSH attributes" below. |
| Allocate public keys to SSH users | ssh user username assign rsa-key keyname | Refer to "Configuring client public keys" below. |
I. Configuring supported protocols
Table 1-2 Configure supported protocols
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter one or multiple user interface views | user-interface [ type-keyword ] number [ ending-number ] | Required |
| Configure the protocols supported in the user interface view(s) | protocol inbound { all \| ssh \| telnet } | Optional. By default (all), the system supports both Telnet and SSH. |
Caution:
- When SSH is specified, you must configure AAA authentication on the user interface with the authentication-mode scheme command; otherwise SSH logins fail.
- The protocol inbound ssh command fails if authentication-mode password or authentication-mode none is configured on the user interface. Conversely, once SSH has been successfully configured on the user interface, authentication-mode password and authentication-mode none can no longer be configured on it.
- The default (all) leaves Telnet, which carries credentials in clear text, enabled alongside SSH. Use protocol inbound ssh on every user interface that should accept only encrypted logins.
II. Generating or destroying RSA key pairs
This configuration task generates or destroys the server RSA key pairs, which comprise the host RSA key pair and the server RSA key pair.
- The host RSA key pair is named after the switch name plus _Host, for example, H3C_Host.
- The server RSA key pair is named after the switch name plus _Server, for example, H3C_Server.
- The server RSA key pair (H3C_Server) is not used by SSHv2.0. Therefore, when the rsa local-key-pair create command is executed, the system only reports that the host RSA key pair (H3C_Host) has been generated; it says nothing about the server RSA key pair, even though that pair is generated in the background for SSHv1.x compatibility. Use the display rsa local-key-pair public command to display the generated key pairs.
After you enter the rsa local-key-pair create command, the system prompts you for the key length.
- For SSHv1.x, the key length ranges from 512 to 2,048 bits.
- For SSHv2.0, the key length ranges from 768 to 2,048 bits.
Choose the longest length the clients you must support can accept; 2,048 bits is the upper limit on this platform and the value to prefer.
Table 1-3 Generate or destroy RSA key pairs
| Operation | Command | Description |
| Enter system view | system-view | — |
| Generate a local RSA key pair | rsa local-key-pair create | Required |
| Destroy a local RSA key pair | rsa local-key-pair destroy | Optional |
Caution:
- SSH logins cannot succeed until a local RSA key pair has been generated.
- The command needs to be executed only once; the key pair persists across reboots, so no further action is required after the system restarts.
- If an RSA key pair already exists when you run the command, the system asks whether to replace the existing one. Replacing the host key changes the identity the switch presents to clients, so clients that have stored the old public key will need the new one.
III. Configuring authentication type
New SSH users must be given an authentication type; otherwise they cannot access the switch.
Table 1-4 Configure authentication type
| Operation | Command | Description |
| Enter system view | system-view | — |
| Specify a default authentication type for SSH users | ssh authentication-type default { password \| rsa \| password-publickey \| all } | Optional. By default, no authentication type is available to SSH users, so they cannot access the switch. |
| Configure authentication type for SSH users | ssh user username authentication-type { password \| password-publickey \| rsa \| all } | Optional. Overrides the default for the named user. |
Note that:
- Use the ssh authentication-type default command to configure the default authentication type for all users.
- Use the ssh user username authentication-type command to specify the authentication type for one user.
- When both commands are configured and the type configured for a given username differs from the default, the ssh user username authentication-type setting takes precedence for that user.
Caution:
- If the RSA authentication type is configured for a user, the RSA public key of that client user must also be configured on the switch (see "Configuring client public keys").
- By default, no authentication type is specified for a new user, so the user cannot access the switch.
- For the password-publickey authentication type, SSHv1 client users are admitted as soon as they pass either of the two authentications, whereas SSHv2 client users are admitted only when they pass both. A client that is allowed to fall back to SSHv1 therefore gets the weaker behaviour.
- For password authentication, username must match a valid user name defined in AAA. For RSA authentication, username is the SSH local user name, so no local user needs to be configured in AAA.
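The constraints stated in the two caution blocks above (the supported-protocols caution and the authentication-type caution) can be checked offline against a saved configuration. The following Python script is an added example, not H3C code or a tool shipped with the switch: it parses a Comware-style configuration text and reports user interfaces that still admit Telnet, user interfaces that would accept SSH without authentication-mode scheme, RSA or password-publickey users with no assigned key, local SSH users with no authentication type when no default is set, and passwords stored with the simple keyword. SAMPLE_CONFIG is constructed for the demo and the finding codes are the script's own.

```python
"""Offline audit of a Comware-style configuration against the SSH rules in
the sections above. Added example, not H3C code; SAMPLE_CONFIG is
constructed for the demo and the finding codes are this script's own."""
import re

SAMPLE_CONFIG = """\
#
 ssh authentication-type default password
 ssh user client001 authentication-type password
 ssh user client002 authentication-type rsa
 ssh user client003 authentication-type password-publickey
 ssh user client003 assign rsa-key pc-key
#
local-user client001
 password simple abc
 service-type ssh
#
local-user client004
 service-type ssh
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
user-interface vty 5 9
 authentication-mode password
 set authentication password simple 123
#
"""

_SSH_USER = re.compile(r"^ssh user (\S+) (authentication-type|assign rsa-key) (\S+)$")
_NEEDS_KEY = {"rsa", "password-publickey"}


def audit_ssh_config(text):
    """Return a list of (finding_code, subject) tuples for the config text."""
    findings = []
    block = None                 # current top-level block, e.g. "user-interface vty 0 4"
    ui = {}                      # block name -> {"auth": mode, "protocol": inbound}
    auth_type, assigned_keys, ssh_local_users = {}, set(), set()
    default_type = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            block = None
            continue
        m = _SSH_USER.match(line)
        if m:
            user, what, value = m.groups()
            if what == "authentication-type":
                auth_type[user] = value
            else:
                assigned_keys.add(user)
            continue
        if line.startswith("ssh authentication-type default "):
            default_type = line.split()[-1]
            continue
        if not raw.startswith(" "):                  # new top-level block
            block = line
            if line.startswith("user-interface "):
                ui[block] = {"auth": None, "protocol": "all"}   # default: Telnet and SSH
            continue
        if block in ui:
            if line.startswith("authentication-mode "):
                ui[block]["auth"] = line.split()[1]
            elif line.startswith("protocol inbound "):
                ui[block]["protocol"] = line.split()[2]
        elif block and block.startswith("local-user ") and line.startswith("service-type "):
            if "ssh" in line.split()[1:]:
                ssh_local_users.add(block.split()[1])
        if "password simple" in line:                # clear-text password in the config
            findings.append(("PLAINTEXT_PASSWORD", block))
    for name, cfg in ui.items():
        if cfg["protocol"] != "ssh":                 # "all" or "telnet" still admits Telnet
            findings.append(("TELNET_ALLOWED", name))
        if cfg["protocol"] in ("ssh", "all") and cfg["auth"] != "scheme":
            findings.append(("SSH_REQUIRES_SCHEME", name))   # SSH logins here will fail
    for user, kind in auth_type.items():
        if kind in _NEEDS_KEY and user not in assigned_keys:
            findings.append(("RSA_USER_WITHOUT_KEY", user))
    if default_type is None:                         # no default: every SSH user needs a type
        for user in sorted(ssh_local_users - set(auth_type)):
            findings.append(("NO_AUTH_TYPE", user))
    return findings


if __name__ == "__main__":
    for code, subject in audit_ssh_config(SAMPLE_CONFIG):
        print(f"{code:22} {subject}")
```

Run against the sample, the script flags vty 5 9 twice (Telnet still allowed, and SSH would fail there because the line uses authentication-mode password), client002 (RSA type with no key assigned) and the two clear-text passwords; vty 0 4 and client003 pass.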
IV. Configuring server SSH attributes
Configuring the SSH authentication timeout, the number of authentication retries, the server key update interval and the SSHv1.x compatibility mode helps protect SSH connections against abuse such as online password guessing: a short timeout and a low retry count limit how many guesses one connection can make, and periodic regeneration of the server key limits the exposure of any single key.
Table 1-5 Configure server SSH attributes
| Operation | Command | Description |
| Enter system view | system-view | — |
| Set SSH authentication timeout time | ssh server timeout seconds | Optional. The default is 60 seconds. |
| Set SSH authentication retry times | ssh server authentication-retries times | Optional. The default is 3. |
| Set server key update interval | ssh server rekey-interval | Optional. By default, the server key is not updated. |
| Set SSH server compatible with SSHv1.x clients | ssh server compatible-ssh1x enable | Optional. By default, the SSH server is compatible with SSHv1.x clients. Leave this enabled only if SSHv1.x clients are actually required, since it allows a client to negotiate the older protocol. |
V. Configuring client public keys
For RSA authentication, the RSA public key of each client user is configured on the switch and the corresponding RSA private key stays on the client; the client key pair is generated by the SSHv2.0 client software. This operation is not required for the password authentication type.
Table 1-6 Configure client public keys
| Operation | Command | Description |
| Enter system view | system-view | — |
| Enter public key view | rsa peer-public-key key-name | Required |
| Enter public key edit view | public-key-code begin | Required. You may key in blank spaces between characters; the system removes them automatically. The public key itself must consist of hexadecimal characters only. |
| Return to public key view from public key edit view | public-key-code end | The system saves the public key data when you exit public key edit view. |
| Return to system view from public key view | peer-public-key end | — |
| Allocate public keys to SSH users | ssh user username assign rsa-key keyname | Required. keyname is the name of an existing public key. If the user already has a public key, the new public key replaces the old one. |
Transfer the key to the switch over a trusted channel and compare what was stored (display rsa peer-public-key name keyname) with the client's own copy before assigning it: a mistyped key locks the user out, and a substituted key admits whoever holds the matching private key.
1.1.3 Configuring SSH Client
SSH client configuration involves:
- Creating the connection between the SSH client and the server.
- Allocating a public key to the server.
- Configuring whether the client performs first-time authentication.
The following table describes the SSH client configuration tasks.
Table 1-7 Configure SSH client
| Operation | Command | Description |
| Enter system view | system-view | — |
| Create the connection between SSH client and server | ssh2 { host-ip \| host-name } [ port-num ] [ prefer_kex { dh_group1 \| dh_exchange_group } ] [ prefer_ctos_cipher { des \| aes128 } ] [ prefer_stoc_cipher { des \| aes128 } ] [ prefer_ctos_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } ] [ prefer_stoc_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } ] | Required. Establishes the connection from the SSH client to the server and sets the preferred key exchange algorithm, encryption algorithm (client-to-server and server-to-client) and HMAC algorithm (client-to-server and server-to-client). Prefer aes128 over des and sha1 over md5 wherever the server supports them; DES and MD5 are the weaker choices in each list. |
| Allocate a public key to the server | ssh client server-ip assign rsa-key keyname | Required. Specifies on the client the public key of the server to be connected, so that the client only connects to the intended server. |
| Configure the client to run the initial authentication | ssh client first-time enable | Optional. By default, the client runs first-time authentication. |
With first-time authentication enabled, when the SSH client has no public key for a server it accesses for the first time, the client proceeds with the connection and saves the server's public key locally. On later accesses the client authenticates the server against the saved public key. This is trust on first use: the first connection cannot detect an impostor, so for servers that matter, assign the server's public key with ssh client server-ip assign rsa-key beforehand, or disable first-time authentication so that servers without an assigned key are refused.
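The server-key check a client performs under the two policies just described (first-time authentication on or off), written out in Python as an added example; it is not H3C code and the KnownHosts class, its method names and the verdict strings are this example's own. The sample keys are constructed byte strings standing in for real public key blobs.

```python
"""Client-side server-key check modelled on the first-time authentication
behaviour described above. Added example, not H3C code; the KnownHosts store
and the verdict strings are this example's own."""
import hashlib


def fingerprint(public_key_bytes):
    """SHA-256 fingerprint (hex) of a server public key blob."""
    return hashlib.sha256(public_key_bytes).hexdigest()


class KnownHosts:
    def __init__(self, first_time_enable=True):
        self.first_time_enable = first_time_enable   # 'ssh client first-time enable'
        self._keys = {}                              # server -> fingerprint

    def assign_key(self, server, public_key_bytes):
        """Out-of-band provisioning, like 'ssh client <server-ip> assign rsa-key'."""
        self._keys[server] = fingerprint(public_key_bytes)

    def check_server(self, server, presented_key):
        """Decide whether to continue connecting to `server`, which presented
        `presented_key` during key negotiation."""
        fp = fingerprint(presented_key)
        known = self._keys.get(server)
        if known is None:
            if self.first_time_enable:
                self._keys[server] = fp          # trust on first use: remember it
                return "accepted-first-use"
            return "rejected-unknown-server"     # strict mode: no key, no connection
        if known == fp:
            return "accepted-known-key"
        # A different key for a server we already know: refuse, never overwrite.
        return "rejected-key-mismatch"


if __name__ == "__main__":
    tofu = KnownHosts(first_time_enable=True)
    print(tofu.check_server("10.1.1.1", b"constructed-server-key-A"))   # accepted-first-use
    print(tofu.check_server("10.1.1.1", b"constructed-server-key-B"))   # rejected-key-mismatch
    strict = KnownHosts(first_time_enable=False)
    print(strict.check_server("10.1.1.1", b"constructed-server-key-A"))  # rejected-unknown-server
```

Note the asymmetry: with first-time authentication the first key seen is accepted unconditionally, but a later change of key is still rejected rather than silently learned, which is what makes the stored key useful at all.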
1.1.4 Displaying SSH Configuration
Use the display commands in any view to view the running state of SSH and verify the effect of the configuration.
Table 1-8 Display SSH configuration
| Operation | Command | Description |
| Display host and server public keys | display rsa local-key-pair public | The display commands can be executed in any view. |
| Display client RSA public keys | display rsa peer-public-key [ brief \| name keyname ] | |
| Display SSH status and session information | display ssh server { status \| session } | |
| Display SSH user information | display ssh user-information [ username ] | |
1.1.5 SSH Configuration Example
I. Network requirements
As shown in Figure 1-3, the PC (SSH client) runs client software that supports SSHv2.0. It establishes a local connection with the switch (SSH server) so that the data exchanged between them is protected.
II. Network diagram
[Figure: PC (SSH client) connected to the switch (SSH server)]
Figure 1-3 Network diagram for SSH server configuration
III. Configuration procedure
1) Generate a local RSA key pair.
<H3C> system-view
[H3C] rsa local-key-pair create
If the local RSA key pair has already been generated, skip this step.
2) Set the authentication type.
Settings for the two authentication types are described in turn below.
- Password authentication
# Set AAA authentication on the user interfaces.
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme
# Set the user interfaces to accept SSH only, then return to system view.
[H3C-ui-vty0-4] protocol inbound ssh
[H3C-ui-vty0-4] quit
# Create the local user client001 with SSH as its login service, and set its SSH authentication type to password.
[H3C] local-user client001
[H3C-luser-client001] password simple abc
[H3C-luser-client001] service-type ssh
[H3C-luser-client001] quit
[H3C] ssh user client001 authentication-type password
Keep the default SSH authentication timeout and retry count. After these settings, run SSHv2.0-capable client software on a host connected to the switch and log in as client001 with password abc. Note that password simple stores the password in clear text in the configuration and that abc is only a placeholder; use a strong password in production.
- RSA public key authentication
# Set AAA authentication on the user interfaces.
[H3C] user-interface vty 0 4
[H3C-ui-vty0-4] authentication-mode scheme
# Set