H3C S9500 Operation Manual-Release2132[V2.03]-07 Security Volume

06-SSH2.0 Configuration

Table of Contents

Chapter 1 SSH2 Configuration
1.1 SSH2 Overview
1.1.1 Algorithm and Key
1.1.2 Asymmetric Key Algorithm
1.1.3 SSH Operating Process
1.2 SSH Configuration Task List
1.3 Configuring the SSH Server
1.3.1 Enabling SSH Server
1.3.2 Configuring the Protocol Support for a User Interface
1.3.3 Creating/Destroying/Exporting RSA Keys
1.3.4 Configuring Authentication Mode for SSH Users
1.3.5 Configuring Service Type for SSH Users
1.3.6 Configuring Working Folders for SSH Users
1.3.7 Setting the SSH Management Parameters
1.3.8 Configuring RSA Public Key for the Client
1.3.9 Assigning RSA Public Keys to SSH Users
1.4 Configuring the SSH Client
1.4.1 Generating Client Key
1.4.2 Assigning an IP Address to the Server
1.4.3 Setting the Remote Connection Protocol to SSH
1.4.4 Selecting SSH Version
1.4.5 Opening SSH Connection Through RSA
1.4.6 Opening SSH Connection Through Password
1.5 Configuring the Device as an SSH Client
1.5.1 Prerequisite
1.5.2 Configuring the Device as an SSH Client
1.6 Displaying and Maintaining SSH
1.7 SSH Server Configuration Example
1.8 SSH Client Configuration Example
1.8.1 Network Requirements
1.8.2 Network Diagram
1.8.3 Configuration

Chapter 2 SFTP Service
2.1 SFTP Overview
2.2 Configuring an SFTP Server
2.2.1 Configuration Prerequisites
2.2.2 Enabling the SFTP Server
2.2.3 Configuring the SFTP Connection Idle Timeout Period
2.3 Configuring an SFTP Client
2.3.1 Specifying a Source IP Address or Interface for the SFTP Client
2.3.2 Establishing a Connection to the SFTP Server
2.3.3 Working with the SFTP Directories
2.3.4 Working with SFTP Files
2.3.5 Displaying Help Information
2.3.6 Disabling the SFTP Client
2.4 SFTP Configuration Example

 


Chapter 1  SSH2 Configuration

When configuring SSH2, go to these sections for information you are interested in:

- SSH2 Overview
- SSH Configuration Task List
- Configuring the SSH Server
- Configuring the SSH Client
- Configuring the Device as an SSH Client
- Displaying and Maintaining SSH
- SSH Server Configuration Example
- SSH Client Configuration Example

1.1  SSH2 Overview

Secure shell (SSH) offers an approach to securely logging into a remote device. By using encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception.

The device can not only work as an SSH server to support connections with SSH clients, but also work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server.

An SSH channel can be established through a local connection or WAN, as shown in Figure 1-1 and Figure 1-2.

Figure 1-1 Establish an SSH channel through local connection

Figure 1-2 Establish an SSH channel through WAN

Caution:

- Currently, when acting as an SSH server, the device supports two SSH versions: SSH2 and SSH1. When acting as an SSH client, the device supports SSH2 only.
- Unless otherwise noted, the “SSH” term in this document refers to SSH2.

 

1.1.1  Algorithm and Key

An algorithm is a set of transformation rules for encryption and decryption. Information that has not been encrypted is known as plain text, while encrypted information is known as cipher text. Encryption and decryption are performed using a string of characters called a key, which controls the transformation between plain text and cipher text, for example, changing plain text into cipher text or cipher text into plain text.

Figure 1-3 Encryption and decryption

Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms.

1.1.2  Asymmetric Key Algorithm

With an asymmetric key algorithm, a key pair exists at each end. The key pair consists of a private key and a public key. The public key is effective for both ends, while the private key is effective only for the local end.

An asymmetric key algorithm encrypts data using the public key and decrypts the data using the private key, thus ensuring data security.

You can also use an asymmetric key algorithm for digital signatures. For example, user 1 signs the data using his private key, and then sends the data to user 2. User 2 verifies the signature using the public key of user 1. If the signature is correct, the data originates from user 1.

Rivest, Shamir, and Adleman (RSA) is an asymmetric key algorithm. RSA can be used for both data encryption and signature.

1.1.3  SSH Operating Process

The session establishment between an SSH client and the SSH server involves the following five stages:

Table 1-1 Stages in establishing a session between the SSH client and the server

| Stages | Description |
|---|---|
| Version negotiation | SSH1 and SSH2 are supported. The two parties negotiate a version to use. |
| Key and algorithm negotiation | SSH supports multiple algorithms. The two parties negotiate an algorithm for communication. |
| Authentication | The SSH server authenticates the client in response to the client’s authentication request. |
| Session request | The client sends a session request to the server. |
| Interactive session | The client and the server start to communicate with each other. |

 

I. Version negotiation

- The server opens port 22 to listen to connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format of “SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>”. The primary and secondary protocol version numbers constitute the protocol version number, while the software version number is used for debugging.
- The client receives and resolves the packet. If the protocol version of the server is lower but supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version.
- The client sends to the server a packet that contains the number of the protocol version it decides to use. The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client.
- If the negotiation is successful, the server and the client go on to key and algorithm negotiation; otherwise, the server breaks the TCP connection.

Note:

All the packets involved in the above steps are transferred in plain text.
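The version negotiation above can be followed in code. This is an added example, not part of the original manual: it parses the identification string, applies the client rule described in the steps, and classifies what a server banner advertises. The 1.99 handling follows RFC 4253 (sections 4.2 and 5.1) rather than this page, and the banner strings are constructed.

```python
import re

# Identification string as described above:
#   SSH-<primary>.<secondary>-<software version>
# RFC 4253 section 4.2 also allows a space-separated comment after it.
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")

SSH1 = (1, 5)
SSH2 = (2, 0)
COMPAT = (1, 99)  # RFC 4253 section 5.1: SSH2 server that also accepts SSH1


def parse_ident(line):
    """Split an identification line into ((primary, secondary), software)."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not an SSH identification string: %r" % line)
    return (int(m.group(1)), int(m.group(2))), m.group(3)


def classify_server(line):
    """Describe what a server banner advertises, for an inventory check."""
    version, _ = parse_ident(line)
    if version == COMPAT:
        return "ssh2, ssh1 clients accepted"
    if version[0] == 2:
        return "ssh2 only"
    if version[0] == 1:
        return "ssh1 only"
    return "unknown"


def client_choice(own, server_line, client_supported):
    """Client rule from the text: take the server's version when it is lower
    but supportable, otherwise keep the client's own version."""
    server, _ = parse_ident(server_line)
    if server == COMPAT:      # SSH2 clients treat a 1.99 server as 2.0
        server = SSH2
    if server < own and server in client_supported:
        return server
    return own


def negotiate(own, client_supported, server_line, server_supported):
    """Return the agreed version, or None when the server breaks the
    TCP connection because it cannot work with the client's choice."""
    chosen = client_choice(own, server_line, client_supported)
    return chosen if chosen in server_supported else None


# Constructed sample banners (not captured from a real device).
COMPAT_BANNER = "SSH-1.99-ExampleSwitch_1.0"
SSH2_BANNER = "SSH-2.0-ExampleSwitch_1.0"
SSH1_BANNER = "SSH-1.5-ExampleOld_0.9"

if __name__ == "__main__":
    for banner in (COMPAT_BANNER, SSH2_BANNER, SSH1_BANNER):
        print("%-30s %s" % (banner, classify_server(banner)))
    # An SSH2-only client never ends up on SSH1, whatever the banner says.
    print(negotiate(SSH2, {SSH2}, SSH1_BANNER, {SSH1}))
    # A client that still supports SSH1 follows the server down to 1.5.
    print(negotiate(SSH2, {SSH1, SSH2}, SSH1_BANNER, {SSH1}))
```

Because the exchange is in plain text, the banner is also the quickest external check of whether a server still accepts SSH1 clients.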

 

II. Key and algorithm negotiation

- The server and the client send key algorithm negotiation packets to each other, which include the supported public key algorithm list, encryption algorithm list, MAC algorithm list, and compression algorithm list.
- Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used.
- The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID.

Through the above steps, the server and the client get the same session key, which is to be used to encrypt and decrypt data exchanged between the server and the client later. The server and the client use session ID in the authentication stage.

Caution:

Before the phase of negotiation, the system has generated a server key pair and host key pair on the server. They are used for generating session keys. The server key pair is only available for SSH1.

 

III. Authentication

- The client sends to the server an authentication request, which includes the username, authentication method and information related to the authentication method.
- The server authenticates the client. If the authentication fails, the server informs the client by sending a message, which includes a list of available methods for re-authentication.
- The client selects a method from the list to initiate another authentication.
- The above process repeats until the authentication succeeds or the authentication times out and the session is torn down.

SSH provides two authentication methods: password authentication and RSA authentication.

In password authentication:

- The client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server.
- Upon receiving the request, the server decrypts the username and password, compares them against those it maintains, and then informs the client of the authentication result.

In RSA authentication:

- The client sends an RSA authentication request (containing its public key) to the server. Upon receiving the request, the server checks its validity. If the request is not valid, the server directly sends a failure message. Otherwise, the server generates a 32-byte random number, arranges the random number into a multiple-precision (MP) integer according to the most significant bit (MSB), encrypts the MP integer using the public key of the client, and initiates an authentication challenge to the client.
- Upon receiving the challenge message, the client decrypts the MP integer using its own private key, generates an MD5 message digest from the integer and the session ID (an intermediate result generated in the key and algorithm negotiation phase), encrypts the 16-byte MD5 value, and then sends the encrypted MD5 value to the server.
- Upon receiving the MD5 value, the server reverts it to the original value, and compares the reverted MD5 value with the MD5 value calculated by itself. If the two MD5 values are the same, the server sends an authentication success message. Otherwise, the server sends an authentication failure message.
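The RSA challenge and response described above, with both sides' steps, as an added example that is not part of the original manual. It uses a toy key built from two Mersenne primes and textbook RSA without padding so that it runs with the standard library only, and it leaves out the session-key encryption applied to the 16-byte response; the key, function names and session IDs are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy RSA key (constructed, NOT secure): two Mersenne primes as factors.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

CLIENT_PUBLIC = (N, E)    # configured on the server for the SSH user
CLIENT_PRIVATE = (N, D)   # stays on the client


def server_make_challenge(client_pub):
    """Server: pick a 32-byte random number, arrange it MSB-first as an
    integer and encrypt it with the client's public key.
    Returns (secret kept by the server, challenge sent to the client)."""
    n, e = client_pub
    secret = secrets.token_bytes(32)
    mp_int = int.from_bytes(secret, "big")
    return secret, pow(mp_int, e, n)


def client_answer(challenge, priv, session_id):
    """Client: decrypt the challenge with the private key and return the
    16-byte MD5 digest of the recovered number plus the session ID."""
    n, d = priv
    value = pow(challenge, d, n)
    # A wrong private key yields an unrelated number that may not fit in
    # 32 bytes; size the buffer accordingly instead of raising an error.
    secret = value.to_bytes(max(32, (value.bit_length() + 7) // 8), "big")
    return hashlib.md5(secret + session_id).digest()


def server_verify(secret, session_id, response):
    """Server: compute the digest itself and compare in constant time."""
    expected = hashlib.md5(secret + session_id).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(client_priv, client_session_id, server_session_id):
    """One full authentication attempt; True means success."""
    secret, challenge = server_make_challenge(CLIENT_PUBLIC)
    response = client_answer(challenge, client_priv, client_session_id)
    return server_verify(secret, server_session_id, response)


if __name__ == "__main__":
    sid = b"constructed-session-id"
    # Matching key and session: the server reports success.
    print(run_exchange(CLIENT_PRIVATE, sid, sid))
    # Same key, but the digest was computed for another session: failure,
    # because the session ID is part of the hashed data.
    print(run_exchange(CLIENT_PRIVATE, b"other-session", sid))
    # A client without the matching private key cannot recover the number.
    print(run_exchange((N, D - 2), sid, sid))
```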

 

Note:

Besides password authentication and RSA authentication, SSH2 provides another two authentication methods:

- password-publickey: Performs both password authentication and publickey authentication of the client. A client running SSH1 needs to pass only one of the two, while a client running SSH2 must pass both of them to log in.
- all: Set the authentication mode to either “password” or “RSA”. Clients will attempt to log in through RSA first.

 

IV. Session request

After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing fails or it cannot resolve the request.

V. Interactive session

After a session is assigned successfully, the connection enters the interactive session mode. In this stage, the server and the client exchange data in this way:

- The client encrypts and sends the command to be executed to the server.
- The server decrypts and executes the command, and then encrypts and sends the result to the client.
- The client decrypts and displays the result on the terminal.

Note:

- During an interactive session, the client can send the commands to be performed by pasting the text, which must be within 2000 bytes (including spaces). It is recommended that the text pasted be commands in the same view; otherwise, the server may not be able to perform the commands.
- If the text exceeds 2000 bytes, you can upload the configuration file to the server and use the configuration file to restart the server so that the server executes the commands.

 

1.2  SSH Configuration Task List

| Configuration tasks | | Remarks |
|---|---|---|
| Configuring the SSH server | Enabling SSH Server | Required |
| | Configuring the Protocol Support for a User Interface | Required |
| | Creating/Destroying/Exporting RSA Keys | Required |
| | Configuring Authentication Mode for SSH Users | Optional |
| | Configuring Service Type for SSH Users | Optional |
| | Configuring Working Folders for SSH Users | Optional |
| | Setting the SSH Management Parameters | Optional |
| | Configuring RSA Public Key for the Client | Required for the SSH users that use the RSA authentication mode |
| | Assigning RSA Public Keys to SSH Users | Required for the SSH users that use the RSA authentication mode |
| Configuring the SSH Client | | Optional |
| Configuring the Device as an SSH Client | | Optional |

 

1.3  Configuring the SSH Server

1.3.1  Enabling SSH Server

Follow these steps to enable SSH server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the SSH server function | ssh server enable | Required. Disabled by default. |

 

1.3.2  Configuring the Protocol Support for a User Interface

After enabling the SSH server, you must configure the protocol support for the involved interface(s). Note that the configuration takes effect at the next login.

Follow these steps to configure the protocols for the current user interface to support:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter single-user interface view or multi-user interface view | user-interface [ type-keyword ] number [ ending-number ] | Required |
| Set the login authentication mode to scheme | authentication-mode scheme [ command-authorization ] | Required. By default, the authentication mode is password. |
| Specify the protocols for the user interfaces to support | protocol inbound { all \| pad \| ssh \| telnet } | Optional. All protocols are supported by default. |

Caution:

- For detailed information about the authentication-mode and protocol inbound commands, refer to User Interface Commands of the System Volume.
- If you configure a user interface to support SSH, be sure to configure the corresponding authentication method with the authentication-mode scheme command.
- For a user interface configured to support SSH, you cannot configure the authentication-mode password command and the authentication-mode none command.

 

1.3.3  Creating/Destroying/Exporting RSA Keys

For successful SSH login, you must create the RSA key pairs first.

With SSH enabled, users still cannot log into the server through SSH if neither RSA host key pair nor server key pair is generated.

You can display the created RSA host public key on the screen in a specified format, or export it to a specified file for use when configuring the key at a remote site.

Follow these steps to create, destroy, or export the host key pair and server key pair:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Generate an RSA host key pair and server key pair | rsa local-key-pair create | Required |
| Destroy an RSA host key pair and server key pair | rsa local-key-pair destroy | Required |
| Display RSA host public keys on the screen in a specified format or export RSA host public keys to a specified file | rsa local-key-pair export { ssh1 \| ssh2 \| openssh } [ filename ] | Required. Available in any view. |

Caution:

- The configuration of the rsa local-key-pair create command can survive a reboot. You only need to configure it once.
- For a server key and host key, the minimum length is 512 bits, and the maximum length is 2,048 bits. In SSH2, some clients require that the keys generated on the server should be at least 768 bits in length.
- If you have configured a key pair, the system prompts whether you want to overwrite this key pair when you try to configure another key pair.

 

1.3.4  Configuring Authentication Mode for SSH Users

A newly configured authentication mode will take effect when users log in next time.

Follow these steps to configure the authentication mode for SSH users.

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure an authentication mode for SSH users | ssh user username authentication-type { password \| rsa \| password-publickey \| all } | Optional. By default, the system specifies the authentication mode as “RSA”. |

Caution:

If a user uses the RSA authentication mode, this user and its public key must be configured on a switch. If a user uses the password authentication mode, his/her account information can be configured on a switch or remote authentication server (for example, a RADIUS authentication server).

 

1.3.5  Configuring Service Type for SSH Users

Follow these steps to configure the service type for SSH users:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Specify a service type for a specific user | ssh user username service-type { stelnet \| sftp \| all } | Required. By default, the service type is Stelnet. |

- stelnet (Secure Telnet) refers to the traditional SSH service. For details, refer to SSH2 Overview. For details about sftp (Secure FTP), refer to SFTP Overview.
- To log into the server through SFTP, you must set the service type to sftp or all. If the SFTP service is not used, you must set the service type to stelnet or all.
- SSH1 does not support the service type of sftp. If clients log into the server using SSH1, you must set the service type to stelnet or all on the server. Otherwise, clients cannot log into the server successfully.

 

1.3.6  Configuring Working Folders for SSH Users

Follow these steps to specify a working folder for an SSH user:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Specify a working folder for a user | ssh user username work-directory directory-name | Required |

Caution:

- You need to use this command to specify a working folder for each user whose authentication mode is publickey and service type is SFTP.
- If a user uses publickey and password authentication at the same time, the working folder specified by this command takes priority.

 

1.3.7  Setting the SSH Management Parameters

SSH management includes:

- Enabling the SSH server to be compatible with the SSH1 client
- Setting the server key pair update interval, applicable to users using SSH1 client
- Setting the SSH user authentication timeout period
- Setting the maximum number of SSH authentication attempts

Setting the above parameters helps prevent malicious guessing and cracking of keys and usernames, securing your SSH connections.

Follow these steps to set the SSH management parameters:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the SSH server to work with SSH1.x clients | ssh server compatible-ssh1x enable | Optional. By default, the SSH server can work with SSH1.x clients. |
| Set the RSA server key pair update interval | ssh server rekey-interval hours | Optional. 0 by default, that is, the RSA server key pair is not updated. |
| Set the SSH user authentication timeout period | ssh server authentication-timeout time-out-value | Optional. 60 seconds by default. |
| Set the maximum number of SSH authentication attempts | ssh server authentication-retries times | Optional. 3 by default. |

Note:

Authentication will fail if the number of authentication attempts (including both RSA and password authentication) exceeds that specified in the ssh server authentication-retries command.
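One way to check a saved configuration against the defaults in sections 1.3.2 and 1.3.7 is sketched below. This is an added example, not H3C code: the listing layout (top-level commands in column 0, user-interface sub-commands indented), the `vty 0 4` interface and the `undo ssh server compatible-ssh1x` form (modelled on the `undo ssh client first-time` command in this manual) are assumptions, and flagging values looser than the defaults is an example policy.

```python
# Defaults stated in the tables above.
DEFAULTS = {"compat_ssh1": True, "authentication-retries": 3,
            "authentication-timeout": 60, "rekey-interval": 0}


def parse_config(text):
    """Collect SSH server settings and per-user-interface settings."""
    server = dict(DEFAULTS, enabled=False)      # SSH server is off by default
    interfaces = {}
    current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if raw[0].isspace():                    # inside a user-interface view
            if current is None:
                continue
            if words[0] == "authentication-mode" and len(words) > 1:
                interfaces[current]["auth"] = words[1]
            elif words[:2] == ["protocol", "inbound"] and len(words) > 2:
                interfaces[current]["inbound"] = words[2]
            continue
        current = None
        if words[0] == "user-interface":
            current = " ".join(words[1:])
            # Defaults from 1.3.2: password authentication, all protocols.
            interfaces[current] = {"auth": "password", "inbound": "all"}
        elif words[:4] == ["undo", "ssh", "server", "compatible-ssh1x"]:
            server["compat_ssh1"] = False       # assumed undo form
        elif words[:2] == ["ssh", "server"] and len(words) > 2:
            key = words[2]
            if key == "enable":
                server["enabled"] = True
            elif key == "compatible-ssh1x":
                server["compat_ssh1"] = True
            elif key in DEFAULTS and len(words) > 3:
                server[key] = int(words[3])
    return server, interfaces


def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    server, interfaces = parse_config(text)
    if not server["enabled"]:
        return ["SSH server not enabled (it is disabled by default)"]
    findings = []
    if server["compat_ssh1"]:
        findings.append("SSH1.x clients are accepted")
        if server["rekey-interval"] == 0:
            findings.append("rekey-interval 0: RSA server key pair is never updated")
    for key in ("authentication-retries", "authentication-timeout"):
        if server[key] > DEFAULTS[key]:
            findings.append("%s %d is looser than the default %d"
                            % (key, server[key], DEFAULTS[key]))
    for name in sorted(interfaces):
        ui = interfaces[name]
        if ui["inbound"] in ("all", "telnet"):
            findings.append("user-interface %s: protocol inbound %s accepts Telnet"
                            % (name, ui["inbound"]))
        if ui["inbound"] in ("all", "ssh") and ui["auth"] != "scheme":
            findings.append("user-interface %s: SSH needs authentication-mode "
                            "scheme, found %s" % (name, ui["auth"]))
    return findings


# Constructed sample listings (simplified layout, not real device output).
WEAK_CONFIG = """\
ssh server enable
ssh server authentication-retries 5
user-interface vty 0 4
 authentication-mode scheme
"""

HARDENED_CONFIG = """\
ssh server enable
undo ssh server compatible-ssh1x
ssh server authentication-retries 3
ssh server authentication-timeout 30
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```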

 

1.3.8  Configuring RSA Public Key for the Client

This configuration is applicable when the RSA authentication mode is used for SSH users. If the password authentication mode is configured for SSH users, this configuration is not required.

The RSA public key configured on the device is for the SSH user on the client. On the client, you need to specify an RSA private key corresponding to the RSA public key for the SSH user. The key pair on the client is generated at random by the client software that supports SSH.

You can configure an RSA public key of the client manually or by importing from a public key file.

- For the first method, you can configure the host public key of the client to the server using Copy plus Paste. Note that the copied public key must not have been converted and must be in the distinguished encoding rules (DER) encoding format.
- For the second method, the system automatically converts the public key file generated by the client software to PKCS codes, and configures the public key of the client. The public key file of the RSA key must be FTPed/TFTPed to the server in advance.

Caution:

- You are recommended to configure the client public key by importing the key from a public key file.
- When acting as an SSH server, the device cannot FTP the public key of the client to the server through Secure CRT 4.07.

 

Follow these steps to configure the RSA public key of the client manually.

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enter public key view | rsa peer-public-key keyname | |
| Enter public key editing view | public-key-code begin | |
| Configure the public key of the client | Enter public key data directly | Required. When you enter public key data, there can be spaces between characters, and you can also press Enter to enter data continuously. |
| Exit public key editing view to public key view | public-key-code end | Save the entered public key data when exiting the view |
| Exit public key view to system view | peer-public-key end | |

 

Follow these steps to import the RSA public key of the client from a public key file.

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Import RSA public key of the SSH user from a public key file | rsa peer-public-key keyname import sshkey filename | Required |

 

1.3.9  Assigning RSA Public Keys to SSH Users

If the SSH user uses the RSA authentication mode, you need to specify a public key of the client on the server. When the SSH client logs into the server, the server will authenticate the SSH client using the public key.

If the SSH user uses the password authentication mode, this configuration is not required.

Follow these steps to assign an RSA public key to the SSH user.

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Assign an RSA public key to the SSH user | ssh user username assign rsa-key keyname | Required. keyname indicates the name of an existing public key. When you execute this command, the last assigned public key will prevail if public keys are already assigned to the user. |

Note:

- An SSH user is created on the SSH server so as to specify an authentication mode, SSH service type and public key for the user. You can create an SSH user by configuring any one among the ssh user assign rsa-key, ssh user authentication-type, and ssh user service-type commands. For the S9500 Series Switches, up to 1,024 SSH users can be created, the default authentication mode is RSA, and the default service type is stelnet.
- A user without an SSH account can still pass password authentication and log into the server through Stelnet or SFTP, as long as the user can pass AAA authentication and the service type is SSH.

 

1.4  Configuring the SSH Client

There is a wide range of SSH client software, including PuTTY and OpenSSH. To establish a connection between the SSH client and the server, you need to configure the SSH client as follows:

- Assign an IP address to the server.
- Set the remote connection protocol to SSH. Usually, the client can support a great variety of remote connection protocols, like Telnet, Rlogin, and SSH. To establish an SSH connection, you must set the remote connection protocol to SSH.
- Select an SSH version. The device currently supports SSH2, so you can select 2.0 or earlier versions.
- Specify an RSA private key file. If you configure the SSH user to use RSA authentication and specify an RSA public key for the SSH user on the server, you must specify a corresponding RSA private key file on the client. RSA key pairs are generated by the tools attached to the client software.

Taking PuTTY, PuTTYGen and SSHKEY as an example, the section below describes how to configure the SSH client.

1.4.1  Generating Client Key

Execute PuTTYGen.exe, select SSH-2 RSA from the Parameters section, and click Generate to generate a client key pair.

Figure 1-4 Generate a client key (1)

You need to move the mouse ceaselessly while the key pair is being generated. The mouse must be moved beyond the green progress bar in the blue box. Otherwise, the progress bar will stop and the system will stop generating the key pair, as shown in Figure 1-5.

Figure 1-5 Generate a client key (2)

After the key pair is generated, click save public key to enter the name public of the public key file, and then save the file.

Figure 1-6 Generate a client key (3)

Click save private key. Then the system displays a warning box, prompting whether you want to save this key without a passphrase to protect it. Click Yes, enter a private key filename private, and click Save.

Figure 1-7 Generate a client key (4)

Execute SSHKEY.exe, click Browse, and select the public key file public. Then click Convert to generate RSA public key data in the PKCS format.

Figure 1-8 Generate a client key (5)

1.4.2  Assigning an IP Address to the Server

Execute PuTTY.exe. The system displays a client configuration interface.

Figure 1-9 SSH client configuration (1)

Enter the IP address of the SSH server (the IP address of the SSH server and the IP address of the SSH client must be reachable to each other) in “Host Name (or IP address)”.

1.4.3  Setting the Remote Connection Protocol to SSH

Select SSH in the Protocol selection column, as shown in Figure 1-9.

1.4.4  Selecting SSH Version

Click SSH in Connection in the left Category. Then, the system displays an interface, as shown in Figure 1-10.

Figure 1-10 SSH client configuration (2)

In the Protocol options zone, set Preferred SSH protocol version to 2.

1.4.5  Opening SSH Connection Through RSA

If the user needs to use RSA authentication, you must specify an RSA private key file. If the user needs to use password authentication only, you do not need to specify an RSA private key file.

In Figure 1-10, click Auth under SSH. Then, the system displays an interface, as shown in Figure 1-11.

Figure 1-11 SSH client configuration (3)

Click Browse. Then, the system displays a file selection window. Select a private key file, and click OK.

1.4.6  Opening SSH Connection Through Password

1) In Figure 1-11, click Open. Then the system displays an SSH client interface, as shown in Figure 1-12. If the connection is normal, the system will prompt you to enter a username and password.

Figure 1-12 SSH client

2) Enter a correct username and password to log into the server successfully.

3) To log out of the SSH server, execute the quit command.

1.5  Configuring the Device as an SSH Client

1.5.1  Prerequisite

Configure the SSH server completely. For details, refer to 1.3  Configuring the SSH Server.

1.5.2  Configuring the Device as an SSH Client

When the device, as an SSH client, connects to an SSH server, you can configure whether the SSH client performs first authentication on the accessed SSH server.

- First authentication: When the SSH client accesses the SSH server for the first time but is not configured with the host public key of the server, users can choose to continue accessing the server and save the host public key on the client. When users access the server next time, the saved host public key will be used to authenticate the server.
- If first authentication is not supported, the client will refuse to access the server if not configured with the host public key of the server. Users must configure the host public key of the server to be accessed on the local device in advance, and specify the name of the host public key of the server to be connected, so that the client can authenticate the server to be connected.

In addition, you can configure the client to access the SSH server using a specified IP address or port address.

I. Configure the SSH client that supports first authentication

Follow these steps to configure the SSH client that supports first authentication.

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the SSH client to perform first authentication to the accessed SSH server | ssh client first-time enable | Optional. By default, first authentication is performed on the client. |
| Specify a source IPv4 address or source interface for the SSH client | ssh client source { ip ip-address \| interface interface-type interface-number } | Optional. By default, the client accesses the SSH server using the interface address specified by the device route. |
| Specify a source IPv6 address or source interface for the SSH client | ssh client ipv6 source { ipv6 ipv6-address \| interface interface-type interface-number } | Optional. By default, the client accesses the SSH server using the interface address specified by the device route. |
| Establish a connection between the SSH client and IPv4 server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server | ssh2 { host-ip \| host-name } [ port-number ] [ prefer_ctos_cipher { 3des \| aes128 \| des } \| prefer_ctos_hmac { md5 \| md5_96 \| sha1 \| sha1_96 } \| prefer_kex { dh_exchange_group \| dh_group1 } \| prefer_stoc_cipher { 3des \| aes128 \| des } \| prefer_stoc_hmac { md5 \| md5_96 \| sha1 \| sha1_96 } ] * | Use one of the two commands |
| Establish a connection between the SSH client and IPv6 server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server | ssh2 ipv6 { ipv6-address \| host-name } [ port-number ] [ prefer_ctos_cipher { 3des \| aes128 \| des } \| prefer_ctos_hmac { md5 \| md5_96 \| sha1 \| sha1_96 } \| prefer_kex { dh_exchange_group \| dh_group1 } \| prefer_stoc_cipher { 3des \| aes128 \| des } \| prefer_stoc_hmac { md5 \| md5_96 \| sha1 \| sha1_96 } ] * | Use one of the two commands |

 

II. Configure the SSH client that supports first authentication

Follow these steps to configure the SSH client that does not support first authentication.

To do…

Use the command…

Remarks

Enter system view

system-view

Configure the SSH client not to perform first authentication to the accessed SSH server

undo ssh client first-time

Required

By default, first authentication is performed on the client.

Enter public key view

rsa peer-public-key keyname

Enter public key editing view

public-key-code begin

Configure the public key of the server

Enter the public key data directly

When you enter public key data, there can be spaces between characters, you can also press Enter to enter data continuously, and the configured public key must be a hexadecimal string of characters in the public key format.

Return to public key view

public-key-code end

Save the entered public key data when exiting the view

Return to system view

peer-public-key end

Specify the name of the host public key of the server to be connected on the client

ssh client authentication server { server-ip | server-name } assign rsa-key keyname

Required

Specify an source IP address or source interface for the SSH client

Specify an source IPv4 address or source interface for the SSH client

ssh client source { ip ip-address | interface interface-type interface-number }

Optional

By default, the client accesses the SSH server using the interface address specified by the device route.

Specify a source IPv6 address or source interface for the SSH client

ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

Establish a connection between the SSH client and server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server

Establish a connection between the SSH client and IPv4 server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server

ssh2 { host-ip | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

Use one command

Establish a connection between the SSH client and IPv6 server, and specify the preferred key exchange algorithm, preferred encryption algorithm, and preferred HMAC algorithm for the client and server

ssh2 ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

 

1.6  Displaying and Maintaining SSH

Follow these steps to display and maintain the SSH protocol.

| To do… | Use the command… | Remarks |
|---|---|---|
| View the public key information of the host key pair and server key pair | display rsa local-key-pair public | Available in any view |
| Display the remote RSA public key | display rsa peer-public-key [ brief \| name keyname ] | Available in any view |
| Display the source IP address or interface currently set for the SFTP client | display sftp client source | Available in any view |
| Display the source IP address or interface currently set for the SSH client | display ssh client source | Available in any view |
| Display the status information or session information on an SSH server | display ssh server { status \| session } | Available in any view |
| Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info | Available in any view |
| Display information about a specified or all SSH users on an SSH server | display ssh user-information [ username ] | Available in any view |

 

1.7  SSH Server Configuration Example

I. Network requirements

As shown in Figure 1-13, establish a local connection between the terminal (SSH client) and the Ethernet switch. The terminal logs into the switch through SSH, so as to ensure security of data exchange. For the SSH client, the username is client001, and the password is aabbccddeeff.

II. Network diagram

Figure 1-13 Local configuration of SSH

III. Configuration procedure

1)         Configure the SSH server, Switch

# Generate a key pair and enable the SSH server.

<Switch> system-view

[Switch] rsa local-key-pair create

[Switch] ssh server enable

# Assign an IP address to the VLAN-interface 1. The client will be connected to the SSH server through this address.

[Switch] interface Vlan-interface 1

[Switch-Vlan-interface1] ip address 192.168.0.1 255.255.255.0

[Switch-Vlan-interface1] quit

The IP address of the client host and the IP address of the VLAN interface on the switch must be in the same network segment. Here, the client host address is set to 192.168.0.2.

2)         Configure the password authentication mode for the SSH user

# Configure the SSH client to log into the user interface through AAA

[Switch] user-interface vty 0 4

[Switch-vty0-4] authentication-mode scheme

# Set the remote user login protocol on the switch to SSH.

[Switch-vty0-4] protocol inbound ssh

[Switch-vty0-4] quit

# Create a local user named client001.

[Switch] local-user client001

[Switch-luser-client001] password simple aabbccddeeff

[Switch-luser-client001] service-type ssh level 3

[Switch-luser-client001] quit

[Switch] ssh user client001 authentication-type password

Configure the authentication timeout time, number of attempts, and server key update interval as default values.

Then, you need to run the SSH2-capable client software on the terminal connected to the switch, configure the IP address of the reachable interface of the SSH server (switch) to 192.168.0.1, configure the protocol type as SSH, and configure the protocol version to 2. Launch the SSH connection, and enter the username client001 and password aabbccddeeff as prompted. Then, you can enter the configuration interface of the switch.

login as: client001

client001@192.168.0.1's password:

 

*********************************************************

*All rights reserved (2004-2006)                        *

*Without the owner's prior written consent,             *

*no decompiling or reverse-engineering shall be allowed.*

*********************************************************

 

<Switch>

3)         Configure the RSA authentication mode for the SSH user

# Configure AAA on the user interface.

[Switch] user-interface vty 0 4

[Switch-vty0-4] authentication-mode scheme

# Set the remote user login protocol on the switch to SSH.

[Switch-vty0-4] protocol inbound ssh

# Set the privilege level to 3 for the user.

[Switch-vty0-4] user privilege level 3

[Switch-vty0-4] quit

# Set the authentication mode to RSA for the remote user client001 on the switch.

[Switch] ssh user client001 authentication-type rsa

Then generate a random RSA key pair (public key and private key) with the SSH2-capable client software, and configure the RSA public key (a PKCS-compliant hexadecimal string encoded by the SSHKEY.EXE software) under the specified rsa peer-public-key on the SSH server.

# Set an RSA key on the switch.

[Switch] rsa peer-public-key Switch001

[Switch-rsa-public-key] public-key-code begin

[Switch-rsa-key-code]30818602 818078C4 32AD7864 BB0137AA 516284BB 3F55F0E3

[Switch-rsa-key-code]F6DD9FC2 4A570215 68D2B3F7 5188A1C3 2B2D40BE D47A08FA

[Switch-rsa-key-code]CF41AF4E 8CCC2ED0 C5F9D1C5 22FC0625 BA54BCB3 D1CBB500

[Switch-rsa-key-code]A177E917 642BE3B5 C683B0EB 1EC041F0 08EF60B7 8B6ED628

[Switch-rsa-key-code]9830ED46 0BA21FDB F55E7C81 5D1A2045 54BFC853 5358E5CF

[Switch-rsa-key-code]7D7DDF25 03C44C00 E2F49539 5C4B0201 25

[Switch-rsa-key-code] public-key-code end

[Switch-rsa-public-key] peer-public-key end

# If the server stores the public key of the client through a file named Switch001, you can import the public key directly from the file.

[Switch] rsa peer-public-key Switch001 import sshkey Switch001

# Specify the public key Switch001 for the user client001.

[Switch] ssh user client001 assign rsa-key Switch001

For RSA authentication, you need to configure the IP address, protocol type, and protocol version of the SSH server on the client, and to specify an RSA private key file (generated by the client software at random). Launch the SSH connection, and enter a username and password as prompted. Then, you can enter the configuration interface of the switch.

login as: client001

Authenticating with public key "rsa-key-20061023"

 

*********************************************************

*All rights reserved (2004-2006)                        *

*Without the owner's prior written consent,             *

*no decompiling or reverse-engineering shall be allowed.*

*********************************************************

 

<Switch>

1.8  SSH Client Configuration Example

1.8.1  Network Requirements

As shown in Figure 1-14, configure Switch A as a client, and configure Switch A to log into Switch B through SSH. For the SSH client, the username is client001, and the password is aabbccddeeff.

1.8.2  Network Diagram

Figure 1-14 SSH client configuration

1.8.3  Configuration

1)         Configure Switch B

# Generate an RSA host key pair and server key pair, and enable the SSH server.

<SwitchB> system-view

[SwitchB] rsa local-key-pair create

[SwitchB] ssh server enable

# Assign an IP address to the VLAN-interface 1. The client will be connected to the SSH server through this address.

[SwitchB] interface Vlan-interface 1

[SwitchB-Vlan-interface1] ip address 10.165.87.136 255.255.255.0

[SwitchB-Vlan-interface1] quit

# Configure the SSH client to log into the user interface through AAA

[SwitchB] user-interface vty 0 4

[SwitchB-vty0 4] authentication-mode scheme

# Set the remote user login protocol on the switch to SSH.

[SwitchB-ui-vty0 4] protocol inbound ssh

[SwitchB-ui-vty0 4] quit

# Create a local user named client001.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbccddeeff

[SwitchB-luser-client001] service-type ssh level 3

[SwitchB-luser-client001] quit

# Configure the password authentication mode for the SSH user. Configure the authentication timeout time, number of attempts, and server key update interval as default values.

[SwitchB] ssh user client001 authentication-type password

 

Note:

If configuring RSA authentication for the SSH user, you need to configure a host public key for Switch A. For details, refer to the related section in 1.7 SSH Server Configuration Example.

 

2)         Configure Switch A

# The IP address of the Vlan interface on Switch A and the IP address of the Vlan interface on Switch B must be in the same network segment. It is set to 10.165.87.137.

<SwitchA> system-view

[SwitchA] interface Vlan-interface 1

[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0

[SwitchA-Vlan-interface1] quit

# Configure the client not to perform first authentication to the server.

[SwitchA] undo ssh client first-time

# Configure the host public key of the SSH server.

[SwitchA] rsa peer-public-key public

[SwitchA-rsa-public-key] public-key-code begin

[SwitchA-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[SwitchA-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[SwitchA-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[SwitchA-rsa-key-code]0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[SwitchA-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[SwitchA-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[SwitchA-rsa-key-code] public-key-code end

[SwitchA-rsa-public-key] peer-public-key end

[SwitchA] ssh client authentication server 10.165.87.136 assign rsa-key public

# Establish an SSH connection to the server with the IP address of 10.165.87.136.

[SwitchA] ssh2 10.165.87.136

Username: client001

Trying 10.165.87.136

Press CTRL+K to abort

Connected to 10.165.87.136...

Enter password:

*********************************************************

*All rights reserved (2004-2006)                        *

*Without the owner's prior written consent,             *

*no decompiling or reverse-engineering shall be allowed.*

*********************************************************

<SwitchB>
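The data entered between public-key-code begin and public-key-code end in sections 1.7 and 1.8.3 is a DER-encoded PKCS#1 RSAPublicKey written in hexadecimal. The following Python code is an added example, not H3C code: it decodes the key lines from the Switch A session above, reports the modulus size and exponent, and derives an OpenSSH-style SHA256 fingerprint that can be compared out of band before the key is bound with ssh client authentication server. The 2048-bit threshold and all function names are assumptions of this example.

```python
import base64
import hashlib
import re

# Key lines copied from the Switch A session in section 1.8.3 of this page,
# prompts included, to show that prompts and spacing are ignored.
PASTED_KEY = """
[SwitchA-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[SwitchA-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[SwitchA-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[SwitchA-rsa-key-code]0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[SwitchA-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[SwitchA-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""
MIN_MODULUS_BITS = 2048  # assumption: local policy threshold, not from the manual


def hex_to_der(pasted: str) -> bytes:
    """Drop "[...]" CLI prompts and whitespace, then decode the hex key data."""
    text = re.sub(r"\s+", "", re.sub(r"\[[^\]]*\]", "", pasted))
    if not text or len(text) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", text):
        raise ValueError("key data is not an even-length hexadecimal string")
    return bytes.fromhex(text)


def read_tlv(buf: bytes, pos: int, tag: int):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        if count not in (1, 2) or pos + count > len(buf):
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the key")
    n_raw, pos = read_tlv(body, 0, 0x02)
    e_raw, pos = read_tlv(body, pos, 0x02)
    if pos != len(body) or not n_raw or not e_raw:
        raise ValueError("malformed RSAPublicKey")
    if n_raw[0] & 0x80 or e_raw[0] & 0x80:
        raise ValueError("negative INTEGER in key")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def mpint(value: int) -> bytes:
    """SSH mpint: 4-byte length, big-endian value, leading 0x00 if top bit set."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return len(raw).to_bytes(4, "big") + raw


def ssh_fingerprint(n: int, e: int) -> str:
    """OpenSSH-style SHA256 fingerprint of the equivalent ssh-rsa key blob."""
    blob = (7).to_bytes(4, "big") + b"ssh-rsa" + mpint(e) + mpint(n)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def review_key(pasted: str) -> dict:
    """Decode pasted key data and report size, exponent, fingerprint, findings."""
    n, e = parse_rsa_public_key(hex_to_der(pasted))
    findings = []
    if n.bit_length() < MIN_MODULUS_BITS:
        findings.append(f"modulus is {n.bit_length()} bits, below {MIN_MODULUS_BITS}")
    if e < 3 or e % 2 == 0:
        findings.append("public exponent is not an odd number >= 3")
    return {"bits": n.bit_length(), "exponent": e,
            "fingerprint": ssh_fingerprint(n, e), "findings": findings}


if __name__ == "__main__":
    for field, value in review_key(PASTED_KEY).items():
        print(f"{field}: {value}")
```

Run the same function over the key text obtained from the server administrator and over the text about to be pasted into the client; the two fingerprints must match before the connection is trusted.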

 


Chapter 2  SFTP Service

When configuring SFTP, go to these sections for information you are interested in:

• SFTP Overview
• Configuring an SFTP Server
• Configuring an SFTP Client
• SFTP Configuration Example

2.1  SFTP Overview

The secure file transfer protocol (SFTP) is a new feature in SSH 2.0.

SFTP uses the SSH connection to provide secure data transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

2.2  Configuring an SFTP Server

2.2.1  Configuration Prerequisites

• You have configured the SSH server. For the detailed configuration procedure, refer to SSH Configuration Task List.
• You have used the ssh user service-type command to set the service type of SSH users to sftp or all. For the configuration procedure, refer to Configuring Service Type for SSH Users.

2.2.2  Enabling the SFTP Server

This configuration task is to enable the SFTP service so that a client can log in to the SFTP server through SFTP.

Follow these steps to enable the SFTP server:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Enable the SFTP server | sftp server enable | Required. Disabled by default. |

 

Note:

When the device functions as the SFTP server, only one client can access the SFTP server at a time. If the SFTP client uses WinSCP, a file on the server cannot be modified directly; it can only be downloaded to a local place, modified, and then uploaded to the server.

 

2.2.3  Configuring the SFTP Connection Idle Timeout Period

Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down, so that an idle user does not keep occupying a connection.

Follow these steps to configure the SFTP connection idle timeout period:

| To do… | Use the command… | Remarks |
|---|---|---|
| Enter system view | system-view | |
| Configure the SFTP connection idle timeout period | sftp server idle-timeout time-out-value | Required. 10 minutes by default. |

 

2.3  Configuring an SFTP Client

2.3.1  Specifying a Source IP Address or Interface for the SFTP Client

You can configure a client to use only a specified source IP address or interface to access the SFTP server, thus enhancing the service manageability.

Follow these steps to specify a source IP address or interface for the SFTP client:

To do…

Use the command…

Remarks

Enter system view

system-view

Specify a source IP address or interface for the SFTP client

Specify a source IPv4 address or interface for the SFTP client

sftp client source { ip ip-address | interface interface-type interface-number }

Use one command as required.

By default, an SFTP client uses the port address specified by the route of the device to access the SFTP server.

Specify a source IPv6 address or interface for the SFTP client

sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

 

2.3.2  Establishing a Connection to the SFTP Server

This configuration task is to enable the SFTP client to establish a connection with the remote SFTP server and enter SFTP client view.

Follow these steps to enable the SFTP client:

To do…

Use the command…

Remarks

Enter system view

system-view

Establish a connection to the remote SFTP server, and enter SFTP Client view

Establish a connection to the remote IPv4 SFTP server, and enter SFTP Client view

sftp { host-ip | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *

Use one command

Establish a connection to the remote IPv6 SFTP server, and enter SFTP Client view

sftp ipv6 { ipv6-address | host-name } [ port-number ] [ prefer_ctos_cipher { 3des | aes128 | des } | prefer_ctos_hmac { md5 | md5_96 | sha1 | sha1_96 } | prefer_kex { dh_exchange_group | dh_group1 } | prefer_stoc_cipher { 3des | aes128 | des } | prefer_stoc_hmac { md5 | md5_96 | sha1 | sha1_96 } ] *
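The ssh2 and sftp commands shown above accept the same five prefer_* keywords. As an added example (not H3C code), this Python checker validates a command line against that syntax and lists the choices a reviewer would question. The WEAK policy table, the function names and the sample command lines are assumptions constructed for this example.

```python
# Option keywords and values as listed in the ssh2/sftp syntax on this page.
ALLOWED = {
    "prefer_kex": {"dh_group1", "dh_exchange_group"},
    "prefer_ctos_cipher": {"des", "3des", "aes128"},
    "prefer_stoc_cipher": {"des", "3des", "aes128"},
    "prefer_ctos_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
    "prefer_stoc_hmac": {"sha1", "sha1_96", "md5", "md5_96"},
}

# Assumption: reviewer policy for this example, not a statement from the manual.
WEAK = {
    "des": "DES uses a 56-bit key",
    "md5": "MAC built on MD5",
    "md5_96": "MAC built on MD5, truncated to 96 bits",
    "dh_group1": "fixed 1024-bit group, assuming diffie-hellman-group1-sha1",
}


def parse_connect_command(line: str) -> dict:
    """Parse an ssh2/sftp command line; raise ValueError if it breaks the syntax."""
    tokens = line.split()
    if tokens and tokens[0].startswith("["):      # drop a "[SwitchA]" prompt
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("ssh2", "sftp"):
        raise ValueError("not an ssh2 or sftp command")
    command, rest = tokens[0], tokens[1:]
    ipv6 = bool(rest) and rest[0] == "ipv6"
    if ipv6:
        rest = rest[1:]
    if not rest or rest[0] in ALLOWED:
        raise ValueError("host is missing")
    host, rest = rest[0], rest[1:]
    port = None
    if rest and rest[0].isdigit():                # optional port-number
        port, rest = int(rest[0]), rest[1:]
    if len(rest) % 2:
        raise ValueError("every prefer_* keyword needs exactly one value")
    options = {}
    for keyword, value in zip(rest[0::2], rest[1::2]):
        if keyword not in ALLOWED:
            raise ValueError(f"unknown keyword {keyword!r}")
        if value not in ALLOWED[keyword]:
            raise ValueError(f"{value!r} is not valid for {keyword}")
        if keyword in options:
            raise ValueError(f"{keyword} given twice")
        options[keyword] = value
    return {"command": command, "ipv6": ipv6, "host": host,
            "port": port, "options": options}


def review_command(line: str) -> dict:
    """Return weak choices and the keywords left at the device's default."""
    options = parse_connect_command(line)["options"]
    weak = [(k, v, WEAK[v]) for k, v in options.items() if v in WEAK]
    unset = [k for k in ALLOWED if k not in options]
    return {"weak": weak, "unset": unset}


if __name__ == "__main__":
    # Constructed command lines, not captured from a real device.
    samples = [
        "[SwitchA] ssh2 10.165.87.136 prefer_kex dh_group1 "
        "prefer_ctos_cipher aes128 prefer_stoc_cipher des prefer_stoc_hmac md5",
        "sftp ipv6 2001:db8::1 2222 prefer_ctos_cipher aes128 "
        "prefer_stoc_cipher aes128",
    ]
    for sample in samples:
        print(sample)
        print(review_command(sample))
```

The client-to-server and server-to-client directions are set independently, so a command that pins only one direction leaves the other at the device's default preference; the `unset` list makes that visible.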

 

2.3.3  Working with the SFTP Directories

SFTP directory operations include:

• Changing or displaying the current working directory
• Displaying files under a specified directory or the directory information
• Changing the name of a specified directory on the server
• Creating or deleting a directory

Follow these steps to work with the SFTP directories:

To do…

Use the command…

Remarks

Enter system view

system-view

Enter SFTP client view

sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*

Required

Change the working directory of the remote SFTP server

cd [ remote-path ]

Optional

Return to the upper-level directory

cdup

Optional

Display the current working directory of the remote SFTP server

pwd

Optional

Display files under a specified directory

dir [ -a | -l ] [ remote-path ]

Optional

The dir command functions the same as the ls command.

ls [ -a | -l ] [ remote-path ]

Change the name of a specified file or directory on the SFTP server

rename oldname newname

Optional

Create a new directory on the remote SFTP server

mkdir remote-path

Optional

Delete a directory from the SFTP server

rmdir remote-path&<1-10>

Optional

 

2.3.4  Working with SFTP Files

SFTP file operations include:

• Changing the name of a file
• Downloading a file
• Uploading a file
• Displaying a list of the files
• Deleting a file

Follow these steps to work with SFTP files:

To do…

Use the command…

Remarks

Enter system view

system-view

Enter SFTP client view

sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*

Required

Change the name of a specified file on the SFTP server

rename old-name new-name

Optional

Download a file from the remote server and save it locally

get remote-file [ local-file ]

Optional

Upload a local file to the remote SFTP server

put local-file [ remote-file ]

Optional

Display the files under a specified directory

dir [ -a | -l ] [ remote-path ]

Optional

The dir command functions the same as the ls command.

ls [ -a | -l ] [ remote-path ]

Delete a file from the SFTP server

delete remote-file&<1-10>

Optional

The delete command functions the same as the remove command.

remove remote-file&<1-10>

 

2.3.5  Displaying Help Information

This configuration task is to display a list of all commands or the help information of an SFTP client command, such as the command format and parameters.

Follow these steps to display a list of all commands or the help information of an SFTP client command:

To do…

Use the command…

Remarks

Enter system view

system-view

Enter SFTP client view

sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]*

Required

Display a list of all commands or the help information of an SFTP client command

help [ all | command-name ]

Required

 

2.3.6  Disabling the SFTP Client

This configuration task is to disable the SFTP client.

Follow these steps to disable the SFTP client:

To do…

Use the command…

Remarks

Enter system view

system-view

Enter SFTP client view

sftp { host-ip | host-name } [ port-number ] [ prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 | 3des } | prefer_stoc_cipher { des | aes128 | 3des } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *

Terminate the connection to the remote SFTP server and return to system view

bye

Required.
Use any command.

These three commands have the same function.

exit

quit

 

2.4  SFTP Configuration Example

I. Network requirements

As shown in Figure 2-1, an SSH connection is established between Switch A and Switch B. Switch A, as an SFTP client, logs in to Switch B for file management and file transfer. The username is client001 and the password is aabbcc.

II. Network diagram

Figure 2-1 Network diagram for SFTP configuration

III. Configuration procedure

1)         Configure the SFTP server (Switch B)

# Generate an RSA host key pair and server key pair, and enable the SSH server.

<SwitchB> system-view

[SwitchB] rsa local-key-pair create

[SwitchB] ssh server enable

# Assign an IP address to VLAN-interface 1. The client will be connected to the SSH server through this address.

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] ip address 192.168.0.1 255.255.255.0

[SwitchB-Vlan-interface1] quit

# Configure the SSH client to log into the user interface through AAA

[SwitchB] user-interface vty 1

[SwitchB-ui-vty1] authentication-mode scheme

# Set the privilege level to 3 for the user.

[SwitchB-ui-vty1] user privilege level 3

# Set the remote user login protocol on the switch to SSH.

[SwitchB-ui-vty1] protocol inbound ssh

[SwitchB-ui-vty1] quit

# Configure local user client001.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh

[SwitchB-luser-client001] quit

# Specify to authenticate the SSH user using the password authentication method, leaving the default authentication timeout time, number of attempts, and server key update interval settings unchanged.

[SwitchB] ssh user client001 authentication-type password

 

Note:

For RSA authentication, you need to configure the host public key of Switch A. For details, refer to the relevant parts in SSH Server Configuration Example.

 

# Enable the SFTP server.

[SwitchB] sftp server enable

# Specify the service type as SFTP for the user.

[SwitchB] ssh user client001 service-type sftp

2)         Configure the client (Switch A)

# Assign an IP address to VLAN-interface 1.

<SwitchA> system-view

System View: return to User View with Ctrl+Z.

[SwitchA] interface Vlan-interface 1

[SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0

[SwitchA-Vlan-interface1] quit

# Establish a connection to the remote SFTP server and enter SFTP client view

[SwitchA] sftp 192.168.0.1

Input Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

 

The Server is not authenticated. Do you continue access it? [Y/N]:y

Do you want to save the server's public key? [Y/N]:y

Enter password:

 

sftp-client>

# Display files under the current directory of the server, delete the file named z, and check if the file is deleted from the directory successfully.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z

sftp-client> delete z

The following File will be deleted:

/z

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

# Create a directory named new1, and check if it is created successfully.

sftp-client> mkdir new1

New directory created

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1

# Rename the directory new1 to new2, and check if the directory is renamed successfully.

sftp-client> rename new1 new2

File successfully renamed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

# Download the file pubkey2 from the server to the local device, and rename the file to public.

sftp-client> get pubkey2 public

Remote  file:/pubkey2 --->  Local file: public

Downloading file successfully ended

# Upload the local file pu to the server, rename the file to puk, and check if the file pu is uploaded successfully.

sftp-client> put pu puk

Local file:pu --->  Remote file: /puk

Uploading file successfully ended

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk

sftp-client>

# Exit SFTP.

sftp-client> quit

Bye

[SwitchA]

 
