04-S12500_SSH_Configuration_Examples
Contents
Example: Configuring the switch as an Stelnet server using password authentication
Configuration restrictions and guidelines
Example: Configuring the switch as an Stelnet server using publickey authentication
Configuration restrictions and guidelines
Example: Configuring the switch as an Stelnet client for password authentication
Configuration restrictions and guidelines
Example: Configuring the switch as an Stelnet client for publickey authentication
Configuration restrictions and guidelines
Example: Configuring the switch as an SFTP server using password authentication
Configuration restrictions and guidelines
Example: Configuring the switch as an SFTP client for publickey authentication
Configuration restrictions and guidelines
Introduction
This document provides examples of configuring SSH for Stelnet and SFTP applications. Authentication methods used in this document are password authentication and publickey authentication.
Secure Shell (SSH) provides a secure remote login method. By using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception.
When acting as an SSH server, the switch supports SSH and SSH1. When acting as an SSH client, the switch supports SSH2 only.
Prerequisites
The configuration examples in this document were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
This document assumes that you have basic knowledge of H3C SSH.
Example: Configuring the switch as an Stelnet server using password authentication
Network requirements
As shown in Figure 1, you can log in to the switch through the Stelnet client that runs on the host. After login, you can use all commands and perform secure data exchange. The switch uses local password authentication. The username (client001) and password (aabbcc) of the client are saved on the switch.
Requirements analysis
To perform local authentication, you must create a local user account and configure a password for the user on the Stelnet server. For password authentication, you do not need to create an SSH user.
After login, an SSH user using local password authentication can use commands based on the command privilege level of the local user. To enable an SSH user to use all commands after login, set the user command privilege level to 3 (manage level). By default, the command privilege level of a local user is 0 (visit level).
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an Stelnet server using password authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To ensure correct SSH version and algorithm negotiation, generate both RSA and DSA key pairs on the server.
Configuration procedures
1. Configure the Stelnet server:
# Generate RSA and DSA key pairs, and enable the SSH server function.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 1. The Stelnet client uses the IP address as the destination for SSH connection.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] undo shutdown
[Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface1] quit
# Set the authentication mode for the user interface to AAA (scheme).
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
# Create a local user named client001 with the password aabbcc, the service type ssh, and command privilege level 3.
[Switch] local-user client001
[Switch-luser-client001] password simple aabbcc
[Switch-luser-client001] service-type ssh
[Switch-luser-client001] authorization-attribute level 3
[Switch-luser-client001] quit
2. Configure the Stelnet client:
There are different types of Stelnet client software, such as PuTTY and OpenSSH. This example uses an Stelnet client that runs PuTTY version 0.58.
To configure the Stelnet client:
a. Launch PuTTY.exe to enter the interface shown in Table 1.
b. In the Host Name (or IP address) text box, enter the IP address 192.168.1.40 of the Stelnet server.
Table 1 Specifying the host name (or IP address)
c. Click Open to connect to the server.
d. Enter the username (client001) and password (aabbcc) to log in to the Stelnet server.
Verifying the configuration
Verify that you can use the correct username (client001) and password (aabbcc) to access the Stelnet server's CLI, with a user privilege level of 3.
Configuration files
#
local-user client001
password cipher $c$3$o71Exx1XIKs9gJoxqSodHGl1uT9rlZEd4w==
authorization-attribute level 3
service-type ssh
#
interface Vlan-interface1
ip address 192.168.1.40 255.255.255.0
#
ssh server enable
ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 15
authentication-mode scheme
protocol inbound ssh
#
Example: Configuring the switch as an Stelnet server using publickey authentication
Network requirements
As shown in Figure 2, you can log in to the switch through the Stelnet client that runs on the host. After login, you can use all commands and perform secure data exchange. The switch uses publickey authentication and the RSA public key algorithm. The login username is client002. The public key of the client is imported to the server.
Requirements analysis
For successful authentication, configure the client's RSA host public key on the server, and specify the paired RSA host private key for the SSH user on the client.
After login, an SSH user using publickey authentication can use the commands based on the command privilege level configured for the user interface. To enable an SSH user to use all commands after login, you must set the user command privilege level to 3 (manage level). By default, the user command privilege level is 0 (visit level).
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an Stelnet server using publickey authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To enable an Stelnet server to authenticate clients by using publickey authentication, you must create SSH users on the server.
· To support Stelnet clients that use different types of key pairs, generate both DSA and RSA key pairs on the Stelnet server.
Configuration procedures
1. Configure the Stelnet server:
# Generate RSA and DSA key pairs, and enable the SSH server function.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Assign an IP address to VLAN-interface 1. The Stelnet client uses this IP address as the destination for SSH connection.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] undo shutdown
[Switch-Vlan-interface1] ip address 192.168.1.40 255.255.255.0
[Switch-Vlan-interface1] quit
# Set the authentication mode for the user interface to AAA (scheme).
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
# Configure the user interface to support SSH login.
[Switch-ui-vty0-15] protocol inbound ssh
# Set the user privilege level to 3.
[Switch-ui-vty0-15] user privilege level 3
[Switch-ui-vty0-15] quit
IMPORTANT: Before performing the following tasks, you must use the client software to generate an RSA key pair on the client, save the public key to file key.pub, and then upload the file to the Stelnet server through FTP or TFTP. For more information, see step 2 "Configure the SSH client."
# Import the client's public key from file key.pub, and name the public key Switch001.
[Switch] public-key peer Switch001 import sshkey key.pub
# Specify the authentication type for user client002 as publickey, and assign the public key Switch001 to the user.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
2. Configure the SSH client:
a. Run PuTTYGen.exe, select SSH-2 RSA, and click Generate.
Figure 3 Generating a key pair on the client
b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 4. Otherwise, the progress bar stops moving and the key pair generating process stops.
c. After the key pair is generated, click Save public key and specify the file name as key.pub to save the public key.
Figure 5 Saving a key pair on the client
d. Click Save private key to save the private key.
A confirmation dialog box appears.
e. Click Yes and enter the name of the file for saving the key (private).
f. Transmit the saved public key file to the server through FTP or TFTP.
3. After the configurations on the server and the client are complete, establish a connection between the Stelnet client and the Stelnet server:
a. Launch PuTTY.exe to enter the interface shown in Figure 6.
b. In the Host Name (or IP address) text box, enter the IP address 192.168.1.40 of the Stelnet server.
Figure 6 Specifying the host name (or IP address)
c. Select Connection > SSH/Auth from the navigation tree.
The window shown in Figure 7 appears.
d. Click Browse… to bring up the file selection window, navigate to the private key file, and click OK.
Figure 7 Specifying the private key file
e. Click Open.
f. Enter the username (client002) to log in to the Stelnet server.
Verifying the configuration
Verify that you can use the username (client002) to access the Stelnet server's CLI.
Configuration files
#
interface Vlan-interface1
ip address 192.168.1.40 255.255.255.0
#
ssh server enable
ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
Example: Configuring the switch as an Stelnet client for password authentication
Network requirements
As shown in Figure 8, you can log in to Switch B through the Stelnet client that runs on Switch A. After login, you can use all commands and perform secure data exchange. Switch B uses local password authentication. The username (client001) and password (aabbcc) are saved on Switch B.
To enhance system security, configure Switch A to not support first-time authentication.
Requirements analysis
To perform local authentication, you must create a local user account and configure a password for the user on the server. For password authentication, you do not need to create an SSH user.
After login, an SSH user using local password authentication can use commands based on the command privilege level of the local user. To enable an SSH user to use all commands after login, you must set the user command privilege level to 3 (manage level). By default, the command privilege level of a local user is 0 (visit level).
Because Switch A does not support first-time authentication, you must configure the host public key of Switch B on Switch A, and specify the public key name.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an Stelnet client for password authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To ensure correct SSH version negotiation and algorithm negotiation, generate both RSA and DSA key pairs on the server.
Configuration procedures
1. Configure the Stelnet server:
For information about how to configure an Stelnet server using password authentication, see "Example: Configuring the switch as an Stelnet server using password authentication."
2. Configure the Stelnet client:
# Create VLAN interface 1 and assign an IP address to it.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Disable first-time authentication.
[SwitchA] undo ssh client first-time
# Configure the host public key of the Stelnet server. You can get the server's host public key by using the display public-key local dsa public command on the server.
[SwitchA]public-key peer key1
Public key view: return to System View with "peer-public-key end".
[SwitchA-pkey-public-key]public-key-code begin
Public key code view: return to last view with "public-key-code end".
[SwitchA-pkey-key-code]308201B73082012C06072A8648CE3804013082011F02818100D757262C458
4C44C211F18BD96E5F061C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65B
[SwitchA-pkey-key-code]E6C265854889DC1EDBD13EC8B274DA9F75BA26CCB987723602787E922BA84
421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76EEBC1D128D97F0678D7722B53
[SwitchA-pkey-key-code]41C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C737EC
8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517
[SwitchA-pkey-key-code]AD9594184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959
EC6499625BC4FA5082E22C5B374E16DD00132CE71B020217091AC717B612391C76C1FB2
[SwitchA-pkey-key-code]E88317C1BD8171D41ECB83E210C03CC9B32E810561C21621C73D6DAAC028F
4B1585DA7F42519718CC9B09EEF038184000281804F123E6FB60EAAD74E169155138806
[SwitchA-pkey-key-code]388DFE92F205416AF7071A1BCD07DBEE2F84FEDC92FFFBF24051DB613B125
B001C2C52D3EA3082FECA02135BE9CBE9F383389FC92B472B08621ED85654FB5A11187F
[SwitchA-pkey-key-code]5E384A2E6BE82EFDCF089CCA8632229E4EF50F22206EF5BED7EBD2784C6FB
3A036DB68CB84FCAFACB75A3A3845FAB7
[SwitchA-pkey-key-code]public-key-code end
[SwitchA-pkey-public-key]peer-public-key end
# Specify the host public key for the SSH server 10.165.87.136 as key1.
[SwitchA] ssh client authentication server 10.165.87.136 assign publickey key1
[SwitchA] quit
# Establish an SSH connection to the server 10.165.87.136.
<SwitchA> ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136
Press CTRL+K to abort
Connected to 10.165.87.136...
Enter password:
Verifying the configuration
# Execute the following command on Switch A:
<SwitchA> ssh2 10.165.87.136
After you enter the correct username (client001) and password (aabbcc), you can log in to Switch B successfully.
Configuration files
· Switch A:
#
vlan 1
#
interface Vlan-interface1
ip address 10.165.87.137 255.255.255.0
#
· Switch B:
#
vlan 1
#
local-user client001
password cipher $c$3$o71Exx1XIKs9gJoxqSodHGl1uT9rlZEd4w==
authorization-attribute level 3
service-type ssh
#
interface Vlan-interface1
ip address 10.165.87.136 255.255.255.0
#
ssh server enable
ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 15
authentication-mode scheme
protocol inbound ssh
#
Example: Configuring the switch as an Stelnet client for publickey authentication
Network requirements
As shown in Figure 9, you can log in to Switch B through the Stelnet client that runs on Switch A. After login, you can use all commands and perform secure data exchange. Switch B uses publickey authentication and the RSA public key algorithm. The login username is client002. The public key of the client is imported to the server.
Requirements analysis
For successful authentication, configure the client's RSA host public key on the server, and specify the paired RSA host private key for the SSH user on the client. To specify the RSA host private key, use the identity-key rsa keyword in the ssh2 command.
After login, an SSH user using publickey authentication can use commands based on the command privilege level configured for the user interface. To enable an SSH user to use all commands after login, you must set the user command privilege level to 3 (manage level). By default, the user command privilege level is 0 (visit level).
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an Stelnet client for publickey authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To enable an Stelnet server to authenticate clients by using publickey authentication, you must create SSH users on the server.
· To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.
Configuration procedures
1. Configure the Stelnet server:
For information about how to configure an Stelnet server using publickey authentication, see "Example: Configuring the switch as an Stelnet server using publickey authentication."
2. Configure the Stelnet client:
# Assign an IP address to VLAN interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair.
[SwitchA] public-key local create rsa
# Export the RSA public key to file key.pub.
[SwitchA] public-key local export rsa ssh2 key.pub
[SwitchA] quit
# Transmit the saved public key file to the server through FTP or TFTP.
3. After the configurations on the server and the client are complete, establish a connection between the Stelnet client and the Stelnet server:
<SwitchA> ssh2 10.165.87.136 identity-key rsa
Username: client002
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Verifying the configuration
# Execute the following command on Switch A:
<SwitchA> ssh2 10.165.87.136 identity-key rsa
After you enter the correct username (client002), you can log in to Switch B successfully.
Configuration files
· Switch A:
#
vlan 1
#
interface Vlan-interface1
ip address 10.165.87.137 255.255.255.0
#
· Switch B:
#
interface Vlan-interface1
ip address 10.165.87.136 255.255.255.0
#
ssh server enable
ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
Example: Configuring the switch as an SFTP server using password authentication
Network requirements
As shown in Figure 10, you can log in to the switch through the SFTP client that runs on the host. After login, you can use all commands and execute file management and transfer operations. The switch uses local password authentication. The username (client002) and password (aabbcc) of the client are saved on the switch.
Requirements analysis
To perform local authentication, you must create a local user account and configure a password for the user on the SFTP server. For password authentication, you do not need to create an SSH user.
After login, an SSH user using local password authentication can use commands based on the command privilege level of the local user. To enable an SSH user to use all commands after login, you must set the user command privilege level to 3 (manage level). By default, the command privilege level of a local user is 0 (visit level).
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an SFTP server using password authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To ensure correct SSH version negotiation and algorithm negotiation, generate both RSA and DSA key pairs on the server.
Configuration procedures
1. Configure the SFTP server:
# Generate RSA and DSA key pairs, and enable the SSH server function.
<Switch> system-view
[Switch] public-key local create rsa
[Switch] public-key local create dsa
[Switch] ssh server enable
# Enable the SFTP server function.
[Switch] sftp server enable
# Assign an IP address to VLAN interface 1. The client uses the IP address as the destination for SSH connection.
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] undo shutdown
[Switch-Vlan-interface1] ip address 192.168.1.45 255.255.255.0
[Switch-Vlan-interface1] quit
# Set the authentication mode for the user interfaces to AAA (scheme).
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
# Create a local user named client002, set the password, and specify the service type and privilege level.
[Switch] local-user client002
[Switch-luser-client002] password simple aabbcc
[Switch-luser-client002] service-type ssh
[Switch-luser-client002] authorization-attribute level 3
[Switch-luser-client002] quit
2. Configure the SFTP client:
The following steps use the PSFTP of PuTTY version 0.58 as an example.
To configure the SFTP client:
a. Launch PSFTP.exe to enter the interface shown in Figure 11, and enter the following command:
open 192.168.1.45
b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server.
Figure 11 SFTP client interface
Verifying the configuration
# Launch PSFTP.exe and execute the following command:
open 192.168.1.45
After you enter the correct username (client002) and password (aabbcc), you can log in to the SFTP server and perform PSFTP operations.
Configuration files
The client has no configuration files. The following displays the configuration files on the server:
#
local-user client002
password cipher $c$3$o71Exx1XIKs9gJoxqSodHGl1uT9rlZEd4w==
authorization-attribute level 3
service-type ssh
#
interface Vlan-interface1
ip address 192.168.1.45 255.255.255.0
#
ssh server enable
sftp server enable
ssh user client002 service-type sftp authentication-type password
#
user-interface vty 0 15
authentication-mode scheme
protocol inbound ssh
#
Example: Configuring the switch as an SFTP client for publickey authentication
Network requirements
As shown in Figure 12, you can log in to Switch B through the SFTP client that runs on Switch A. After login, you can use all commands and execute file management and transfer operations. Switch B uses publickey authentication and the RSA public key algorithm. The login username is client002. The public key of the client is imported to the server.
Requirements analysis
For successful authentication, configure the client's RSA host public key on the server, and specify the paired RSA host private key for the SSH user on the client. To specify the RSA host private key, use the identity-key rsa keyword in the sftp command.
Software version used
The configuration examples were created and verified on S12500-CMW520-R1825P01.
Configuration restrictions and guidelines
When you configure the switch as an SFTP client for publickey authentication, follow these restrictions and guidelines:
· The authentication mode for SSH user interface must be AAA (scheme).
· To enable an SFTP server to authenticate clients by using publickey authentication, you must create SSH users on the server.
· To support SFTP clients that use different types of key pairs, generate both DSA and RSA key pairs on the SFTP server.
· For publickey authentication in SFTP applications, the command privilege level of an SSH user is fixed to 3 (manage level).
Configuration procedures
1. Configure the SFTP server:
# Generate RSA and DSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
[SwitchB] public-key local create dsa
# Enable the SSH server function.
[SwitchB] ssh server enable
# Enable the SFTP server function.
[SwitchB] sftp server enable
# Assign an IP address to VLAN-interface 1. The SSH client uses this IP address as the destination for SSH connection.
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] undo shutdown
[SwitchB-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Set the authentication mode for the user interface to AAA (scheme).
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
# Configure the user interface to support SSH login.
[SwitchB-ui-vty0-15] protocol inbound ssh
[SwitchB-ui-vty0-15] quit
IMPORTANT: Before performing the following tasks, you must generate an RSA key pair on the client, save the public key to file pubkey, and then upload the file to the SFTP server through FTP or TFTP. For more information, see step 2 "Configure the SFTP client."
# Import the client's public key from file pubkey, and name the public key Switch001.
[SwitchB] public-key peer Switch001 import sshkey pubkey
# Specify the service type as SFTP and authentication type as publickey for user client002, assign the public key Switch001 to the user, and specify the working folder as cfa0:/.
[SwitchB] ssh user client002 service-type sftp authentication-type publickey assign publickey Switch001 work-directory cfa0:/
2. Configure the SFTP client:
# Assign an IP address to VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] undo shutdown
[SwitchA-Vlan-interface1] ip address 192.168.0.2 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate an RSA key pair.
[SwitchA] public-key local create rsa
# Export the host public key to file pubkey.
[SwitchA] public-key local export rsa ssh2 pubkey
[SwitchA] quit
# Transmit the saved public key file to the server through FTP or TFTP.
# Establish a connection to the remote SFTP server and enter SFTP client view.
<SwitchA> sftp 192.168.0.1 identity-key rsa
Input Username: client002
Trying 192.168.0.1 ...
Press CTRL+K to abort
Connected to 192.168.0.1 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp-client>
# Display files under the current directory of the server, delete the file named z, and verify that the file has been deleted successfully.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z
sftp-client> delete z
The following File will be deleted:
/z
Are you sure to delete it? [Y/N]:y
This operation may take a long time.Please wait...
File successfully Removed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
# Add a directory named new1 and verify that it has been created successfully.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1
# Rename directory new1 to new2 and verify that the directory has been renamed successfully.
sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
# Download the file pubkey2 from the server and change the name to public.
sftp-client> get pubkey2 public
Remote file:/pubkey2 ---> Local file: public
Downloading file successfully ended
# Upload the local file pu to the server, save it as puk, and verify that the file has been uploaded successfully.
sftp-client> put pu puk
Local file:pu ---> Remote file: /puk
Uploading file successfully ended
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey
drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new
drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub
-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk
sftp-client>
# Terminate the SSH connection.
sftp-client> quit
Bye
Connection closed.
<SwitchA>
Verifying the configuration
# Execute the following command on Switch A:
<SwitchA> sftp 192.168.0.1 identity-key rsa
After you enter the correct username (client002), you can log in to the SFTP server and perform operations, such as file management and file transfer.
Configuration files
· Switch A:
#
vlan 1
#
interface Vlan-interface1
ip address 192.168.0.2 255.255.255.0
#
· Switch B:
#
interface Vlan-interface1
ip address 192.168.0.1 255.255.255.0
#
ssh server enable
sftp server enable
ssh user client002 service-type sftp authentication-type publickey assign publickey Switch001 work-directory cfa0:/
#
user-interface vty 0 15
authentication-mode scheme
protocol inbound ssh
#
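The restrictions and privilege-level rules stated in the examples above can be checked against a saved configuration. The following is an added example, not H3C code: it assumes the '#'-delimited layout shown under "Configuration files", and the sample file, its placeholder password, and the names client003 and Switch002 are constructed for illustration.

```python
import re

SSH_USER = re.compile(r"ssh user (\S+) service-type (\S+) authentication-type (\S+)")

# Constructed sample in the '#'-delimited layout used on this page. The
# password, client003 and Switch002 are invented for the example.
DRIFTED_CONFIG = """\
#
local-user client001
password simple EXAMPLE-PASSWORD
authorization-attribute level 1
service-type ssh
#
ssh server enable
ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
ssh user client003 service-type sftp authentication-type publickey assign publickey Switch002
#
user-interface vty 0 15
authentication-mode password
user privilege level 3
#
"""

def parse(config):
    """Collect the SSH-related settings from a '#'-delimited configuration file."""
    st = {"ssh": False, "sftp": False, "local": {}, "ssh_users": {}, "vty": []}
    ctx = None                                    # view the current line belongs to
    for line in (l.strip() for l in config.splitlines()):
        words = line.split()
        if not words:
            continue
        if line == "#":                           # '#' closes the previous view
            ctx = None
        elif words[0] == "local-user":
            ctx = st["local"].setdefault(words[1], {"level": 0, "ssh": False, "simple": False})
        elif line.startswith("user-interface vty"):
            ctx = {"name": line, "auth": None, "inbound": None, "level": 0}
            st["vty"].append(ctx)
        elif words[0] == "interface":
            ctx = {}                              # interface views are ignored here
        elif ctx is None:                         # system-view commands
            m = SSH_USER.match(line)
            if line == "ssh server enable":
                st["ssh"] = True
            elif line == "sftp server enable":
                st["sftp"] = True
            elif m:
                st["ssh_users"][m.group(1)] = {"service": m.group(2), "auth": m.group(3)}
        elif "simple" in ctx:                     # local-user view
            if words[:2] == ["password", "simple"]:
                ctx["simple"] = True
            elif words[0] == "service-type":
                ctx["ssh"] = ctx["ssh"] or "ssh" in words[1:]
            elif words[:2] == ["authorization-attribute", "level"]:
                ctx["level"] = int(words[2])
        elif "auth" in ctx:                       # VTY user-interface view
            if words[0] == "authentication-mode":
                ctx["auth"] = words[1]
            elif words[:2] == ["protocol", "inbound"]:
                ctx["inbound"] = words[2]
            elif words[:3] == ["user", "privilege", "level"]:
                ctx["level"] = int(words[3])
    return st

def audit(config):
    """Return (effective command level per SSH account, list of findings)."""
    st, findings, levels = parse(config), [], {}
    if not st["ssh"]:
        findings.append("SSH server is not enabled")
    for v in st["vty"]:
        if v["auth"] != "scheme":
            findings.append(f"{v['name']}: authentication-mode is not scheme")
        if v["inbound"] != "ssh":
            findings.append(f"{v['name']}: protocol inbound is not limited to ssh")
    for name, u in st["local"].items():
        if u["simple"]:
            findings.append(f"local-user {name}: 'password simple' leaves the plaintext in the file")
    # Worst case across VTY blocks, because a session may land on any of them.
    vty_level = max((v["level"] for v in st["vty"]), default=0)
    accounts = set(st["ssh_users"]) | {n for n, u in st["local"].items() if u["ssh"]}
    for name in sorted(accounts):
        # Password authentication needs no 'ssh user' entry, only the local user.
        su = st["ssh_users"].get(name, {"service": None, "auth": "password"})
        if su["service"] == "sftp" and not st["sftp"]:
            findings.append(f"ssh user {name}: service-type sftp but SFTP server is not enabled")
        if su["auth"] == "password":              # level comes from the local user
            local = st["local"].get(name)
            levels[name] = local["level"] if local else None
        elif su["auth"] == "publickey":           # SFTP: fixed at 3; Stelnet: VTY level
            levels[name] = 3 if su["service"] == "sftp" else vty_level
        else:
            levels[name] = None                   # authentication types not covered here
    return levels, findings

if __name__ == "__main__":
    lv, issues = audit(DRIFTED_CONFIG)
    print(lv)
    print("\n".join(issues))
```

In the sample, client001 is limited to level 1 by its local-user entry, while client002 receives level 3 from the VTY setting even though no local user grants it.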
Related documentation
· H3C S12500 Routing Switch Series Security Configuration Guide
· H3C S12500 Routing Switch Series Security Command Reference