07-Security Volume

07-SSH2.0 Commands

SSH2.0 Configuration Commands

display public-key local

Syntax

display public-key local rsa public

View

Any view

Default Level

1: Monitor level

Parameters

rsa: Displays the public key of the RSA local key pair.

Description

Use the display public-key local command to display the information about the public keys of the local key pairs.

Related commands: public-key local create.

Examples

# Display the public key information of the RSA local key pair.

<Sysname> display public-key local rsa public

=====================================================

Time of Key pair created: 19:59:16  2006/10/25

Key name: HOST_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100BC4C392A97734A63
3BA0F1DB01F84EB51228EC86ADE1DBA597E0D9066FDC4F04776CEA3610D2578341F5D04914
3656F1287502C06D39D39F28F0F5CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCD
B5DB620CD1F471401B7117139702348444A2D8900497A87B8D5F13D61C4DEFA3D14A7DC076
24791FC1D226F62DF30203010001

=====================================================

Time of Key pair created: 19:59:17  2006/10/25

Key name: SERVER_KEY

Key type: RSA Encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2
AACC7B2AE12B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27
E054BFAA0A85E113FBDE751EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB
5D299D1E4E27A13C7DD10203010001

Table 1-1 display public-key local command output description

Field                     Description
Time of Key pair created  Time when the key pair was created
Key name                  Name of the key
Key type                  Type of the key
Key code                  Code of the key

display public-key peer

Syntax

display public-key peer [ brief | name publickey-name ]

View

Any view

Default Level

1: Monitor level

Parameters

brief: Displays brief information about all public keys of SSH peers.

name publickey-name: Specifies a public key of an SSH peer by its name, which is a string of 1 to 64 characters.

Description

Use the display public-key peer command to display information about the specified or all locally saved public keys of SSH peers.

With neither the brief keyword nor the name publickey-name combination specified, the command displays detailed information about all locally saved public keys of SSH peers.

You can use the public-key peer command or the public-key peer import sshkey command to get a local copy of the public keys of an SSH peer.

Related commands: public-key peer, public-key peer import sshkey.

Examples

# Display detailed information about the locally saved public key named idrsa.

<Sysname> display public-key peer name idrsa

=====================================

  Key name  : idrsa

  Key type  : RSA

  Key module: 1024

=====================================

Key Code:

30819D300D06092A864886F70D010101050003818B00308187028181009C46A8710216CEC0
C01C7CE136BA76C79AA6040E79F9E305E453998C7ADE8276069410803D5974F708496947AB
39B3F39C5CE56C95B6AB7442D56393BF241F99A639DD02D9E29B1F5C1FD05CC1C44FBD6CFF
B58BE6F035FAA2C596B27D1231D159846B7CB9A7757C5800FADA9FD72F65672F4A549EE99F
63095E11BD37789955020123

Table 1-2 display public-key peer name command output description

Field       Description
Key name    Name of the key
Key type    Type of the key
Key module  Modulus length of the key, in bits
Key code    Code of the key

# Display brief information about all locally saved public keys of SSH peers.

<Sysname> display public-key peer brief

Type  Module  Name

---------------------------

RSA   1024    idrsa

Table 1-3 display public-key peer brief command output description

Field   Description
Type    Type of the key
Module  Number of bits in the key
Name    Name of the public key of an SSH peer

display sftp client source

Syntax

display sftp client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display sftp client source command to display the source IP address or source interface currently set for the SFTP client.

If neither source IP address nor source interface is specified for the SFTP client, the system will prompt you to specify the source information.

Related commands: sftp client source.

Examples

# Display the source IP address of the SFTP client.

<Sysname> display sftp client source

The source IP address you specified is 192.168.0.1

display ssh client source

Syntax

display ssh client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh client source command to display the source IP address or source interface currently set for the SSH client.

If neither source IP address nor source interface is specified for the SSH client, the system will prompt you to specify the source information.

Related commands: ssh client source.

Examples

# Display the source IP address of the SSH client.

<Sysname> display ssh client source

The source IP address you specified is 192.168.0.1

display ssh server

Syntax

display ssh server { session | status }

View

Any view

Default Level

1: Monitor level

Parameters

session: Displays the session information of the SSH server.

status: Displays the status information of the SSH server.

Description

Use the display ssh server command on an SSH server to display SSH server status information or session information.

Related commands: ssh server authentication-retries, ssh server rekey-interval, ssh server authentication-timeout, ssh server enable, ssh server compatible-ssh1x enable.

Examples

# Display the SSH server status information.

<Sysname> display ssh server status

 SSH Server: Disable

 SSH version : 1.99

 SSH authentication-timeout : 60 second(s)

 SSH server key generating interval : 0 hour(s)

 SSH authentication retries : 3 time(s)

 SFTP server: Disable

 SFTP server Idle-Timeout: 10 minute(s)

Table 1-4 display ssh server status command output description

Field                               Description
SSH Server                          Whether the SSH server function is enabled
SSH version                         SSH protocol version. When the server is compatible with SSH1 clients, the version is shown as 1.99; otherwise it is 2.0.
SSH authentication-timeout          Authentication timeout period
SSH server key generating interval  SSH server key pair update interval
SSH authentication retries          Maximum number of SSH authentication attempts
SFTP server                         Whether the SFTP server function is enabled
SFTP server Idle-Timeout            SFTP connection idle timeout period

# Display the SSH server session information.

<Sysname> display ssh server session

 Conn   Ver   Encry    State         Retry    SerType  Username

 VTY 0  2.0   DES      Established   0        SFTP     client001

Table 1-5 display ssh server session command output description

Field     Description
Conn      Connected VTY channel
Ver       SSH server protocol version
Encry     Encryption algorithm
State     Status of the session: Init, Ver-exchange, Keys-exchange, Auth-request, Serv-request, Established, or Disconnected
Retry     Number of authentication attempts
SerType   Service type (SFTP or Stelnet)
Username  Name of the user during login

display ssh server-info

Syntax

display ssh server-info

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh server-info command on a client to display mappings between SSH servers and their host public keys saved on the client.

When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.

Related commands: ssh client authentication server.

Examples

# Display the mappings between host public keys and SSH servers saved on the client.

<Sysname> display ssh server-info

Server Name(IP)                 Server public key name

______________________________________________________

192.168.0.1                      abc_key01

192.168.0.2                      abc_key02

Table 1-6 display ssh server-info command output description

Field                   Description
Server Name(IP)         Name or IP address of the server
Server public key name  Name of the host public key of the server

display ssh user-information

Syntax

display ssh user-information [ username ]

View

Any view

Default Level

1: Monitor level

Parameters

username: SSH username, a string of 1 to 80 characters.

Description

Use the display ssh user-information command on an SSH server to display information about one or all SSH users.

With the username argument not specified, the command displays information about all SSH users.

Related commands: ssh user.

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information

 Total ssh users : 2

 Username    Authentication-type   User-public-key-name     Service-type

 yemx        password              null                    stelnet|sftp

 test        publickey             pubkey                     sftp

Table 1-7 display ssh user-information command output description

Field                 Description
Username              Name of the user
Authentication-type   Authentication type. If this field is password, the User-public-key-name field is null.
User-public-key-name  Name of the public key assigned to the user
Service-type          Service type

peer-public-key end

Syntax

peer-public-key end

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the peer-public-key end command to return from public key view to system view.

Related commands: public-key peer.

Examples

# Exit public key view.

<Sysname> system-view

[Sysname] public-key peer key1

[Sysname-pkey-public-key] peer-public-key end

[Sysname]

public-key-code begin

Syntax

public-key-code begin

View

Public key view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code begin command to enter public key code view.

After entering public key code view, you can input the key data. It must be the unconverted hexadecimal string of the key in Distinguished Encoding Rules (DER) format. Spaces and carriage returns are allowed between characters.

Related commands: public-key peer, public-key-code end.

Examples

# Enter public key code view to input the key.

<Sysname> system-view

[Sysname] public-key peer key1

[Sysname-pkey-public-key] public-key-code begin

[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A

[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4

[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6

[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301

[Sysname-pkey-key-code]0001

public-key-code end

Syntax

public-key-code end

View

Public key code view

Default Level

2: System level

Parameters

None

Description

Use the public-key-code end command to return from public key code view to public key view and to save the configured public key.

The system verifies the key before saving it. If the key contains illegal characters, the system displays an error message and discards the key. If the key is legal, the system saves it.

Related commands: public-key peer, public-key-code begin.

Examples

# Exit public key code view and save the configured public key.

<Sysname> system-view

[Sysname] public-key peer key1

[Sysname-pkey-public-key] public-key-code begin

[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A

[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4

[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6

[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301

[Sysname-pkey-key-code]0001

[Sysname-pkey-key-code] public-key-code end

[Sysname-pkey-public-key]

public-key local create

Syntax

public-key local create rsa

View

System view

Default Level

2: System level

Parameters

rsa: RSA key pair.

Description

Use the public-key local create command to create a local key pair.

Note that:

- When using this command to create an RSA key pair, you will be prompted to provide the length of the key pair. The length of a server/host key must be in the range 512 to 2048 bits and defaults to 1024. If the key pair already exists, the system will ask you whether you want to overwrite it.

- The configuration of this command survives a reboot, so you only need to configure it once.

Related commands: public-key local destroy, display public-key local.

Examples

# Create an RSA local key pair.

<Sysname> system-view

[Sysname] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It may take a few minutes.

Press CTRL+C to abort.

Input the bits in the modulus [default = 1024]:

Generating keys...

........++++++

....................................++++++

.......++++++++

......................++++++++

.

public-key local destroy

Syntax

public-key local destroy rsa

View

System view

Default Level

2: System level

Parameters

rsa: RSA key pair.

Description

Use the public-key local destroy command to destroy the local key pair(s).

Related commands: public-key local create.

Examples

# Destroy the RSA local key pair.

<Sysname> system-view

[Sysname] public-key local destroy rsa

Warning: Confirm to destroy these keys? [Y/N]:y

public-key local export rsa

Syntax

public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]

View

System view

Default Level

2: System level

Parameters

openssh: Uses the format of OpenSSH.

ssh1: Uses the format of SSH1.5.

ssh2: Uses the format of SSH2.0.

filename: Name of the file for storing public key. For detailed information about file name, refer to File System Management in the System Volume.

Description

Use the public-key local export rsa command to display the RSA local public key on the screen or export it to a specified file.

If you do not specify the filename argument, the command displays the RSA local public key on the screen; otherwise, the command exports the RSA local public key to the specified file and saves the file.

SSH1, SSH2.0 and OpenSSH are three different public key file formats for different requirements.

Related commands: public-key local create, public-key local destroy.

Examples

# Export the RSA local public key in OpenSSH format to a file named key.pub.

<Sysname> system-view

[Sysname] public-key local export rsa openssh key.pub

# Display the RSA local public key in SSH2.0 format.

<Sysname> system-view

[Sysname] public-key local export rsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "rsa-key-20061105"

AAAAB3NzaC1yc2EAAAADAQABAAAAgKRkxFoZ+T72Srs9c60+j2yrkd0AHBsXBh0Uq+iNvE12PaYR1On4

x+aNlwe9fjW1PYgzH+DRkTpiMrn3j2pIs7gaJXvefTW94rbVWJ94uiSDk1NLX1JcoTtWnQcVhft3mUZ+

J0jBEhAcw4bROe7/qr6l7VTCo9FBZ0XgKuHroovX

---- END SSH2 PUBLIC KEY ----

# Display the RSA local public key in OpenSSH format.

<Sysname> system-view

[Sysname] public-key local export rsa openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgLxMOSqXc0pjO6Dx2wH4TrUSKOyGreHbpZfg2QZv3E8Ed2
zqNhDSV4NB9dBJFDZW8Sh1AsBtOdOfKPD1y6Yw2ozRwW7OinplKC8kB+h1fnk33M2122IM0fRx
QBtxFxOXAjSERKLYkASXqHuNXxPWHE3vo9FKfcB2JHkfwdIm9i3z rsa-key

public-key peer

Syntax

public-key peer keyname

undo public-key peer keyname

View

System view

Default Level

2: System level

Parameters

keyname: Public key name, a string of 1 to 64 characters.

Description

Use the public-key peer command to enter public key view.

Use the undo public-key peer command to remove the configured peer public key.

After entering public key view, you can configure the peer public key with the public-key-code begin and public-key-code end commands. This requires that you obtain the hexadecimal public key from the peer beforehand.

Related commands: public-key-code begin, public-key-code end.

Examples

# Enter public key view, specifying a public key name of key1.

<Sysname> system-view

[Sysname] public-key peer key1

[Sysname-pkey-public-key]

public-key peer import sshkey

Syntax

public-key peer keyname import sshkey filename

undo public-key peer keyname

View

System view

Default Level

2: System level

Parameters

keyname: Public key name, a string of 1 to 64 characters.

filename: Public key file name. For detailed information about file name, refer to File System Management in the System Volume.

Description

Use the public-key peer import sshkey command to import a peer public key from the public key file.

Use the undo public-key peer command to remove the setting.

After execution of this command, the system automatically transforms the public key file in SSH1, SSH2.0 or OpenSSH format to PKCS format, and imports the peer public key. This requires that you get a copy of the public key file from the peer through FTP/TFTP.

Examples

# Import a peer public key named key2 from public key file key.pub.

<Sysname> system-view

[Sysname] public-key peer key2 import sshkey key.pub
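The public-key-code begin command above takes the peer key as a raw DER hex string, while public-key peer import sshkey and public-key local export rsa move the same key between the OpenSSH, SSH2.0 and PKCS (DER) representations. The following Python script, added here as an illustration and not part of the H3C manual or its software, shows what those representations contain: it cleans a key code typed with spaces and line breaks, rejects non-hex characters the way public-key-code end does, walks the DER SubjectPublicKeyInfo down to the RSA modulus and exponent, decodes an OpenSSH one-line key or an RFC 4716 (SSH2.0) block, and confirms that the HOST_KEY shown under display public-key local is the same key as the OpenSSH export shown on this page. The sample strings are copied from this page's command output; the function names are this example's own.

```python
import base64
import re

# DER encoding of the rsaEncryption OID (1.2.840.113549.1.1.1)
RSA_OID = bytes.fromhex("2A864886F70D010101")

# HOST_KEY as it appears under "display public-key local rsa public" on this page,
# written the way it would be typed in public key code view (line breaks allowed).
HOST_KEY = """
30819F300D06092A864886F70D010101050003818D0030818902818100BC4C392A97734A63
3BA0F1DB01F84EB51228EC86ADE1DBA597E0D9066FDC4F04776CEA3610D2578341F5D04914
3656F1287502C06D39D39F28F0F5CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCD
B5DB620CD1F471401B7117139702348444A2D8900497A87B8D5F13D61C4DEFA3D14A7DC076
24791FC1D226F62DF3020301
0001
"""
# Output of "public-key local export rsa openssh" on this page (same host key).
OPENSSH_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgLxMOSqXc0pjO6Dx2wH4TrUSKOyGreHbpZfg2QZv3E8Ed2"
    "zqNhDSV4NB9dBJFDZW8Sh1AsBtOdOfKPD1y6Yw2ozRwW7OinplKC8kB+h1fnk33M2122IM0fRx"
    "QBtxFxOXAjSERKLYkASXqHuNXxPWHE3vo9FKfcB2JHkfwdIm9i3z rsa-key"
)
# Output of "public-key local export rsa ssh2" on this page (a different key).
SSH2_KEY = """---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20061105"
AAAAB3NzaC1yc2EAAAADAQABAAAAgKRkxFoZ+T72Srs9c60+j2yrkd0AHBsXBh0Uq+iNvE12PaYR1On4
x+aNlwe9fjW1PYgzH+DRkTpiMrn3j2pIs7gaJXvefTW94rbVWJ94uiSDk1NLX1JcoTtWnQcVhft3mUZ+
J0jBEhAcw4bROe7/qr6l7VTCo9FBZ0XgKuHroovX
---- END SSH2 PUBLIC KEY ----"""


def key_code_to_der(text):
    """Drop spaces and carriage returns, then reject anything that is not hex."""
    cleaned = re.sub(r"\s+", "", text)
    if not cleaned or len(cleaned) % 2 or re.search(r"[^0-9A-Fa-f]", cleaned):
        raise ValueError("key code contains illegal characters")
    return bytes.fromhex(cleaned)


def _tlv(buf, pos):
    """Read one DER tag-length-value; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_der_rsa(der):
    """SubjectPublicKeyInfo -> (n, e). Layout: SEQ { SEQ { OID, NULL }, BIT STRING { SEQ { n, e } } }."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    tag, alg, pos = _tlv(spki, 0)
    if tag != 0x30 or _tlv(alg, 0)[1] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bitstr, _ = _tlv(spki, pos)
    if tag != 0x03 or bitstr[0] != 0:       # first byte = number of unused bits
        raise ValueError("bad BIT STRING")
    tag, rsapub, _ = _tlv(bitstr, 1)
    if tag != 0x30:
        raise ValueError("bad RSAPublicKey")
    tag_n, n, pos = _tlv(rsapub, 0)
    tag_e, e, _ = _tlv(rsapub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def parse_ssh_rsa(text):
    """OpenSSH one-line key or RFC 4716 block -> (n, e).
    Both wrap the same blob: string "ssh-rsa", mpint e, mpint n (4-byte lengths)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if lines[0].startswith("ssh-rsa "):
        blob = lines[0].split()[1]
    else:                                   # header lines such as Comment: are skipped
        blob = "".join(l for l in lines[1:-1] if ":" not in l)
    data = base64.b64decode(blob)
    fields, pos = [], 0
    while pos < len(data):
        length = int.from_bytes(data[pos:pos + 4], "big")
        fields.append(data[pos + 4:pos + 4 + length])
        pos += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    # mpints are read as unsigned; RFC 4251 prefixes 0x00 when the top bit is set,
    # and int.from_bytes() gives the same value with or without that byte
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def same_key(der_hex, ssh_text):
    """True when a DER key code and an SSH-format key carry the same (n, e)."""
    return parse_der_rsa(key_code_to_der(der_hex)) == parse_ssh_rsa(ssh_text)
```

Comparing the modulus and exponent across formats is the check to run before trusting a key that arrived by FTP/TFTP: the "Key module: 1024" shown by display public-key peer is the bit length of n recovered here, and a key that fails key_code_to_der would be discarded by public-key-code end.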

sftp

Syntax

sftp server [ port-number ] [ prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

3: Manage level

Parameters

server: IPv4 address or name of the server, a string of 1 to 20 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

- 3des: Encryption algorithm 3des-cbc.

- aes128: Encryption algorithm aes128-cbc.

- des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

- md5: HMAC algorithm hmac-md5.

- md5-96: HMAC algorithm hmac-md5-96.

- sha1: HMAC algorithm hmac-sha1.

- sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.

- dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

- dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

- dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1.

Description

Use the sftp command to establish a connection to a remote IPv4 SFTP server and enter SFTP client view.

Examples

# Connect to SFTP server 10.1.1.2.

<Sysname> sftp 10.1.1.2

Input Username:

sftp client ipv6 source

Syntax

sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

undo sftp client ipv6 source

View

System view

Default Level

3: Manage level

Parameters

ipv6 ipv6-address: Specifies a source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for an SFTP client.

Use the undo sftp client ipv6 source command to remove the configuration.

By default, the client uses the interface address specified by the route of the device to access the SFTP server.

Examples

# Specify the source IPv6 address of the SFTP client as 2:2::2:2.

<Sysname> system-view

[Sysname] sftp client ipv6 source ipv6 2:2::2:2

sftp client source

Syntax

sftp client source { ip ip-address | interface interface-type interface-number }

undo sftp client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the sftp client source command to specify the source IPv4 address or interface of an SFTP client.

Use the undo sftp client source command to remove the configuration.

By default, a client uses the IP address of the interface specified by the route to access the SFTP server.

Related commands: display sftp client source.

Examples

# Specify the source IP address of the SFTP client as 192.168.0.1.

<Sysname> system-view

[Sysname] sftp client source ip 192.168.0.1

sftp ipv6

Syntax

sftp ipv6 server [ port-number ] [ prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

3: Manage level

Parameters

server: IPv6 address or name of the server, a string of 1 to 46 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

- 3des: Encryption algorithm 3des-cbc.

- aes128: Encryption algorithm aes128-cbc.

- des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1.

- md5: HMAC algorithm hmac-md5.

- md5-96: HMAC algorithm hmac-md5-96.

- sha1: HMAC algorithm hmac-sha1.

- sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.

- dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

- dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

- dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1.

Description

Use the sftp ipv6 command to establish a connection to a remote IPv6 SFTP server and enter SFTP client view.

Examples

# Connect to server 2:5::8:9.

<Sysname> sftp ipv6 2:5::8:9

Input Username:

sftp server enable

Syntax

sftp server enable

undo sftp server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the sftp server enable command to enable SFTP server.

Use the undo sftp server enable command to disable SFTP server.

By default, SFTP server is disabled.

Related commands: display ssh server.

Examples

# Enable SFTP server.

<Sysname> system-view

[Sysname] sftp server enable

sftp server idle-timeout

Syntax

sftp server idle-timeout time-out-value

undo sftp server idle-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Timeout period in minutes. It ranges from 1 to 35,791.

Description

Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections.

Use the undo sftp server idle-timeout command to restore the default.

By default, the idle timeout period is 10 minutes.

Related commands: display ssh server.

Examples

# Set the idle timeout period for SFTP user connections to 500 minutes.

<Sysname> system-view

[Sysname] sftp server idle-timeout 500

ssh client authentication server

Syntax

ssh client authentication server server assign publickey keyname

undo ssh client authentication server server assign publickey

View

System view

Default Level

2: System level

Parameters

server: IP address or name of the server, a string of 1 to 80 characters.

keyname: Name of the host public key of the server, a string of 1 to 64 characters.

Description

Use the ssh client authentication server command on a client to configure the host public key of the server so that the client can determine whether the server is trustworthy.

Use the undo ssh client authentication server command to remove the configuration.

By default, the host public key of the server is not configured, and when logging into the server, the client uses the IP address or host name used for login as the public key name.

If first-time authentication is not enabled on the client, the client rejects servers it cannot authenticate. In this case, you need to configure the public keys of the servers and specify the mappings between public keys and servers on the client, so that the client uses the correct public key to authenticate each server.

Note that the specified host public key of the server must already exist.

Related commands: ssh client first-time enable.

Examples

# Configure the public key of the server with the IP address of 192.168.0.1 to be key1.

<Sysname> system-view

[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1

ssh client first-time enable

Syntax

ssh client first-time enable

undo ssh client first-time

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh client first-time enable command to enable the first authentication function.

Use the undo ssh client first-time command to disable the function.

By default, the function is enabled.

With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server.

Without first-time authentication, a client that is not configured with the server host public key refuses to access the server. To access the server, the user must configure the server host public key locally in advance and specify the public key name to use for authentication.

Note that as the server may update its key pairs periodically, clients must obtain the most recent public keys of the server for successful authentication of the server.

Examples

# Enable the first authentication function.

<Sysname> system-view

[Sysname] ssh client first-time enable
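The two commands above (ssh client authentication server and ssh client first-time enable) together define how this client decides whether a server is trustworthy. The following Python class is an added illustration of that decision logic as the manual describes it; it is not H3C code, and the class name, method names and the sample key strings (KEY-A, KEY-B, KEY-C) are this example's own. It models the three outcomes: an unknown server is trusted and its key saved only when first-time authentication is enabled, a known server must present the saved key, and a server whose key pair was updated is rejected until the client obtains the new public key.

```python
class SshClientHostKeys:
    """Client-side store of server host public keys and server-to-key mappings."""

    def __init__(self, first_time_enabled=True):
        self.first_time_enabled = first_time_enabled   # enabled by default, as on the page
        self.public_keys = {}    # key name -> key material (public-key peer)
        self.assignments = {}    # server IP/name -> key name (ssh client authentication server)

    def add_public_key(self, keyname, key):
        self.public_keys[keyname] = key

    def assign(self, server, keyname):
        # the specified host public key of the server must already exist
        if keyname not in self.public_keys:
            raise KeyError("public key %s does not exist" % keyname)
        self.assignments[server] = keyname

    def unassign(self, server):
        self.assignments.pop(server, None)

    def verify_server(self, server, presented_key):
        """Return (decision, detail) for the host key a server presents at login."""
        # with no assignment the IP address or host name used for login is the key name
        keyname = self.assignments.get(server, server)
        expected = self.public_keys.get(keyname)
        if expected is None:
            if not self.first_time_enabled:
                return ("rejected", "no host public key configured for %s" % server)
            self.public_keys[keyname] = presented_key      # first-time: continue and save
            return ("accepted-first-time", keyname)
        if expected != presented_key:
            # also the case when the server updated its key pair and the saved key is stale
            return ("rejected", "host key for %s does not match %s" % (server, keyname))
        return ("accepted", keyname)


def demo():
    """Walk through the cases with constructed key strings; returns the decisions."""
    results = []
    client = SshClientHostKeys(first_time_enabled=True)
    results.append(client.verify_server("192.168.0.1", "KEY-A")[0])  # unknown: saved
    results.append(client.verify_server("192.168.0.1", "KEY-A")[0])  # known: matches
    results.append(client.verify_server("192.168.0.1", "KEY-B")[0])  # server rekeyed
    strict = SshClientHostKeys(first_time_enabled=False)
    results.append(strict.verify_server("192.168.0.2", "KEY-C")[0])  # no key: rejected
    strict.add_public_key("abc_key02", "KEY-C")
    strict.assign("192.168.0.2", "abc_key02")
    results.append(strict.verify_server("192.168.0.2", "KEY-C")[0])  # pre-configured: ok
    return results
```

The strict instance shows the configuration a security team usually wants on a management network: first-time authentication off, every server's host key loaded beforehand with public-key peer and mapped with ssh client authentication server, so a server presenting an unexpected key is refused rather than silently accepted.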

ssh client ipv6 source

Syntax

ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

undo ssh client ipv6 source

View

System view

Default Level

3: Manage level

Parameters

ipv6 ipv6-address: Specifies a source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client ipv6 source command to specify the source IPv6 address or source interface for the SSH client.

Use the undo ssh client ipv6 source command to remove the configuration.

By default, the client uses the source address specified by the route of the device to access the SSH server.

Examples

# Specify the source IPv6 address as 2:2::2:2 for the SSH client.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

ssh client source

Syntax

ssh client source { ip ip-address | interface interface-type interface-number }

undo ssh client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client source command to specify the source IPv4 address or source interface of the SSH client.

Use the undo ssh client source command to remove the configuration.

By default, an SSH client uses the IP address of the interface specified by the route to access the SSH server.

Related commands: display ssh client source.

Examples

# Specify the source IPv4 address of the SSH client as 192.168.0.1.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

ssh server authentication-retries

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

View

System view

Default Level

2: System level

Parameters

times: Maximum number of authentication attempts, in the range 1 to 5.

Description

Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts, which takes effect at next login.

Use the undo ssh server authentication-retries command to restore the default.

By default, the maximum number of SSH connection authentication attempts is 3.

Note that:

- Authentication will fail if the number of authentication attempts (including both publickey and password authentication) exceeds that specified in the ssh server authentication-retries command.

- If the authentication method of SSH users is password-publickey, the maximum number of SSH connection authentication attempts must be at least 2. This is because SSH2.0 users must pass both password and publickey authentication.

Related commands: display ssh server.

Examples

# Set the maximum number of SSH connection authentication attempts to 4.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

ssh server authentication-timeout

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Authentication timeout period in seconds, in the range 1 to 120.

Description

Use the ssh server authentication-timeout command to set the SSH user authentication timeout period on the SSH server.

Use the undo ssh server authentication-timeout command to restore the default.

By default, the authentication timeout period is 60 seconds.

Related commands: display ssh server.

Examples

# Set the SSH user authentication timeout period to 10 seconds.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to enable the SSH server to work with SSH1 clients.

Use the undo ssh server compatible-ssh1x command to disable the SSH server from working with SSH1 clients.

By default, the SSH server can work with SSH1 clients.

This configuration takes effect only for users logging in after the configuration.

Related commands: display ssh server.

Examples

# Enable the SSH server to work with SSH1 clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable

ssh server enable

Syntax

ssh server enable

undo ssh server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server enable command to enable SSH server.

Use the undo ssh server enable command to disable SSH server.

By default, SSH server is disabled.

Examples

# Enable SSH server.

<Sysname> system-view

[Sysname] ssh server enable

ssh server rekey-interval

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

View

System view

Default Level

2: System level

Parameters

hours: Server key pair update interval in hours, in the range 1 to 24.

Description

Use the ssh server rekey-interval command to set the interval for updating the RSA server key.

Use the undo ssh server rekey-interval command to remove the configuration.

By default, the update interval of the RSA server key is 0, that is, the RSA server key is not updated.

Related commands: display ssh server.

This command is only available to SSH users using SSH1 client software.

Examples

# Set the RSA server key pair update interval to 3 hours.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

ssh user

Syntax

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: SSH username, a string of 1 to 80 characters.

service-type: Specifies the service type of an SSH user, which can be one of the following:

• all: Specifies both secure Telnet and secure FTP.

• sftp: Specifies the service type as secure FTP.

• stelnet: Specifies the service type as secure Telnet.

authentication-type: Specifies the authentication mode of an SSH user, which can be one of the following:

• password: Performs password authentication.

• any: Performs either password authentication or publickey authentication.

• password-publickey: Performs both password authentication and publickey authentication. A client running SSH1 client software only needs to pass either type of authentication, while a client running SSH2.0 client software must pass both types of authentication to log in.

• publickey: Performs publickey authentication.

assign publickey keyname: Assigns an existing public key to an SSH user. keyname indicates the name of the client public key and is a string of 1 to 64 characters.

work-directory directory-name: Specifies the working folder for an SFTP user. directory-name indicates the name of the working folder and is a string of 1 to 135 characters.

Description

Use the ssh user command to create an SSH user and specify the service type and authentication mode.

Use the undo ssh user command to delete an SSH user.

Note that:

• For a publickey authentication user, you must configure the username and the public key on the device. For a password authentication user, you can configure the account information either on the device or on a remote authentication server such as a RADIUS server.

• If you use the ssh user command to configure a public key for a user who already has a public key, the new one overwrites the old one.

• Authentication mode and public key configuration take effect only for users logging in after the configuration.

• If an SFTP user has been assigned a public key, you must also set a working folder for the user.

• The working folder of an SFTP user depends on the user authentication mode. For a user using only password authentication, the working folder is the AAA authorized one. For a user using only publickey authentication or using both the publickey and password authentication modes, the working folder is the one set by using the ssh user command.

Related commands: display ssh user-information.

Examples

# Create an SSH user named user1, setting the service type as sftp, the authentication mode as publickey, the work folder of the SFTP server as flash, and assigning a public key named key1 to the user.

<Sysname> system-view

[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:

ssh2

Syntax

ssh2 server [ port-number ] [ prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

0: Visit level

Parameters

server: IPv4 address or name of the server, a string of 1 to 20 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer-ctos-cipher: Preferred encryption algorithm from client to server. The default is aes128.

• 3des: Encryption algorithm 3des-cbc.

• aes128: Encryption algorithm aes128-cbc.

• des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server. The default is sha1.

• md5: HMAC algorithm hmac-md5.

• md5-96: HMAC algorithm hmac-md5-96.

• sha1: HMAC algorithm hmac-sha1.

• sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm. The default is dh-group-exchange.

• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client. The default is aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client. The default is sha1.

Description

Use the ssh2 command to establish a connection to an IPv4 SSH server, and specify the public key algorithm, the preferred key exchange algorithm, the preferred encryption algorithms and HMAC algorithms of the client and the server.

Examples

# Log in to remote SSH2.0 server 10.214.50.51, setting the algorithms as follows:

• Preferred key exchange algorithm: DH-group1

• Preferred encryption algorithm from server to client: AES128

• Preferred HMAC algorithm from client to server: MD5

• Preferred HMAC algorithm from server to client: SHA1-96

<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

ssh2 ipv6

Syntax

ssh2 ipv6 server [ port-number ] [ prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

0: Visit level

Parameters

server: IPv6 address or name of the server, a string of 1 to 46 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

prefer-ctos-cipher: Preferred encryption algorithm from client to server. The default is aes128.

• 3des: Encryption algorithm 3des-cbc.

• aes128: Encryption algorithm aes128-cbc.

• des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server. The default is sha1.

• md5: HMAC algorithm hmac-md5.

• md5-96: HMAC algorithm hmac-md5-96.

• sha1: HMAC algorithm hmac-sha1.

• sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm. The default is dh-group-exchange.

• dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

• dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

• dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client. The default is aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client. The default is sha1.

Description

Use the ssh2 ipv6 command to establish a connection to an IPv6 SSH server, and specify the public key algorithm, the preferred key exchange algorithm, the preferred encryption algorithms and HMAC algorithms of the client and the server.

Examples

# Log in to remote SSH2.0 server 2000::1, setting the algorithms as follows:

• Preferred key exchange algorithm: DH-group1

• Preferred encryption algorithm from server to client: AES128

• Preferred HMAC algorithm from client to server: MD5

• Preferred HMAC algorithm from server to client: SHA1-96

<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
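The ssh server compatible-ssh1x, ssh user authentication-type and ssh2 prefer-* keywords documented above each carry a security choice. As an added example that is not code from the H3C manual, the following Python audits a captured set of such command lines for the options a defender would want flagged: SSH1 compatibility left at its enabled default, users that can log in without a client public key, and des/3des, md5/md5-96/sha1-96 or dh-group1 preferences. The sample session and the weak/strong classification are this example's own assumptions.

```python
"""Audit H3C SSH command lines for weak settings. Added example, not H3C code;
keyword sets come from the manual's ssh2 / ssh user / compatible-ssh1x entries,
which of them count as weak is this example's own judgement."""
import re

WEAK_CIPHERS = {"des", "3des"}              # des-cbc, 3des-cbc
WEAK_HMACS = {"md5", "md5-96", "sha1-96"}    # MD5-based or truncated MACs
WEAK_KEX = {"dh-group1"}                     # diffie-hellman-group1-sha1, 1024-bit group
ALGO_KEYS = {"prefer-ctos-cipher": WEAK_CIPHERS, "prefer-stoc-cipher": WEAK_CIPHERS,
             "prefer-ctos-hmac": WEAK_HMACS, "prefer-stoc-hmac": WEAK_HMACS,
             "prefer-kex": WEAK_KEX}
PROMPT = re.compile(r"^(\[[^\]]*\]|<[^>]*>)\s*")  # strips a [Sysname] / <Sysname> prompt

def _value_after(toks, key):
    """Token following key, or None if key is absent or last."""
    try:
        return toks[toks.index(key) + 1]
    except (ValueError, IndexError):
        return None

def audit_ssh_config(lines):
    """Return (severity, message) findings for ssh server / ssh user / ssh2 lines."""
    findings, users = [], []            # users: (username, authentication-type keyword)
    ssh1_compat = True                  # manual: SSH1 clients are accepted by default
    for raw in lines:
        toks = PROMPT.sub("", raw.strip()).split()
        if toks[:3] == ["ssh", "server", "compatible-ssh1x"]:
            ssh1_compat = True
        elif toks[:3] == ["undo", "ssh", "server"] and "compatible-ssh1x" in toks:
            ssh1_compat = False
        elif toks[:2] == ["ssh", "user"] and len(toks) > 2:
            users.append((toks[2], _value_after(toks, "authentication-type")))
        elif toks[:1] == ["ssh2"] and len(toks) > 1:
            target = toks[2] if toks[1] == "ipv6" and len(toks) > 2 else toks[1]
            for key, weak in ALGO_KEYS.items():
                val = _value_after(toks, key)
                if val in weak:
                    findings.append(("high", f"ssh2 to {target}: {key} {val} is weak"))
    if ssh1_compat:
        findings.append(("high", "SSH1 client compatibility is on (the default); "
                                 "turn it off with undo ssh server compatible-ssh1x"))
    for user, mode in users:
        if mode in ("password", "any"):
            findings.append(("medium", f"user {user}: authentication-type {mode} "
                                       "allows login without a client public key"))
        elif mode == "password-publickey" and ssh1_compat:
            findings.append(("medium", f"user {user}: password-publickey is two-factor "
                                       "only for SSH2.0 clients; SSH1 clients pass with either"))
    return findings

# Constructed sample session modelled on the manual's own examples, not a real device.
SAMPLE_LINES = """\
[Sysname] ssh server enable
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
[Sysname] ssh user user2 service-type stelnet authentication-type password-publickey assign publickey key2
[Sysname] ssh user user3 service-type all authentication-type any assign publickey key3 work-directory flash:
<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
""".splitlines()

if __name__ == "__main__":
    for severity, message in audit_ssh_config(SAMPLE_LINES):
        print(f"[{severity}] {message}")
```

Adding the line undo ssh server compatible-ssh1x to the sample removes both the SSH1 finding and the user2 finding, since password-publickey is then enforced as two factors for every client.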

SFTP Client Configuration Commands

bye

Syntax

bye

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the bye command to terminate the connection with a remote SFTP server and return to user view.

This command functions as the exit and quit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> bye

Bye

<Sysname>

cd

Syntax

cd [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name of a path on the server.

Description

Use the cd command to change the working path on a remote SFTP server. With the argument not specified, the command displays the current working path.

• You can use the cd .. command to return to the upper-level directory.

• You can use the cd / command to return to the root directory of the system.

Examples

# Change the working path to new1.

sftp-client> cd new1

Current Directory is:

/new1

cdup

Syntax

cdup

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the cdup command to return to the upper-level directory.

Examples

# From the current working directory /new1, return to the upper-level directory.

sftp-client> cdup

Current Directory is:

/

delete

Syntax

delete remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Name of a file on the server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.

Description

Use the delete command to delete the specified file(s) from a server.

This command functions as the remove command.

Examples

# Delete file temp.c from the server.

sftp-client> delete temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed

dir

Syntax

dir [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays in a list form detailed information of the files and folders of the specified directory.

remote-path: Name of the directory to be queried.

Description

Use the dir command to display file and folder information under a specified directory.

With neither the -a nor the -l keyword specified, the command displays detailed information of files and folders under the specified directory in a list form.

With the remote-path not specified, the command displays the file and folder information of the current working directory.

This command functions as the ls command.

Examples

# Display in a list form detailed file and folder information under the current working directory.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

exit

Syntax

exit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the exit command to terminate the connection with a remote SFTP server and return to user view.

This command functions as the bye and quit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> exit

Bye

<Sysname>

get

Syntax

get remote-file [ local-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file: Name of a file on the remote SFTP server.

local-file: Name for the local file.

Description

Use the get command to download a file from a remote SFTP server and save it locally.

If you do not specify the local-file argument, the file will be saved locally with the same name as that on the remote SFTP server.

Examples

# Download file temp1.c and save it as temp.c locally.

sftp-client> get temp1.c temp.c

Remote  file:/temp1.c --->  Local file: temp.c

Downloading file successfully ended

help

Syntax

help [ all | command-name ]

View

SFTP client view

Default Level

3: Manage level

Parameters

all: Displays a list of all commands.

command-name: Name of a command.

Description

Use the help command to display a list of all commands or the help information of an SFTP client command.

With neither the argument nor the keyword specified, the command displays a list of all commands.

Examples

# Display the help information of the get command.

sftp-client> help get

get remote-path [local-path]  Download file.Default local-path is the same

                              as remote-path

ls

Syntax

ls [ -a | -l ] [ remote-path ]

View

SFTP client view

Default Level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays in a list form detailed information of the files and folders of the specified directory.

remote-path: Name of the directory to be queried.

Description

Use the ls command to display file and folder information under a specified directory.

With neither the -a nor the -l keyword specified, the command displays detailed information of files and folders under the specified directory in a list form.

With the remote-path not specified, the command displays the file and folder information of the current working directory.

This command functions as the dir command.

Examples

# Display in a list form detailed file and folder information under the current working directory.

sftp-client> ls

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

mkdir

Syntax

mkdir remote-path

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path: Name for the directory on a remote SFTP server.

Description

Use the mkdir command to create a directory on a remote SFTP server.

Examples

# Create a directory named test on the remote SFTP server.

sftp-client> mkdir test

New directory created

put

Syntax

put local-file [ remote-file ]

View

SFTP client view

Default Level

3: Manage level

Parameters

local-file: Name of a local file.

remote-file: Name for the file on a remote SFTP server.

Description

Use the put command to upload a local file to a remote SFTP server.

If you do not specify the remote-file argument, the file will be saved remotely with the same name as the local one.

Examples

# Upload local file temp.c to the remote SFTP server and save it as temp1.c.

sftp-client> put temp.c temp1.c

Local file:temp.c --->  Remote file: /temp1.c

Uploading file successfully ended

pwd

Syntax

pwd

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the pwd command to display the current working directory of a remote SFTP server.

Examples

# Display the current working directory of the remote SFTP server.

sftp-client> pwd

/

quit

Syntax

quit

View

SFTP client view

Default Level

3: Manage level

Parameters

None

Description

Use the quit command to terminate the connection with a remote SFTP server and return to user view.

This command functions as the bye and exit commands.

Examples

# Terminate the connection with the remote SFTP server.

sftp-client> quit

Bye

<Sysname>

remove

Syntax

remove remote-file&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-file&<1-10>: Name of a file on an SFTP server. &<1-10> means that you can provide up to 10 filenames, separated by spaces.

Description

Use the remove command to delete the specified file(s) from a remote server.

This command functions as the delete command.

Examples

# Delete file temp.c from the server.

sftp-client> remove temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time.Please wait...

 

File successfully Removed

rename

Syntax

rename oldname newname

View

SFTP client view

Default Level

3: Manage level

Parameters

oldname: Original file name or directory name.

newname: New file name or directory name.

Description

Use the rename command to change the name of a specified file or directory on an SFTP server.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.

sftp-client> rename temp1.c temp2.c

File successfully renamed

rmdir

Syntax

rmdir remote-path&<1-10>

View

SFTP client view

Default Level

3: Manage level

Parameters

remote-path&<1-10>: Name of the directory on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names, separated by spaces.

Description

Use the rmdir command to delete the specified directories from an SFTP server.

Examples

# On the SFTP server, delete directory temp1 in the current directory.

sftp-client> rmdir temp1

Directory successfully removed
