Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network. Adopting the typical client/server model, SSH can establish a channel to protect data transfer based on TCP. SSH includes two versions: SSH1 and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security. The device can work as an SSH server to provide services to SSH clients, and can work as an SSH client to allow users to establish SSH connections with a remote SSH server. When acting as an SSH server, the device supports SSH2 and SSH1. When acting as an SSH client, the device supports SSH2 only.

The device supports the following SSH applications:

· Secure Telnet (Stelnet)—Provides secure and reliable network terminal access services. Through Stelnet, a user can log in to a remote server securely. Stelnet can protect devices against attacks such as IP spoofing and plain text password interception. The device can act as both the Stelnet server and Stelnet client.

· Secure FTP (SFTP)—Based on SSH, SFTP uses the SSH connection to provide secure file transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

· SCP—Based on SSH2, SCP offers a secure method to copying files. The device can act as the SCP server, allowing a user to log in to the device for file upload and download. The device can also act as an SCP client, enabling a user to log in from the device to a remote server for secure file transfer.

For more information about FIPS mode, see "Configuring FIPS."

SSH operation

This section uses SSH2 as an example.

To establish an SSH connection and communicate with each other through the connection, an SSH client and an SSH server go through the stages that Table 1 lists. For more information about these stages, see SSH Technology White Paper.

Table 1 Stages involved in secure session establishment

Stages	Description
Connection establishment	The SSH server listens to the connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.
Version negotiation	The two parties determine a version to use after negotiation.
Algorithm negotiation	SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.
Key exchange	The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection.
Authentication	The SSH server authenticates the client in response to the client's authentication request.
Session request	After passing authentication, the client sends a session request to the server to request the establishment of a session (Stelnet or SFTP).
Interaction	After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly. To execute more than 2000 bytes of command text, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.

SSH authentication

When the device acts as an SSH server, it supports the following authentication methods:

· Password authentication—The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to get the username and password in plain text, checks the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.

If the remote AAA server requires the user for a secondary password authentication, it sends the SSH server an authentication response with a prompt. The prompt is transparently transmitted to the client, and displayed on the client to notify the user to enter a specified password. After the user enters the correct password and passes validity check by the remote AAA server, the device returns an authentication success message to the client.

NOTE:

Only clients running SSH2 or a later version support secondary password authentication that is initiated by the AAA server.

· Publickey authentication—The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and public key algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server informs the client of the authentication result. The device supports using the public key algorithms RSA and DSA for digital signature.

· Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if the client runs SSH1, it only needs to pass either authentication.

· Any authentication—The server requires the client to pass either of password authentication or publickey authentication.

SSH support for MPLS L3VPN

With this function, you can configure the device as an SSH client to establish connections with SSH servers in different MPLS L3VPNs.

As shown in Figure 1, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the services of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log file.

Figure 1 Network diagram

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Configuring the device as an SSH server

You can configure the device as an Stelnet server, SFTP server or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless otherwise specified.

SSH server configuration task list

Task	Remarks
Generating local DSA or RSA key pairs	Required.
Enabling the SSH server function	Required for Stelnet, SFTP, and SCP servers.
Enabling the SFTP server function	Required.
Configuring the user interfaces for SSH clients	Required for SFTP server.
Configuring a client's host public key	Required for publickey authentication users.
Configuring an SSH user	Required for publickey authentication users and optional for password authentication users.
Setting the SSH management parameters	Optional.

Generating local DSA or RSA key pairs

DSA or RSA key pairs are required for generating the session key and session ID in the key and algorithm negotiation stage, and can also be used by a client to authenticate the server. When a client tries to communicate with a server, it compares the public key that it receives from the server with the server public key that it saved locally. If the keys are consistent, the client uses the public key to authenticate the digital signature that receives from the server. If the digital signatures are consistent, the authentication succeeds.

Configuration guidelines

· To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.

· SSH1 does not support the DSA algorithm.

· The public-key local create rsa command generates a server key pair and a host key pair for RSA. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2 uses the DH algorithm to generate the session keys both on the SSH server and client, no session key transmission is required in SSH2 and the server key pair is not used.

· The public-key local create dsa command generates only the host key pair.

Configuration procedure

To generate local DSA or RSA key pairs on the SSH server:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Generate DSA or RSA key pairs.	public-key local create { dsa \| rsa }	Neither DSA nor RSA key pairs existing by default.

Enabling the SSH server function

The SSH server function on the device allows clients to communicate with the device through SSH.

When the device acts as an SCP server, only one SCP user is allowed to access to the SCP server at one time.

To enable the SSH server function:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the SSH server function.	ssh server enable	Disabled by default.

Enabling the SFTP server function

This SFTP server function enables clients to log in to the SFTP server through SFTP.

To enable the SFTP server function:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the SFTP server function.	sftp server enable	Disabled by default.

NOTE:

When the device functions as the SFTP server, only one client can access the SFTP server at a time.

Configuring the user interfaces for SSH clients

An SSH client accesses the device through a VTY user interface. You must configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only on the clients that try to log in after the configuration.

IMPORTANT:

Before you configure a user interface to support SSH, you must configure its authentication mode to scheme. Otherwise, the protocol inbound command fails.

To configure the user interfaces for SSH clients:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VTY user interface view.	user-interface vty number [ ending-number ]	N/A
3. Set the login authentication mode to scheme.	authentication-mode scheme	By default, the authentication mode is password. For more information about this command, see Fundamentals Command Reference.
4. Configure the user interface to support SSH login.	protocol inbound { all \| ssh }	Optional. By default, Telnet and SSH are supported. For more information about this command, see Fundamentals Command Reference.

Configuring a client's host public key

This configuration task is only necessary for SSH clients for passing publickey authentication.

If the server uses publickey authentication to authentication a client, it compares the SSH username and host public key that it receives from the client with those saved locally. If the information is consistent, it checks the digital signature that the client sends. The digital signature is calculated by the client according to the private key that corresponds to the host public key.

You must configure the client's DSA or RSA host public key on the server, and specify the corresponding host private key on the client to generate the digital signature, so that the client can pass publickey authentication with correct digital signature. If the device serves as a client, corresponding host private key is specified by the specified public key algorithm.

Configuration guidelines

You can manually configure the public key of an SSH client on the server, or import it from the public key file:

· Configure it manually—You can type or copy the client's host public key from the client to the SSH server. The host public key must be in the DER encoding format, which has not been converted.

Manually configured client host public keys must be in the specified format. If you use the device to act as the client, you can use the display public-key local public command to view the host public key and copy its contents to the server. A host public key obtained in other ways might be in incorrect format and cannot be saved on the server. H3C recommends that you import a client's host public key from the public key file of the client.

· Import it from the public key file—You can upload the client's public key file (in binary) to the server, for example, through FTP or TFTP, and import the host public key from the public key file. During the import process, the server automatically converts the public key in the public key file to a string in PKCS format.

You can configure up to twenty SSH client public keys on an SSH server.

For more information about client public key configuration, see "Managing public keys."

Configuration procedure

To configure a client's host public key manually:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter public key view.	public-key peer keyname	N/A
3. Enter public key code view.	public-key-code begin	N/A
4. Configure a client's host public key.	Enter the content of the host public key	Spaces and carriage returns are allowed between characters.
5. Return to public key view and save the configured host public key.	public-key-code end	When you exit public key code view, the system automatically saves the public key.
6. Return to system view.	peer-public-key end	N/A

To import a client's host public key from a public key file:

Step	Command
1. Enter system view.	system-view
2. Import a client's public key from a public key file.	public-key peer keyname import sshkey filename

Configuring an SSH user

If the authentication method is publickey, you must perform the procedure in this section.

If the authentication method is password-publickey or any, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. For more information about the local-user command, see Security Command Reference.

If the authentication method is password, you do not need to perform the procedure in this section to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management.

Configuration guidelines

When you configure an SSH user, follow these guidelines:

· You can set the service type to Stelnet or SFTP. For more information about Stelnet and SFTP, see "Overview."

· You can enable one of the following authentication modes for the SSH user:

¡ Password—The user must pass password authentication.

¡ Publickey authentication—The user must pass publickey authentication.

¡ Password-publickey authentication—As an SSH2 user, the user must pass both password and publickey authentication. As an SSH1 user, the user must pass either password or publickey authentication.

¡ Any—The user can use either password authentication or publickey authentication.

· All authentication methods, except password authentication, require a client's host public key or digital certificate to be specified.

¡ If a client directly sends the user's public key information to the server, the server must specify the client's public key and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."

¡ If a client sends the user's public key information to the server through a digital certificate, the server must specify the PKI domain for verifying the client certificate. For more information about configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass the authentication, the specified PKI domain must have the proper CA certificate.

· If the authentication method is publickey or password-publickey, the command level accessible to the user is set by the user privilege level command on the user interface. If the authentication method is password, the command level accessible to the user is authorized by AAA.

· SSH1 does not support SFTP or SCP. An SSH1 client cannot connect to the server through SFTP or SCP.

· For an SFTP user, the working folder depends on the authentication method:

¡ If the authentication method is password, the working folder is authorized by AAA.

¡ If the authentication method is publickey or password-publickey, the working folder is set by using the ssh user command.

If you change the authentication mode or public key for an SSH user that has been logged in, the change can take effect only at the next login of the user.

Configuration procedure

To configure an SSH user and specify the service type and authentication method:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an SSH user, and specify the service type and authentication method.	· Create an SSH user, and specify the service type and authentication method for Stelnet users: ssh user username service-type stelnet authentication-type { password \| { any \| password-publickey \| publickey } assign publickey keyname } · Create an SSH user, and specify the service type and authentication method for all users, SCP or SFTP users: ssh user username service-type { all \| scp\| sftp } authentication-type { password \| { any \| password-publickey \| publickey } assign publickey keyname work-directory directory-name }	Use either command. The any and publickey keywords are not available in FIPS mode.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Create an SSH user, and specify the service type and authentication method.

· Create an SSH user, and specify the service type and authentication method for Stelnet users:
ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

· Create an SSH user, and specify the service type and authentication method for all users, SCP or SFTP users:
ssh user username service-type { all | scp| sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }

Use either command.

The any and publickey keywords are not available in FIPS mode.

Setting the SSH management parameters

Setting the SSH management parameters can improve the security of SSH connections.

The SSH management parameters include:

· Whether the SSH server is compatible with SSH1 client.

· RSA server key pair update interval, applicable to users using SSH1 clients.

· SSH user authentication timeout period. You can set this parameter to reject a connection if the authentication for the connection has not been finished before the timeout period expires.

· Maximum number of SSH authentication attempts. You can set this parameter to prevent malicious password cracking.

· SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.

To set the SSH management parameters:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the SSH server to support SSH1 clients.	ssh server compatible-ssh1x enable	Optional. By default, the SSH server supports SSH1 clients.
3. Set the RSA server key pair update interval.	ssh server rekey-interval hours	Optional. 0 by default. That is, the RSA server key pair is not updated.
4. Set the SSH user authentication timeout period.	ssh server authentication-timeout time-out-value	Optional. 60 seconds by default.
5. Set the maximum number of SSH authentication attempts.	ssh server authentication-retries times	Optional. 3 by default.
6. Configure the SFTP connection idle timeout period.	sftp server idle-timeout time-out-value	Optional. 10 minutes by default.

NOTE:

Authentication fails if the total number of authentication attempts (including both publickey and password authentication attempts) exceeds the upper limit configured by the ssh server authentication-retries command.

Configuring the device as an Stelnet client

Stelnet client configuration task list

Task	Remarks
Specifying a source IP address or source interface for the Stelnet client	Optional.
Enabling and disabling first-time authentication	Optional.
Establishing a connection to an Stelnet server	Required.

Specifying a source IP address or source interface for the Stelnet client

By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server. You can specify a source IP address or source interface for the client to communicate with the server. To make sure that the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.

To specify a source IP address or source interface for the Stelnet client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify a source IP address or source interface for the Stelnet client.	· Specify a source IPv4 address or source interface for the Stelnet client: ssh client source { interface interface-type interface-number \| ip ip-address } · Specify a source IPv6 address or source interface for the Stelnet client: ssh client ipv6 source { interface interface-type interface-number \| ipv6 ipv6-address }	Select either command. By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Specify a source IP address or source interface for the Stelnet client.

· Specify a source IPv4 address or source interface for the Stelnet client:
ssh client source { interface interface-type interface-number | ip ip-address }

· Specify a source IPv6 address or source interface for the Stelnet client:
ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

Select either command.

By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server when communicating with the Stelnet server.

Enabling and disabling first-time authentication

When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.

· If first-time authentication is not supported, a client not configured with the server host public key refuses to access the server. To enable the client to access the server, you must configure the server host public key locally and specify the public key name for authentication on the client in advance.

· If first-time authentication is supported, when a client not configured with the server host public key accesses the server for the first time, the user can continue accessing the server, and save the host public key on the client. When accessing the server again, the client will use the saved server host public key to authenticate the server. In a secure network, first-time authentication can simplify client configuration, but it is not reliable.

Enabling first-time authentication

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable first-time authentication.	ssh client first-time enable	Optional. Enabled by default.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable first-time authentication.

ssh client first-time enable

Optional.

Enabled by default.

Disabling first-time authentication

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Disable first-time authentication.	undo ssh client first-time	Enabled by default.
3. Configure the server host public key.	See "Configuring a client's host public key"	The method for configuring the server host public key on the client is similar to that for configuring client public key on the server.
4. Specify the host public key name of the server.	ssh client authentication server server assign publickey keyname	N/A

Establishing a connection to an Stelnet server

You can start the Stelnet client to establish a connect to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.

To establish a connection to an Stelnet server:

Task	Command	Remarks
Establish a connection to an IP server	· Establish a connection to an IPv4 server: ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] * · Establish a connection to an IPv6 server: ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] *	Use either command in user view. Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode. Only the algorithm aes256 is available in FIPS mode.

Task

Command

Remarks

Establish a connection to an IP server

· Establish a connection to an IPv4 server:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

· Establish a connection to an IPv6 server:
ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

Use either command in user view.

Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode.

Only the algorithm aes256 is available in FIPS mode.

Configuring the device as an SFTP client

SFTP client configuration task list

Task	Remarks
Specifying a source IP address or source interface for the SFTP client	Optional.
Enabling and disabling first-time authentication	Optional.
Establishing a connection to an SFTP server	Required.
Working with SFTP directories	Optional.
Working with SFTP files	Optional.
Displaying help information	Optional.
Terminating the connection with the SFTP server	Optional.

Specifying a source IP address or source interface for the SFTP client

By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server when communicating with the SFTP server. You can specify a source IP address or source interface for the client to communicate with the server. To make sure that the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.

To specify a source IP address or interface for the SFTP client:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify a source IP address or interface for the SFTP client.	· Specify a source IPv4 address or interface for the SFTP client: sftp client source { ip ip-address \| interface interface-type interface-number } · Specify a source IPv6 address or interface for the SFTP client: sftp client ipv6 source { ipv6 ipv6-address \| interface interface-type interface-number }	Use either command. By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server when communicating with the SFTP server.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Specify a source IP address or interface for the SFTP client.

· Specify a source IPv4 address or interface for the SFTP client:
sftp client source { ip ip-address | interface interface-type interface-number }

· Specify a source IPv6 address or interface for the SFTP client:
sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

Use either command.

By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server when communicating with the SFTP server.

Establishing a connection to an SFTP server

You can start the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm. After the connection is established, you can directly enter SFTP client view on the server to perform operations, such as working with directories or files.

To establish a connection to an SFTP server:

Task	Command	Remarks
Establish a connection to an SFTP server and enter SFTP client view	· Establish a connection to an IPv4 SFTP server and enter SFTP client view: sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] * · Establish a connection to an IPv6 SFTP server and enter SFTP client view: sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] *	Use either command in user view. Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode. Only the algorithm aes256 is available in FIPS mode.

Task

Command

Remarks

Establish a connection to an SFTP server and enter SFTP client view

· Establish a connection to an IPv4 SFTP server and enter SFTP client view:
sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

· Establish a connection to an IPv6 SFTP server and enter SFTP client view:
sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

Use either command in user view.

Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode.

Only the algorithm aes256 is available in FIPS mode.

Working with SFTP directories

Step	Command	Remarks
1. Enter SFTP client view.	For more information, see "Establishing a connection to an SFTP server."	N/A
2. Change the working directory on the SFTP server.	cd [ remote-path ]	Optional.
3. Return to the upper-level directory.	cdup	Optional.
4. Display the current working directory on the SFTP server.	pwd	Optional.
5. Display files under a specified directory.	· dir [ -a \| -l ] [ remote-path ] · ls [ -a \| -l ] [ remote-path ]	Optional. The dir command functions as the ls command.
6. Change the name of a specified directory on the SFTP server.	rename oldname newname	Optional.
7. Create a new directory on the SFTP server.	mkdir remote-path	Optional.
8. Delete one or more directories from the SFTP server.	rmdir remote-path&<1-10>	Optional.

Working with SFTP files

Step	Command	Remarks
1. Enter SFTP client view.	For more information, see "Establishing a connection to an SFTP server."	N/A
2. Change the name of a specified file on the SFTP server.	rename old-name new-name	Optional.
3. Download a file from the remote server and save it locally.	get remote-file [ local-file ]	Optional.
4. Upload a local file to the SFTP server.	put local-file [ remote-file ]	Optional.
5. Display the files under a specified directory.	· dir [ -a \| -l ] [ remote-path ] · ls [ -a \| -l ] [ remote-path ]	Optional. The dir command functions as the ls command.
6. Delete one or more directories from the SFTP server.	· delete remote-file&<1-10> · remove remote-file&<1-10>	Optional. The delete command functions as the remove command.

Displaying help information

This configuration task displays a list of all commands or the help information of an SFTP client command, such as the command format and parameters.

To display a list of all commands or the help information of an SFTP client command:

Step	Command
1. Enter SFTP client view.	For more information, see "Establishing a connection to an SFTP server."
2. Display a list of all commands or the help information of an SFTP client command.	help [ all \| command-name ]

Terminating the connection with the SFTP server

Step	Command	Remarks
1. Enter SFTP client view.	For more information, see "Establishing a connection to an SFTP server."	N/A
2. Terminate the connection with the SFTP server and return to user view.	· bye · exit · quit	Use one of the commands. These three commands function in the same way.

Step

Command

Remarks

1. Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

N/A

2. Terminate the connection with the SFTP server and return to user view.

· bye

· exit

· quit

Use one of the commands.

These three commands function in the same way.

Configuring the device as an SCP client

SCP client configuration task list

Task	Remarks
Enabling and disabling first-time authentication	Optional.
Transferring files with an SCP server	Required.

Transferring files with an SCP server

Task	Command	Remarks
Connect to the SCP server, and transfer files with the server.	· Upload a file to the SCP server: scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] * · Download a file from the SCP server: scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key { dsa \| rsa } \| prefer-ctos-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-ctos-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } \| prefer-kex { dh-group-exchange \| dh-group1 \| dh-group14 } \| prefer-stoc-cipher { 3des \| aes128 \| aes256 \| des } \| prefer-stoc-hmac { md5 \| md5-96 \| sha1 \| sha1-96 } ] *	Use either command. Only SSH users whose user privilege level is 3 can upload files to the SCP server. Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode. Only the algorithm aes256 is available in FIPS mode.

Task

Command

Remarks

Connect to the SCP server, and transfer files with the server.

· Upload a file to the SCP server:
scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

· Download a file from the SCP server:
scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | aes256 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | aes256 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

Use either command.

Only SSH users whose user privilege level is 3 can upload files to the SCP server.

Algorithms dsa, 3des, des, md5, md5-96, dh-group-exchange, and dh-group1 are not available in FIPS mode.

Only the algorithm aes256 is available in FIPS mode.

Displaying and maintaining SSH

Task	Command	Remarks
Display the source IP address or interface configured for the SFTP client.	display sftp client source [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display the source IP address or interface information configured for the Stelnet client.	display ssh client source [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display SSH server status information or session information on an SSH server.	display ssh server { status \| session } [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display the mappings between SSH servers and their host public keys on an SSH client.	display ssh server-info [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display information about one or all SSH users on an SSH server.	display ssh user-information [ username ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display the public keys of the local key pairs.	display public-key local { dsa \| rsa } public [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.
Display the public keys of the SSH peers.	display public-key peer [ brief \| name publickey-name ] [ \| { begin \| exclude \| include } regular-expression ]	Available in any view.

Stelnet configuration examples

IMPORTANT:

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.

Password authentication enabled Stelnet server configuration example

Network requirements

As shown in Figure 2, you can log in to the switch through the Stelnet client (SSH2) that runs on the host. The switch acts as the Stelnet server and uses password authentication. The username and password of the client are saved on the switch.

Figure 2 Network diagram

Configuration procedure

1. Configure the Stelnet server:

# Generate the RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[Switch] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[Switch] ssh server enable

# Configure an IP address for VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[Switch-ui-vty0-4] protocol inbound ssh

[Switch-ui-vty0-4] quit

# Create a local user client001 with the password aabbcc and the service type ssh.

[Switch] local-user client001

[Switch-luser-client001] password simple aabbcc

[Switch-luser-client001] service-type ssh

[Switch-luser-client001] quit

# Create an SSH user client001, and specify the service type for the user as stelnet and the authentication method as password. (Optional. If an SSH user is not created, password authentication is used by default.)

[Switch] ssh user client001 service-type stelnet authentication-type password

2. Establish a connection to the Stelnet server:

The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following is an example of configuring Stelnet client using PuTTY version 0.58.

To establish a connection to the Stelnet server:

a. Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure 3.

b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server (192.168.1.40).

Figure 3 Specifying the host name (or IP address)

c. Click Open to connect to the server.

If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.

Publickey authentication enabled Stelnet server configuration example

Network requirements

As shown in Figure 4, you can log in to the switch through the Stelnet client (SSH2) that runs on the host. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.

Figure 4 Network diagram

Configuration procedure

In the server configuration, the client public key is required. Use the client software to generate the RSA key pairs on the client before configuring the Stelnet server.

The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following is an example of configuring Stelnet client using PuTTY version 0.58.

The configuration procedure is as follows:

1. Generate the RSA key pairs on the Stelnet client:

a. Run PuTTYGen.exe, select SSH-2 RSA and click Generate.

Figure 5 Generating the key pair on the client

b. Continuously move the mouse and do not place the mouse over the green progress bar shown in Figure 6. Otherwise, the progress bar stops moving and the key pair generating progress stops.

Figure 6 Generating process

c. After the key pairs are generated, click Save public key and specify the file name as key.pub to save the public key.

Figure 7 Saving the key pair on the client

d. Click Save private key to save the private key.

A confirmation dialog box appears.

e. Click Yes and enter the name of the file for saving the key (private.ppk in this case).

f. Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2. Configure the Stelnet server:

# Generate the RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[Switch] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[Switch] ssh server enable

# Configure an IP address for VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[Switch-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[Switch-ui-vty0-4] user privilege level 3

[Switch-ui-vty0-4] quit

# Import the client's public key from file key.pub and name it SwitchKey.

[Switch] public-key peer SwitchKey import sshkey key.pub

# Create an SSH user client002, and specify the authentication method for the user as publickey, and assign the public key SwitchKey to the user.

[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey

3. Specify the private key file and establish a connection to the Stelnet server:

a. Launch PuTTY.exe on the Stelnet client to enter the interface as shown in Figure 8.

b. In the Host Name (or IP address) field, enter the IP address of the Stelnet server (192.168.1.40).

Figure 8 Specifying the host name (or IP address)

c. Select Connection > SSH > Auth from the navigation tree.

d. Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk) and click OK.

Figure 9 Specifying the private key file

e. Click Open to connect to the server.

If the connection is successfully established, the system asks you to enter the username. After entering the username (client002), you can enter the CLI of the server.

Password authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 10, you can log in to Switch B through the Stelnet client that runs on Switch A. Switch B acts as the Stelnet server and uses password authentication. The username and password of Switch A are saved on Switch B.

Figure 10 Network diagram

Configuration procedure

1. Configure the Stelnet server:

# Generate the RSA key pairs.

<SwitchB> system-view

[SwitchB] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[SwitchB] ssh server enable

# Configure an IP address for VLAN-interface 2, which the Stelnet client will use as the destination address of the SSH connection.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[SwitchB-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[SwitchB-ui-vty0-4] protocol inbound ssh

[SwitchB-ui-vty0-4] quit

# Create a local user client001 with the password aabbcc and service type ssh.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh

[SwitchB-luser-client001] quit

# Create an SSH user client001, and specify the service type for the user as stelnet, and the authentication method as password. (Optional. If an SSH user is not created, password authentication is used by default.)

[SwitchB] ssh user client001 service-type stelnet authentication-type password

2. Establish a connection to the Stelnet server:

# Configure an IP address for VLAN-interface 2.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0

[SwitchA-Vlan-interface2] quit

[SwitchA] quit

# Establish a connection to the Stelnet server:

¡ If the client supports first-time authentication, you can directly establish a connection from the client to the server.

# Establish an SSH connection to server 192.168.1.40.

<SwitchA> ssh2 192.168.1.40

Username: client001

Trying 192.168.1.40 ...

Press CTRL+K to abort

Connected to 192.168.1.40 ...

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

Enter password:

After you enter the correct password, you can log in to Switch B successfully.

¡ If the client does not support first-time authentication, perform the following configurations:

# Disable first-time authentication.

[SwitchA] undo ssh client first-time

# Configure the host public key of the SSH server. In public key code view, enter the host public key of server, which is displayed by using the display public-key local dsa public command on the server.

[SwitchA] public-key peer key1

[SwitchA-pkey-public-key] public-key-code begin

[SwitchA-pkey-key-code]308201B73082012C06072A8648CE3804013082011F0281810

0D757262C4584C44C211F18BD96E5F0

[SwitchA-pkey-key-code]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE

65BE6C265854889DC1EDBD13EC8B274

[SwitchA-pkey-key-code]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B0

6FD60FE01941DDD77FE6B12893DA76E

[SwitchA-pkey-key-code]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B3

68950387811C7DA33021500C773218C

[SwitchA-pkey-key-code]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E

14EC474BAF2932E69D3B1F18517AD95

[SwitchA-pkey-key-code]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02

492B3959EC6499625BC4FA5082E22C5

[SwitchA-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E

88317C1BD8171D41ECB83E210C03CC9

[SwitchA-pkey-key-code]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC

9B09EEF0381840002818000AF995917

[SwitchA-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5D

F257523777D033BEE77FC378145F2AD

[SwitchA-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F71

01F7C62621216D5A572C379A32AC290

[SwitchA-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E

8716261214A5A3B493E866991113B2D

[SwitchA-pkey-key-code]485348

[SwitchA-pkey-key-code] public-key-code end

[SwitchA-pkey-public-key] peer-public-key end

# Specify the host public key for the Stelnet server (192.168.1.40) as key1.

[SwitchA] ssh client authentication server 192.168.1.40 assign publickey key1

[SwitchA] quit

# Establish an SSH connection to the Stelnet server 192.168.1.40.

<SwitchA> ssh2 192.168.1.40

Username: client001

Trying 192.168.1.40

Press CTRL+K to abort

Connected to 192.168.1.40...

Enter password:

After you enter the correct password, you can log in to Switch B successfully.

Publickey authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 11, you can log in to Switch B through the Stelnet client that runs on Switch A. Switch B acts as the Stelnet server and uses publickey authentication and the DSA public key algorithm.

Figure 11 Network diagram

Configuration procedure

In the server configuration, the client public key is required. Use the client software to generate a DSA key pair on the client before configuring the Stelnet server.

1. Configure the Stelnet client:

# Create VLAN-interface 2 and assign an IP address to it.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0

[SwitchA-Vlan-interface2] quit

# Generate a DSA key pair.

[SwitchA] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Export the DSA public key to file key.pub.

[SwitchA] public-key local export dsa ssh2 key.pub

[SwitchA] quit

# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2. Configure the Stelnet server:

# Generate the RSA key pairs.

<SwitchB> system-view

[SwitchB] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[SwitchB] ssh server enable

# Configure an IP address for VLAN-interface 2, which the SSH client will use as the destination for SSH connection.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[SwitchB-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[SwitchB-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[SwitchB-ui-vty0-4] user privilege level 3

[SwitchB-ui-vty0-4] quit

# Import the peer public key from the file key.pub, and name it SwitchKey.

[SwitchB] public-key peer SwitchKey import sshkey key.pub

# Create an SSH user client002, and specify the authentication method for the user as publickey, and assign the public key SwitchKey to the user.

[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey SwitchKey

3. Establish a connection to the Stelnet server:

# Establish an SSH connection to the Stelnet server (192.168.1.40).

<SwitchA> ssh2 192.168.1.40

Username: client002

Trying 192.168.1.40 ...

Press CTRL+K to abort

Connected to 192.168.1.40 ...

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

Later, you will find that you have logged in to Switch B successfully.

SFTP configuration examples

IMPORTANT:

By default, Ethernet interfaces, VLAN interfaces, and aggregate interfaces are in the state of DOWN. To configure such an interface, use the undo shutdown command to bring it up first.

Password authentication enabled SFTP server configuration example

Network requirements

As shown in Figure 12, you can log in to the switch through the SFTP client that runs on the host. The switch acts as the SFTP server and uses password authentication. The username and password of the client are saved on the switch.

Figure 12 Network diagram

Configuration procedure

1. Configure the SFTP server:

# Generate the RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[Switch] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[Switch] ssh server enable

# Enable the SFTP server.

[Switch] sftp server enable

# Configure an IP address for VLAN-interface 2, which the client will use as the destination for SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.45 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the authentication mode of the user interfaces to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[Switch-ui-vty0-4] protocol inbound ssh

[Switch-ui-vty0-4] quit

# Configure a local user named client002 with the password aabbcc and service type ssh.

[Switch] local-user client002

[Switch-luser-client002] password simple aabbcc

[Switch-luser-client002] service-type ssh

[Switch-luser-client002] quit

# Create an SSH user client002, and specify the user authentication method as password and service type as sftp.

[Switch] ssh user client002 service-type sftp authentication-type password

2. Establish a connection between the SFTP client and the SFTP server:

The device supports different types of SFTP client software. The following example uses the PSFTP of PuTTy version 0.58.

NOTE:

The PSFTP supports only password authentication.

To establish a connection to the SFTP server:

a. Run the psftp.exe to launch the client interface as shown in Figure 13, and enter the following command:

open 192.168.1.45

b. Enter username client002 and password aabbcc as prompted to log in to the SFTP server.

Figure 13 SFTP client interface

Publickey authentication enabled SFTP client configuration example

Network requirements

As shown in Figure 14, you can log in to Switch B through the SFTP client that runs on Switch A. Switch B acts as the SFTP server and uses publickey authentication and the RSA public key algorithm.

Figure 14 Network diagram

Configuration procedure

In the server configuration, the client public key is required. Use the client software to generate RSA key pairs on the client before configuring the SFTP server.

1. Configure the SFTP client:

# Create VLAN-interface 2 and assign an IP address to it.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0

[SwitchA-Vlan-interface2] quit

# Generate the RSA key pairs.

[SwitchA] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Export the host public key to file pubkey.

[SwitchA] public-key local export rsa ssh2 pubkey

[SwitchA] quit

# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2. Configure the SFTP server:

# Generate the RSA key pairs.

<SwitchB> system-view

[SwitchB] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[SwitchB] ssh server enable

# Enable the SFTP server function.

[SwitchB] sftp server enable

# Configure an IP address for VLAN-interface 2, which the SSH client uses as the destination for SSH connection.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0

[SwitchB-Vlan-interface2] quit

# Set the authentication mode on the user interfaces to AAA.

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Set the protocol that a remote user uses to log in as ssh.

[SwitchB-ui-vty0-4] protocol inbound ssh

[SwitchB-ui-vty0-4] quit

# Import the peer public key from the file pubkey, and name it SwitchKey.

[SwitchB] public-key peer SwitchKey import sshkey pubkey

# Create an SSH user client001, and specify the service type as SFTP, authentication method as publickey, public key as SwitchKey, and working folder as cfa0:/.

[SwitchB] ssh user client001 service-type sftp authentication-type publickey assign publickey SwitchKey work-directory cfa0:/

3. Establish a connection to the SFTP server:

# Establish a connection to the SFTP server and enter SFTP client view.

<SwitchA> sftp 192.168.0.1 identity-key rsa

Input Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

sftp-client>

# Display files under the current directory of the server, delete the file named z, and verify the result.

sftp-client> dir

-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg

-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2

-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey

drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new

-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub

-rwxrwxrwx 1 noone nogroup 0 Sep 01 08:00 z

sftp-client> delete z

The following File will be deleted:

Are you sure to delete it? [Y/N]:y

This operation might take a long time.Please wait...

File successfully Removed

sftp-client> dir

-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg

-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2

-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey

drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new

-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub

# Add a directory named new1 and verify the result.

sftp-client> mkdir new1

New directory created

sftp-client> dir

-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg

-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2

-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey

drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new

-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub

drwxrwxrwx 1 noone nogroup 0 Sep 02 06:30 new1

# Rename directory new1 to new2 and verify the result.

sftp-client> rename new1 new2

File successfully renamed

sftp-client> dir

-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg

-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2

-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey

drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new

-rwxrwxrwx 1 noone nogroup 225 Sep 01 06:55 pub

drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2

# Download the pubkey2 file from the server and save it as local file public.

sftp-client> get pubkey2 public

Remote file:/pubkey2 ---> Local file: public

Downloading file successfully ended

# Upload the local file pu to the server, save it as puk, and verify the result.

sftp-client> put pu puk

Local file:pu ---> Remote file: /puk

Uploading file successfully ended

sftp-client> dir

-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg

-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2

-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey

drwxrwxrwx 1 noone nogroup 0 Sep 01 06:22 new

drwxrwxrwx 1 noone nogroup 0 Sep 02 06:33 new2

-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:35 pub

-rwxrwxrwx 1 noone nogroup 283 Sep 02 06:36 puk

sftp-client>

# Exit SFTP client view.

sftp-client> quit

Bye

Connection closed.

File transfer with password authentication

Network requirements

As shown in Figure 15, Switch A acts as the SCP client, and Switch B acts as the SCP server. A user can securely transfer files with Switch B through Switch A. Switch B uses the password authentication method and the client 's username and password are saved on Switch B.

Figure 15 Network diagram

Configuration procedure

1. Configure the SCP server:

<SwitchB> system-view

[SwitchB] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# Generate a DSA key pair.

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# Enable the SSH server function.

[SwitchB] ssh server enable

# Configure an IP address for VLAN-interface 2, which the client will use as the destination for SSH connection.

[SwitchB] interface vlan-interface 2

[SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0

[SwitchB-Vlan-interface2] quit

# Set the authentication mode of the user interfaces to AAA.

[SwitchB] user-interface vty 0 4

[SwitchB-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[SwitchB-ui-vty0-4] protocol inbound ssh

[SwitchB-ui-vty0-4] quit

# Create a local user named client001 with the password as aabbcc and service type as ssh.

[SwitchB] local-user client001

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh

[SwitchB-luser-client001] quit

# Create an SSH user client001 with service type as scp and authentication method as password. (Optional. If an SSH user is not created, password authentication is used by default.)

[SwitchB] ssh user client001 service-type scp authentication-type password

2. Configure an IP address for VLAN-interface 2 on the SCP client.

<SwitchA> system-view

[SwitchA] interface vlan-interface 2

[SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0

[SwitchA-Vlan-interface2] quit

[SwitchA] quit

3. Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin.

<SwitchA> scp 192.168.0.1 get remote.bin local.bin

Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

Enter password:

18471 bytes transfered in 0.001 seconds.

11-Security Configuration Guide

Configuring SSH

Overview

SSH operation

SSH authentication

SSH support for MPLS L3VPN

FIPS compliance

Generating local DSA or RSA key pairs

Configuration guidelines

Configuration procedure

Enabling the SSH server function

Enabling the SFTP server function

Configuring a client's host public key

Configuration guidelines

Configuration procedure

Configuring an SSH user

Configuration guidelines

Configuration procedure

Setting the SSH management parameters

Configuring the device as an Stelnet client

Disabling first-time authentication

Configuring the device as an SFTP client

Terminating the connection with the SFTP server

Configuring the device as an SCP client

Stelnet configuration examples

Network requirements

Configuration procedure

Network requirements

Configuration procedure

Password authentication enabled Stelnet client configuration example

Network requirements

Configuration procedure

Publickey authentication enabled Stelnet client configuration example

Network requirements

Configuration procedure

SFTP configuration examples

Network requirements

Configuration procedure

Publickey authentication enabled SFTP client configuration example

Network requirements

Configuration procedure

Network requirements

Configuration procedure

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us