H3C S9500 Command Manual-Release2132[V2.03]-07 Security Volume

06-SSH2.0 Commands

Table of Contents

Chapter 1 SSH2.0 Configuration Commands
  1.1 SSH2.0 Configuration Commands
    1.1.1 debugging ssh client
    1.1.2 debugging ssh server
    1.1.3 display rsa local-key-pair public
    1.1.4 display rsa peer-public-key
    1.1.5 display sftp client source
    1.1.6 display ssh client source
    1.1.7 display ssh server
    1.1.8 display ssh server-info
    1.1.9 display ssh user-information
    1.1.10 peer-public-key end
    1.1.11 protocol inbound
    1.1.12 public-key-code begin
    1.1.13 public-key-code end
    1.1.14 rsa local-key-pair create
    1.1.15 rsa local-key-pair destroy
    1.1.16 rsa local-key-pair export
    1.1.17 rsa peer-public-key
    1.1.18 rsa peer-public-key import sshkey
    1.1.19 sftp
    1.1.20 sftp client ipv6 source
    1.1.21 sftp client source
    1.1.22 sftp ipv6
    1.1.23 sftp server enable
    1.1.24 sftp server idle-timeout
    1.1.25 ssh client authentication server
    1.1.26 ssh client first-time enable
    1.1.27 ssh client ipv6 source
    1.1.28 ssh client source
    1.1.29 ssh server authentication-retries
    1.1.30 ssh server authentication-timeout
    1.1.31 ssh server compatible-ssh1x enable
    1.1.32 ssh server enable
    1.1.33 ssh server rekey-interval
    1.1.34 ssh user assign rsa-key
    1.1.35 ssh user authentication-type
    1.1.36 ssh user service-type
    1.1.37 ssh user work-directory
    1.1.38 ssh2
    1.1.39 ssh2 ipv6
  1.2 SFTP Configuration Commands
    1.2.1 bye
    1.2.2 cd
    1.2.3 cdup
    1.2.4 delete
    1.2.5 dir
    1.2.6 exit
    1.2.7 get
    1.2.8 help
    1.2.9 ls
    1.2.10 mkdir
    1.2.11 put
    1.2.12 pwd
    1.2.13 quit
    1.2.14 remove
    1.2.15 rename
    1.2.16 rmdir


Chapter 1  SSH2.0 Configuration Commands

1.1  SSH2.0 Configuration Commands

1.1.1  debugging ssh client

Syntax

debugging ssh client { all | error | event | message }

undo debugging ssh client { all | error | event | message }

View

User view

Default Level

1: Monitor level

Parameters

all: Enables all types of debugging.

error: Enables error debugging.

event: Enables event debugging.

message: Enables message debugging.

Description

Use the debugging ssh client command to enable debugging for SSH clients and to debug a user interface separately.

Use the undo debugging ssh client command to disable debugging for SSH clients.

By default, debugging is disabled for SSH clients.

Table 1-1 Description on the fields of the debugging ssh client event command

Field                               Description
ProcessSession:                     Session processing
InEncrypt:key-algorithm             Incoming encryption algorithm information
OutEncrypt: key-algorithm           Outgoing encryption algorithm information
InMac:mac-algorithm                 Incoming MAC algorithm information
OutMac: mac-algorithm               Outgoing MAC algorithm information
KeyType:key-type                    Key type
Process Kex Init:                   Initialize algorithm negotiation
Connect Socket:                     Socket connection
FSM from fsm1 to fsm2               The main state machine changes from state fsm1 to state fsm2, for example from Connected to version negotiation
Read Buffer                         Read the buffer of the client
Client_SUB1_FSM from fsm1 to fsm2   On the client, the Sub1 state machine changes from state fsm1 to state fsm2

Table 1-2 Description on the fields of the debugging ssh client message command

Field                        Description
STELC:                       Stelnet client
Client Data Flow Control:    Flow control on the client
Send Disconnect:             Send the Disconnect information
Window Adjust:               The channel window on the client is adjusted.
AuthReq:                     Send an authentication request
ServiceReq:                  Service request
NewKey:                      The client is in newkey state.
GEX Init:                    Initialize the GEX algorithm
GEX Request:                 GEX request
Send GEX Request:            Send a GEX request
Send GRP Init:               Send a GEX initialization message
SendKexInit:                 Send a KEX initialization message
Client_SendVersionString:    The client sends a version character string.
SFTPC:                       SFTP client
SFTPC CUSTOM CLOSED          Customer Closed message

Table 1-3 Description on the fields of the debugging ssh client error command

Field                           Description
ProcessSession Error:           Session processing error
Error:                          Error message
GEX Init Error:                 An error occurs in initialization of the GEX algorithm.
GRP Init Error:                 An error occurs in initialization of the GRP algorithm.
Process Kex Init Error:         Key exchange error
VersionString Received Error:   An error occurs in the received version string.
DoClose:                        An error occurs when the file is closed.
Process RealPath Error:         An error occurs when a relative path is converted to an absolute path.
Connect Socket Error:           Error of Socket connection

Examples

# Enable event debugging on the SSH client. The IP address of the SSH client is 10.1.1.1. The user (username: client; password: aabbcc) logs into the SSH server with the IP address of 10.1.1.2 from the SSH client.

<Sysname> debugging ssh client event

<Sysname> system-view

[Sysname] ssh2 10.1.1.2

Username: client

Trying 10.1.1.2 ...

Press CTRL+K to abort

Connected to 10.1.1.2 ...

*Oct 12 09:21:00:252 2006 Sysname SSH/7/Client_EVENT: FSM from SSH_Main_Connect to SSH_Main_VersionMatch

// The client performs version negotiation with the server.

*Oct 12 09:21:00:254 2006 Sysname SSH/7/Client_EVENT: FSM from SSH_Main_Connect to SSH2_Main_KEX_Init

*Oct 12 09:21:00:478 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=284).

// Receive a 284-byte packet.

*Oct 12 09:21:00:478 2006 Sysname SSH/7/Client_EVENT: Process Kex Init:

  InEncrypt:aes128-cbc, OutEncrypt:aes128-cbc

  InMac:hmac-sha1-96, OutMac:hmac-sha1-96

  KeyType:KEX_DH_GEX_SHA1

// Perform algorithm negotiation.

*Oct 12 09:21:00:479 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_KEX_Init to SSH2_Main_KEX_GEX_Request

*Oct 12 09:21:00:889 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=276).

*Oct 12 09:21:00:889 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_KEX_GEX_Request to SSH2_Main_KEX_GEX_Init

// Negotiate about the GEX algorithm.

*Oct 12 09:21:01:441 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=572).

*Oct 12 09:21:01:441 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_KEX_GEX_Init to SSH2_Main_KEX_NewKey

// Update the key.

*Oct 12 09:21:01:539 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=12).

*Oct 12 09:21:01:540 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_KEX_NewKey to SSH2_Main_Authentication

// Authenticate the user.

*Oct 12 09:21:01:640 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=28).

*Oct 12 09:21:01:641 2006 Sysname SSH/7/Client_EVENT: Client_SUB1_FSM from SSH2_Sub1_Service_Req to SSH2_Sub1_Auth_Req

Enter password:

// Prompt the user to enter a password.

*Oct 12 09:21:01:739 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=28).


*Oct 12 09:21:09:841 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=12).

*Oct 12 09:21:09:842 2006 Sysname SSH/7/Client_EVENT: Client_SUB1_FSM from SSH2_Sub1_Auth_Req to SSH2_Sub1_Service_Req

// Service request.

*Oct 12 09:21:09:843 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_Authentication to SSH2_Main_Channel

// Channel request.

*Oct 12 09:21:09:941 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=28).

*Oct 12 09:21:09:942 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_Channel to SSH2_Main_Pty

// Send a channel request of PTY type.

*Oct 12 09:21:10:42 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=12).

*Oct 12 09:21:10:42 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_Pty to SSH2_Main_Shell

// Send a channel request of Shell type.

*Oct 12 09:21:10:141 2006 Sysname SSH/7/Client_EVENT: Read Buffer:

  Receive Packet(len=12).

*Oct 12 09:21:10:142 2006 Sysname SSH/7/Client_EVENT: FSM from SSH2_Main_Shell to SSH2_Main_Session

// Establish a session.

1.1.2  debugging ssh server

Syntax

debugging ssh server { all | vty vty-num { all | error | event | message } }

undo debugging ssh server { all | vty vty-num { all | error | event | message } }

View

User view

Default Level

1: Monitor level

Parameters

all: Enables debugging for all SSH channels.

vty-num: SSH channel to be debugged. Its value depends on the number of VTY user interfaces and ranges from 0 to 4.

all: Enables all types of debugging.

error: Enables error debugging.

event: Enables event debugging.

message: Enables message debugging.

Description

Use the debugging ssh server command to enable debugging for SSH servers and to debug a user interface separately.

Use the undo debugging ssh server command to disable debugging for SSH servers.

By default, debugging is disabled for SSH servers.

Table 1-4 Description on the fields of the debugging ssh server vty error command

Field                           Description
VTY[vty-num]                    Current user interface
STELS Data Error:               Data resolution error
Read Buffer Error:              An error occurs when the buffer is read.
Read Buffer:                    Read the buffer
CRC WRONG:                      An error occurs during the CRC check.
READ LENGTH WRONG:              An error occurs when the length is read.
Accept Error:                   Accept error of the Socket
ProcessAuthentication Error:    Error of authentication
ProcessSub1Password Error:      Error of the password
ProcessSessionKey Error:        Error of the session key
Received unexpected packet:     Receive an unexpected packet
Session Key Store Error:        Error of key storage
Unsupported Cookie_type:        Unsupported cookie type
Unsupported Cipher_type:        Unsupported cipher type
SSH1 VersionMatch Error:        Error of version match
Verify UserName Error:          Error of the username
Process RsaChallenge Error:     Error of RSA processing
Receive error msgtype:          Receive an erroneous message type
Process Auth Sign Error:        An error occurs in digital signature authentication on the server.
Process AuthPK Error:           An error occurs in public key authentication on the server.
Process Password Error:         Error of the authenticated password
User Auth Init Error:           Failed to initialize authentication on the server
Service Auth Error:             The request for ID authentication fails.
NewKey Error:                   An error occurs in the processing of the newkey state machine on the server.
GEX_Reply Error:                An error occurs in the reply of the GEX public key.
GEX_Group Error:                An error occurs in the processing of the key exchange algorithm.
GRP Reply Error:                An error occurs in the reply of the GRP public key.
Server Key Init Error:          An error occurs in the initialization of algorithm negotiation.
Rename Error:                   An error occurs when the file is renamed.
SFTPS Opendir:                  An error occurs when the SFTP server opens a directory.
SFTPS Open Error:               An error occurs when the file is opened.
SFTPS Process Error:            An error occurs when the SFTP server processes a message.

Table 1-5 Description on the fields of the debugging ssh server vty event command

Field                                           Description
VTY[vty-num]                                    Current user interface
Accept:                                         Accept event of the Socket
Send Version To CLient:                         Send version information to the client
Succeed to send version string: version-string  Send the version string successfully
Socket:socketid                                 ID of the current Socket
LineIndex:lineindex                             Index to the current line resource
IP:ipaddress                                    IP address of the login user
FSM Change: From fsm1 to fsm2                   The state of the main state machine is changed.
Read:                                           Read event of the Socket
Read Buffer:                                    Read the buffer on the server
Receive Packet(len=length)                      Receive a packet with the length specified by length
Server Key Init:                                Initialize the server key on the server
InEncrypt:key-algorithm                         Incoming encryption algorithm information
OutEncrypt: key-algorithm                       Outgoing encryption algorithm information
InMac:mac-algorithm                             Incoming MAC algorithm information
OutMac: mac-algorithm                           Outgoing MAC algorithm information
KeyType:key-type                                Key type
SUB1_FSM Change: From sub1_fsm1 to sub1_fsm2    The state of the Sub1 state machine is changed.
SUB2_Auth_FSM from sub2_fsm1 to sub2_fsm2       The state of the Sub2 state machine is changed.
UserAuthInit:                                   Initialize user authentication
Get user name:user-name!                        Username of the client
Sub2Password:                                   Password authentication
User: user-name                                 Username
PasswordLen:length                              Password length
LOGIN Succeed:                                  Successful login
LOGIN Failed:                                   Login failure
Channel Request:                                Channel request from the client
Received channel request:request-type           Type of the received channel request message
STELS Start Shell:                              Start the Shell
SFTPS_TaskQuit:                                 The SFTP task quits.
SFTPS Requeset SubSystem:                       SFTP subsystem request
Receive message:                                Received message from the SFTP client
Successful to create task: Id=taskid            Create an SFTP task successfully
SFTP Server Init:                               Initialize SFTP version negotiation
SFTPS Open:                                     Open the file
SFTPS Close:                                    Close the file
SFTPS Read:                                     Read the file
SFTPS Write:                                    Write data into the file
SFTPS Opendir:                                  Open the directory
Readdir:                                        Read the directory
SFTPS Remove:                                   Remove the file
SFTPS Mkdir:                                    Create a directory
SFTPS Rmdir:                                    Delete a directory
SFTPS RealPath:                                 Convert a relative path into an absolute path
SFTPS Rename:                                   Rename the file
SFTPS SetStat:                                  Set file attributes
Window Adjust:                                  Adjust the sliding window
Verify UserName:                                Verify the username
UserNameDazzle:                                 Dazzle the username
Session Key Store:                              Store the session key

Table 1-6 Description on the fields of the debugging ssh server vty message command

Field                                               Description
VTY[vty-num]                                        Current user interface
Send Message:                                       Send a message to the client
SSH_VERSION_SEND from SocketID socketid             The server sends version information.
VersionReseived:                                    Receive the version of the client
Received VersionString[len=length]: version-string  Received version string and its length
SendKexInit:                                        Send the key negotiation information on the server
Read Buffer:                                        Read the buffer on the server
Received Message[Type=type-number]:message-type     Type of the received message
GEX_Group:                                          GEX key exchange algorithm
GEX Reply:                                          The server replies to the GEX key exchange algorithm.
Service Auth:                                       Authentication service
Authentication Failure:                             Authentication failure
Authentication Success:                             Authentication is successful.
Process Channel:                                    Process the channel message
STELS Request PTY:                                  PTY request from the Stelnet client
SSH Channel:                                        SSH channel message
STELS Start Shell:                                  Start the Shell
Process Session:                                    Process the session message
STELS Data:                                         Process the data message
SFTPS Trans:                                        Send a packet to the client
Data Flow Control:                                  Flow control on the SFTP server
SFTPS Send Data:                                    Send data
SFTPS Send Handle:                                  Send a handle message
SFTPS Send Status:                                  Send a status message
SFTPS Send Names:                                   Send a filename
SFTPS Send Attrs:                                   Send file attributes
Send Disconnect:                                    Send a Disconnect message

Examples

# Enable event debugging for the SSH server on the user interface VTY 1. The IP address of the SSH client is 10.1.1.1. The user (username: client; password: aabbcc) logs into the SSH server with the IP address of 10.1.1.2 from the SSH client.

<Sysname> debugging ssh server vty 1 event

*Oct 12 09:32:58:462 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Accept:

Socket:6 LineIndex:83,IP:10.1.1.1

// The user logs in from VTY 1, and creates a socket on the server.

*Oct 12 09:32:58:463 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Accept:

SSH user comes from 10.1.1.1, and current FSM is SSH_Main_Connect

// The user logs in from a client with the IP address of 10.1.1.1. A TCP connection has been established.

*Oct 12 09:32:58:463 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Send Version To CLient:

Successful to send version string: SSH-1.99-CMW-3.4

// Send version information to the client.


*Oct 12 09:32:58:464 2006 Sysname SSH/7/Server_EVENT: VTY[1]:FSM Change:

  From SSH_Main_Connect to SSH_Main_VersionMatch.

// The client performs version negotiation with the server.


*Oct 12 09:32:58:467 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

// Process user data from the IP address of 10.1.1.1.

*Oct 12 09:32:58:467 2006 Sysname SSH/7/Server_EVENT: VTY[1]:FSM Change:

  From SSH_Main_VersionMatch to SSH_Main_SSHProcess.


*Oct 12 09:32:58:564 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:58:565 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=284).

// Receive a 284-byte packet.

*Oct 12 09:32:58:566 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Server Key Init:

  InEncrypt:aes128-cbc, OutEncrypt:aes128-cbc

  InMac:hmac-sha1-96, OutMac:hmac-sha1-96

  KeyType:KEX_DH_GEX_SHA1

// Initialize the key on the server.

*Oct 12 09:32:58:566 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_KEX_Init to SSH_Sub1_KEX_GEX_Group.


*Oct 12 09:32:58:943 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:58:944 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=20).

*Oct 12 09:32:58:944 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_KEX_GEX_Group to SSH_Sub1_KEX_GEX_Reply.

// Negotiate about the GEX algorithm.


*Oct 12 09:32:58:955 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:59:263 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=268).

*Oct 12 09:32:59:263 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_KEX_GEX_Reply to SSH_Sub1_KEX_NewKey.

// Update the key.


*Oct 12 09:32:59:507 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:59:508 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=12).

*Oct 12 09:32:59:509 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_KEX_NewKey to SSH_Sub1_Authentication.

// Authenticate the user.


*Oct 12 09:32:59:605 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:59:606 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=28).

*Oct 12 09:32:59:607 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB2_Auth_FSM

  from SSH_Sub2_Service_Acc to SSH_Sub2_Auth_Init

// Initialize user authentication.

*Oct 12 09:32:59:707 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [] from 10.1.1.1.

*Oct 12 09:32:59:707 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=44).

*Oct 12 09:32:59:708 2006 Sysname SSH/7/Server_EVENT: VTY[1]:UserAuthInit:

  Get user name: client!

// The login user is named "client".

*Oct 12 09:32:59:709 2006 Sysname SSH/7/Server_EVENT: VTY[1]:UserAuthInit:

  Current AuthType is SSH_AUTH_PASSWORD

// The authentication mode is "password".

*Oct 12 09:33:01:585 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [client] from 10.1.1.1.

*Oct 12 09:33:01:585 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=60).

*Oct 12 09:33:01:586 2006 Sysname SSH/7/Server_EVENT: VTY[1]:UserAuthInit:

  Get user name: client!

*Oct 12 09:33:01:587 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB2_Auth_FSM

  from SSH_Sub2_Auth_Init to SSH_Sub2_Auth_Password

*Oct 12 09:33:01:587 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Sub2Password:

  User:client  PasswordLen: 6

// The password of the "client" user is 6 characters long.

*Oct 12 09:33:01:613 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Sub2Password: SSH user client succeeded to login from 10.1.1.1 on VTY1.

*Oct 12 09:33:01:614 2006 Sysname SSH/7/Server_EVENT: VTY[1]:LOGIN Succeed:

   SSH user client succeeded to login from 10.1.1.1(000f-e200-0001) on VTY1.

// Succeed in authenticating the "client" user.

*Oct 12 09:33:01:615 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB2_Auth_FSM

  from SSH_Sub2_Auth_Password to SSH_Sub2_Auth_Init

// The Sub2 state machine returns to the authentication initialization state.

*Oct 12 09:33:01:615 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_Authentication to SSH_Sub1_Channel.

// Channel request.


*Oct 12 09:33:01:696 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [client] from 10.1.1.1.

*Oct 12 09:33:01:697 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=44).

*Oct 12 09:33:01:697 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:

  From SSH_Sub1_Channel to SSH_Sub1_Session.

// Establish a session.


*Oct 12 09:33:01:796 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [client] from 10.1.1.1.

*Oct 12 09:33:01:797 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=60).

*Oct 12 09:33:01:797 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Channel Request:

  Received channel request: pty-req

// Receive a channel request of pty-req type.

*Oct 12 09:33:01:798 2006 Sysname SSH/7/Server_EVENT: VTY[1]:STELS Requeset PTY:

  Successful to send SSH2_MSG_CHANNEL_SUCCESS(99) from 10.1.1.2 to 10.1.1.1

// Send an SSH2_MSG_CHANNEL_SUCCESS message successfully.


*Oct 12 09:33:01:897 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read:

  Process user [client] from 10.1.1.1.

*Oct 12 09:33:01:898 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Read Buffer:

  Receive Packet(len=28).

*Oct 12 09:33:01:898 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Channel Request:

  Received channel request: shell

// Receive a channel request of shell type.

*Oct 12 09:33:01:899 2006 Sysname SSH/7/Server_EVENT: VTY[1]:STELS Start Shell:

  Send SSH2_MSG_CHANNEL_SUCCESS(99) from 10.1.1.2 to 10.1.1.1


%Oct 12 09:33:02:01 2006 Sysname SHELL/4/LOGIN: client login from 10.1.1.1

// The "client" user logs into the server from a client with the IP address of 10.1.1.1.
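The debugging output in sections 1.1.1 and 1.1.2 is what an operator has to read when an SSH login to the switch misbehaves, and the same records show which cipher, MAC and key exchange a peer actually negotiated and how each user authenticated. The parser below is an added example, not part of this manual or of H3C's software: it splits the `*...SSH/7/Server_EVENT` and `%...SHELL/4/LOGIN` records shown above into structured entries, folds the continuation lines into their record, and reduces one VTY's records to the facts a reviewer wants (peer address, negotiated algorithms, authentication type, login result). The sample input is assembled from the server example above; the list of algorithms flagged as weak is the example's own assumption, not something the manual states.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input assembled from the "debugging ssh server vty 1 event" output shown in
# this section (constructed here as one string so the parser runs offline).
SAMPLE_LOG = """\
*Oct 12 09:32:58:462 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Accept:
Socket:6 LineIndex:83,IP:10.1.1.1
*Oct 12 09:32:58:566 2006 Sysname SSH/7/Server_EVENT: VTY[1]:Server Key Init:
  InEncrypt:aes128-cbc, OutEncrypt:aes128-cbc
  InMac:hmac-sha1-96, OutMac:hmac-sha1-96
  KeyType:KEX_DH_GEX_SHA1
*Oct 12 09:32:58:566 2006 Sysname SSH/7/Server_EVENT: VTY[1]:SUB1_FSM Change:
  From SSH_Sub1_KEX_Init to SSH_Sub1_KEX_GEX_Group.
*Oct 12 09:32:59:709 2006 Sysname SSH/7/Server_EVENT: VTY[1]:UserAuthInit:
  Current AuthType is SSH_AUTH_PASSWORD
*Oct 12 09:33:01:614 2006 Sysname SSH/7/Server_EVENT: VTY[1]:LOGIN Succeed:
   SSH user client succeeded to login from 10.1.1.1(000f-e200-0001) on VTY1.
%Oct 12 09:33:02:01 2006 Sysname SHELL/4/LOGIN: client login from 10.1.1.1
"""

# Algorithms this example flags; an assumption of the example (its own policy list),
# not something the manual states. Adjust to local standards.
WEAK_ALGORITHMS = {"aes128-cbc": "CBC-mode cipher", "hmac-sha1-96": "truncated SHA-1 MAC"}

# Header of one debugging ('*') or log ('%') record, as printed on the page:
# timestamp, sysname, module/severity/mnemonic, then the record text.
HEADER = re.compile(r"^[*%](\w{3}\s+\d+\s+[\d:]+\s+\d{4})\s+\S+\s+(\w+)/(\d)/(\w+):\s*(.*)$")
VTY_PREFIX = re.compile(r"^VTY\[(\d+)\]:")

@dataclass
class Record:
    timestamp: str
    module: str
    mnemonic: str
    vty: Optional[int]
    event: str  # label before the first ':' after the VTY prefix, e.g. 'Server Key Init'
    body: str   # rest of the line plus continuation lines

def parse_records(text: str) -> List[Record]:
    """Split debug output into records. A line that is not a header continues the
    previous record; continuation lines are not always indented (see 'Socket:6 ...')."""
    records: List[Record] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, module, _severity, mnemonic, rest = m.groups()
            vty, vm = None, VTY_PREFIX.match(rest)
            if vm:
                vty, rest = int(vm.group(1)), rest[vm.end():]
            event, sep, body = rest.partition(":")
            if not sep:  # no event label, e.g. the SHELL/4/LOGIN line
                event, body = "", rest
            records.append(Record(ts, module, mnemonic, vty, event.strip(), body.strip()))
        elif records and line.strip():
            records[-1].body = (records[-1].body + "\n" + line.strip()).strip()
    return records

@dataclass
class SessionSummary:
    vty: Optional[int] = None
    client_ip: Optional[str] = None
    algorithms: Dict[str, str] = field(default_factory=dict)
    auth_type: Optional[str] = None
    username: Optional[str] = None
    login_succeeded: bool = False
    shell_login: Optional[str] = None  # the SHELL/4/LOGIN line a log collector normally sees
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)

def summarize(records: List[Record]) -> SessionSummary:
    """Reduce one VTY's records to the facts a reviewer wants: peer, algorithms, auth."""
    s = SessionSummary()
    for r in records:
        if r.vty is not None:
            s.vty = r.vty
        if r.event == "Accept" and (m := re.search(r"IP:([\d.]+)", r.body)):
            s.client_ip = m.group(1)
        for name, value in re.findall(r"(InEncrypt|OutEncrypt|InMac|OutMac|KeyType):\s*([^\s,]+)", r.body):
            s.algorithms[name] = value
            if value in WEAK_ALGORITHMS:
                s.warnings.append(f"{name} {value}: {WEAK_ALGORITHMS[value]}")
        if m := re.search(r"[Ff]rom (\S+) to (\S+)", r.body):
            s.transitions.append((m.group(1), m.group(2).rstrip(".")))
        if m := re.search(r"Current AuthType is (\S+)", r.body):
            s.auth_type = m.group(1)
        if r.event == "LOGIN Succeed" and (m := re.search(r"SSH user (\S+) succeeded to login from ([\d.]+)", r.body)):
            s.username, s.login_succeeded = m.group(1), True
        if r.module == "SHELL" and r.mnemonic == "LOGIN":
            s.shell_login = r.body
    return s

if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    print(f"VTY {summary.vty}: user {summary.username} from {summary.client_ip}, auth {summary.auth_type}")
    for w in summary.warnings:
        print("warning:", w)
```

The same header pattern matches the client-side `SSH/7/Client_EVENT` records of section 1.1.1, whose `FSM from ... to ...` text has no event label and is therefore picked up from the record body by the transition regex. Note that the `%...SHELL/4/LOGIN` line is the only record here that is emitted without debugging enabled; the `*` records exist only while `debugging ssh server` is on, so alerting should key on the SHELL login line and use the debug records for investigation.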

1.1.3  display rsa local-key-pair public

Syntax

display rsa local-key-pair public

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display rsa local-key-pair public command to display the public key information of the server's host key pair and server key pair. If no key has been generated, the system prompts that no key is found.

Related commands: rsa local-key-pair create.

Examples

# Display the public key information of the host key pair on the server and of the server key pair.

<Sysname> display rsa local-key-pair public

=====================================================

Time of Key pair created: 13:41:21  2004/11/12

Key name: Sysname_Host

Key type: RSA encryption Key

=====================================================

Key code:

3047

  0240

    C30B0C1E 1AC2A028 984B7801 9583105D 78E69F6C

    62561976 95E3B92B 7D9EC59C 150AE9CC 92E7CEF7

    F025D3E0 C15408F5 4C9F4945 308A2DCF 1BA59D60

    53DB5825

  0203

    010001


=====================================================

Time of Key pair created: 13:41:25  2004/11/12

Key name: Sysname_Server

Key type: RSA encryption Key

=====================================================

Key code:

3067

  0260

    E0DC0229 0525E04D AE3B8998 C56A18A1 997A609B

    043B9302 F843715B FC727A3D 4A503B32 333DFD46

    D95F4BD7 5AF63BBF 99100F9E EEAE4B3E DC6FBE42

    1757F88D 1F7A098F 2C3FFFDF 8E2DA17D 991111ED

    C318E857 6D40D224 4114AD15 A42068B9

  0203

    010001

Table 1-7 Description on the fields of the display rsa local-key-pair public command

Field                        Description
Time of Key pair created     Time when the key pair was created
Key name                     Key name
Key type                     Key type, for example, RSA encryption Key
Key code                     Key data

1.1.4  display rsa peer-public-key

Syntax

display rsa peer-public-key [ brief | name keyname ]

View

Any view

Default Level

1: Monitor level

Parameters

brief: Displays brief information about all remote public keys.

name keyname: Specifies a key by its name, a string of 1 to 64 characters.

Description

Use the display rsa peer-public-key command to display remote RSA public keys.

If no parameters are specified, the system displays detailed information about all public keys.

Related commands: rsa local-key-pair create.

Examples

# Display detailed information about all public keys.

<Sysname> display rsa peer-public-key

=====================================

    Key name: aa

    Key address:

=====================================

Key Code:

308186

  028180

    6B494EC4 EBD23DEE 1375C2B5 AB892F69 F2529D09 5B559E26 26011A1F C58AA5E3

    60258B01 26494D0E 7221BB98 1C844CCD 8F0F8AEA 4AA1CD5B 9C3C5EF5 3093319F

    6F3AEA80 351E5E8D 29F1511C D4AC08B4 3FDF5B7B E30A4E47 6FF75B9A 63BE5E94

    E9C344B7 F0EC9D53 AE54E0A3 0567184A 2E80BEC3 89A2DAFA 83C18591 5B29EAA1

  0201

    25

Table 1-8 Description on the fields of the display rsa peer-public-key command

Field          Description
Key name       Key name
Key address    Key address
Key code       Key data

# Display brief information about all remote public keys.

<Sysname>display rsa peer-public-key brief

Address         Bits   Name

---------------------------

                1023   aaa

Table 1-9 Description on the fields of the display rsa peer-public-key brief command

Field      Description
Address    Remote address
Bits       Number of bits of the remote public key
Name       Name of the remote public key

1.1.5  display sftp client source

Syntax

display sftp client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display sftp client source command to display the source IP address or source interface currently set for the SFTP client.

If neither source IP address nor source interface is specified for the SFTP client, you will be notified of the fact.

Related commands: sftp client source.

Examples

# Display the source IP address of the SFTP client.

<Sysname> display sftp client source

The source IP address you specified is 192.168.0.1

1.1.6  display ssh client source

Syntax

display ssh client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh client source command to display the source IP address or source interface currently set for the SSH client.

If neither source IP address nor source interface is specified for the SSH client, you will be notified of the fact.

Related commands: ssh client source.

Examples

# Display the source IP address of the SSH client.

<Sysname> display ssh client source

The source IP address you specified is 192.168.0.1

1.1.7  display ssh server

Syntax

display ssh server { session | status }

View

Any view

Default Level

1: Monitor level

Parameters

session: Displays the session information of the SSH server.

status: Displays the status information of the SSH server.

Description

Use the display ssh server command on an SSH server to display SSH server status information or session information.

Related commands: ssh server authentication-retries, ssh server rekey-interval, ssh server authentication-timeout, ssh server enable, and ssh server compatible-ssh1x enable.

Examples

# Display the SSH server status information.

<Sysname> display ssh server status

 SSH Server: Disable

 SSH version : 1.99

 SSH authentication-timeout : 60 second(s)

 SSH server key generating interval : 0 hour(s)

 SSH Authentication retries : 3 time(s)

 SFTP Server: Disable

 SFTP Server Idle-Timeout: 10 minute(s)

Table 1-10 Description on fields of the display ssh server status command

Field                                 Description
SSH Server                            Whether the SSH server function is enabled
SSH version                           SSH protocol version
SSH authentication-timeout            Authentication timeout period
SSH server key generating interval    SSH server key pair update interval
SSH Authentication retries            Maximum number of SSH authentication attempts
SFTP Server                           Whether the SFTP server function is enabled
SFTP Server Idle-Timeout              SFTP connection idle timeout period

# Display the SSH server session information.

<Sysname> display ssh server session

 Conn   Ver   Encry    State         Retry    SerType  Username

 VTY 0  2.0   3DES      Established   0        SFTP     client001

Table 1-11 Description on fields of the display ssh server session command

Field       Description
Conn        VTY interface used by the user
Ver         SSH server protocol version
Encry       Encryption algorithm used by SSH
State       Status of the session, one of: Init, Ver-exchange, Keys-exchange, Auth-request, Serv-request, Established, Disconnected
Retry       Number of authentication attempts
SerType     Service type (SFTP, Stelnet)
Username    Name of the user at login

1.1.8  display ssh server-info

Syntax

display ssh server-info

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh server-info command on a client to display mappings between SSH servers and their host public keys saved on the client.

When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.

Related commands: ssh client authentication server.

Examples

# Display the mappings between host public keys and SSH servers saved on the client.

<Sysname> display ssh server-info

Server Name(IP)                 Server public key name

______________________________________________________

192.168.0.1                      abc_key01

192.168.0.2                      abc_key02

Table 1-12 Description on fields of the display ssh server-info command

Field                     Description
Server Name(IP)           Name or IP address of the server
Server public key name    Name of the host public key of the server

1.1.9  display ssh user-information

Syntax

display ssh user-information [ username ]

View

Any view

Default Level

1: Monitor level

Parameters

username: SSH username, a string of 1 to 80 characters.

Description

Use the display ssh user-information command on an SSH server to display information about a specified SSH user or about all SSH users.

With the username argument not specified, the command displays information about all users.

Related commands: ssh user assign rsa-key, ssh user authentication-type, ssh user service-type.

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information

 Total ssh users : 2

 Username            Authentication-type  User-public-key-name  Service-type

 yemx                password             putty                 stelnet|sftp

 test                rsa                  null                  sftp

Table 1-13 Description on fields of the display ssh user-information command

Field                   Description
Username                Name of the user
Authentication-type     Authentication type
User-public-key-name    Public key of the user
Service-type            Service type

1.1.10  peer-public-key end

Syntax

peer-public-key end

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the peer-public-key end command to return from public key view to system view.

Related commands: rsa peer-public-key.

Examples

# Exit public key view.

<Sysname> system-view

[Sysname] rsa peer-public-key Sysname003

[Sysname-rsa-public-key] peer-public-key end

[Sysname]

1.1.11  protocol inbound

Syntax

protocol inbound { all | ssh | telnet }

View

VTY user interface view

Default Level

2: System level

Parameters

all: Supports all protocols: Telnet and SSH.

ssh: Supports SSH only.

telnet: Supports Telnet only.

Description

Use the protocol inbound command to enable the current user interface to support Telnet and SSH.

By default, a user interface supports all of the three protocols: Telnet, PAD, and SSH.

The configuration of this command takes effect at next login.

If you configure the current user interface to support SSH, be sure to configure the authentication-mode scheme command.

Related commands: user-interface vty in User Interface Commands of System Volume.

 

Note:

This command is not supported in Console user interface view or AUX user interface view.

 

Examples

# Enable VTYs 0 to 4 to support SSH only.

<Sysname> system-view

[Sysname] user-interface vty 0 4

[Sysname-ui-vty0-4] authentication-mode scheme

[Sysname-ui-vty0-4] protocol inbound ssh

1.1.12  public-key-code begin

Syntax

public-key-code begin

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code begin command to enter RSA key code view.

After entering public key code view, you can input the key data. It must be the hexadecimal form of the key in distinguished encoding rules (DER) format, entered as is without any conversion. Spaces and carriage returns are allowed between characters.

Related commands: rsa peer-public-key, public-key-code end.

Examples

# Enter public key code view to input the key.

<Sysname> system-view

[Sysname] rsa peer-public-key Sysname003

[Sysname-rsa-public-key] public-key-code begin

[Sysname-rsa-key-code] 30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3

[Sysname-rsa-key-code] F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA

[Sysname-rsa-key-code] CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500

[Sysname-rsa-key-code] A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628

[Sysname-rsa-key-code] 9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF

[Sysname-rsa-key-code] 7D7DDF25 03C44C00 E2F49539 5C4B0201 25

1.1.13  public-key-code end

Syntax

public-key-code end

View

RSA key code view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code end command to return from public key code view to public key view.

The system verifies the key before saving it. If the key contains illegal characters, the system displays an error message, indicating that an illegal character is entered, and discards the key.

Related commands: rsa peer-public-key, public-key-code begin.

Examples

# Exit RSA key code view.

<Sysname> system-view

[Sysname] rsa peer-public-key Sysname003

[Sysname-rsa-public-key] public-key-code begin

[Sysname-rsa-key-code] public-key-code end

[Sysname-rsa-public-key]

1.1.14  rsa local-key-pair create

Syntax

rsa local-key-pair create

View

System view

Default Level

2: System level

Parameters

None

Description

Use the rsa local-key-pair create command to generate RSA host key pairs and server key pairs.

Note that:

•    After you enter this command, the system prompts you to enter the number of bits of the key pair. For a host key pair and server key pair, the minimum length is 512 bits, and the maximum length is 2,048 bits. If a key pair already exists, you need to decide whether to modify it.

•    You only need to execute this command once. You do not need to execute it again after the device is restarted.

Related commands: rsa local-key-pair destroy and display rsa local-key-pair public.

Examples

# Generate a host key pair and server key pair.

<Sysname> system-view

[Sysname] rsa local-key-pair create

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

..........++++++++++++

...............++++++++++++

.......++++++++

....++++++++

Done!                                  

1.1.15  rsa local-key-pair destroy

Syntax

rsa local-key-pair destroy

View

System view

Default Level

2: System level

Parameters

None

Description

Use the rsa local-key-pair destroy command to destroy RSA host key pairs and server key pairs.

After entering this command, you need to decide whether to destroy RSA host key pairs and server key pairs.

Related commands: rsa local-key-pair create.

Examples

# Destroy an RSA host key pair and server key pair.

<Sysname> system-view

[Sysname] rsa local-key-pair destroy

The local-key-pair will be destroyed.

Confirm to destroy these keys? [Y/N]:y

..........Done!

1.1.16  rsa local-key-pair export

Syntax

rsa local-key-pair export { ssh1 | ssh2 | openssh } [ filename ]

View

Any view

Default Level

2: System level

Parameters

ssh1: An RSA host public key is in the format of “SSH1”.

ssh2: An RSA host public key is in the format of “SSH2”.

openssh: An RSA host public key is in the format of “OpenSSH”.

filename: Name of the exported RSA host public key file. If a host public key filename is denoted in the format of “filename”, filename is a string of 1 to 91 characters. If a host public key filename is denoted in the format of “directory + filename”, filename is a string of 1 to 136 characters (the filename consists of a maximum of 91 characters).

Description

Use the rsa local-key-pair export command to display RSA host public keys on the screen in a specified format or to export RSA host public keys to a specified file.

If no filename is specified, the system displays RSA host public keys on the screen. Otherwise, the system exports and saves RSA host public keys to the specified file.

SSH1, SSH2 and OpenSSH indicate three different types of public key file formats.

Related commands: rsa local-key-pair create and rsa local-key-pair destroy.

Examples

# Export RSA host public keys in the format of “OpenSSH”.

<Sysname> rsa local-key-pair export OpenSSH myOpenSSH

The file of public key is successfully generated.

# Display RSA host public keys in the format of “SSH2”.

<Sysname> rsa local-key-pair export SSH2

Host public key for SSH2 format code:

---- BEGIN SSH2 PUBLIC KEY ----

AAAAB3NzaC1yc2EAAAADAQABAAAAgQCusCaLG/BIkVdFQT7pND+ETtHZGnOclMuK

9zxdbzcjcAdWIZY4Hwu/AOGbn7Sj2NJZNeqUzFrYNeOjD1cGqO5NkgLvy+2lAUSW

+L9usdsIk67fiF63Msu3i9HcqyA0mUuToNjQUZoltU1kbqFK7zE1CCZAt7+55rWk

SqcCGqFBsw==

---- END SSH2 PUBLIC KEY ----   

[Sysname]

# Display RSA host public keys in the format of “OpenSSH”.

<Sysname> rsa local-key-pair export OpenSSH

Public key code for pasting into OpenSSH authorized_keys file :

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCusCaLG/BIkVdFQT7pND+ETtHZGnOclMuK9zxdbzcj

cAdWIZY4Hwu/AOGbn7Sj2NJZNeqUzFrYNeOjD1cGqO5NkgLvy+2lAUSW+L9usdsIk67fiF63Msu3i9HcqyA0mUuToNjQUZoltU1kbqFK7zE1CCZAt7+55rWkSqcCGqFBsw== rsa-key 

1.1.17  rsa peer-public-key

Syntax

rsa peer-public-key keyname

undo rsa peer-public-key keyname

View

System view

Default Level

2: System level

Parameters

keyname: Name of a public key, a string of 1 to 64 characters.

Description

Use the rsa peer-public-key command to enter public key view.

Use the undo rsa peer-public-key command to delete the configured remote public keys.

In public key view, you can configure remote public keys using the public-key-code begin and public-key-code end commands together. You need to first obtain the remotely generated hexadecimal public keys.

Related commands: public-key-code begin and public-key-code end.

Examples

# Enter public key view (the public key is named “abc123”).

<Sysname> system-view

[Sysname] rsa peer-public-key abc123

[Sysname-pkeyrsa-public-key]

1.1.18  rsa peer-public-key import sshkey

Syntax

rsa peer-public-key keyname import sshkey filename

undo rsa peer-public-key keyname

View

System view

Default Level

2: System level

Parameters

keyname: Name of a public key, a string of 1 to 64 characters.

filename: Name of a public key file, a string of 1 to 136 characters.

Description

Use the rsa peer-public-key import sshkey command to import remote public keys from a public key file.

Use the undo rsa peer-public-key command to delete the configured remote public keys.

After you execute this command, the system automatically converts the public key file (SSH1, SSH2, and OpenSSH formats are supported) into PKCS codes and configures the remote public key. The remote public key file of the RSA key must be transferred to the local device by FTP or TFTP in advance.

Examples

# Import the remote public key named “abc456” from the public file “pub2”.

<Sysname> system-view

[Sysname] rsa peer-public-key abc456 import sshkey pub2
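The key code accepted by public-key-code begin (section 1.1.12) and the OpenSSH line written by rsa local-key-pair export (section 1.1.16) are two encodings of the same (n, e) pair, and rsa peer-public-key import sshkey converts the second into the first. The following added example (not H3C code) parses both, performs the illegal-character check that public-key-code end applies, and converts in either direction; the two constants are constructed from the examples in those sections.

```python
import base64
import re
import struct

# Constructed: the key code typed in the public-key-code begin example,
# spaces and line breaks included, exactly as the CLI accepts it.
KEY_CODE = """
30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3
F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA
CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500
A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628
9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF
7D7DDF25 03C44C00 E2F49539 5C4B0201 25
"""

# Constructed: the line printed by "rsa local-key-pair export openssh".
OPENSSH_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCusCaLG/BIkVdFQT7pND+ETtHZGnOclMuK"
    "9zxdbzcjcAdWIZY4Hwu/AOGbn7Sj2NJZNeqUzFrYNeOjD1cGqO5NkgLvy+2lAUSW"
    "+L9usdsIk67fiF63Msu3i9HcqyA0mUuToNjQUZoltU1kbqFK7zE1CCZAt7+55rWk"
    "SqcCGqFBsw== rsa-key"
)

def normalize_key_code(text):
    """Join the key code into one hex string; anything other than hex digits,
    spaces and line breaks is rejected, as public-key-code end does."""
    code = re.sub(r"[ \r\n]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]*", code) or len(code) % 2:
        raise ValueError("illegal character in key code")
    return code.upper()

def _der_read(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def parse_der_rsa_public_key(key_code):
    """Decode SEQUENCE { INTEGER n, INTEGER e } (PKCS#1 RSAPublicKey) -> (n, e)."""
    buf = bytes.fromhex(normalize_key_code(key_code))
    tag, seq, end = _der_read(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_raw, pos = _der_read(seq, 0)
    tag_e, e_raw, pos = _der_read(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs (n, e)")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _positive_bytes(value):
    """Big-endian bytes of value with a leading 0x00 if the top bit is set,
    as both DER INTEGER and SSH mpint require for positive numbers."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    return b"\x00" + raw if raw[0] & 0x80 else raw

def to_der_rsa_public_key(n, e):
    """Encode (n, e) as the hex key code the CLI expects (import direction)."""
    ints = [b"\x02" + _der_len(len(r)) + r for r in map(_positive_bytes, (n, e))]
    body = b"".join(ints)
    return (b"\x30" + _der_len(len(body)) + body).hex().upper()

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def parse_openssh_rsa(line):
    """Decode an 'ssh-rsa <base64> [comment]' line -> (n, e)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob, pos, parts = base64.b64decode(fields[1], validate=True), 0, []
    while pos < len(blob):  # the blob is a run of length-prefixed strings
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if pos != len(blob) or len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")

def to_openssh_rsa(n, e, comment="rsa-key"):
    """Encode (n, e) as the OpenSSH authorized_keys line (export direction)."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(_positive_bytes(e))
            + _ssh_string(_positive_bytes(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment
```

Running the converters on the manual's own samples shows that the key-code example carries a 1023-bit modulus with exponent 37, while the exported OpenSSH key is 1024 bits with exponent 65537.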

1.1.19  sftp

Syntax

sftp { host-ip | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

View

System view

Default Level

3: Manage level

Parameters

host-ip: IPv4 address of the server.

host-name: Server name, a string of 1 to 20 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer_ctos_cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

•    3des: Encryption algorithm 3des_cbc.

•    aes128: Encryption algorithm aes128_cbc.

•    des: Encryption algorithm des_cbc.

prefer_ctos_hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

•    md5: HMAC algorithm hmac-md5.

•    md5_96: HMAC algorithm hmac-md5-96.

•    sha1: HMAC algorithm hmac-sha1.

•    sha1_96: HMAC algorithm hmac-sha1-96.

prefer_kex: Preferred key exchange algorithm, defaulted to dh_group1.

•    dh_exchange_group: Key exchange algorithm diffie-hellman-group-exchange-sha1.

•    dh_group1: Key exchange algorithm diffie-hellman-group1-sha1.

prefer_stoc_cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer_stoc_hmac: Preferred HMAC algorithm from server to client, defaulted to sha1.

Description

Use the sftp command to establish a connection to a remote IPv4 SFTP server and enter SFTP client view.

Examples

# Connect to SFTP server 10.1.1.2.

<Sysname> system-view

[Sysname] sftp 10.1.1.2

Input Username:

1.1.20  sftp client ipv6 source

Syntax

sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

undo sftp client ipv6 source

View

System view

Default Level

3: Manage level

Parameters

ipv6 ipv6-address: Specifies a source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for an SFTP client.

Use the undo sftp client ipv6 source command to remove the configuration.

By default, the client uses the interface address specified by the route of the device to access the SFTP server.

If the specified interface does not exist, the system prompts failure.

Related commands: display sftp client source.

Examples

# Specify the source IPv6 address of the SFTP client as 2:2::2:2.

<Sysname> system-view

[Sysname] sftp client ipv6 source ipv6 2:2::2:2

1.1.21  sftp client source

Syntax

sftp client source { ip ip-address | interface interface-type interface-number }

undo sftp client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the sftp client source command to specify the source IPv4 address or interface of an SFTP client.

Use the undo sftp client source command to remove the configuration.

By default, a client uses the IP address or interface specified by the route to access the SFTP server.

Related commands: display sftp client source.

Examples

# Specify the source IP address of the SFTP client as 192.168.0.1.

<Sysname> system-view

[Sysname] sftp client source ip 192.168.0.1

1.1.22  sftp ipv6

Syntax

sftp ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

View

System view

Default Level

3: Manage level

Parameters

ipv6-address: IPv6 address of the server.

host-name: Server name, a string of 1 to 46 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer_ctos_cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

•    3des: Encryption algorithm 3des_cbc.

•    aes128: Encryption algorithm aes128_cbc.

•    des: Encryption algorithm des_cbc.

prefer_ctos_hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

•    md5: HMAC algorithm hmac-md5.

•    md5_96: HMAC algorithm hmac-md5-96.

•    sha1: HMAC algorithm hmac-sha1.

•    sha1_96: HMAC algorithm hmac-sha1-96.

prefer_kex: Preferred key exchange algorithm, defaulted to dh_group1.

•    dh_exchange_group: Key exchange algorithm diffie-hellman-group-exchange-sha1.

•    dh_group1: Key exchange algorithm diffie-hellman-group1-sha1.

prefer_stoc_cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer_stoc_hmac: Preferred HMAC algorithm from server to client, defaulted to sha1.

Description

Use the sftp ipv6 command to establish a connection to a remote IPv6 SFTP server and enter SFTP client view.

Examples

# Connect to server 2:5::8:9.

<Sysname> system-view

[Sysname] sftp ipv6 2:5::8:9

Input Username:

1.1.23  sftp server enable

Syntax

sftp server enable

undo sftp server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the sftp server enable command to enable SFTP server.

Use the undo sftp server enable command to disable SFTP server.

By default, SFTP server is disabled.

Related commands: display ssh server.

Examples

# Enable SFTP server.

<Sysname> system-view

[Sysname] sftp server enable

1.1.24  sftp server idle-timeout

Syntax

sftp server idle-timeout time-out-value

undo sftp server idle-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Timeout period in minutes. It ranges from 1 to 35,791.

Description

Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections.

Use the undo sftp server idle-timeout command to restore the default.

By default, the idle timeout period is 10 minutes.

Related commands: display ssh server.

Examples

# Set the idle timeout period for SFTP user connections to 500 minutes.

<Sysname> system-view

[Sysname] sftp server idle-timeout 500

1.1.25  ssh client authentication server

Syntax

ssh client authentication server { server-ip | server-name } assign rsa-key keyname

undo ssh client authentication server { server-ip | server-name } assign rsa-key

View

System view

Default Level

2: System level

Parameters

server-ip: IP address of the server, a string of 1 to 80 characters.

server-name: Server name, a string of 1 to 64 characters.

keyname: Name of the host public key on the server.

Description

Use the ssh client authentication server command to configure the host public key of the server so that the client can determine whether the server is trustworthy.

Use the undo ssh client authentication server command to remove the configuration.

By default, the host public key of the server is not configured, and when logging into the server, the client uses the IP address or host name used for login as the public key name.

Examples

# Configure the public key of the server with the IP address of 192.168.0.1 to be abc.

<Sysname> system-view

[Sysname] ssh client authentication server 192.168.0.1 assign rsa-key abc

1.1.26  ssh client first-time enable

Syntax

ssh client first-time enable

undo ssh client first-time

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh client first-time enable command to enable the first authentication function.

Use the undo ssh client first-time command to disable the function.

By default, the function is enabled.

When an SSH client tries to access a server whose public host key it does not know for the first time, the first authentication function enables it to access the server and obtain and save the public host key of the server. When the client accesses the server later, it can use the locally saved public host key of the server to authenticate the server.

With the first authentication function disabled, an SSH client cannot access any server whose public host key it does not know. In this case, you must configure the public host key of the server to be accessed and specify the public key name on the client at first.

Examples

# Enable the first authentication function.

<Sysname> system-view

[Sysname] ssh client first-time enable

1.1.27  ssh client ipv6 source

Syntax

ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

undo ssh client ipv6 source

View

System view

Default Level

3: Manage level

Parameters

ipv6 ipv6-address: Specifies a source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client ipv6 source command to specify the source IPv6 address or source interface for the SSH client.

Use the undo ssh client ipv6 source command to remove the configuration.

By default, the client uses the source address specified by the route of the device to access the SSH server.

Examples

# Specify the source IPv6 address as 2:2::2:2 for the SSH client.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

1.1.28  ssh client source

Syntax

ssh client source { ip ip-address | interface interface-type interface-number }

undo ssh client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client source command to specify the source IPv4 address or source interface of the SSH client.

Use the undo ssh client source command to remove the configuration.

By default, an SSH client uses the IP address or interface specified by the route to access the SSH server.

If the specified interface does not exist, the system prompts failure.

Related commands: display ssh client source.

Examples

# Specify the source IPv4 address of the SSH client as 192.168.0.1.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

1.1.29  ssh server authentication-retries

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

View

System view

Default Level

2: System level

Parameters

times: Maximum number of authentication attempts, in the range 1 to 5.

Description

Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts, which takes effect at next login.

Use the undo ssh server authentication-retries command to restore the default.

By default, the maximum number of SSH connection authentication attempts is 3.

Note that the threshold specified by using the ssh server authentication-retries command takes into account both RSA authentication attempts and password authentication attempts.

Related commands: display ssh server.

Examples

# Set the maximum number of SSH connection authentication attempts to four.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

1.1.30  ssh server authentication-timeout

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Authentication timeout period in seconds, in the range 1 to.

Description

Use the ssh server authentication-timeout command to set the SSH user authentication timeout period on the SSH server.

Use the undo ssh server authentication-timeout command to restore the default.

By default, the authentication timeout period is 60 seconds.

Related commands: display ssh server.

Examples

# Set the SSH user authentication timeout period to 10 seconds.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

1.1.31  ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to enable the SSH server to work with SSH1.x clients.

Use the undo ssh server compatible-ssh1x command to disable the SSH server from working with SSH1.x clients.

By default, the SSH server can work with SSH1.x clients.

This configuration takes effect at next login.

Related commands: display ssh server.

Examples

# Enable the SSH server to work with SSH1.x clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable

1.1.32  ssh server enable

Syntax

ssh server enable

undo ssh server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server enable command to enable SSH server.

Use the undo ssh server enable command to disable SSH server.

By default, SSH server is disabled.

Examples

# Enable SSH server.

<Sysname> system-view

[Sysname] ssh server enable

1.1.33  ssh server rekey-interval

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

View

System view

Default Level

2: System level

Parameters

hours: Server key pair update interval in hours, in the range 1 to 24.

Description

Use the ssh server rekey-interval command to set the interval for updating the server key pair.

Use the undo ssh server rekey-interval command to restore the default.

By default, the update interval of the server key pair is 0, that is, the server key pair is not updated.

Related commands: display ssh server.

Examples

# Set the server key pair update interval to three hours.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

1.1.34  ssh user assign rsa-key

Syntax

ssh user username assign rsa-key keyname

undo ssh user username assign rsa-key

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: SSH username, a string of 1 to 80 characters.

keyname: Name of an existing client public key, a string of 1 to 64 characters.

Description

Use the ssh user assign rsa-key command to assign an existing public key to the specified SSH user.

Use the undo ssh user assign rsa-key command to remove the mapping between a user and its public key.

Note that:

•    The system creates an SSH user while you configure the ssh user assign rsa-key command. By default, the authentication mode is RSA, and the service type is stelnet. Use the undo ssh user username command to delete SSH users.

•    If you configure the ssh user assign rsa-key command for a user with a public key, the new public key overwrites the old one.

•    The new public key takes effect when the user logs in next time.

Related commands: display ssh user-information.

Examples

# Assign the key named “key1” to the user named “aaa”.

<Sysname> system-view

[Sysname] ssh user aaa assign rsa-key key1

1.1.35  ssh user authentication-type

Syntax

ssh user username authentication-type { password | rsa | password-publickey | all }

undo ssh user username authentication-type

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: Name of the SSH user, a string of 1 to 80 characters.

password: Sets the authentication mode of the user to “password” forcibly.

rsa: Sets the authentication mode of the user to “RSA” forcibly.

password-publickey: Sets the authentication mode of the user to “RSA” plus “password” forcibly.

all: Sets the authentication mode to either “password” or “RSA”. Clients will attempt to log in through RSA first.

 

Note:

For the authentication mode specified by password-publickey:

•    SSH1 users can log in successfully if passing one kind of authentication.

•    SSH2 users cannot log in successfully unless passing both kinds of authentication.

 

Description

Use the ssh user authentication-type command to specify an authentication mode for a specific user. Use the undo ssh user authentication-type command to restore the default authentication mode.

By default, the system specifies the authentication mode as “RSA”.

Note that:

•    This command is used to specify an optional authentication mode for user login on the server. In practice, users can adopt an authentication mode on a client at their discretion.

•    The system creates an SSH user while you configure the ssh user authentication-type command. The default service type is “stelnet”. Use the undo ssh user command to delete SSH users.

•    A newly configured authentication mode will take effect when users log in next time.

•    If a user uses the RSA authentication mode, this user and its public key must be configured on a switch. If a user uses the password authentication mode, its account information can be configured on a switch or remote authentication server (for example, a RADIUS authentication server).

Related commands: display ssh user-information.

Examples

# Specify the authentication mode of the user named “aaa” as a password.

<Sysname> system-view

[Sysname] ssh user aaa authentication-type password

1.1.36  ssh user service-type

Syntax

ssh user username service-type { stelnet | sftp | all }

undo ssh user username service-type

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: Name of the SSH user, a string of 1 to 80 characters.

stelnet: The service type is secure Telnet.

sftp: The service type is Secure FTP.

all: Two service types including Stelnet and SFTP.

Description

Use the ssh user service-type command to specify a service type for a specific user. Use the undo ssh user service-type command to restore the default service type.

By default, the service type is Stelnet.

The system creates an SSH user while you configure the ssh user service-type command. The default authentication mode is “RSA”. Use the undo ssh user command to delete SSH users.

Related commands: display ssh user-information.

Examples

# Specify the service type as SFTP for the user named “aaa”.

<Sysname> system-view

[Sysname] ssh user aaa service-type sftp

1.1.37  ssh user work-directory

Syntax

ssh user username work-directory directory-name

undo ssh user username work-directory

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: Name of the SSH user, a string of 1 to 80 characters.

directory-name: Working folder of the SSH user, a string of 1 to 135 characters.

Description

Use the ssh user work-directory command to specify the working folder for an SSH user.

Use the undo ssh user work-directory command to remove the working folder configuration for a user.

Executing the ssh user work-directory command will also create an SSH user. To remove an SSH user, use the undo ssh user command.

Note that:

•    You need to use this command to specify a working folder for each user whose authentication mode is publickey and service type is SFTP.

•    If a user uses publickey and password authentication at the same time, the working folder specified by the ssh user work-directory command takes priority.

Examples

# Specify working folder flash:/ for user aaa.

<Sysname> system-view

System View: return to User View with Ctrl+Z.

[Sysname] ssh user aaa work-directory flash:/

1.1.38  ssh2

Syntax

ssh2 { host-ip | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

View

System view

Default Level

0: Visit level

Parameters

host-ip: IPv4 address of the server.

host-name: Server name, a string of 1 to 20 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer_ctos_cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

•    3des: Encryption algorithm 3des_cbc.

•    aes128: Encryption algorithm aes128_cbc.

•    des: Encryption algorithm des_cbc.

prefer_ctos_hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

•    md5: HMAC algorithm hmac-md5.

•    md5_96: HMAC algorithm hmac-md5-96.

•    sha1: HMAC algorithm hmac-sha1.

•    sha1_96: HMAC algorithm hmac-sha1-96.

prefer_kex: Preferred key exchange algorithm, defaulted to dh_group1.

•    dh_exchange_group: Key exchange algorithm diffie-hellman-group-exchange-sha1.

•    dh_group1: Key exchange algorithm diffie-hellman-group1-sha1.

prefer_stoc_cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer_stoc_hmac: Preferred HMAC algorithm from server to client, defaulted to sha1.

Description

Use the ssh2 command to establish a connection to an SSH server, and specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms of the client and the server.

Examples

# Log in to remote SSH2 server 10.214.50.51, setting the algorithms as follows:

•    Preferred key exchange algorithm: DH_exchange_group

•    Preferred encryption algorithm from server to client: AES128

•    Preferred HMAC algorithm from client to server: MD5

•    Preferred HMAC algorithm from server to client: SHA1-96.

<Sysname> system-view

[Sysname] ssh2 10.214.50.51 prefer_kex dh_exchange_group prefer_stoc_cipher aes128 prefer_ctos_hmac md5 prefer_stoc_hmac sha1_96

1.1.39  ssh2 ipv6

Syntax

ssh2 ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

View

System view

Default Level

0: Visit level

Parameters

ipv6-address: IPv6 address of the server.

host-name: Server name, a string of 1 to 46 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer_ctos_cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

l           3des: Encryption algorithm 3des_cbc.

l           aes128: Encryption algorithm aes128_cbc.

l           des: Encryption algorithm des_cbc.

prefer_ctos_hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

l           md5: HMAC algorithm hmac-md5.

l           md5_96: HMAC algorithm hmac-md5-96.

l           sha1: HMAC algorithm hmac-sha1.

l           sha1_96: HMAC algorithm hmac-sha1-96.

prefer_kex: Preferred key exchange algorithm. The default is dh_group1.

• dh_exchange_group: Key exchange algorithm diffie-hellman-group-exchange-sha1.

• dh_group1: Key exchange algorithm diffie-hellman-group1-sha1.

prefer_stoc_cipher: Preferred encryption algorithm from server to client. The default is aes128.

prefer_stoc_hmac: Preferred HMAC algorithm from server to client. The default is sha1.

Description

Use the ssh2 ipv6 command to establish a connection to an IPv6 SSH server and to specify the preferred key exchange algorithm, encryption algorithms, and HMAC algorithms for each direction between the client and the server. A preference is the algorithm the client offers first; an unspecified preference takes its documented default.

By current standards des, dh_group1, and the 96-bit truncated HMAC variants (md5_96 and sha1_96) are weak. Keep the aes128 and sha1 defaults, select prefer_kex dh_exchange_group where the server supports it, and fall back to the weaker options only for a server that offers nothing stronger.

Examples

# Log in to the remote SSH2 server 2000::1 with the following algorithm preferences:

• Preferred key exchange algorithm: dh_exchange_group

• Preferred encryption algorithm from server to client: aes128

• Preferred HMAC algorithm from client to server: md5

• Preferred HMAC algorithm from server to client: sha1_96

<Sysname> system-view

[Sysname] ssh2 ipv6 2000::1 prefer_kex dh_exchange_group prefer_stoc_cipher aes128 prefer_ctos_hmac md5 prefer_stoc_hmac sha1_96
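The ssh2 and ssh2 ipv6 commands above share one option grammar, and the security-relevant part of a typed command is the algorithm set that results after defaults are filled in. As an added example, not code from the H3C manual, the following Python parses an ssh2 or ssh2 ipv6 line, applies the documented defaults to every preference that was not given, maps each keyword to the algorithm name the manual lists for it, and reports choices that are weak by current standards. Only the keyword-to-algorithm mapping, the defaults, and the port range come from the manual; the weak-algorithm policy, the rejection of a repeated keyword, and the names Ssh2Command and parse_ssh2 are this example's own assumptions.

```python
"""Parse an H3C-style `ssh2` / `ssh2 ipv6` command line and report the
effective algorithm selection.

Added example, not part of the H3C manual.  The keyword-to-algorithm mapping,
the defaults and the port range are taken from the command reference; the
"weak" policy and the duplicate-keyword rejection are this example's own.
"""
from dataclasses import dataclass, field

# Keyword -> algorithm name, spelled exactly as the command reference lists it.
CIPHERS = {"3des": "3des_cbc", "aes128": "aes128_cbc", "des": "des_cbc"}
HMACS = {"md5": "hmac-md5", "md5_96": "hmac-md5-96",
         "sha1": "hmac-sha1", "sha1_96": "hmac-sha1-96"}
KEXS = {"dh_exchange_group": "diffie-hellman-group-exchange-sha1",
        "dh_group1": "diffie-hellman-group1-sha1"}

# Option keyword -> (allowed values, documented default).
OPTIONS = {
    "prefer_ctos_cipher": (CIPHERS, "aes128"),
    "prefer_ctos_hmac": (HMACS, "sha1"),
    "prefer_kex": (KEXS, "dh_group1"),
    "prefer_stoc_cipher": (CIPHERS, "aes128"),
    "prefer_stoc_hmac": (HMACS, "sha1"),
}

# Review policy of this example only (the manual ranks nothing): why a value
# is flagged, whether it was typed explicitly or arrived as the default.
WEAK = {
    "des": "single DES uses a 56-bit key",
    "md5": "HMAC-MD5 is deprecated",
    "md5_96": "truncated 96-bit HMAC-MD5 tag",
    "sha1_96": "truncated 96-bit HMAC-SHA1 tag",
    "dh_group1": "1024-bit diffie-hellman-group1-sha1 is deprecated",
}


@dataclass
class Ssh2Command:
    target: str
    ipv6: bool
    port: int
    algorithms: dict            # option keyword -> documented algorithm name
    warnings: list = field(default_factory=list)


def parse_ssh2(line: str) -> Ssh2Command:
    """Parse one 'ssh2 ...' or 'ssh2 ipv6 ...' line; raise ValueError on bad input."""
    tokens = line.split()
    if not tokens or tokens[0] != "ssh2":
        raise ValueError("not an ssh2 command")
    i = 1
    ipv6 = len(tokens) > 1 and tokens[1] == "ipv6"
    if ipv6:
        i += 1
    if i >= len(tokens):
        raise ValueError("missing server address or host name")
    target = tokens[i]
    i += 1
    port = 22                                   # documented default
    if i < len(tokens) and tokens[i].isdigit():  # optional port-number
        port = int(tokens[i])
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} out of range 0-65535")
        i += 1
    chosen = {}
    while i < len(tokens):
        key = tokens[i]
        if key not in OPTIONS:
            raise ValueError(f"unknown keyword {key!r}")
        if key in chosen:                       # assumption: a repeat is an error
            raise ValueError(f"{key} given twice")
        if i + 1 >= len(tokens):
            raise ValueError(f"{key} needs a value")
        value = tokens[i + 1]
        allowed, _ = OPTIONS[key]
        if value not in allowed:
            raise ValueError(f"{value!r} is not valid for {key}; "
                             f"choose one of {sorted(allowed)}")
        chosen[key] = value
        i += 2
    cmd = Ssh2Command(target, ipv6, port, {})
    for key, (allowed, default) in OPTIONS.items():
        value = chosen.get(key, default)        # fill in the documented default
        cmd.algorithms[key] = allowed[value]
        if value in WEAK:
            origin = "explicit" if key in chosen else "default"
            cmd.warnings.append(f"{key}={value} ({origin}): {WEAK[value]}")
    return cmd


if __name__ == "__main__":
    for line in ("ssh2 10.214.50.51 prefer_kex dh_exchange_group prefer_stoc_cipher aes128 "
                 "prefer_ctos_hmac md5 prefer_stoc_hmac sha1_96",
                 "ssh2 ipv6 2000::1"):
        cmd = parse_ssh2(line)
        print(cmd.target, cmd.port, cmd.algorithms)
        for warning in cmd.warnings:
            print("  WARN", warning)
```

Run against the manual's own example, the parser reports two explicit weak choices (md5 and sha1_96); run against a bare `ssh2 ipv6 2000::1`, it reports that the dh_group1 default was taken, which is the case an operator most easily overlooks.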

1.2  SFTP Configuration Commands

1.2.1  bye

Syntax

bye

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the bye command to terminate the connection with a remote SFTP server and return to user view.

This command is equivalent to the exit and quit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> bye

Bye

<Sysname>

1.2.2  cd

Syntax

cd [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name of a path on the server.

Description

Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path.

 

Note:

• You can use the cd .. command to return to the upper-level directory.

• You can use the cd / command to return to the root directory of the system.

 

Examples

# Change the working path to new1.

sftp-client> cd new1

Current Directory is:

/new1

1.2.3  cdup

Syntax

cdup

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the cdup command to return to the upper-level directory.

Examples

# From the current working directory /new1, return to the upper-level directory.

sftp-client> cdup

Current Directory is:

/

1.2.4  delete

Syntax

delete remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Name of a file on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.

Description

Use the delete command to delete a specified file from a server.

This command is equivalent to the remove command.

Examples

# Delete file temp.c from the server.

sftp-client> delete temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed

1.2.5  dir

Syntax

dir [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays detailed information about the files and folders of the specified directory in list form.

remote-path: Name of the directory to be queried.

Description

Use the dir command to display file and folder information under a specified directory.

With neither the -a nor the -l keyword specified, the command displays detailed information about the files and folders under the specified directory in list form.

With the remote-path not specified, the command displays the file and folder information of the current working directory.

This command is equivalent to the ls command.

Examples

# Display in a list form detailed file and folder information under the current working directory.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

1.2.6  exit

Syntax

exit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the exit command to terminate the connection with a remote SFTP server and return to user view.

This command is equivalent to the bye and quit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> exit

Bye

<Sysname>

1.2.7  get

Syntax

get remote-file [ local-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file: Name of a file on the remote SFTP server.

local-file: Name for the local file.

Description

Use the get command to download a file from a remote SFTP server and save it locally.

If you do not specify the local-file argument, the file will be saved locally with the same name as that on the remote SFTP server.

Examples

# Download file temp1.c and save it as temp.c locally.

sftp-client> get temp1.c temp.c

Remote  file:/temp1.c --->  Local file: temp.c

Downloading file successfully ended

1.2.8  help

Syntax

help [ all | command-name ]

View

SFTP client view

Default Level

3: Manage level

Parameters

all: Displays a list of all commands.

command-name: Name of a command.

Description

Use the help command to display a list of all commands or the help information of an SFTP client command.

With neither the argument nor the keyword specified, the command displays a list of all commands.

Examples

# Display the help information of the get command.

sftp-client> help get

get remote-path [local-path]  Download file

Default local-path is the same with remote-path

1.2.9  ls

Syntax

ls [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays detailed information about the files and folders of the specified directory in list form.

remote-path: Name of the directory to be queried.

Description

Use the ls command to display file and folder information under a specified directory.

With neither the -a nor the -l keyword specified, the command displays detailed information about the files and folders under the specified directory in list form.

With the remote-path not specified, the command displays the file and folder information of the current working directory.

This command is equivalent to the dir command.

Examples

# Display in a list form detailed file and folder information under the current working directory.

sftp-client> ls

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2
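The long listing that dir (1.2.5) and ls (1.2.9) print has the same nine fields as a Unix ls -l line: permission string, link count, owner, group, size, month, day, time and name. As an added example, not part of the H3C manual, the following Python parses that output into records and lists the entries that are writable by everyone, which is worth checking before leaving a configuration file such as config.cfg or a public-key file on the server. The sample listing is a constructed copy of the manual's example output; the field layout is taken from it, while the names Entry, parse_listing and world_writable and the world-writable check itself are this example's own.

```python
"""Parse the long-listing output of the SFTP client's dir / ls commands.

Added example, not part of the H3C manual.  SAMPLE_LISTING is a constructed
copy of the manual's example output, not a capture from a live device.
"""
from dataclasses import dataclass

SAMPLE_LISTING = """\
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1
drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1
drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2
-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2
"""


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    mode: str       # nine permission characters: user rwx, group rwx, other rwx
    owner: str
    group: str
    size: int
    mtime: str      # "Mon DD HH:MM" exactly as printed; the listing shows no year


def parse_listing(text: str) -> list:
    """Turn dir/ls output into Entry records; raise ValueError on a foreign line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # The name is the ninth field and may itself contain spaces, so split
        # at most eight times and keep the remainder whole.
        parts = line.split(None, 8)
        if len(parts) != 9 or len(parts[0]) != 10:
            raise ValueError(f"unrecognised listing line: {line!r}")
        mode, _links, owner, group, size, mon, day, hhmm, name = parts
        entries.append(Entry(name=name, is_dir=mode[0] == "d", mode=mode[1:],
                             owner=owner, group=group, size=int(size),
                             mtime=f"{mon} {day} {hhmm}"))
    return entries


def world_writable(entries) -> list:
    """Names of entries whose 'other' write bit is set (index 7 of the 9-char mode)."""
    return [e.name for e in entries if e.mode[7] == "w"]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print(f"{len(listing)} entries, "
          f"{sum(e.is_dir for e in listing)} directories")
    for name in world_writable(listing):
        print("world-writable:", name)
```

On the manual's sample every entry, config.cfg included, is reported as world-writable, which is the point of running the check rather than eyeballing the mode column.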

1.2.10  mkdir

Syntax

mkdir remote-path

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name for the directory on a remote SFTP server.

Description

Use the mkdir command to create a directory on a remote SFTP server.

Examples

# Create a directory named test on the remote SFTP server.

sftp-client> mkdir test

New directory created

1.2.11  put

Syntax

put local-file [ remote-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

local-file: Name of a local file.

remote-file: Name for the file on a remote SFTP server.

Description

Use the put command to upload a local file to a remote SFTP server.

If you do not specify the remote-file argument, the file will be saved remotely with the same name as the local one.

Examples

# Upload local file temp.c to the remote SFTP server and save it as temp1.c.

sftp-client> put temp.c temp1.c

Local file:temp.c --->  Remote file: /temp1.c

Uploading file successfully ended

1.2.12  pwd

Syntax

pwd

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the pwd command to display the current working directory of a remote SFTP server.

Examples

# Display the current working directory of the remote SFTP server.

sftp-client> pwd

/

1.2.13  quit

Syntax

quit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the quit command to terminate the connection with a remote SFTP server and return to user view.

This command is equivalent to the bye and exit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> quit

Bye

<Sysname>

1.2.14  remove

Syntax

remove remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Name of a file on an SFTP server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.

Description

Use the remove command to delete a specified file from a remote server.

This command is equivalent to the delete command.

Examples

# Delete file temp.c from the server.

sftp-client> remove temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed       

1.2.15  rename

Syntax

rename oldname newname

View

SFTP client view

Default Level

3: Manage level

Parameters

oldname: Original file name or directory name.

newname: New file name or directory name.

Description

Use the rename command to change the name of a specified file or directory on an SFTP server.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.

sftp-client> rename temp1.c temp2.c

File successfully renamed

1.2.16  rmdir

Syntax

rmdir remote-path&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path&<1-10>: Name of the directory on the remote SFTP server. &<1-10> means that you can specify up to 10 directory names that are separated by space.

Description

Use the rmdir command to delete a specified directory from an SFTP server.

Examples

# On the SFTP server, delete directory temp1 in the current directory.

sftp-client> rmdir temp1

Directory successfully removed

 

