Table of Contents

Chapter 1 SSH Terminal Service. 1-1

1.1 SSH Overview. 1-1

1.2 SSH Configuration Tasks. 1-5

1.3 Configuring the SSH Server 1-5

1.3.1 Enabling SSH Server 1-5

1.3.2 Configuring the Protocols for the SSH Client User Interface to Support 1-6

1.3.3 Creating/Destroying/Exporting RSA Keys. 1-6

1.3.4 Configuring the Authentication Method for an SSH User 1-8

1.3.5 Specifying the Service Type of an SSH User 1-8

1.3.6 Setting the SSH Management Parameters. 1-9

1.3.7 Configuring the Client RSA Public Key. 1-9

1.4 Configuring the SSH Client 1-11

1.4.1 Generating the Client Keys. 1-11

1.4.2 Specifying the IP address of the Server 1-15

1.4.3 Selecting the Protocol for Remote Connection. 1-16

1.4.4 Selecting the SSH Version. 1-16

1.4.5 Opening an SSH Connection with RSA. 1-17

1.4.6 Opening an SSH Connection with Password. 1-18

1.5 Configuring the Device as an SSH Client 1-19

1.5.1 Configuration Prerequisites. 1-19

1.5.2 Configuration Procedure. 1-19

1.6 Displaying and Maintaining the SSH Protocol 1-21

1.7 SSH Server Configuration Example. 1-22

1.8 SSH Client Configuration Example. 1-25

Chapter 2 SFTP Service. 2-1

2.1 SFTP Overview. 2-1

2.2 Configuring the SFTP Server 2-1

2.2.1 Configuration Prerequisites. 2-1

2.2.2 Enabling the SFTP Server 2-1

2.2.3 Configuring the SFTP Connection Idle Timeout Period. 2-2

2.3 Configuring the SFTP Client 2-2

2.3.1 Specifying a Source IP Address or Interface for the SFTP Client 2-2

2.3.2 Establishing a Connection to the SFTP Server 2-3

2.3.3 Working with the SFTP Directories. 2-3

2.3.4 Working with SFTP Files. 2-4

2.3.5 Displaying Help Information. 2-5

2.3.6 Disabling the SFTP Client 2-6

2.4 SFTP Configuration Example. 2-7

 

Chapter 1  SSH Terminal Service

When configuring SSH2.0, go to these sections for information you are interested in:

l           SSH Overview

l           SSH Configuration Tasks

l           Configuring the SSH Server

l           Configuring the SSH Client

l           Configuring the Device as an SSH Client

l           Displaying and Maintaining the SSH Protocol

l           SSH Server Configuration Example

l           SSH Client Configuration Example

1.1  SSH Overview

Secure shell (SSH) offers an approach to securely logging into a remote device. It can protect devices against attacks such as IP spoofing and plain text password interception.

The device can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server. Figure 1-1 and Figure 1-2 shows SSH connections established on the LAN and over the WAN respectively.

Figure 1-1 SSH connection on the local network

Figure 1-2 SSH connection over a WAN

 

 

To establish an SSH connection, the server and the client go through the following five stages:

1)         Version number negotiation

l           The server opens port 22 to listen to connection requests from clients.

l           The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format of “SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>”. The primary and secondary protocol version numbers constitute the protocol version number, while the software version number is used for debugging.

l           The client receives and resolves the packet. If the protocol version of the server is lower but supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version.

l           The client sends to the server a packet that contains the number of the protocol version it decides to use. The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client.

l           If the negotiation is successful, the server and the client go on to key and algorithm negotiation; otherwise, the server breaks the TCP connection.

 

 

2)         Key and algorithm negotiation

l           The server and the client send key algorithm negotiation packets to each other, which include the supported server-side public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list.

l           Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used.

l           The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID.

Through the above steps, the server and the client get the same session key, which is to be used to encrypt and decrypt data exchanged between the server and the client later. The server and the client use session ID in the authentication stage.

 

 

3)         Authentication

The client sends to the server an authentication request, which includes the username and authentication method, and the server starts to authenticate the client.

SSH provides two authentication methods: password authentication and RSA authentication.

For password authentication:

l           The client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server.

l           Upon receiving the request, the server decrypts the username and password, compares them against those it maintains, and then informs the client of the authentication result.

For RSA authentication:

l           The client sends to the server an RSA authentication request containing its RSA public key modulus.

l           The server validates the modulus. If the modulus is invalid, the authentication fails; otherwise, the server generates a 32-byte random number, converts it to a multiple precision (MP) integer (MSB first), encrypts it using the RSA public key from the client, and then sends a challenge to the client.

l           Upon receiving the challenge, the client decrypts it with its private key and gets an MP integer, creates an MD5 value using the MP integer and the session ID, and then encrypts and sends the MD5 value to the server.

l           After receiving the encrypted MD5 value, the server decrypts it to obtain the MD5 value and compares it with that locally calculated. If they match, the authentication succeeds.

 

 

4)         Session request

After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing fails or it cannot resolve the request.

5)         Interactive session

In this stage, the server and the client exchanges data in this way:

l           The client encrypts and sends the command to be executed to the server.

l           The server decrypts and executes the command, and then encrypts and sends the result to the client.

l           The client decrypts and displays the result on the terminal.

 

 

1.2  SSH Configuration Tasks

Task		Remarks
Configuring the SSH Server	Enabling SSH Server	Required
	Configuring the Protocols for the SSH Client User Interface to Support	Optional
	Creating/Destroying/Exporting RSA Keys	Required
	Configuring the Authentication Method for an SSH User	Optional
	Specifying the Service Type of an SSH User	Optional
	Setting the SSH Management Parameters	Optional
	Configuring the Client RSA Public Key	Optional
Configuring the SSH Client		Optional
Configuring the Device as an SSH Client		Optional

 

1.3  Configuring the SSH Server

1.3.1  Enabling SSH Server

Follow these steps to enable the SSH server:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable the SSH server	ssh server enable	Required Disabled by default

 

1.3.2  Configuring the Protocols for the SSH Client User Interface to Support

After enabling the SSH server, you must configure the device to support the protocols for remote SSH login. Note that the configuration takes effect at next login.

Follow these steps to configure the protocols for the current user interface to support:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enter single-user interface view or multi-user interface view	user-interface [ type-keyword ] number [ ending-number ]	Required
Set the login authentication method	authentication-mode scheme [ command-authorization ]	Required
Specify the protocols for the user interfaces to support	protocol inbound { all | ssh | telnet }	Optional All of the two are supported by default.

 

 

1.3.3  Creating/Destroying/Exporting RSA Keys

For successful SSH login, you must create the RSA key pairs at first. Without them, SSH login will fail even if you have SSH enabled.

You can display the created RSA host public key on the screen in a specified format, or export it to a specified file for use when configuring the key at a remote site.

I. Creating RSA keys

Follow these steps to create the host key pair and server key pair:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Create the RSA host key pair and server key pair	rsa local-key-pair create	Required

 

II. Destroying RSA keys

Follow these steps to destroy the host key pair and server key pair:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Destroy the RSA host key pair and server key pair	rsa local-key-pair destroy	Required

 

III. Displaying/exporting the public host key

Once created, the public host key can be displayed on the screen or exported to a specified file.

Follow these steps to export the host key pair:

To do…	Use the command…	Remarks
Display the RSA host public key on the screen or export it to a specified file	rsa local-key-pair export { ssh1 | ssh2 | openssh } [ filename ]	Required You can configure the command in any view.

 

 

1.3.4  Configuring the Authentication Method for an SSH User

The configured authentication method takes effect when the user logs in next time.

Follow these steps to configure the authentication method for an SSH user:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Specify the authentication method for an SSH user	ssh user username authentication-type { password | rsa | password-publickey | all }	Optional RSA authentication by default

 

 

1.3.5  Specifying the Service Type of an SSH User

Follow these steps to specify the service type of an SSH user:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Specify the service types of an SSH user	ssh user username service-type { stelnet | sftp | all }	Required stelnet by default

 

 

1.3.6  Setting the SSH Management Parameters

SSH management includes:

l           Enabling the SSH server to be compatible with SSH1

l           Setting the server key pair update interval

l           Setting the SSH user authentication timeout period

l           Setting the maximum number of SSH authentication attempts

Setting the above parameters can help avoid malicious guess at and cracking of the keys and usernames, securing your SSH connections.

Follow these steps to set the SSH management parameters:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable the SSH server to work with SSH1.x clients	ssh server compatible-ssh1x enable	Optional By default, the SSH server can work with SSH1.x clients.
Set the server key pair update interval	ssh server rekey-interval hours	Optional 0 by default, that is, the server key pair is not updated.
Set the SSH user authentication timeout period	ssh server authentication-timeout time-out-value	Optional 60 seconds by default
Set the maximum number of SSH authentication attempts	ssh server authentication-retries times	Optional 3 by default

 

1.3.7  Configuring the Client RSA Public Key

These configurations are required for an SSH user using RSA authentication. For an SSH user using password authentication, they are not required.

This configuration task is for configuring the RSA public key of a client with an SSH user. The RSA private key for the SSH user must be configured on the client. The client key pair is generated randomly by the SSH client software.

You can manually configure or import the RSA public key from a public key file. When you import a public key, the system automatically converts the public key to a string coded using the PKCS standard. Before importing the public key, you must upload the public key file to the server through FTP or TFTP.

 

 

I. Configuring the client RSA public key manually

Follow these steps to configure the client RSA public key manually:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enter public key view	rsa peer-public-key keyname	Required
Enter public key code view	public-key-code begin	—
Configure the client public key	Enter the content of the public key	— The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters.
Return from public key code view to public key view	public-key-code end	— When you exit public key code view, the system automatically saves the public key.
Return from public key view to system view	peer-public-key end	—
Assign a public key to an SSH user	ssh user username assign rsa-key keyname	Required The public key must exist. If the user has already a public key, the new public key overwrites the old one.

 

II. Importing the RSA public key from a public key file

Follow these steps to import the RSA public key from a public key file:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Import the RSA public key from a public key file	rsa peer-public-key keyname import sshkey filename	Required

 

1.4  Configuring the SSH Client

A variety of SSH client software are available, such as PuTTY and OpenSSH. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:

l           Specifying the IP address of the server.

l           Selecting the protocol for remote connection as SSH. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.

l           Selecting the SSH version. Since the device supports SSH Server 2.0 now, select 2.0 or lower for the client.

l           Specifying the RSA private key file. On the server, if RSA authentication is enabled for an SSH user and a public key is set for the user, the private key file corresponding to the public key must be specified on the client. RSA key pairs are generated by a tool of the client software.

The following takes the client software of PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client:

1.4.1  Generating the Client Keys

To generate the client key pair, run PuTTYGen.exe, choose SSH-2 RSA under Parameters and click Generate.

Figure 1-3 Generating the client keys (1)

Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green process bar in the blue box of shown in Figure 1-4. Otherwise, the process bar stops moving and the key pair generating process is stopped.

Figure 1-4 Generating the client keys (2)

After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.

Figure 1-5 Generating the client keys (3)

Likewise, to save the private key, click Save private key. A warning window pops up to prompt you whether to save the private key without any precaution. Click Yes and enter the name of the file for saving the public key (private in this case) to save the private key.

Figure 1-6 Generating the client keys (4)

To generate RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.

Figure 1-7 Generating the client keys (5)

1.4.2  Specifying the IP address of the Server

Launch PuTTY.exe. The following window appears.

Figure 1-8 SSH client configuration interface 1

In the Host Name (or IP address) text box, enter the IP address of the server, 10.110.28.10, for example. Note that there must be a route available between the IP address of the server and the client.

1.4.3  Selecting the Protocol for Remote Connection

As shown in Figure 1-8, select SSH under Protocol.

1.4.4  Selecting the SSH Version

From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-9 appears.

Figure 1-9 SSH client configuration interface 2

Under Protocol options, select 2 from Preferred SSH protocol version.

1.4.5  Opening an SSH Connection with RSA

If the client needs to use RSA authentication, you must specify the RSA private key file. If the client needs to use password authentication, this is not required.

From the category on the left of the window, Select Connection/SSH/Auth. The following window appears.

Figure 1-10 SSH client configuration interface 3

Click Browse… to bring up the file selection window, navigate to the private key file and click OK.

1.4.6  Opening an SSH Connection with Password

1)         From the window shown in Figure 1-10, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11.

Figure 1-11 SSH client interface

2)         Enter the username and password to establish an SSH connection.

3)         To log out, enter the quit command.

1.5  Configuring the Device as an SSH Client

1.5.1  Configuration Prerequisites

Complete the configuration of the SSH server. For detailed configuration information, refer to Configuring the SSH Server

1.5.2  Configuration Procedure

When the device connects to the SSH server as an SSH client, you can configure the SSH client to authenticate the SSH server during the first access.

l           The first authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can choose to continue accessing the server and save the host public key on the client for future authentication of the server.

l           With first authentication not supported, the client cannot authenticate the server if it is not configured with the server host public key. In this case, you must configure the host public key of the server and specify the key name on the client beforehand, so that the client can authenticate the server.

l           You can configure the client to use a specified IP address or interface to access the SSH.

Follow these steps to configure the device as an SSH client:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Disable the first authentication function		undo ssh client first-time	Optional Enabled by default
Enter public key view		rsa peer-public-key keyname	Optional
Enter public key code view		public-key-code begin	—
Configure the server public key		Enter the content of the public key	— The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters.
Return from public key code view to public key view		public-key-code end	— When you exit public key code view, the system automatically saves the public key.
Return from public key view to system view		peer-public-key end	—
Configure the host public key of the server on the client		ssh client authentication server { server-ip | server-name } assign rsa-key keyname	Optional
Specify the source IP address or source interface of the SSH client	Specify the source IPv4 address or source interface of the SSH client	ssh client source { ip ip-address | interface interface-type interface-number }	Optional IP address or interface specified by the route by default
	Specify the source IPv6 address or source interface of the SSH client	ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }
Establish a connection between the SSH client and the server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server	Establish a connection between the SSH client and the IPv4 server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server	ssh2 { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128} | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	Use one command as required.
	Establish a connection between the SSH client and the IPv6 server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server	ssh2 ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

 

1.6  Displaying and Maintaining the SSH Protocol

To do…	Use the command…	Remarks
Display information about the public keys of the host key pair and server key pair	display rsa local-key-pair public	Available in any view
Display information about the peer RSA public keys	display rsa peer-public-key [ brief | name keyname ]	Available in any view
Display the source IP address or interface currently set for the SFTP client	display sftp client source	Available in any view
Display the source IP address or interface currently set for the SSH client	display ssh client source	Available in any view
Display the status information or session information of an SSH server	display ssh server { status | session }	Available in any view
Display the mappings between host public keys and SSH servers saved on a client	display ssh server-info	Available in any view
Display information about a specified or all SSH users	display ssh user-information [ username ]	Available in any view

 

1.7  SSH Server Configuration Example

I. Network requirements

As shown in Figure 1-12, a local SSH connection is established between the configuration terminal (SSH client) and the switch for secure data exchange. The username of the SSH client is client001, and the password is aabbcc.

II. Network diagram

Figure 1-12 Network diagram for SSH server configuration

III. Configuration procedure

The configuration procedure varies with login authentication modes. However, you must complete the following three configuration tasks before any configuration procedure.

First, create an RSA host key pair and server key pair and enable the SSH server.

<Switch> system-view

[Switch] rsa local-key-pair create

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

.....++++++++++++

...++++++++++++

................++++++++

.............++++++++

......Done! 

[Switch] ssh server enable

 

 

Then, you must create a VLAN interface on the switch and assign an IP address, which the SSH client will use as the destination for SSH connection.

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0

[Switch-Vlan-interface1] quit

Finally, you must configure an IP address (192.168.0.2 in this case) for the SSH client. This IP address and that of the VLAN interface on the switch must be in the same network segment.

1)         Set the SSH authentication method as password

# Set the authentication method for the SSH client to AAA. (AAA adopts the default ISP domain system and the default scheme local.)

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Set the protocol that a remote user uses to login as SSH.

[Switch-ui-vty0-4] protocol inbound ssh

[Switch-ui-vty0-4] quit

# Create local user client001,Set the service type to SSH, Specify commands of level 3 are available to the user.

[Switch] local-user client001

[Switch-luser-client001] password simple aabbcc

[Switch-luser-client001] service-type ssh level 3

[Switch-luser-client001] quit

The SSH authentication timeout period, number of SSH authentication attempts and server key pair update interval can be the default values.

After the above configurations, complete these tasks on the client to login to the server securely:

l           Run the SSH2.0-enabled client software.

l           Configure 192.168.0.1 as the IP address of the SSH server.

l           Set the protocol type to SSH.

l           Set the protocol version to 2.

l           Initiate the SSH connection, enter the username of client001 and password of aabbcc as prompted.

2)         Set the SSH authentication method to RSA

# Set the authentication method of the user interface to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Set the command level for the login users to 3.

[Switch-ui-vty0-4] user privilege level 3

# Set the protocol that a remote user uses to login as SSH.

[Switch-ui-vty0-4] protocol inbound ssh

[Switch-ui-vty0-4] quit

# Set the SSH user authentication method as RSA.

[Switch] ssh user client001 authentication-type rsa

At this time, the client supporting SSH2.0 will generate a random RSA key pair, including public key and private key. You need to add the RSA public key, a hexadecimal character string encoded by the SSHKEY.EXE software in accordance with the public key cryptography standards (PKCS), to the rsa peer-public-key on the specified SSH server in the following way.

# Configure the RSA public key of the client manually or import it from a public key file, Switch001, for example.

[Switch] rsa peer-public-key Switch001

[Switch-rsa-public-key] public-key-code begin

[Switch-rsa-key-code]30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3

[Switch-rsa-key-code]F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA

[Switch-rsa-key-code]CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500

[Switch-rsa-key-code]A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628

[Switch-rsa-key-code]9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF

[Switch-rsa-key-code]7D7DDF25 03C44C00 E2F49539 5C4B0201 25

[Switch-rsa-key-code] public-key-code end

[Switch-rsa-public-key] peer-public-key end

Or:

[Switch] rsa peer-public-key Switch001 import sshkey Switch001

# Specify a public key of Switch001 for user client001.

[Switch] ssh user client001 assign rsa-key Switch001

 

 

By now, you can run SSH2.0 on the terminal containing the RSA private key and perform corresponding configuration to establish an SSH connection.

1.8  SSH Client Configuration Example

I. Network requirements

As shown in Figure 1-13, SwitchA is an SSH client and needs to login to SwitchB through the SSH protocol. The username of the SSH client is client001 and the password is aabbcc.

II. Network diagram

Figure 1-13 Network diagram for SSH client configuration

III. Configuration procedure

1)         Configure SwitchB

# Create an RSA host key pair and server key pair and enable the SSH server.

<SwitchB> system-view

[SwitchB] rsa local-key-pair create

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

..........++++++++++++

....................++++++++++++

............++++++++

...........................++++++++

......Done!

[SwitchB] ssh server enable

 

 

# Create a VLAN interface and assign an IP address, which the SSH client will use as the destination for SSH connection.

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0

[SwitchB-Vlan-interface1] quit

# Set the authentication method of the user interface to AAA for SSH client. (AAA adopts the default ISP domain system and the default scheme local.)

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Set the protocol that a remote user uses to login as SSH.

[SwitchB-ui-vty0-4] protocol inbound ssh

[SwitchB-ui-vty0-4] quit

# Create local user client001, Set the service type to SSH, Specify commands of level 3 are available to the user.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh level 3

[SwitchB-luser-client001] quit

# Set the SSH authentication method to password. The SSH authentication timeout period, number of SSH authentication attempts and server key pair update interval can be the default values.)

 

 

2)         Configure SwitchA

# Configure an IP address (10.165.87.137 in this case) for the VLAN interface on SwitchA. This IP address and that of the VLAN interface on SwitchB must be in the same network segment.

<SwitchA> system-view

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0

[SwitchA-Vlan-interface1] quit

# Initiate an SSH connection to server 10.165.87.136, using the default algorithms.

[SwitchA] ssh2 10.165.87.136

username: client001

Trying 10.165.87.136

Press CTRL+K to abort

Connected to 10.165.87.136...

The Server is not autherncated.Do you continue access it?(Y/N):y

Do you want to save the server's public key?(Y/N):y

Enter password:     

**************************************************************************

* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

**************************************************************************

<SwitchA>

 

Chapter 2  SFTP Service

When configuring SFTP, go to these sections for information you are interested in:

l           SFTP Overview

l           Configuring the SFTP Server

l           Configuring the SFTP Client

l           SFTP Configuration Example

2.1  SFTP Overview

The secure file transfer protocol (SFTP) is a new feature in SSH 2.0.

SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to login to the SFTP server for secure file management and transfer. The device can also server as an SFTP client, enabling a user to login from the device to a remote device for secure file transfer.

2.2  Configuring the SFTP Server

2.2.1  Configuration Prerequisites

l           You have configured the SSH server. For the detailed configuration procedure, refer to SSH Configuration Tasks

l           You have used the ssh user service-type command to set the service type of SSH users to sftp or all. For configuration procedure, refer to Specifying the Service Type of an SSH User

2.2.2  Enabling the SFTP Server

This configuration task is to enable the SFTP service so that a client can login to the SFTP server through SFTP.

Follow these steps to enable the SFTP server:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Enable the SFTP server	sftp server enable	Required Disabled by default

 

 

2.2.3  Configuring the SFTP Connection Idle Timeout Period

Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.

Follow these steps to configure the SFTP connection idle timeout period:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Configure the SFTP connection idle timeout period	sftp server idle-timeout time-out-value	Optional 10 minutes by default

 

2.3  Configuring the SFTP Client

2.3.1  Specifying a Source IP Address or Interface for the SFTP Client

The client accesses the SFTP server using the specified IP address and port address.

Follow these steps to specify a source IP address or interface for the SFTP client:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Specify a source IP address or interface for the SFTP client	Specify a source IPv4 address or interface for the SFTP client	sftp client source { ip ip-address | interface interface-type interface-number }	Optional Use one command as required. By default, an SFTP client uses the interface address specified by the route of the device to access the SFTP server.
	Specify a source IPv6 address or interface for the SFTP client	sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

 

2.3.2  Establishing a Connection to the SFTP Server

This configuration task is to enable the SFTP client to establish a connection with the remote SFTP server and enter SFTP client view.

Follow these steps to enable the SFTP client:

To do…		Use the command…	Remarks
Enter system view		system-view	—
Establish a connection to the remote SFTP server and enter SFTP client view	Establish a connection to the remote IPv4 SFTP server and enter SFTP client view	sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	Use one command as required.
	Establish a connection to the remote IPv6 SFTP server and enter SFTP client view	sftp ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

 

2.3.3  Working with the SFTP Directories

SFTP directory operations include:

l           Changing or displaying the current working directory

l           Displaying files under a specified directory or the directory information

l           Changing the name of a specified directory on the server

l           Creating or deleting a directory

Follow these steps to work with the SFTP directories:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Establish a connection to the remote SFTP server and enter SFTP client view	sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	Required
Change the name of a specified directory on the SFTP server	rename old-name new-name	Optional You unnecessarily follow this sequence to carry out the commands. The dir command functions as the ls command does.
Change the working directory of the remote SFTP server	cd [ remote-path ]
Return to the upper-level directory	cdup
Display the current working directory of the remote SFTP server	pwd
Display files under a specified directory	dir [ remote-path ]
	ls [ remote-path ]
Create a new directory on the remote SFTP server	mkdir remote-path
Delete a directory from the SFTP server	rmdir remote-path

 

2.3.4  Working with SFTP Files

SFTP file operations include:

l           Changing the name of a file

l           Downloading a file

l           Uploading a file

l           Displaying a list of the files

l           Deleting a file

Follow these steps to work with SFTP files:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Establish a connection to the remote SFTP server and enter SFTP client view	sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	Required
Change the name of a specified file on the SFTP server	rename old-name new-name	Optional.
Download a file from the remote server and save it locally	get remote-file [ local-file ]	Optional
Upload a local file to the remote SFTP server	put local-file [ remote-file ]	Optional
Display the files under a specified directory	dir [ remote-path ]	Optional The dir command functions as the ls command.
	ls [ remote-path ]
Delete a file from the SFTP server	delete remote-file	Optional The delete command functions as the remove command.
	remove remote-file

 

2.3.5  Displaying Help Information

This configuration task is to display a list of all commands or the help information of an SFTP client command, such as the command format and parameters.

Follow these steps to display a list of all commands or the help information of an SFTP client command:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Establish a connection to the remote SFTP server and enter SFTP client view	sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	Required
Display a list of all commands or the help information of an SFTP client command	help [ all | command-name ]	Optional

 

2.3.6  Disabling the SFTP Client

This configuration task is to disable the SFTP client.

Follow these steps to disable the SFTP client:

To do…	Use the command…	Remarks
Enter system view	system-view	—
Establish a connection to the remote SFTP server and enter SFTP client view	sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*	—
Terminate the connection to the remote SFTP server and return to system view	bye	Required. Use any command. These three commands function in the same way.
	exit
	quit

 

2.4  SFTP Configuration Example

I. Network requirements

As shown in Figure 2-1, an SSH connection is established between SwitchA and SwitchB. SwitchA, an SFTP client, uses the username client001 and password aabbcc to login to SwitchB for file management and file transfer.

II. Network diagram

Figure 2-1 Network diagram for SFTP configuration

III. Configuration procedure

1)         Configure the SFTP server (SwitchB)

# Create an RSA host key pair and server key pair and enable the SSH server.

<SwitchB> system-view

[SwitchB] rsa local-key-pair create

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

..........++++++++++++

....................++++++++++++

............++++++++

...........................++++++++

......Done!

[SwitchB] ssh server enable

 

 

# Create a VLAN interface on SwitchB and assign an IP address, which the SSH client uses as the destination for SSH connection.

[SwitchB] interface Vlan-interface 1

[SwitchB-Vlan-interface1] ip address 192.168.0.1 255.255.255.0

[SwitchB-Vlan-interface1] quit

# Set the authentication method on the user interface to AAA. (AAA adopts the default ISP domain system and the default scheme local.)

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Set the protocol that a remote user uses to login as SSH.

[SwitchB-ui-vty0-4] protocol inbound ssh

[SwitchB-ui-vty0-4] quit

# Create local user client001, Set the service type to SSH, Specify commands of level 3 are available to the user.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh level 3

[SwitchB-luser-client001] quit

# Set the SSH authentication method to password. The SSH authentication timeout period, number of SSH authentication attempts and server key pair update interval can be default values.

 

 

# Specify the user service type as SFTP.

[SwitchB] ssh user client001 service-type sftp

# Enable the SFTP server.

[SwitchB] sftp server enable

2)         Configure the SFTP client (SwitchA)

# Configure an IP address (192.168.0.2 in this case) for the VLAN interface on SwitchA. This IP address and that of the VLAN interface on SwitchB must be in the same network segment.

<SwitchA> system-view

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0

[SwitchA-Vlan-interface1] quit

# Establish a connection with the remote SFTP server and enter SFTP client view.

[SwitchA] sftp 192.168.0.1

Input Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

The Server is not authenticated. Do you continue access it? [Y/N]:y

Do you want to save the server's public key? [Y/N]:y

Enter password:

 

sftp-client>

# Display files under the current directory of the server, delete the file of z, and check that the file is deleted successfully.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z

sftp-client> delete z

The following files will be deleted:

/z

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

# Add a directory named new1 and check that it is created successfully.

sftp-client> mkdir new1

New directory created

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1

# Change the directory name new1 to new2 and check that the directory name is changed successfully.

sftp-client> rename new1 new2

File successfully renamed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

# Download the pubkey2 file from the server and save it local file public.

sftp-client> get pubkey2 public

Remote  file:/pubkey2 --->  Local file: public

Downloading file successfully ended

# Upload a local file named pu to the server, save it as puk, and check the file is uploaded successfully.

sftp-client> put pu puk

Local file:pu --->  Remote file: /puk

Uploading file successfully ended

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk

sftp-client>

# Terminate the connection with the remote SFTP server.

sftp-client> quit

Bye

[SwitchA]