H3C S3100-52P Ethernet Switch Operation Manual-Release 1500(V1.02)

26-SSH Terminal Service Operation

Chapter 1  SSH Terminal Service

1.1  SSH Terminal Service

1.1.1  Introduction to SSH

Secure Shell (SSH) provides secure communication and strong authentication for remote users logging in to a switch over an insecure network, thus preventing attacks such as IP address spoofing and plain-text password interception.

Currently, the S3100-52P Ethernet Switches support SSH2.0. Acting as an SSH server, a switch accepts connections from multiple SSH clients. Through the SSH client function, a user can establish a connection to a switch or UNIX host running an SSH server.

Figure 1-1 and Figure 1-2 show two ways to establish an SSH connection between a client and a server.

- Establishing an SSH connection through a LAN

Figure 1-1 Establish SSH connection through a LAN

- Establishing an SSH connection through a WAN

Figure 1-2 Establish SSH connection through a WAN

The communication process between an SSH client and server goes through the following five stages.

1) Version negotiation stage:

- The client sends a TCP connection request to the server.

- When the TCP connection is established, the two ends negotiate an SSH version.

- If the negotiation succeeds, they go to the key negotiation stage. Otherwise the server terminates the TCP connection.

2) Key negotiation stage:

- The server sends the public key of a randomly generated RSA key pair to the client.

- The client calculates a session key from the public key received from the server and a random number it generates.

- The client encrypts the random number with the server's public key and sends the result to the server.

- The server decrypts the received data with the private key of the RSA key pair to obtain the client's random number.

- The server calculates the session key from the public key and the random number, using the same algorithm as the client.

Then the server and the client hold the same session key and use it to encrypt and decrypt their subsequent communication.

3) Authentication negotiation stage:

- The client sends its username to the server.

- The server starts to authenticate the user. If the user is configured on the server as requiring no authentication, the following step is skipped and the session request stage starts directly.

- The server authenticates the user (see the following note) until the authentication succeeds or the connection is terminated because of an authentication timeout.

 

Note:

SSH provides two kinds of authentication: password authentication and RSA authentication.

(1) Password authentication works as follows:

- The client sends the username and password to the server.

- The server compares the received username and password against those configured locally. The user passes the authentication if the server finds a match for both username and password.

(2) RSA authentication works as follows:

- Configure the RSA public key of the client on the server.

- The client sends the modulus of its RSA public key to the server.

- The server checks the validity of the modulus. If it is valid, the server generates a random number, encrypts it with the RSA public key of the client, and sends it to the client.

- Both the server and the client calculate authentication data from the random number and the session ID.

- The client sends the authentication data it calculates to the server.

- The server compares the received authentication data with the authentication data it calculated itself. If they are identical, the authentication succeeds.

 

4) Session request stage. The client sends a session request to the server, which processes the request and establishes a session.

5) Interactive session stage. Both ends exchange data until the session ends.

1.1.2  SSH Server Configuration

The following table describes SSH Server configuration tasks.

Table 1-1 SSH2.0 Server configuration tasks (operation: command; related section)

- Configure user interface(s) to support specified protocol(s): protocol inbound; see "Configuring user interface(s) to support specified protocol(s)".

- Generate local RSA key pair: rsa local-key-pair create; see "Generating or destroying local RSA key pair".

- Destroy local RSA key pair: rsa local-key-pair destroy; see "Generating or destroying local RSA key pair".

- Specify a default authentication type for SSH users: ssh authentication-type default; see "Configuring authentication type for a user".

- Configure authentication type for an SSH user: ssh user username authentication-type; see "Configuring authentication type for a user".

- Set SSH authentication timeout time: ssh server timeout; see "Configuring SSH management".

- Set SSH authentication retry times: ssh server authentication-retries; see "Configuring SSH management".

- Configure a client public key for an SSH user: ssh user username assign rsa-key keyname; see "Configuring a client public key for a user".

I. Configuring user interface(s) to support specified protocol(s)

Table 1-2 Configure user interface(s) to support specified protocol(s) (operation: command; description)

- Enter system view: system-view

- Enter the view of one or multiple user interfaces: user-interface [ type-keyword ] number [ ending-number ]. Required.

- Configure the user interface(s) to support specified protocol(s): protocol inbound { all | ssh | telnet }. Optional; by default, both Telnet and SSH are supported.

Caution:

- If you have configured a user interface to support the SSH protocol, to ensure a successful login to the user interface, you must configure AAA authentication for the user interface by using the authentication-mode scheme command.

- For a user interface, if you have executed the authentication-mode password or authentication-mode none command, the protocol inbound ssh command cannot be executed; if you have executed the protocol inbound ssh command, neither the authentication-mode password nor the authentication-mode none command can be executed.

II. Generating or destroying local RSA key pair

This configuration task generates or destroys the RSA key pair of the server. The key pair is named in the format of the switch name plus "_Host", for example, H3C_host.

After you issue the rsa local-key-pair create command, the system prompts you to input a key length.

In SSH2.0, the key length is in the range of 512 to 2,048 (bits).

Table 1-3 Generate or destroy local RSA key pair (operation: command; description)

- Enter system view: system-view

- Generate local RSA key pair: rsa local-key-pair create. Required.

- Destroy local RSA key pair: rsa local-key-pair destroy. Optional.

Caution:

- For a successful SSH login, you must first generate the RSA key pair of the server.

- You need to execute the rsa local-key-pair create command only once; you need not execute it again after the system is rebooted.

- If you re-execute the rsa local-key-pair create command, the system asks whether you want to replace the original key pair with a new one.

Note:

After the rsa local-key-pair create command is executed, you can execute the display rsa local-key-pair public command to display information about the public key (in H3C_host, for example).

III. Configuring authentication type for a user

For a new user, you must specify the authentication type. Otherwise, the user cannot access the switch.

Table 1-4 Configure authentication type for a user (operation: command; description)

- Enter system view: system-view

- Specify a default authentication type for SSH users: ssh authentication-type default { password | rsa | password-publickey | all }

- Configure authentication type for an SSH user: ssh user username authentication-type { password | password-publickey | rsa | all }

At least one of the two authentication-type commands is required. By default, no authentication type is specified for an SSH user, and the user cannot access the switch.

Note that:

- The ssh authentication-type default command configures the default authentication type for all SSH users.

- The ssh user username authentication-type command configures the authentication type for a specific SSH user.

- When both commands are configured with different authentication types, the type specified by the ssh user username authentication-type command takes effect for the user named by the username argument, instead of the default type specified for all SSH users.

Caution:

- If the RSA authentication type is configured for a user, the RSA public key of the client user must be configured on the switch.

- By default, no authentication type is specified for a new user, and the new user cannot access the switch.

- For the password-publickey authentication type, users can access the switch only when they pass both kinds of authentication.

- For the password authentication type, username must be consistent with a valid user name defined in AAA; for the RSA authentication type, username is the SSH local user name, so there is no need to configure a local user in AAA.

- If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user. Instead, use the local-user command to create a user name and password, and then set the service type of the user to SSH.

- If the default authentication type for SSH users is password and remote authentication (RADIUS authentication, for example) is adopted, you need not use the ssh user command to create an SSH user, because the user is created on the remote server and can use the username and password configured there to access the network.

IV. Configuring SSH management

SSH management configuration consists of setting the authentication timeout time and the authentication retry limit. With these set, the SSH management function limits illegal activities such as malicious password guessing, thus helping to secure SSH connections.

Table 1-5 Configure SSH management (operation: command; description)

- Enter system view: system-view

- Set SSH authentication timeout time: ssh server timeout seconds. Optional; by default, the timeout time is 60 seconds.

- Set SSH authentication retry times: ssh server authentication-retries times. Optional; by default, the number of retries is 3.

V. Configuring a client public key for a user

On the switch, you can configure a client public key (generated randomly on a client) for a client user. This configuration is not required for password authentication type.

There are two methods to configure a client public key for a user.

1) Manual configuration

First, perform the following operations on a client:

- Use the SSH2.0 client software to randomly generate an RSA key pair.

- Use the SSHKEY.exe program to transform the public key in the RSA key pair to PKCS (public-key cryptography standards) format.

Then, perform the following operations on the server:

Table 1-6 Configure client public key for a user (operation: command; description)

- Enter system view: system-view

- Enter public key view: rsa peer-public-key key-name. Required.

- Enter public key edit view to input a client public key: public-key-code begin. When you input the key data, spaces are allowed between the characters (the system removes them automatically), and you can press <Enter> to continue your input on the next line. The key you input must be a hexadecimal digit string coded in the public key format.

- Return to public key view from public key edit view: public-key-code end. The system saves the public key data you input when you exit public key edit view.

- Return to system view from public key view: peer-public-key end

- Assign a client public key to an SSH user: ssh user username assign rsa-key keyname. Required. keyname is the name of an existing public key; if the user has already been assigned a public key, the newly assigned public key overwrites the old one.

Note:

The above method requires you to transform the format of the public key on the client and then manually configure the transformed public key on the server, so it is relatively complex.

2) Automatic configuration

First, perform the following operations on a client:

- Use the SSH2.0 client software to randomly generate an RSA key pair.

- Use FTP/TFTP to transfer the corresponding public key file to the Flash memory of the server.

Then, perform the following operations on the server:

Table 1-7 Automatic configuration (operation: command; description)

- Enter system view: system-view

- Transform the format of the key in a client public key file and automatically configure a client public key on the server: rsa peer-public-key key-name import sshkey file-name. file-name must match the name of a public key file in the Flash memory.

Note:

The above method does not require you to configure a public key manually, so it is relatively simple and is the recommended method.

VI. Specifying a source IP address/interface for the SSH server

You can perform the following configurations to specify a source IP address or a source interface for the SSH server, thus enhancing traffic manageability.

Table 1-8 Specify a source IP address/interface for the SSH server (operation: command; description)

- Enter system view: system-view

- Specify a source IP address for the SSH server: ssh-server source-ip ip-address. Optional.

- Specify a source interface for the SSH server: ssh-server source-interface interface-type interface-number. Optional.

1.1.3  SSH Client Configuration

A variety of SSH client software is available, such as PuTTY and FreeBSD. For an SSH client to establish a connection with an SSH server, you must complete these configuration tasks:

- Specifying the IP address of the server.

- Selecting the protocol for remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin and SSH. To establish an SSH connection, you must select SSH.

- Selecting the SSH version. Since the device currently supports SSH Server 2.0, select 2.0 or lower on the client.

- Specifying the RSA private key file. The RSA keys for an SSH user include a public key and a private key, which are generated by the tool accompanying the client software. The public key must be configured on the server, while the private key must be configured on the client.

The following takes the client software of PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client:

I. Generating the Client Key

To generate the client key pair, run PuTTYGen.exe, choose “SSH2(RSA)” in the parameter field and click “Generate”.

Figure 1-3 Generating the client key (1)

While generating the key pair, you must move the mouse continuously. Keep the mouse within the blue box of Figure 1-4 but off the green progress bar. Otherwise, the progress bar does not advance and the key pair cannot be generated.

Figure 1-4 Generating the client key (2)

After the key pair is generated, click “Save public key” and enter a file name (public here) to save the public key.

Figure 1-5 Generating the client key (3)

Likewise, to save a private key, click “Save private key” and a warning window pops up to prompt you whether to save a private key without any precautions. Click “Yes” and enter a name (private for here) to save the private key.

Figure 1-6 Generating the client key (4)

To generate RSA public key in PKCS format, run SSHKEY.exe, click “Browse” and select the public key file, and then click “Convert”.

Figure 1-7 Generating the client key (5)

II. Specifying the IP address of the server

Launch PuTTY.exe and the following window appears.

Figure 1-8 SSH client interface 1

In the [Host Name (or IP address)] text box, enter the IP address of the server, for example, 10.110.28.10. The IP address can be that of any interface on the server that is up and has a route to the client.

III. Selecting the protocol for remote connection

As shown in Figure 1-8, select the [SSH] option from the [Protocol] section.

IV. Selecting the SSH version

From the category on the left of the window, click [Connection/SSH]. The window as shown in Figure 1-9 appears.

Figure 1-9 SSH client interface 2

In the [Protocol options] field, select [2] from the [Preferred SSH protocol version] section.

V. Open an SSH Connection with RSA

If the client needs to use RSA authentication, you must specify the RSA private key file. If the client needs to use password authentication, this is not required.

From the category on the left of the window, click [Connection/SSH/Auth]. The following window appears.

Figure 1-10 SSH client interface 3

Click <Browse…> to bring up the file selection window, navigate to the private key file and click <OK>.

VI. Open an SSH Connection with Password

1) Click <Open>. The following SSH client interface appears. If the connection is established, you are prompted to enter the username and password, as shown in Figure 1-11.

Figure 1-11 SSH client interface

2) Enter the username and password to create an SSH connection.

3) To log out, enter the quit command.

1.1.4  Configuring the Device as an SSH Client

The following table describes SSH Client configuration tasks.

Table 1-9 SSH Client configuration tasks (operation: command; description)

- Enter system view: system-view

- Enable the client to run initial authentication: ssh client first-time enable. Optional; by default, the client is enabled to run initial authentication. If the client is disabled from running initial authentication, you must assign a public key to the server on the client.

- Assign a public key to a server: ssh client server-ip assign rsa-key keyname. Optional. This command configures the public key of a server on the client, so that the client can treat the server as trusted when it connects to the server.

- Start the client to establish a connection with an SSH server: ssh2 { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | aes128 } ] [ prefer_stoc_cipher { des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]. Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC (hash-based message authentication code) algorithms between the server and client.

Note:

If an SSH client is enabled to run initial authentication and it does not yet hold the public key of a server it accesses for the first time, the client lets you choose whether to continue the access and save the server's public key to the local device. When the client accesses that server the next time, it authenticates the server against the public key saved locally.

I. Specifying a source IP address/interface for the SSH client

You can perform the following configuration to specify a source IP address or a source interface for the SSH2.0 client, thus enhancing traffic manageability.

Table 1-10 Specify a source IP address/interface for the SSH client (operation: command; description)

- Enter system view: system-view

- Specify a source IP address for the SSH2.0 client: ssh2 source-ip ip-address. Optional.

- Specify a source interface for the SSH2.0 client: ssh2 source-interface interface-type interface-number. Optional.

1.1.5  Displaying SSH Configuration

After the above configuration, you can execute the display command in any view to display the configuration information and running status of SSH, so as to verify your configuration.

Table 1-11 Display SSH configuration (operation: command)

- Display host and server public keys: display rsa local-key-pair public

- Display client RSA public key(s): display rsa peer-public-key [ brief | name keyname ]

- Display SSH status and session information: display ssh server { status | session }

- Display SSH user information: display ssh user-information [ username ]

- Display the current source IP address or the IP address of the source interface specified for the SSH server: display ssh-server source-ip

- Display the current source IP address specified for the SSH2.0 client: display ssh2 source-ip

You can execute these display commands in any view.

1.1.6  SSH Server Configuration Example

I. Network requirements

As shown in Figure 1-12, the PC (SSH client), running SSH2.0-capable client software, establishes a local connection with the switch (SSH server) to secure the data exchange.

II. Network diagram

Figure 1-12 Network diagram for SSH server configuration

III. Configuration procedure

1) Generate local RSA key pair.

<H3C>system-view

[H3C] rsa local-key-pair create

 

Note:

If a local RSA key pair has already been generated, you can skip this step.

2) Set user authentication method.

Settings for the two authentication types are described respectively in the following:

- Password authentication

# Set AAA authentication on user interfaces.

[H3C] user-interface vty 0 4

[H3C-ui-vty0-4] authentication-mode scheme

# Configure the user interfaces to support SSH.

[H3C-ui-vty0-4] protocol inbound ssh

# Set login protocol to SSH, authentication type to password, and authentication password to "abc" for user client001.

[H3C] local-user client001

[H3C-luser-client001] password simple abc

[H3C-luser-client001] service-type ssh

[H3C-luser-client001] quit

[H3C] ssh user client001 authentication-type password

 

Note:

You can use the default SSH authentication timeout time and authentication retry times. After the above settings, run the SSH2.0-capable client software on a host connected to the switch, and log in to the switch with the username client001 and password "abc".

- RSA public key authentication

# Set AAA authentication on the user interfaces.

[H3C] user-interface vty 0 4

[H3C-ui-vty0-4] authentication-mode scheme

# Set the user interfaces to support SSH.

[H3C-ui-vty0-4] protocol inbound ssh

# Set login protocol to SSH and authentication type to RSA for user client002.

[H3C] ssh user client002 authentication-type rsa

# On the SSH2.0 client, make the client software generate a random RSA key pair, and transfer the public key in the pair from the client to the server.

# Configure the client public key on the server, with a key name of H3C002.

[H3C] rsa peer-public-key H3C002

[H3C-rsa-public-key] public-key-code begin

[H3C-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[H3C-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[H3C-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[H3C-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[H3C-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[H3C-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[H3C-rsa-key-code] public-key-code end

[H3C-rsa-public-key] peer-public-key end

[H3C] ssh user client002 assign rsa-key H3C002

# Make corresponding configuration on the host keeping the RSA private key and start the SSH client software to establish an SSH connection.
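The hexadecimal string typed between public-key-code begin and public-key-code end (Table 1-6) can be checked offline before it is pasted into the switch. The following Python is an added example, not part of this manual or of H3C's software; it assumes the string is a DER-encoded PKCS#1 RSAPublicKey (a SEQUENCE of the modulus and exponent INTEGERs), which is how the H3C002 key in the example above decodes (1023-bit modulus, exponent 37). The parser accepts spaces and line breaks just as the CLI does, rejects malformed input, and the encoder reproduces the same hex lines from the parsed values.

```python
# Added example (not from the H3C manual or H3C software): parse and re-encode the
# hexadecimal client public key string accepted between "public-key-code begin"
# and "public-key-code end". Assumption: the string is a DER-encoded PKCS#1
# RSAPublicKey, SEQUENCE { INTEGER modulus, INTEGER publicExponent }.

# Key H3C002 from the manual's RSA authentication example, copied line by line as
# it is typed into the switch (the switch strips the spaces and line breaks itself).
H3C002_KEY_HEX = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""

SEQUENCE, INTEGER = 0x30, 0x02
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 0x80|N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length exceeds available data")
    return tag, buf[pos:pos + length], pos + length


def _der_int(value: bytes) -> int:
    """Decode a DER INTEGER body; reject negative or non-minimal encodings."""
    if not value or value[0] & 0x80:
        raise ValueError("RSA parameters must be positive integers")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(value, "big")


def parse_public_key_hex(text: str) -> dict:
    """Accept the key as the CLI does (spaces and line breaks allowed) and
    return the modulus n, the exponent e and the modulus bit length."""
    compact = "".join(text.split())
    if not compact or any(c not in HEX_DIGITS for c in compact) or len(compact) % 2:
        raise ValueError("key must be an even-length hexadecimal digit string")
    data = bytes.fromhex(compact)
    tag, body, end = _read_tlv(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("expected one top-level SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != INTEGER or tag_e != INTEGER or pos != len(body):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    n, e = _der_int(n_bytes), _der_int(e_bytes)
    if n % 2 == 0 or e < 3 or e % 2 == 0 or e >= n:
        raise ValueError("implausible RSA parameters")
    return {"n": n, "e": e, "bits": n.bit_length()}


def _der_tlv(tag: int, value: bytes) -> bytes:
    """Wrap value in a DER tag and a short- or long-form length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _der_uint(x: int) -> bytes:
    """Minimal big-endian encoding of x, with a leading 0x00 if the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def encode_public_key_hex(n: int, e: int, width: int = 46) -> str:
    """Build the DER RSAPublicKey and split it into lines as the manual shows."""
    der = _der_tlv(SEQUENCE, _der_tlv(INTEGER, _der_uint(n)) + _der_tlv(INTEGER, _der_uint(e)))
    digits = der.hex().upper()
    return "\n".join(digits[i:i + width] for i in range(0, len(digits), width))


if __name__ == "__main__":
    key = parse_public_key_hex(H3C002_KEY_HEX)
    print(f"modulus {key['bits']} bits, exponent {key['e']}")
    assert encode_public_key_hex(key["n"], key["e"]) == H3C002_KEY_HEX.strip()
```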

1.1.7  Configuring the Device as an SSH Client: Configuration Example

I.  Network requirements

As shown in Figure 1-13:

- Switch A serves as an SSH client, with a user name of client003.

- Switch B serves as an SSH server, with an IP address of 10.165.87.136.

II. Network diagram

Figure 1-13 Network diagram for SSH client configuration

III. Configuration procedure

1) Enable the client to run initial authentication.

[H3C] ssh client first-time enable

2) Configure the server's public key on the client.

[H3C] rsa peer-public-key public

[H3C-rsa-public-key] public-key-code begin

[H3C-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[H3C-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[H3C-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[H3C-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[H3C-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[H3C-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[H3C-rsa-key-code] public-key-code end

[H3C-rsa-public-key] peer-public-key end

[H3C] ssh client 10.165.87.136 assign rsa-key public

3) Start SSH Client.

Settings for the two authentication types are described respectively in the following:

- Password authentication

# Start SSH Client with default encryption algorithms.

[H3C] ssh2 10.165.87.136

username: client003

Trying 10.165.87.136

Press CTRL+K to abort

Connected to 10.165.87.136...

The Server is not autherncated.Do you continue access it?(Y/N):y

Do you want to save the server's public key?(Y/N):y

Enter password:     

**************************************************************************

* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                              *

* no decompiling or reverse-engineering shall be allowed.                 *

**************************************************************************

 

<H3C>

- RSA public key authentication

# Start SSH Client with defined encryption algorithms.

[H3C] ssh2 10.165.87.136 22 prefer_kex dh_group1 prefer_ctos_cipher des prefer_ctos_hmac md5 prefer_stoc_hmac md5

username: client003

Trying 10.165.87.136...

Press CTRL+K to abort

Connected to 10.165.87.136...

The Server is not autherncated.Do you continue access it?(Y/N):y

Do you want to save the server's public key?(Y/N):y

**************************************************************************

* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                              *

* no decompiling or reverse-engineering shall be allowed.                 *

**************************************************************************

 

<H3C>

1.2  SFTP Service

1.2.1  Introduction to SFTP

Secure FTP (SFTP) is a new feature introduced in SSH2.0.

Since SFTP is based on SSH, it allows remote users to log in to the switch and perform file management and transfer operations (such as a system update) securely, thus providing more security for data transfer. Through the SFTP client function, you can securely log in to a remote device and perform file transfer operations.

1.2.2  SFTP Server Configuration

The following sections describe SFTP Server configuration tasks:

- Configuring service type for an SSH user

- Enabling SFTP Server

- Setting connection idle timeout

I. Configuring service type for an SSH user

Table 1-12 Configure service type for an SSH user (operation: command; description)

- Enter system view: system-view

- Configure service type for an SSH user: ssh user username service-type { stelnet | sftp | all }. Optional; by default, the service type available for a user is stelnet.

II. Enabling SFTP Server

Table 1-13 Enable SFTP Server (operation: command; description)

- Enter system view: system-view

- Enable SFTP Server: sftp server enable. Required; by default, SFTP Server is disabled.

III. Setting connection idle timeout time

You can set the idle timeout time for SFTP connections, so that the system can automatically release a user connection when the user connection is idle for a time longer than the time threshold you set.

Table 1-14 Set connection idle timeout time (operation: command; description)

- Enter system view: system-view

- Set idle timeout time for SFTP connections: sftp timeout time-out-value. Required; by default, the connection idle timeout time is 10 minutes.

1.2.3  SFTP Client Configuration on the Switch

The following table describes SFTP Client configuration tasks on the switch:

Table 1-15 SFTP Client configuration tasks (operation: command keyword; view; description)

- Start SFTP Client: sftp; system view. Required.

- Stop SFTP Client: bye, exit or quit; SFTP client view. Optional.

- SFTP directory operations (SFTP client view; optional):

  - Change the current directory: cd

  - Return to the upper directory: cdup

  - Display the current directory: pwd

  - Display the file list in a directory: dir or ls

  - Create a new directory: mkdir

  - Delete a directory: rmdir

- SFTP file operations (SFTP client view; optional):

  - Rename a file on the remote SFTP server: rename

  - Download a file from the remote SFTP server: get

  - Upload a local file to the remote SFTP server: put

  - Display the file list in a directory: dir or ls

  - Delete a file from the SFTP server: delete or remove

- Get help information about SFTP client commands: help; SFTP client view. Optional.

I. Starting SFTP Client

You can start SFTP Client to establish a connection to a remote SFTP server and enter SFTP client view.

Table 1-16 Start SFTP Client (operation: command; description)

- Enter system view: system-view

- Start SFTP Client: sftp { host-ip | host-name } [ port-num ] [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | aes128 } ] [ prefer_stoc_cipher { des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ]. Required.

II. Stopping SFTP Client

Table 1-17 Stop SFTP Client (operation: command; description)

- Enter system view: system-view

- Enter SFTP client view: sftp { host-ip | host-name }

- Stop SFTP Client: bye, exit or quit. The three commands have the same function.

III. Performing SFTP directory operations

SFTP directory operations include: changing or displaying the current directory, creating or deleting a directory, displaying file or directory information in a specific directory.

Table 1-18 Perform SFTP directory operations (operation: command; description)

- Enter system view: system-view

- Enter SFTP client view: sftp { host-ip | host-name }

- Change the current directory: cd remote-path. Optional.

- Return to the upper directory: cdup. Optional.

- Display the current directory: pwd. Optional.

- Display the file list of a directory: dir [ remote-path ] or ls [ remote-path ]. Optional; the dir and ls commands have the same function.

- Create a directory on the SFTP server: mkdir remote-path. Optional.

- Delete a directory from the SFTP server: rmdir remote-path. Optional.

IV. Performing SFTP file operations

SFTP file operations include: renaming a file, downloading a file, uploading a file, displaying the file list, and deleting a file.

Table 1-19 Perform SFTP file operations (operation: command; description)

- Enter system view: system-view

- Enter SFTP client view: sftp { host-ip | host-name }

- Rename a file on the remote SFTP server: rename old-name new-name. Optional.

- Download a file from the remote SFTP server: get remote-file [ local-file ]. Optional.

- Upload a file to the remote SFTP server: put local-file [ remote-file ]. Optional.

- Display the file list of a directory: dir [ remote-path ] or ls [ remote-path ]. Optional; the dir and ls commands have the same function.

- Delete a file from the SFTP server: delete remote-file or remove remote-file. Optional; the delete and remove commands have the same function.

V. Displaying help information

Use the command in Table 1-20 to display help information (syntax and parameters) about one or all SFTP client commands.

Table 1-20 Display help information about an SFTP client command

Operation                                                  Command                          Description
Enter system view                                          system-view
Enter SFTP client view                                     sftp { host-ip | host-name }
Display help information about one or all SFTP client commands  help [ command-name ]       Optional

 

VI. Specifying a source IP address or source interface for the SFTP client

Use the commands in Table 1-21 to specify the source IP address or source interface the SFTP client uses for its outgoing connections, so that SFTP traffic always originates from a predictable address that the SFTP server and any intermediate filters can match.

Table 1-21 Specify a source IP address or source interface for the SFTP client

Operation                                                  Command                                                 Description
Enter system view                                          system-view
Specify a source IP address for the SFTP client            sftp source-ip ip-address                               Optional
Specify a source interface for the SFTP client             sftp source-interface interface-type interface-number   Optional
Display the current source IP address or the IP address    display sftp source-ip                                  Optional. You can execute this command in any view.
of the source interface specified for the SFTP client

 

1.2.4  SFTP Configuration Example

I. Network requirements

As shown in Figure 1-14:

l           Suppose SSH-related configuration has been performed on Switch A and Switch B.

l           Suppose an SSH user named "abc" with password "hello" already exists.

l           Switch B serves as an SFTP server, with IP address 10.111.27.91.

l           Switch A serves as an SFTP client.

II. Network diagram

Figure 1-14 Network diagram for SFTP configuration

III. Configuration procedure

1)         Configure Switch B (SFTP server)

# Enable SFTP Server.

[H3C] sftp server enable

# Specify SFTP service for SSH user abc. As the listings below show, the SFTP root is the switch's flash file system (flash:/), which holds the configuration file config.cfg, so grant the sftp service type only to users who are trusted to read, delete and overwrite the switch's files.

[H3C] ssh user abc service-type sftp

2)         Configure Switch A (SFTP client)

# Establish a connection to the remote SFTP server and enter SFTP client view.

[H3C] sftp 10.111.27.91

# List the files in the current directory on the SFTP server, delete file z, and list the directory again to verify the operation.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z

sftp-client> delete z

The following File will be deleted:

flash:/z

Are you sure to delete it?(Y/N):y

This operation may take a long time.Please wait...

 

File successfully Removed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

# Create directory new1 and verify the operation.

sftp-client> mkdir new1

New directory created

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1

# Rename directory new1 to new2 and verify the operation.

sftp-client> rename new1 new2

File successfully renamed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

# Download file pubkey2 and rename it to public.

sftp-client> get pubkey2 public

Remote  file:flash:/pubkey2 --->  Local file: public..

Downloading file successfully ended

# Upload the local file pu to the SFTP server as puk, then list the directory to verify the operations.

sftp-client> put pu puk

Local file: pu --->  Remote file: flash:/puk

Uploading file successfully ended

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk

sftp-client>

# Stop SFTP Client.

sftp-client> quit

Bye

[H3C]
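Each step of the procedure above is verified by running `dir` again and comparing by eye. The following added example (editor's code, not from the manual or from H3C) parses the `dir` output and diffs two listings so that the check is mechanical; the two listings embedded in it are copied from the first and last `dir` output of the configuration example above, and the assumption that every listing line has the fixed form "mode links owner group size Mon DD HH:MM name" is the editor's.

```python
"""Parse the S3100-52P SFTP client's `dir` output and compare two listings,
so each step of the configuration example (delete, mkdir, rename, put) can
be checked mechanically rather than by eye. Added example, not code from the
manual or from H3C. The two listings below are copied from the configuration
example on this page; the assumption that every listing line has the form
'mode links owner group size Mon DD HH:MM name' is the editor's."""
import re
from dataclasses import dataclass

# One line of `dir` output: type/mode, link count, owner, group, size,
# modification time, name (assumed fixed layout, see module docstring).
LINE_RE = re.compile(
    r"^([-d])([rwx-]{9})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+"
    r"([A-Z][a-z]{2} \d{2} \d{2}:\d{2})\s+(.+)$"
)

# First `dir` in the configuration example (before `delete z`).
BEFORE = """
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z
"""

# Last `dir` in the configuration example (after `put pu puk`).
AFTER = """
-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1
drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub
-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk
"""


@dataclass(frozen=True)
class Entry:
    name: str
    is_dir: bool
    size: int
    mode: str
    owner: str
    group: str
    mtime: str


def parse_listing(text):
    """Map name -> Entry. Refuses lines it cannot parse instead of skipping
    them, so a truncated or garbled listing is not mistaken for a clean one."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("sftp-client>"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised listing line: {line!r}")
        kind, mode, _links, owner, group, size, mtime, name = m.groups()
        entries[name] = Entry(name, kind == "d", int(size), mode, owner, group, mtime)
    return entries


def diff_listings(before, after):
    """Return (added, removed, changed) name sets between two listings."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    changed = {n for n in before.keys() & after.keys() if before[n] != after[n]}
    return added, removed, changed


def verify_step(before, after, expect_added=(), expect_removed=()):
    """True only if the listing changed exactly as the step intended:
    nothing else appeared, vanished, or changed size/mode/time."""
    added, removed, changed = diff_listings(before, after)
    return (added == set(expect_added) and removed == set(expect_removed)
            and not changed)


def world_writable(entries):
    """Names whose 'other' write bit is set; on this server that is every
    entry, config.cfg included, which is worth noticing before handing out
    SFTP accounts."""
    return sorted(n for n, e in entries.items() if e.mode[7] == "w")


if __name__ == "__main__":
    b, a = parse_listing(BEFORE), parse_listing(AFTER)
    print("added/removed/changed:", diff_listings(b, a))
    print("world-writable:", world_writable(b))
```

Run against the manual's own listings, the diff reports new2 and puk added and z removed, as the procedure intends, but it also reports pub as changed: its size went from 225 to 283 and its timestamp to Sep 02 06:35 between the first and last `dir`, which the procedure text does not mention. That is exactly the kind of side effect a strict `verify_step` check is meant to surface.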