- 07-Security Command Reference
Public key configuration commands
display public-key local public
Use display public-key local public to display the public key information of local asymmetric key pairs.
Syntax
display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
dsa: Specifies the DSA key pair type.
rsa: Specifies the RSA key pair type.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the public key information of the local RSA key pairs.
<Sysname> display public-key local rsa public
=====================================================
Time of Key pair created: 19:59:16 2007/10/25
Key name: HOST_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
30819F300D06092A864886F70D010101050003818D0030818902818100BC4C392A97734A633BA0F1DB01F
84EB51228EC86ADE1DBA597E0D9066FDC4F04776CEA3610D2578341F5D049143656F1287502C06D39D39F
28F0F5CBA630DA8CD1C16ECE8A7A65282F2407E8757E7937DCCDB5DB620CD1F471401B711713970234844
4A2D8900497A87B8D5F13D61C4DEFA3D14A7DC07624791FC1D226F62DF30203010001
=====================================================
Time of Key pair created: 19:59:17 2007/10/25
Key name: SERVER_KEY
Key type: RSA Encryption Key
=====================================================
Key code:
307C300D06092A864886F70D0101010500036B003068026100C51AF7CA926962284A4654B2AACC7B2AE12
B2B1EABFAC1CDA97E42C3C10D7A70D1012BF23ADE5AC4E7AAB132CFB6453B27E054BFAA0A85E113FBDE75
1EE0ECEF659529E857CF8C211E2A03FD8F10C5BEC162B2989ABB5D299D1E4E27A13C7DD10203010001
Table 1 Command output

Field | Description
---|---
Time of Key pair created | Date and time when the local asymmetric key pair was created.
Key name | Key name: HOST_KEY—Host public key. SERVER_KEY—Server public key (available only for RSA key pairs).
Key type | Key type: RSA Encryption Key—RSA key pair. DSA Encryption Key—DSA key pair.
Key code | Public key data.
Related commands
public-key local create
display public-key peer
Use display public-key peer to display information about the specified or all peer host public keys on the local device.
Syntax
display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
brief: Displays brief information about all peer host public keys.
name publickey-name: Displays information about a peer host public key. publickey-name represents a public key by its name, a case-sensitive string of 1 to 64 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If you do not specify the brief keyword or the name publickey-name option, this command displays detailed information about all locally saved peer host public keys.
You can use the public-key peer command or the public-key peer import sshkey command to get a local copy of a peer host public key.
Examples
# Display detailed information about the peer host public key named idrsa.
<Sysname> display public-key peer name idrsa
=====================================
Key Name : idrsa
Key Type : RSA
Key Module: 1024
=====================================
Key Code:
30819D300D06092A864886F70D010101050003818B00308187028181009C46A8710216CEC0C01C7CE136B
A76C79AA6040E79F9E305E453998C7ADE8276069410803D5974F708496947AB39B3F39C5CE56C95B6AB74
42D56393BF241F99A639DD02D9E29B1F5C1FD05CC1C44FBD6CFFB58BE6F035FAA2C596B27D1231D159846
B7CB9A7757C5800FADA9FD72F65672F4A549EE99F63095E11BD37789955020123
Table 2 Command output

Field | Description
---|---
Key Name | Name of the public key.
Key Type | Key type: RSA or DSA.
Key Module | Key modulus length in bits.
Key Code | Public key data.
# Display brief information about all locally saved peer host public keys.
<Sysname> display public-key peer brief
Type Module Name
---------------------------
RSA 1024 idrsa
Table 3 Command output

Field | Description
---|---
Type | Key type: RSA or DSA.
Module | Key modulus length in bits.
Name | Name of the public key.
Related commands
· public-key peer
· public-key peer import sshkey
peer-public-key end
Use peer-public-key end to return from public key view to system view.
Syntax
peer-public-key end
Views
Public key view
Default command level
2: System level
Related commands
public-key peer
Examples
# Exit public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] peer-public-key end
[Sysname]
public-key-code begin
Use public-key-code begin to enter public key code view. Then, enter the key data in the correct format to specify the peer host public key. Spaces and carriage returns are allowed between characters, but are not saved.
Syntax
public-key-code begin
Views
Public key view
Default command level
2: System level
Usage guidelines
If the peer device is an H3C device, input the key data displayed by the display public-key local public command so that the key is format compliant.
Examples
# Enter public key code view and input the key.
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
Related commands
· public-key peer
· public-key-code end
public-key-code end
Use public-key-code end to return from public key code view to public key view and to save the configured public key.
Syntax
public-key-code end
Views
Public key code view
Default command level
2: System level
Usage guidelines
The system verifies the key before saving it. If the key is not in the correct format, the system discards the key and displays an error message. If the key is valid, the system saves the key.
Examples
# Exit public key code view and save the configured public key.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key] public-key-code begin
[Sysname-pkey-key-code]30819F300D06092A864886F70D010101050003818D0030818902818100C0EC8014F82515F6335A0A
[Sysname-pkey-key-code]EF8F999C01EC94E5760A079BD73E4F4D97F3500EDB308C29481B77E719D1643135877E13B1C531B4
[Sysname-pkey-key-code]FF1877A5E2E7B1FA4710DB0744F66F6600EEFE166F1B854E2371D5B952ADF6B80EB5F52698FCF3D6
[Sysname-pkey-key-code]1F0C2EAAD9813ECB16C5C7DC09812D4EE3E9A0B074276FFD4AF2050BD4A9B1DDE675AC30CB020301
[Sysname-pkey-key-code]0001
[Sysname-pkey-key-code] public-key-code end
[Sysname-pkey-public-key]
Related commands
· public-key peer
· public-key-code begin
public-key local create
Use public-key local create to create local asymmetric key pairs. The created local key pairs are automatically saved, and can survive a reboot.
Syntax
public-key local create { dsa | rsa }
Default
No asymmetric key pair exists.
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies the DSA key pair type.
rsa: Specifies the RSA key pair type.
Usage guidelines
After you use this command to create DSA or RSA key pairs, enter an appropriate key modulus length at the prompt (see Table 4).
If a key pair of the specified type already exists, the system asks whether you want to overwrite it.
The created key pairs are automatically saved and can survive system reboots.
Table 4 A comparison of different types of asymmetric key algorithms

Type | Number of key pairs | Modulus length
---|---|---
RSA | One server key pair and one host key pair. NOTE: Only SSH 1.5 uses the RSA server key pair. | In non-FIPS mode: 512 to 2048 bits, default 1024 bits. In FIPS mode: 2048 bits.
DSA | One host key pair. | In non-FIPS mode: 512 to 2048 bits, default 1024 bits. In FIPS mode: 2048 bits.
Examples
# Create local RSA key pairs.
<Sysname> system-view
[Sysname] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:
Generating Keys...
++++++++++++++++
+++++++
+++++++++
+++
Related commands
· public-key local destroy
· display public-key local public
public-key local destroy
Use public-key local destroy to destroy a local asymmetric key pair.
Syntax
public-key local destroy { dsa | rsa }
Views
System view
Default command level
2: System level
Parameters
dsa: Specifies the DSA key pair type.
rsa: Specifies the RSA key pair type.
Examples
# Destroy the local RSA key pairs.
<Sysname> system-view
[Sysname] public-key local destroy rsa
Warning: Confirm to destroy these keys? [Y/N]:y
Related commands
public-key local create
public-key local export dsa
Use public-key local export dsa to export a local DSA host public key.
Syntax
public-key local export dsa { openssh | ssh2 } [ filename ]
Views
System view
Default command level
2: System level
Parameters
openssh: Exports the host public key in OpenSSH format.
ssh2: Exports the host public key in SSH2.0 format.
filename: Specifies the name of the file for saving the local host public key. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.
Usage guidelines
SSH2.0 and OpenSSH are different public key formats. Choose the format supported by the device on which you will import the host public key.
Examples
# Export the host public key of the local DSA key pair with the default name in OpenSSH format to a file named key.pub.
<Sysname> system-view
[Sysname] public-key local export dsa openssh key.pub
# Display the host public key of the local DSA key pair with the default name in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export dsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "dsa-key-20070625"
...
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local DSA key pair with the default name in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export dsa openssh
ssh-dss ... dsa-key
Related commands
· public-key local create
· public-key local destroy
public-key local export rsa
Use public-key local export rsa to export a local RSA host public key.
Syntax
In non-FIPS mode:
public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]
In FIPS mode:
public-key local export rsa { openssh | ssh2 } [ filename ]
Views
System view
Default command level
2: System level
Parameters
openssh: Exports the host public key in OpenSSH format.
ssh1: Exports the host public key in SSH1.5 format.
ssh2: Exports the host public key in SSH2.0 format.
filename: Specifies the name of the file for storing the host public key. For more information about file names, see Fundamentals Configuration Guide. If you do not specify a file name, this command does not export the key to a file but displays the key on the monitor screen.
Usage guidelines
SSH1, SSH2.0 and OpenSSH are different public key formats. Choose the format supported by the device on which you will import the host public key.
Examples
# Export the host public key of the local RSA key pairs in OpenSSH format to the file named key.pub.
<Sysname> system-view
[Sysname] public-key local export rsa openssh key.pub
# Display the host public key of the local RSA key pairs in SSH2.0 format.
<Sysname> system-view
[Sysname] public-key local export rsa ssh2
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "rsa-key-20070625"
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6ut5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpOpzh3W768/+u1riz+1LcwVTs51Q==
---- END SSH2 PUBLIC KEY ----
# Display the host public key of the local RSA key pairs in OpenSSH format.
<Sysname> system-view
[Sysname] public-key local export rsa openssh
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2GmcRI2sgSegbo1x6ut5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key
Related commands
· public-key local create
· public-key local destroy
public-key peer
Use public-key peer to specify a name for the peer host public key and enter public key view.
Use undo public-key peer to remove the public key.
Syntax
public-key peer keyname
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a name for the peer host public key on the local device, a case-sensitive string of 1 to 64 characters.
Usage guidelines
To manually configure the peer host public key on the local device, obtain the public key in hexadecimal from the peer device beforehand, and perform the following configurations on the local device:
1. Execute the public-key peer command, and then the public-key-code begin command to enter public key code view.
2. Type the peer host public key.
3. Execute the public-key-code end command to save the public key and return to public key view.
4. Execute the peer-public-key end command to return to system view.
Examples
# Specify the name for the peer host public key as key1 and enter public key view.
<Sysname> system-view
[Sysname] public-key peer key1
[Sysname-pkey-public-key]
Related commands
· public-key-code begin
· public-key-code end
· peer-public-key end
· display public-key peer
public-key peer import sshkey
Use public-key peer import sshkey to import a peer host public key from the public key file.
Use undo public-key peer to remove a peer host public key.
Syntax
public-key peer keyname import sshkey filename
undo public-key peer keyname
Views
System view
Default command level
2: System level
Parameters
keyname: Specifies a public key name, a case-sensitive string of 1 to 64 characters.
filename: Specifies the name of the file that holds the peer host public key. For more information about file names, see Fundamentals Configuration Guide.
Usage guidelines
When you execute this command, the system automatically converts the peer host public key to PKCS format and imports it. Before you execute it, obtain a copy of the public key file from the peer device through FTP or TFTP in binary mode.
The device can import public keys in SSH1.5, SSH2.0, and OpenSSH format.
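As an added example (not from the H3C manual), the following Python decodes the ssh-rsa line from the OpenSSH export example above, rebuilds the DER-encoded key code that display public-key local public prints and public-key-code begin expects, and checks the modulus length against the Table 4 limits; the function names and the rejection of malformed input are this example's own.

```python
"""Added example (not H3C code): convert an exported 'ssh-rsa' line into the DER
hex Key code shown by 'display public-key local public' and check Table 4 limits."""
import base64
import struct
OPENSSH_LINE = (  # sample input: the OpenSSH export example from this page (1024-bit)
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDAo0dVYR1S5f30eLKGNKuqb5HU3M0TTSaGlER2Gm"
    "cRI2sgSegbo1x6ut5NIc5+jJxuRCU4+gMc76iS8d+2d50FqIweEkHHkSG/ddgXt/iAZ6cY"
    "81bdu/CKxGiQlkUpbw4vSv+X5KeE7j+o0MpOpzh3W768/+u1riz+1LcwVTs51Q== rsa-key"
)

def read_ssh_string(blob, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then payload."""
    (length,) = struct.unpack_from(">I", blob, pos)  # struct.error if the header is cut
    if pos + 4 + length > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def parse_openssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' line, rejecting malformed input."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = read_ssh_string(blob, 0)
    e_bytes, pos = read_ssh_string(blob, pos)
    n_bytes, pos = read_ssh_string(blob, pos)
    if key_type != b"ssh-rsa" or pos != len(blob):
        raise ValueError("blob key type mismatch or trailing bytes")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def der_tlv(tag, content):
    """DER tag/length/value; lengths of 128 bytes or more use the long form."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + content

def der_integer(value):  # positive INTEGER; a 0x00 prefix keeps a set top bit from reading as negative
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def rsa_key_code(e, n):
    """SubjectPublicKeyInfo (rsaEncryption + PKCS #1 RSAPublicKey) as upper-case hex."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    algorithm_id = der_tlv(0x30, bytes.fromhex("06092A864886F70D0101010500"))  # OID rsaEncryption, NULL
    return der_tlv(0x30, algorithm_id + der_tlv(0x03, b"\x00" + rsa_public_key)).hex().upper()

def modulus_length_ok(n, fips_mode=False):
    """Table 4 limits: 512 to 2048 bits in non-FIPS mode, exactly 2048 bits in FIPS mode."""
    bits = n.bit_length()
    return bits == 2048 if fips_mode else 512 <= bits <= 2048
```

The resulting hex begins with the same 30819F300D06092A864886F70D010101050003818D0030818902818100 prefix as every 1024-bit RSA key code on this page, which is the DER header the device prints before the modulus.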
Examples
# Import the peer host public key named key2 from the public key file key.pub.
<Sysname> system-view
[Sysname] public-key peer key2 import sshkey key.pub
Related commands
display public-key peer