Part 8 - Security

11-SSH2.0 Commands



SSH2.0 Configuration Commands

SSH2.0 Server Configuration Commands

display ssh server

Syntax

display ssh server { session | status }

View

Any view

Default Level

1: Monitor level

Parameters

session: Displays the session information of the SSH server.

status: Displays the status information of the SSH server.

Description

Use the display ssh server command on an SSH server to display SSH server status information or session information.

Related commands: ssh server authentication-retries, ssh server rekey-interval, ssh server authentication-timeout, ssh server enable, ssh server compatible-ssh1x enable.

 

This command is also available on an SFTP server.

 

Examples

# Display the SSH server status information.

<Sysname> display ssh server status
 SSH server: Disable
 SSH version : 1.99
 SSH authentication-timeout : 60 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH authentication retries : 3 time(s)
 SFTP server: Disable
 SFTP server Idle-Timeout: 10 minute(s)

Table 1-1 display ssh server status command output description

Field | Description
SSH server | Whether the SSH server function is enabled
SSH version | SSH protocol version. When the SSH server supports SSH1 clients, the protocol version is 1.99; otherwise, the protocol version is 2.0.
SSH authentication-timeout | Authentication timeout period
SSH server key generating interval | SSH server key pair update interval
SSH authentication retries | Maximum number of SSH authentication attempts
SFTP server | Whether the SFTP server function is enabled
SFTP server Idle-Timeout | SFTP connection idle timeout period

 

# Display the SSH server session information.

<Sysname> display ssh server session
 Conn   Ver   Encry    State         Retry    SerType  Username
 VTY 0  2.0   DES      Established   0        SFTP     client001

Table 1-2 display ssh server session command output description

Field | Description
Conn | Connected VTY channel
Ver | SSH server protocol version
Encry | Encryption algorithm
State | Status of the session, one of: Init, Ver-exchange, Keys-exchange, Auth-request, Serv-request, Established, Disconnected
Retry | Number of authentication attempts
SerType | Service type (SFTP, Stelnet)
Username | Name of the user for login

 

display ssh user-information

Syntax

display ssh user-information [ username ]

View

Any view

Default Level

1: Monitor level

Parameters

username: SSH username, a string of 1 to 80 characters.

Description

Use the display ssh user-information command on an SSH server to display information about one or all SSH users.

Note that:

•   This command displays only information about SSH users configured through the ssh user command on the SSH server.

•   With the username argument not specified, the command displays information about all SSH users.

Related commands: ssh user.

 

This command is also available on an SFTP server.

 

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information
 Total ssh users : 2
 Username    Authentication-type   User-public-key-name     Service-type
 yemx        password              null                     stelnet|sftp
 test        publickey             pubkey                   sftp

Table 1-3 display ssh user-information command output description

Field | Description
Username | Name of the user
Authentication-type | Authentication method. If this field has a value of password, the next field will have a value of null.
User-public-key-name | Public key of the user
Service-type | Service type
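The three display outputs above (server status, server sessions and SSH users) are what an operator reviews by hand during a hardening check. The following Python script is an added example, not part of the H3C documentation: it parses copies of those outputs and reports the conditions this chapter describes (SSH1 compatibility shown as version 1.99, a session negotiated with DES, password-only users). The sample outputs are copied from the examples above with the SSH and SFTP servers set to Enable so that there is a live server to assess; the thresholds and the weak-cipher list are assumptions made for the example, not vendor defaults.

```python
import re

# Constructed samples: the outputs from this chapter's examples, with the
# server functions set to Enable so the checks have something to assess.
STATUS_OUTPUT = """\
 SSH server: Enable
 SSH version : 1.99
 SSH authentication-timeout : 60 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH authentication retries : 3 time(s)
 SFTP server: Enable
 SFTP server Idle-Timeout: 10 minute(s)
"""

SESSION_OUTPUT = """\
 Conn   Ver   Encry    State         Retry    SerType  Username
 VTY 0  2.0   DES      Established   0        SFTP     client001
"""

USERS_OUTPUT = """\
 Total ssh users : 2
 Username    Authentication-type   User-public-key-name     Service-type
 yemx        password              null                     stelnet|sftp
 test        publickey             pubkey                   sftp
"""

# Assumed local policy (not from the manual).
WEAK_CIPHERS = {"DES", "3DES"}
MAX_RETRIES = 3
MAX_AUTH_TIMEOUT = 60


def _grab(pattern, text, cast=str):
    """Return the first capture group of `pattern`, converted with `cast`."""
    m = re.search(pattern, text, re.M)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return cast(m.group(1))


def parse_status(text):
    """Turn `display ssh server status` output into a dict of settings."""
    return {
        "enabled": _grab(r"^\s*SSH server:\s*(\S+)", text) == "Enable",
        "version": _grab(r"^\s*SSH version\s*:\s*(\S+)", text),
        "auth_timeout": _grab(r"authentication-timeout\s*:\s*(\d+)", text, int),
        "rekey_hours": _grab(r"key generating interval\s*:\s*(\d+)", text, int),
        "retries": _grab(r"authentication retries\s*:\s*(\d+)", text, int),
        "sftp_enabled": _grab(r"^\s*SFTP server:\s*(\S+)", text) == "Enable",
        "sftp_idle_minutes": _grab(r"Idle-Timeout:\s*(\d+)", text, int),
    }


# One row of `display ssh server session`; Conn is "VTY n", so it carries a space.
SESSION_RE = re.compile(
    r"^\s*(?P<conn>VTY \d+)\s+(?P<ver>\S+)\s+(?P<cipher>\S+)\s+(?P<state>\S+)"
    r"\s+(?P<retry>\d+)\s+(?P<service>\S+)\s+(?P<user>\S+)\s*$", re.M)


def parse_sessions(text):
    """Return one dict per session row; the header line does not match."""
    return [{**m.groupdict(), "retry": int(m.group("retry"))}
            for m in SESSION_RE.finditer(text)]


def parse_users(text):
    """Return one dict per user row of `display ssh user-information`."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Username":
            continue  # skips the "Total ssh users" line and the header
        name, auth, pubkey, services = parts
        users.append({"name": name, "auth": auth, "pubkey": pubkey,
                      "services": set(services.split("|"))})
    return users


def audit(status, sessions, users):
    """Apply the policy above and return a list of human-readable findings."""
    findings = []
    if not status["enabled"]:
        return findings  # nothing is listening; nothing to assess
    if status["version"] == "1.99":
        findings.append("SSH1 compatibility is on (version 1.99); disable it "
                        "with `undo ssh server compatible-ssh1x`")
    if status["retries"] > MAX_RETRIES:
        findings.append(f"authentication retries {status['retries']} "
                        f"exceeds policy maximum {MAX_RETRIES}")
    if status["auth_timeout"] > MAX_AUTH_TIMEOUT:
        findings.append(f"authentication timeout {status['auth_timeout']}s "
                        f"exceeds policy maximum {MAX_AUTH_TIMEOUT}s")
    for s in sessions:
        if s["cipher"].upper() in WEAK_CIPHERS:
            findings.append(f"session {s['conn']} ({s['user']}) negotiated "
                            f"weak cipher {s['cipher']}")
        if s["ver"] != "2.0":
            findings.append(f"session {s['conn']} ({s['user']}) is not SSH 2.0 "
                            f"(version {s['ver']})")
    for u in users:
        if u["auth"] == "password":
            findings.append(f"user {u['name']} relies on password-only "
                            f"authentication for {'|'.join(sorted(u['services']))}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_status(STATUS_OUTPUT),
                         parse_sessions(SESSION_OUTPUT),
                         parse_users(USERS_OUTPUT)):
        print("-", finding)
```

In practice the three strings would be replaced by text captured from the device over a logged session; the parsers are tolerant of the column spacing, which varies between releases, but not of renamed fields, so a `ValueError` from `_grab` is the signal to re-check the output format rather than to trust an empty report.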

 

ssh server authentication-retries

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

View

System view

Default Level

2: System level

Parameters

times: Maximum number of authentication attempts, in the range 1 to 5.

Description

Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts.

Use the undo ssh server authentication-retries command to restore the default.

By default, the maximum number of SSH connection authentication attempts is 3.

Note that:

•   This configuration takes effect only for users trying to log in after the configuration.

•   Authentication will fail if the number of authentication attempts (including both publickey and password authentication) exceeds that specified in the ssh server authentication-retries command.

•   If the authentication method of SSH users is password-publickey, the maximum number of SSH connection authentication attempts must be at least 2. This is because SSH2.0 users must pass both password and publickey authentication.

Related commands: display ssh server.

Examples

# Set the maximum number of SSH connection authentication attempts to 4.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

ssh server authentication-timeout

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

View

System view

Default Level

2: System level

Parameters

time-out-value: Authentication timeout period in seconds, in the range 1 to 120.

Description

Use the ssh server authentication-timeout command to set the SSH user authentication timeout period on the SSH server.

Use the undo ssh server authentication-timeout command to restore the default.

By default, the authentication timeout period is 60 seconds.

Related commands: display ssh server.

Examples

# Set the SSH user authentication timeout period to 10 seconds.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to enable the SSH server to support SSH1 clients.

Use the undo ssh server compatible-ssh1x command to disable the SSH server from supporting SSH1 clients.

By default, the SSH server supports SSH1 clients.

This configuration takes effect only for users logging in after the configuration.

Related commands: display ssh server.

Examples

# Enable the SSH server to support SSH1 clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable

ssh server enable

Syntax

ssh server enable

undo ssh server enable

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh server enable command to enable the SSH server function.

Use the undo ssh server enable command to disable the SSH server function.

By default, the SSH server function is disabled.

Examples

# Enable the SSH server function.

<Sysname> system-view

[Sysname] ssh server enable

ssh server rekey-interval

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

View

System view

Default Level

2: System level

Parameters

hours: Server key pair update interval in hours, in the range 1 to 24.

Description

Use the ssh server rekey-interval command to set the interval for updating the RSA server key.

Use the undo ssh server rekey-interval command to restore the default.

By default, the update interval of the RSA server key is 0, that is, the RSA server key is not updated.

Related commands: display ssh server.

 

•   This command is only available to SSH users using SSH1 client software.

•   The system does not update any DSA key pair periodically.

 

Examples

# Set the RSA server key pair update interval to 3 hours.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

ssh user

Syntax

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }

undo ssh user username

View

System view

Default Level

2: System level

Parameters

username: SSH username, a case-sensitive string of 1 to 80 characters.

service-type: Specifies the service type of an SSH user, which can be one of the following:

•   all: Specifies both secure Telnet and secure FTP.

•   sftp: Specifies the service type as secure FTP.

•   stelnet: Specifies the service type as secure Telnet.

authentication-type: Specifies the authentication method of an SSH user, which can be one of the following:

•   password: Performs password authentication.

•   any: Performs either password authentication or publickey authentication.

•   password-publickey: Specifies that SSH2.0 clients perform both password authentication and publickey authentication and that SSH1 clients perform either type of authentication.

•   publickey: Performs publickey authentication.

assign publickey keyname: Assigns an existing public key to an SSH user. keyname indicates the name of the client public key and is a string of 1 to 64 characters.

work-directory directory-name: Specifies the working directory for an SFTP user. directory-name indicates the name of the working directory and is a string of 1 to 135 characters.

Description

Use the ssh user command to create an SSH user and specify the service type and authentication method.

Use the undo ssh user command to delete an SSH user.

Note that:

•   For a publickey authentication user, you must configure the username and the public key on the device. For a password authentication user, you can configure the account information on either the device or a remote authentication server such as a RADIUS server.

•   If you use the ssh user command to configure a public key for a user who already has a public key, the new one overwrites the old one.

•   Authentication method and public key configuration take effect only for users logging in after the configuration.

•   If an SFTP user has been assigned a public key, you must set a working directory for the user.

•   The working directory of an SFTP user depends on the user authentication method. For a user using only password authentication, the working directory is the AAA authorized one. For a user using only publickey authentication or using both publickey authentication and password authentication, the working directory is the one set by using the ssh user command.

Related commands: display ssh user-information.

Examples

# Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, the working directory of the SFTP server as flash, and assigning a public key named key1 to the user.

<Sysname> system-view

[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
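The ssh server and ssh user commands above carry several constraints that interact across lines: the value ranges of authentication-retries, authentication-timeout and rekey-interval, the requirement that a password-publickey user has at least 2 authentication attempts, the requirement that an SFTP user with an assigned public key has a working directory, and the default that SSH1 clients are accepted unless undo ssh server compatible-ssh1x is present. The following Python validator is an added example, not H3C code: it reads a constructed block of configuration lines in the syntax shown in this chapter and reports violations of those rules before the configuration is pushed. Treating the absence of the undo line as "SSH1 allowed" follows the default stated above and is an assumption about how the running configuration is rendered.

```python
# Constructed configuration fragments in the syntax documented above.
SAMPLE_CONFIG = """\
 ssh server enable
 ssh server authentication-retries 1
 ssh server authentication-timeout 30
 ssh user alice service-type sftp authentication-type publickey assign publickey key1
 ssh user bob service-type all authentication-type password-publickey assign publickey key2 work-directory flash:
 ssh user carol service-type stelnet authentication-type password
"""

HARDENED_CONFIG = """\
 ssh server enable
 undo ssh server compatible-ssh1x
 ssh server authentication-retries 2
 ssh user alice service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
"""

# Value ranges from the Parameters sections of this chapter.
RANGES = {
    "authentication-retries": (1, 5),
    "authentication-timeout": (1, 120),
    "rekey-interval": (1, 24),
}
# Methods that require `assign publickey keyname` in the ssh user syntax.
KEY_AUTH = {"any", "password-publickey", "publickey"}


def parse_ssh_user(tokens):
    """Parse the tokens after `ssh user` into a dict of the user's settings."""
    user = {"name": tokens[0], "service": None, "auth": None,
            "key": None, "workdir": None}
    i = 1
    while i < len(tokens):
        t = tokens[i]
        if t == "service-type":
            user["service"] = tokens[i + 1]
            i += 2
        elif t == "authentication-type":
            user["auth"] = tokens[i + 1]
            i += 2
        elif t == "assign" and tokens[i + 1] == "publickey":
            user["key"] = tokens[i + 2]
            i += 3
        elif t == "work-directory":
            user["workdir"] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {t!r} in ssh user {user['name']}")
    return user


def validate_config(text):
    """Return a list of findings for the configuration lines in `text`."""
    findings = []
    server = {"authentication-retries": 3}   # documented default
    ssh1_allowed = True                      # documented default
    users = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["ssh", "server"] and len(tokens) == 4 and tokens[2] in RANGES:
            lo, hi = RANGES[tokens[2]]
            value = int(tokens[3])
            if not lo <= value <= hi:
                findings.append(f"ssh server {tokens[2]} {value} is outside {lo}..{hi}")
            server[tokens[2]] = value
        elif tokens[:3] == ["ssh", "server", "compatible-ssh1x"]:
            ssh1_allowed = True
        elif tokens[:4] == ["undo", "ssh", "server", "compatible-ssh1x"]:
            ssh1_allowed = False
        elif tokens[:2] == ["ssh", "user"]:
            users.append(parse_ssh_user(tokens[2:]))

    retries = server["authentication-retries"]
    for u in users:
        if u["auth"] in KEY_AUTH and u["key"] is None:
            findings.append(f"user {u['name']}: {u['auth']} authentication "
                            f"requires `assign publickey keyname`")
        if u["service"] in ("sftp", "all") and u["key"] and u["workdir"] is None:
            findings.append(f"user {u['name']}: SFTP user with a public key "
                            f"requires `work-directory`")
        if u["service"] == "stelnet" and u["workdir"]:
            findings.append(f"user {u['name']}: work-directory is not valid for stelnet")
        if u["auth"] == "password-publickey" and retries < 2:
            findings.append(f"user {u['name']}: password-publickey needs "
                            f"authentication-retries >= 2 (currently {retries})")
    if ssh1_allowed:
        findings.append("SSH1 clients are accepted (default); add "
                        "`undo ssh server compatible-ssh1x`")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, validate_config(cfg) or ["no findings"])
```

The retries check is evaluated after all lines are read, so the order of the ssh server and ssh user lines in the file does not matter; that mirrors the device, where the retry limit applies to every user regardless of which command was entered first.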

SSH2.0 Client Configuration Commands

display ssh client source

Syntax

display ssh client source

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh client source command to display the source IP address or source interface currently set for the SSH client.

If neither a source IP address nor a source interface is specified for the SSH client, the system displays the following message: “Neither source IP address nor source interface was specified for the STelnet client.”

Related commands: ssh client source.

Examples

# Display the source IP address of the SSH client.

<Sysname> display ssh client source

The source IP address you specified is 192.168.0.1

display ssh server-info

Syntax

display ssh server-info

View

Any view

Default Level

1: Monitor level

Parameters

None

Description

Use the display ssh server-info command on a client to display mappings between SSH servers and their host public keys saved on the client.

When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.

Related commands: ssh client authentication server.

 

This command is also available on an SFTP client.

 

Examples

# Display the mappings between host public keys and SSH servers saved on the client.

<Sysname> display ssh server-info
Server Name(IP)                 Server public key name
______________________________________________________
192.168.0.1                      abc_key01
192.168.0.2                      abc_key02

Table 1-4 display ssh server-info command output description

Field | Description
Server Name(IP) | Name or IP address of the server
Server public key name | Name of the host public key of the server

 

ssh client authentication server

Syntax

ssh client authentication server server assign publickey keyname

undo ssh client authentication server server assign publickey

View

System view

Default Level

2: System level

Parameters

server: IP address or name of the server, a string of 1 to 80 characters.

assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.

Description

Use the ssh client authentication server command on a client to configure the host public key of a server so that the client can determine whether the server is trustworthy.

Use the undo ssh client authentication server command to remove the configuration.

By default, the host public key of the server is not configured, and when logging into the server, the client uses the IP address or host name used for login as the public key name.

If the client does not support first-time authentication, it will reject unauthenticated servers. In this case, you need to configure the public keys of the servers and specify the mappings between public keys and servers on the client, so that the client uses the correct public key of a server to authenticate the server.

Note that the specified host public key of the server must already exist.

Related commands: ssh client first-time enable.

Examples

# Configure the public key of the server with the IP address of 192.168.0.1 to be key1.

<Sysname> system-view

[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1

ssh client first-time enable

Syntax

ssh client first-time enable

undo ssh client first-time

View

System view

Default Level

2: System level

Parameters

None

Description

Use the ssh client first-time enable command to enable the first-time authentication function.

Use the undo ssh client first-time command to disable the function.

By default, the function is enabled.

With first-time authentication, when an SSH client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server.

Without first-time authentication, a client not configured with the server host public key refuses to connect to the server. To access the server, a user must configure the server host public key locally in advance and specify the public key name for authentication.

Note that as the server may update its key pairs periodically, clients must obtain the most recent public keys of the server for successful authentication of the server.

Examples

# Enable the first-time authentication function.

<Sysname> system-view

[Sysname] ssh client first-time enable
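The two client-side behaviours described above (first-time authentication saving the host key on first contact, and strict mode refusing unknown servers until ssh client authentication server has pinned a key) are a trust-on-first-use policy. The following Python model is an added example, not H3C code: it keeps the server-to-key mapping that display ssh server-info shows, applies the first-time toggle, and raises distinct errors for an unknown server and for a key that no longer matches, which is the case the note above warns about when the server rekeys. The key values are constructed byte strings; a real client would compare the full encoded public key blob.

```python
import hashlib


class UnknownHost(Exception):
    """Server has no saved host key and first-time authentication is off."""


class HostKeyMismatch(Exception):
    """The saved host key differs from the key the server presented."""


def fingerprint(key):
    """Short SHA-256 fingerprint used only to make messages readable."""
    return hashlib.sha256(key).hexdigest()[:16]


class SshClientHostKeys:
    """Client-side host key store with the first-time authentication switch."""

    def __init__(self, first_time_enabled=True):
        # `ssh client first-time enable` is the documented default.
        self.first_time_enabled = first_time_enabled
        self.saved = {}   # server name or IP -> host public key bytes

    def assign_publickey(self, server, key):
        """Equivalent of `ssh client authentication server <server> assign publickey`."""
        self.saved[server] = key

    def server_info(self):
        """Equivalent of `display ssh server-info`, keyed by server."""
        return {server: fingerprint(key) for server, key in self.saved.items()}

    def verify_server(self, server, presented_key):
        """Decide whether the key the server presented during key exchange is acceptable."""
        saved = self.saved.get(server)
        if saved is None:
            if not self.first_time_enabled:
                raise UnknownHost(
                    f"{server}: no saved host key; pin one with "
                    f"`ssh client authentication server {server} assign publickey <name>`")
            # First contact: the key is accepted unverified and remembered.
            self.saved[server] = presented_key
            return "saved-on-first-use"
        if saved != presented_key:
            raise HostKeyMismatch(
                f"{server}: presented key {fingerprint(presented_key)} differs from "
                f"saved key {fingerprint(saved)}; if the server rekeyed, obtain its "
                f"new public key out of band and re-pin it")
        return "verified"


# Constructed host keys standing in for real encoded public key blobs.
KEY_A = b"ssh-rsa CONSTRUCTED-KEY-A"
KEY_B = b"ssh-rsa CONSTRUCTED-KEY-B"


def run_scenarios():
    """Exercise both modes and return the outcome of each step as strings."""
    outcomes = []
    tofu = SshClientHostKeys(first_time_enabled=True)
    outcomes.append(tofu.verify_server("192.168.0.1", KEY_A))   # saved-on-first-use
    outcomes.append(tofu.verify_server("192.168.0.1", KEY_A))   # verified
    try:
        tofu.verify_server("192.168.0.1", KEY_B)                 # key changed
    except HostKeyMismatch:
        outcomes.append("mismatch-rejected")
    strict = SshClientHostKeys(first_time_enabled=False)
    try:
        strict.verify_server("192.168.0.2", KEY_B)               # never seen
    except UnknownHost:
        outcomes.append("unknown-rejected")
    strict.assign_publickey("192.168.0.2", KEY_B)
    outcomes.append(strict.verify_server("192.168.0.2", KEY_B))  # verified
    return outcomes


if __name__ == "__main__":
    print(run_scenarios())
```

The first connection in first-time mode is the only point at which an impostor can be recorded as the real server, which is why the strict mode plus out-of-band key pinning is the appropriate setting for management stations, and why a mismatch should be investigated rather than cleared by deleting the saved key.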

ssh client ipv6 source

Syntax

ssh client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

undo ssh client ipv6 source

View

System view

Default Level

3: Manage level

Parameters

ipv6 ipv6-address: Specifies a source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client ipv6 source command to specify the source IPv6 address or source interface for the SSH client.

Use the undo ssh client ipv6 source command to remove the configuration.

By default, the client uses the source address specified by the route of the device to access the SSH server.

Related commands: display ssh client source.

Examples

# Specify the source IPv6 address as 2:2::2:2 for the SSH client.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

ssh client source

Syntax

ssh client source { ip ip-address | interface interface-type interface-number }

undo ssh client source

View

System view

Default Level

3: Manage level

Parameters

ip ip-address: Specifies a source IPv4 address.

interface interface-type interface-number: Specifies a source interface by its type and number.

Description

Use the ssh client source command to specify the source IPv4 address or source interface of the SSH client.

Use the undo ssh client source command to remove the configuration.

By default, an SSH client uses the IP address of the interface specified by the route of the device to access the SSH server.

Related commands: display ssh client source.

Examples

# Specify the source IPv4 address of the SSH client as 192.168.0.1.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

ssh2

Syntax

ssh2 server [ port-number ] [vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

0: Visit level

Parameters

server: IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the VPN instance to which the server belongs. vpn-instance-name is a case-sensitive string of 1 to 31 characters.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

•   3des: Encryption algorithm 3des-cbc.

•   aes128: Encryption algorithm aes128-cbc.

•   des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96.

•   md5: HMAC algorithm hmac-md5.

•   md5-96: HMAC algorithm hmac-md5-96.

•   sha1: HMAC algorithm hmac-sha1.

•   sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.

•   dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

•   dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

•   dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the ssh2 command to establish a connection to an IPv4 SSH server and specify the public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.

Note that when the client’s authentication method is publickey, the client needs the local private key to produce the authentication signature. As publickey authentication can use either the RSA or the DSA algorithm, you must specify the algorithm (by using the identity-key keyword) so that the correct local private key is used. By default, the public key algorithm is DSA.

Examples

# Log in to remote SSH2.0 server 10.214.50.51, using the following algorithms:

•   Preferred key exchange algorithm: DH-group1

•   Preferred encryption algorithm from server to client: AES128

•   Preferred HMAC algorithm from client to server: MD5

•   Preferred HMAC algorithm from server to client: SHA1-96

<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

ssh2 ipv6

Syntax

ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default Level

0: Visit level

Parameters

server: IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters.

port-number: Port number of the server, in the range 0 to 65535. The default is 22.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Preferred encryption algorithm from client to server, defaulted to aes128.

•   3des: Encryption algorithm 3des-cbc.

•   aes128: Encryption algorithm aes128-cbc.

•   des: Encryption algorithm des-cbc.

prefer-ctos-hmac: Preferred HMAC algorithm from client to server, defaulted to sha1-96.

•   md5: HMAC algorithm hmac-md5.

•   md5-96: HMAC algorithm hmac-md5-96.

•   sha1: HMAC algorithm hmac-sha1.

•   sha1-96: HMAC algorithm hmac-sha1-96.

prefer-kex: Preferred key exchange algorithm, defaulted to dh-group-exchange.

•   dh-group-exchange: Key exchange algorithm diffie-hellman-group-exchange-sha1.

•   dh-group1: Key exchange algorithm diffie-hellman-group1-sha1.

•   dh-group14: Key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the ssh2 ipv6 command to establish a connection to an IPv6 SSH server and specify public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.

Note that when the client’s authentication method is publickey, the client needs the local private key to produce the authentication signature. As publickey authentication can use either the RSA or the DSA algorithm, you must specify the algorithm (by using the identity-key keyword) so that the correct local private key is used. By default, the public key algorithm is DSA.

Examples

# Log in to remote SSH2.0 server 2000::1, setting the algorithms as follows:

•   Preferred key exchange algorithm: DH-group1

•   Preferred encryption algorithm from server to client: AES128

•   Preferred HMAC algorithm from client to server: MD5

•   Preferred HMAC algorithm from server to client: SHA1-96

<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
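The prefer-* keywords of ssh2 and ssh2 ipv6 only state the client's first choice; what the session actually uses is decided by the SSH negotiation rule, in which the first algorithm on the client's list that the server also supports wins (RFC 4253, section 7.1). The following Python model is an added example, not H3C code, and serves both the ssh2 and the ssh2 ipv6 examples above: it parses a command line in the documented syntax, builds the client's name-lists from the option tables on this page, runs the negotiation against a constructed server, and flags the outcome against a weak-algorithm policy. The order of the non-preferred algorithms on the client's list, the server's advertised lists and the weak set are assumptions for the example.

```python
# Option tables from the ssh2 / ssh2 ipv6 syntax on this page (keyword -> SSH name).
CIPHERS = {"aes128": "aes128-cbc", "3des": "3des-cbc", "des": "des-cbc"}
HMACS = {"sha1-96": "hmac-sha1-96", "sha1": "hmac-sha1",
         "md5-96": "hmac-md5-96", "md5": "hmac-md5"}
KEX = {"dh-group-exchange": "diffie-hellman-group-exchange-sha1",
       "dh-group14": "diffie-hellman-group14-sha1",
       "dh-group1": "diffie-hellman-group1-sha1"}

# Documented defaults of the preference keywords.
DEFAULTS = {"prefer-kex": "dh-group-exchange",
            "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
            "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96"}
TABLES = {"prefer-kex": KEX,
          "prefer-ctos-cipher": CIPHERS, "prefer-stoc-cipher": CIPHERS,
          "prefer-ctos-hmac": HMACS, "prefer-stoc-hmac": HMACS}

# Assumed local policy: single DES, 3DES, MD5-based MACs and the 1024-bit
# group1 exchange are not acceptable.
WEAK = {"des-cbc", "3des-cbc", "hmac-md5", "hmac-md5-96",
        "diffie-hellman-group1-sha1"}

# Constructed server that advertises every algorithm the client can ask for,
# so the client's preference alone decides the outcome.
SERVER_LISTS = {option: list(table.values()) for option, table in TABLES.items()}


def parse_ssh2_command(cmd):
    """Split `ssh2 [ipv6] server [port] [vpn-instance name] keyword value ...`."""
    tokens = cmd.split()
    i = 1
    if tokens[i] == "ipv6":
        i += 1
    server = tokens[i]
    i += 1
    if i < len(tokens) and tokens[i].isdigit():
        i += 1          # port-number has no bearing on algorithm choice
    if i < len(tokens) and tokens[i] == "vpn-instance":
        i += 2          # vpn-instance name, likewise irrelevant here
    options = {}
    while i + 1 < len(tokens):
        options[tokens[i]] = tokens[i + 1]
        i += 2
    return server, options


def client_name_list(option, preferred):
    """Client's name-list: the preferred algorithm first, then the rest (assumed order)."""
    table = TABLES[option]
    if preferred not in table:
        raise ValueError(f"{option}: unknown value {preferred!r}")
    return [table[preferred]] + [name for kw, name in table.items() if kw != preferred]


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first algorithm on the client's list that the server also lists."""
    for name in client_list:
        if name in server_list:
            return name
    raise ValueError("no algorithm in common")


def negotiate_session(cmd, server_lists=SERVER_LISTS):
    """Return (chosen algorithms, subset of them the policy rejects) for a command line."""
    _, options = parse_ssh2_command(cmd)
    chosen, flagged = {}, {}
    for option, default in DEFAULTS.items():
        client_list = client_name_list(option, options.get(option, default))
        chosen[option] = negotiate(client_list, server_lists[option])
        if chosen[option] in WEAK:
            flagged[option] = chosen[option]
    return chosen, flagged


if __name__ == "__main__":
    example = ("ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 "
               "prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96")
    chosen, flagged = negotiate_session(example)
    for option, name in chosen.items():
        print(f"{option:20} {name}{'  <- rejected by policy' if option in flagged else ''}")
```

Run against the chapter's own example command, the model shows that the documented line lands on diffie-hellman-group1-sha1 and hmac-md5 for the client-to-server direction, both outside the assumed policy, while leaving the preferences at their defaults keeps every chosen algorithm inside it. The second scenario in the test, a client preferring des against a server that offers only aes128-cbc, shows why server-side algorithm restriction is the control that holds regardless of what a client asks for.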

H3C reserves the right to modify its collaterals without any prior notice. For the latest information of the collaterals, please consult H3C sales or call 400 hotline.