10-SSH Commands
SSH configuration commands
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
SSH server configuration commands
display ssh server
Use the display ssh server command on an SSH server to display the SSH server status or sessions.
Syntax
display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
session: Displays the SSH server sessions.
status: Displays the SSH server status.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Examples
# Display the SSH server status.
<Sysname> display ssh server status
SSH Server: Disable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 3 time(s)
SFTP Server: Disable
SFTP Server Idle-Timeout: 10 minute(s)
Table 1 Command output

Field | Description
---|---
SSH Server | Whether the SSH server is enabled.
SSH version | SSH protocol version. When the SSH server supports SSH1 clients, the protocol version is 1.99. Otherwise, the protocol version is 2.
SSH authentication-timeout | Authentication timeout timer.
SSH server key generating interval | SSH server key pair update interval.
SSH Authentication retries | Maximum number of SSH authentication attempts.
SFTP Server | Whether the Secure FTP (SFTP) server is enabled.
SFTP Server Idle-Timeout | SFTP connection idle timeout timer.
# Display the SSH server session information.
<Sysname> display ssh server session
Conn Ver Encry State Retry SerType Username
VTY 0 2.0 DES Established 0 SFTP client001
Table 2 Command output

Field | Description
---|---
Conn | Connected VTY channel.
Ver | SSH server protocol version.
Encry | Encryption algorithm.
State | Status of the session: Init (initialization), Ver-exchange (version negotiation), Keys-exchange (key exchange), Auth-request (authentication request), Serv-request (session service request), Established (the session is established), or Disconnected (the session is disconnected).
Retry | Number of authentication failures.
SerType | Service type: SFTP, Secure Telnet (Stelnet), or secure copy (SCP).
Username | Name of the user for login.
Related commands
ssh server authentication-retries
ssh server authentication-timeout
ssh server compatible-ssh1x enable
ssh server enable
ssh server rekey-interval
display ssh user-information
Use the display ssh user-information command on an SSH server to display information about SSH users.
Syntax
display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
username: Specifies an SSH username, a string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command displays only information about SSH users configured by using the ssh user command on the SSH server.
Examples
# Display information about all SSH users.
<Sysname> display ssh user-information
Total ssh users : 2
Username Authentication-type User-public-key-name Service-type
yemx password null stelnet
test publickey pubkey sftp
Table 3 Command output

Field | Description
---|---
Username | Name of the user.
Authentication-type | Authentication method: password, publickey, password-publickey, or any.
User-public-key-name | Public key of the user, or name of the PKI domain that verifies the client certificate. If the authentication method is password, this field displays null.
Service-type | Service type: SFTP, Stelnet, SCP, or all. If all authentication methods are supported, this field displays all.
Related commands
ssh user
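As an added example (not part of the original reference or the device software), the following Python script parses the display ssh server status and display ssh user-information outputs documented above and reports settings a reviewer would want to look at: SSH1 compatibility (SSH version 1.99), a key update interval of 0 while SSH1 clients are still accepted, retries or timeout above the documented defaults, and users whose authentication type permits a password login. The sample outputs are constructed from the examples on this page.

```python
import re

# Constructed sample output, modelled on the display ssh server status example
# on this page (not captured from a real device).
STATUS_OUTPUT = """\
SSH Server: Enable
SSH version : 1.99
SSH authentication-timeout : 60 second(s)
SSH server key generating interval : 0 hour(s)
SSH Authentication retries : 5 time(s)
SFTP Server: Enable
SFTP Server Idle-Timeout: 10 minute(s)
"""

# Constructed sample output, modelled on the display ssh user-information example.
USERS_OUTPUT = """\
Total ssh users : 3
Username Authentication-type User-public-key-name Service-type
yemx password null stelnet
test publickey pubkey sftp
ops any pubkey all
"""


def parse_status(text):
    """Map each 'Field : value' line of display ssh server status to field -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def leading_int(value):
    """Return the number at the start of a value such as '60 second(s)'."""
    match = re.match(r"\d+", value)
    if match is None:
        raise ValueError("no number in %r" % value)
    return int(match.group())


def parse_users(text):
    """Turn the display ssh user-information table into a list of dicts."""
    lines = text.splitlines()
    users = []
    for idx, line in enumerate(lines):
        if line.startswith("Username"):  # header row; data rows follow it
            for row in lines[idx + 1:]:
                parts = row.split()
                if len(parts) == 4:
                    users.append(dict(zip(("username", "auth", "key", "service"), parts)))
            break
    return users


def audit(status_text, users_text):
    """Return a list of findings about the SSH server posture shown in the outputs."""
    status = parse_status(status_text)
    findings = []
    # Per the display ssh server status description, version 1.99 means the
    # server still accepts SSH1 clients (ssh server compatible-ssh1x enable).
    if status.get("SSH version") == "1.99":
        findings.append("SSH1 compatibility is enabled (SSH version 1.99)")
        # The rekey interval only applies to SSH1 clients; 0 means never updated.
        if leading_int(status["SSH server key generating interval"]) == 0:
            findings.append("RSA server key pair is never updated for SSH1 clients")
    retries = leading_int(status["SSH Authentication retries"])
    if retries > 3:
        findings.append("authentication retries %d exceed the default of 3" % retries)
    timeout = leading_int(status["SSH authentication-timeout"])
    if timeout > 60:
        findings.append("authentication timeout %ds exceeds the default of 60s" % timeout)
    # Both 'password' and 'any' permit a login that uses only a password.
    for user in parse_users(users_text):
        if user["auth"] in ("password", "any"):
            findings.append("user %s can log in with password authentication" % user["username"])
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, USERS_OUTPUT):
        print("-", finding)
```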
sftp server enable
Use sftp server enable to enable the SFTP server.
Use undo sftp server enable to restore the default.
Syntax
sftp server enable
undo sftp server enable
Default
The SFTP server is disabled.
Views
System view
Default command level
3: Manage level
Examples
# Enable the SFTP server.
<Sysname> system-view
[Sysname] sftp server enable
Related commands
display ssh server
sftp server idle-timeout
Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections.
Use undo sftp server idle-timeout to restore the default.
Syntax
sftp server idle-timeout time-out-value
undo sftp server idle-timeout
Default
The idle timeout timer is 10 minutes.
Views
System view
Default command level
3: Manage level
Parameters
time-out-value: Specifies a timeout timer in minutes, in the range of 1 to 35791.
Usage guidelines
If an SFTP connection is idle when the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, you can set a smaller value so that the connection resources can be promptly released.
Examples
# Set the idle timeout timer for SFTP user connections to 500 minutes.
<Sysname> system-view
[Sysname] sftp server idle-timeout 500
Related commands
display ssh server
ssh server authentication-retries
Use ssh server authentication-retries to set the maximum number of SSH connection authentication attempts.
Use undo ssh server authentication-retries to restore the default.
Syntax
ssh server authentication-retries times
undo ssh server authentication-retries
Default
The maximum number of SSH connection authentication attempts is 3.
Views
System view
Default command level
3: Manage level
Parameters
times: Specifies the maximum number of authentication attempts, in the range of 1 to 5.
Usage guidelines
You can set this limit to mitigate brute-force guessing of usernames and passwords.
This configuration takes effect only for users at their next login.
Authentication fails if the number of authentication attempts (including both publickey and password authentication) exceeds the upper limit configured by this command.
If the authentication method is password-publickey, the server first uses publickey authentication, and then uses password authentication to authenticate SSH users. The process is considered as one authentication attempt.
Examples
# Set the maximum number of SSH connection authentication attempts to 4.
<Sysname> system-view
[Sysname] ssh server authentication-retries 4
Related commands
display ssh server
ssh server authentication-timeout
Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.
Use undo ssh server authentication-timeout to restore the default.
Syntax
ssh server authentication-timeout time-out-value
undo ssh server authentication-timeout
Default
The authentication timeout timer is 60 seconds.
Views
System view
Default command level
3: Manage level
Parameters
time-out-value: Specifies an authentication timeout timer in seconds, in the range of 1 to 120.
Usage guidelines
If a user has not completed authentication when the timeout timer expires, the connection is not established.
You can set a small value for this timer to prevent unauthenticated clients from holding TCP connections open.
Examples
# Set the SSH user authentication timeout timer to 10 seconds.
<Sysname> system-view
[Sysname] ssh server authentication-timeout 10
Related commands
display ssh server
ssh server compatible-ssh1x enable
Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients.
Use undo ssh server compatible-ssh1x to disable support for SSH1 clients on the SSH server.
Syntax
ssh server compatible-ssh1x enable
undo ssh server compatible-ssh1x
Default
The SSH server supports SSH1 clients.
Views
System view
Default command level
3: Manage level
Usage guidelines
The configuration takes effect only for clients at their next login.
Examples
# Enable the SSH server to support SSH1 clients.
<Sysname> system-view
[Sysname] ssh server compatible-ssh1x enable
Related commands
display ssh server
ssh server enable
Use ssh server enable to enable the SSH server.
Use undo ssh server enable to restore the default.
Syntax
ssh server enable
undo ssh server enable
Default
The SSH server is disabled.
Views
System view
Default command level
3: Manage level
Examples
# Enable the SSH server.
<Sysname> system-view
[Sysname] ssh server enable
Related commands
display ssh server
ssh server rekey-interval
Use ssh server rekey-interval to set the interval for updating the RSA server key pair.
Use undo ssh server rekey-interval to restore the default.
Syntax
ssh server rekey-interval hours
undo ssh server rekey-interval
Default
The interval for updating the RSA server key pair is 0. The system does not update the RSA server key pair.
Views
System view
Default command level
3: Manage level
Parameters
hours: Specifies an interval for updating the server key pair, in the range of 1 to 24.
Usage guidelines
Periodically updating the RSA server key pair reduces the risk of the key being compromised and enhances the security of SSH connections.
This command is only available to SSH1 clients.
The system does not update the DSA key pair periodically.
Examples
# Set the RSA server key pair update interval to 3 hours.
<Sysname> system-view
[Sysname] ssh server rekey-interval 3
Related commands
display ssh server
ssh user
Use ssh user to create an SSH user and specify the service type and authentication method.
Use undo ssh user to delete an SSH user.
Syntax
ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } }
ssh user username service-type { all | scp | sftp } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } work-directory directory-name }
undo ssh user username
Views
System view
Default command level
3: Manage level
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type for an SSH user:
· all: Specifies Stelnet, SFTP, and SCP.
· scp: Specifies the service type as SCP.
· sftp: Specifies the service type as SFTP.
· stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user.
· password: Specifies password authentication. This authentication method is simple and fast, but it is less secure. It can work with AAA to implement user authentication, authorization, and accounting.
· any: Specifies either password authentication or publickey authentication.
· password-publickey: Specifies both password authentication and publickey authentication (higher security) if the client runs SSH2, and either type of authentication if the client runs SSH1.
· publickey: Specifies publickey authentication. This authentication method involves more complex and slower cryptographic operations, but it provides strong authentication that can defend against brute-force attacks. It is also easy to use: once configured, the authentication process completes automatically without entering a password.
assign: Specifies parameters that are used to verify the client.
· pki-domain pkiname: Specifies the PKI domain that verifies the client certificate. The pkiname argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate that is saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys in advance.
· publickey keyname: Specifies the public key of the SSH user. The keyname argument is the name of an existing public key assigned to the SSH user, a case-sensitive string of 1 to 64 characters. The server verifies the user against the copy of the user's public key saved locally. If the public key file on the client changes, the local configuration on the server must be updated accordingly.
work-directory directory-name: Specifies the working directory for an SFTP or SCP user. The directory-name argument is a string of 1 to 135 characters.
Usage guidelines
If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the SSH server uses password authentication, you do not need to create the user account on the device, but you must configure the user account information on the device for local authentication, or on the remote authentication server (such as a RADIUS server) for remote authentication.
If you use the ssh user command to specify a public key or PKI domain for a user multiple times, the most recent configuration takes effect.
You can change parameters for an SSH user that has logged in, but your changes take effect only on the user at next login.
If an SFTP or SCP user has been assigned a public key or PKI domain, you must set a working directory for the user.
The working directory of an SFTP or SCP user depends on the user authentication method:
· If the authentication method is password, the working directory is the one authorized by AAA.
· If the authentication method is publickey or password-publickey, the working directory is the one set by using the ssh user command.
Examples
# Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, assigning a public key named key1 to the client, and the work folder of the SFTP server as flash:
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
Related commands
display ssh user-information
pki domain
SSH client configuration commands
bye
Use bye to terminate the connection with the SFTP server and return to user view.
Syntax
bye
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the exit and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> bye
Bye
Connection closed.
<Sysname>
cd
Use cd to change the working path on an SFTP server.
Syntax
cd [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies the name of a path on the server. If this argument is not specified, this command displays the current working path.
Usage guidelines
You can use the cd .. command to return to the upper-level directory.
You can use the cd / command to return to the root directory of the system.
Examples
# Change the working path to new1.
sftp-client> cd new1
Current Directory is:
/new1
cdup
Use cdup to return to the upper-level directory.
Syntax
cdup
Views
SFTP client view
Default command level
3: Manage level
Examples
# Return to the upper-level directory.
sftp-client> cdup
Current Directory is:
/
delete
Use delete to delete files from a server.
Syntax
delete remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on the server. &<1-10> means that you can provide up to 10 file names, which are separated by spaces.
Usage guidelines
This command functions as the remove command.
Examples
# Delete the file temp.c from the server.
sftp-client> delete temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time. Please wait...
File successfully Removed
dir
Use dir to display information about the files and subdirectories under a directory.
Syntax
dir [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the names of the files and subdirectories under the specified directory.
-l: Displays the detailed information about the files and subdirectories under the specified directory in the form of a list.
remote-path: Specifies the name of the directory to be queried.
Usage guidelines
If neither the -a nor the -l keyword is specified, the command displays detailed information about the files and subdirectories under the specified directory in the form of a list.
If the remote-path argument is not specified, the command displays information about the files and subdirectories under the current working directory.
This command functions as the ls command.
Examples
# Display detailed information about the files and subdirectories under the current working directory in the form of a list.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
display sftp client source
Use display sftp client source to display the source IP address or source interface set for the SFTP client.
Syntax
display sftp client source [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If neither source IP address nor source interface is specified for the SFTP client, the system displays the message "Neither source IP address nor source interface was specified for the SFTP client."
Examples
# Display the source IP address set for the SFTP client.
<Sysname> display sftp client source
The source IP address you specified is 192.168.0.1
Related commands
sftp client source
display ssh client source
Use display ssh client source to display the source IP address or source interface information set for the Stelnet client.
Syntax
display ssh client source [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
If neither source IP address nor source interface is specified for the Stelnet client, the system displays the message "Neither source IP address nor source interface was specified for the Stelnet client."
Examples
# Display the source IP address or source interface set for the Stelnet client.
<Sysname> display ssh client source
The source IP address you specified is 192.168.0.1
Related commands
ssh client source
display ssh server-info
Use display ssh server-info on a client to display mappings between SSH servers and their host public keys on an SSH client.
Syntax
display ssh server-info [ | { begin | exclude | include } regular-expression ]
Views
Any view
Default command level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Usage guidelines
This command is also available on an SFTP client.
When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.
Examples
# Display the mappings between SSH servers and their host public keys on the client.
<Sysname> display ssh server-info
Server Name(IP) Server public key name
______________________________________________________
192.168.0.1 abc_key01
192.168.0.2 abc_key02
Table 4 Command output

Field | Description
---|---
Server Name(IP) | Name or IP address of the server.
Server public key name | Name of the host public key of the server.
Related commands
ssh client authentication server
exit
Use exit to terminate the connection with the remote SFTP server and return to user view.
Syntax
exit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and quit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> exit
Bye
Connection closed.
<Sysname>
get
Use get to download a file from the SFTP server and save it locally.
Syntax
get remote-file [ local-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file: Specifies the name of a file on the SFTP server.
local-file: Specifies the name for the local file. If this argument is not specified, the file is saved locally with the same name as on the SFTP server.
Examples
# Download file temp1.c and save it as temp.c locally.
sftp-client> get temp1.c temp.c
Remote file:/temp1.c ---> Local file: temp.c
Downloading file successfully ended
help
Use help to display all commands or the help information of an SFTP client command.
Syntax
help [ all | command-name ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
all: Displays all commands.
command-name: Specifies a command.
Usage guidelines
If neither the keyword nor the argument is specified, the command displays a list of all commands.
Examples
# Display the help information of the get command.
sftp-client> help get
get remote-path [local-path] Download file.Default local-path is the same
as remote-path
ls
Use ls to display file and folder information under a directory.
Syntax
ls [ -a | -l ] [ remote-path ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
-a: Displays the file names and folder names of the specified directory.
-l: Displays in a list form detailed information of the files and folders of the specified directory.
remote-path: Specifies the name of the directory to be queried.
Usage guidelines
If neither the -a nor the -l keyword is specified, the command displays detailed information about the files and folders under the specified directory in the form of a list.
If the remote-path argument is not specified, the command displays the file and folder information under the current working directory.
This command functions as the dir command.
Examples
# Display detailed information about files and folders under the current working directory in the form of a list.
sftp-client> ls
-rwxrwxrwx 1 noone nogroup 1759 Aug 23 06:52 config.cfg
-rwxrwxrwx 1 noone nogroup 225 Aug 24 08:01 pubkey2
-rwxrwxrwx 1 noone nogroup 283 Aug 24 07:39 pubkey1
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:28 pub1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:24 new1
drwxrwxrwx 1 noone nogroup 0 Sep 28 08:18 new2
-rwxrwxrwx 1 noone nogroup 225 Sep 28 08:30 pub2
mkdir
Use mkdir to create a directory on the SFTP server.
Syntax
mkdir remote-path
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path: Specifies the name for the directory on the SFTP server.
Examples
# Create a directory named test on the SFTP server.
sftp-client> mkdir test
New directory created
put
Use put to upload a local file to an SFTP server.
Syntax
put local-file [ remote-file ]
Views
SFTP client view
Default command level
3: Manage level
Parameters
local-file: Specifies the name of a local file.
remote-file: Specifies the name for the file on an SFTP server. If this argument is not specified, the file will be saved remotely with the same name as the local one.
Examples
# Upload local file temp.c to the SFTP server and save it as temp1.c.
sftp-client> put temp.c temp1.c
Local file:temp.c ---> Remote file: /temp1.c
Uploading file successfully ended
pwd
Use pwd to display the current working directory of an SFTP server.
Syntax
pwd
Views
SFTP client view
Default command level
3: Manage level
Examples
# Display the current working directory of the SFTP server.
sftp-client> pwd
/
quit
Use quit to terminate the connection with an SFTP server and return to user view.
Syntax
quit
Views
SFTP client view
Default command level
3: Manage level
Usage guidelines
This command functions as the bye and exit commands.
Examples
# Terminate the connection with the SFTP server.
sftp-client> quit
Bye
Connection closed.
<Sysname>
remove
Use remove to delete files from a remote server.
Syntax
remove remote-file&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-file&<1-10>: Specifies the names of files on an SFTP server. &<1-10> means that you can provide up to 10 file names, which are separated by spaces.
Usage guidelines
This command functions as the delete command.
Examples
# Delete file temp.c from the server.
sftp-client> remove temp.c
The following files will be deleted:
/temp.c
Are you sure to delete it? [Y/N]:y
This operation might take a long time.Please wait...
File successfully Removed
rename
Use rename to change the name of the specified file or directory on an SFTP server.
Syntax
rename oldname newname
Views
SFTP client view
Default command level
3: Manage level
Parameters
oldname: Specifies the name of an existing file or directory.
newname: Specifies a new name for the file or directory.
Examples
# Change the name of a file on the SFTP server from temp1.c to temp2.c.
sftp-client> rename temp1.c temp2.c
File successfully renamed
rmdir
Use rmdir to delete the specified directories from an SFTP server.
Syntax
rmdir remote-path&<1-10>
Views
SFTP client view
Default command level
3: Manage level
Parameters
remote-path&<1-10>: Specifies the names of directories on the remote SFTP server. &<1-10> means that you can provide up to 10 directory names that are separated by spaces.
Examples
# On the SFTP server, delete directory temp1 in the current directory.
sftp-client> rmdir temp1
Directory successfully removed
scp
Use scp to transfer files with an SCP server.
Syntax
In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
scp [ ipv6 ] server [ port-number ] { get | put } source-file-path [ destination-file-path ] [ identity-key rsa | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
3: Manage level
Parameters
ipv6: Specifies the type of the server as IPv6. If this keyword is not specified, the server is an IPv4 server.
server: Specifies a server by its IPv4 or IPv6 address or host name, a case-insensitive string of 1 to 255 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
get: Downloads the file.
put: Uploads the file.
source-file-path: Specifies the directory of the source file.
destination-file-path: Specifies the directory of the target file. If this argument is not specified, the directory names of the source and target files are the same.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa.
· dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used.
· zlib: Specifies the compression algorithm zlib.
· zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
· 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not supported in FIPS mode.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only supported in FIPS mode.
· des: Specifies the encryption algorithm des-cbc. This keyword is not supported in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
· md5: Specifies the HMAC algorithm hmac-md5. This keyword is not supported in FIPS mode.
· md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must use its local private key to produce the digital signature. In non-FIPS mode, publickey authentication can use either the RSA or the DSA algorithm, so you must specify the algorithm (by using the identity-key keyword) so that the client reads the correct local private key.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm | In non-FIPS mode | In FIPS mode |
---|---|---|
Public key algorithm | dsa | rsa |
Preferred client-to-server encryption algorithm | aes128 | aes128 |
Preferred client-to-server HMAC algorithm | sha1-96 | sha1-96 |
Preferred key exchange algorithm | dh-group-exchange | dh-group14 |
Preferred server-to-client encryption algorithm | aes128 | aes128 |
Preferred server-to-client HMAC algorithm | sha1-96 | sha1-96 |
Examples
# Connect to the SCP server 192.168.0.1, download the file remote.bin from the server, and save it locally as the file local.bin.
<Sysname> scp 192.168.0.1 get remote.bin local.bin
sftp
Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
3: Manage level
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa.
· dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used.
· zlib: Specifies the compression algorithm zlib.
· zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
· 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not supported in FIPS mode.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only supported in FIPS mode.
· des: Specifies the encryption algorithm des-cbc. This keyword is not supported in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
· md5: Specifies the HMAC algorithm hmac-md5. This keyword is not supported in FIPS mode.
· md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for the digital signature. In non-FIPS mode, because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) so that the client reads the correct local private key.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm | In non-FIPS mode | In FIPS mode |
---|---|---|
Public key algorithm | dsa | rsa |
Preferred client-to-server encryption algorithm | aes128 | aes128 |
Preferred client-to-server HMAC algorithm | sha1-96 | sha1-96 |
Preferred key exchange algorithm | dh-group-exchange | dh-group14 |
Preferred server-to-client encryption algorithm | aes128 | aes128 |
Preferred server-to-client HMAC algorithm | sha1-96 | sha1-96 |
Examples
# Connect to SFTP server 10.1.1.2, using the following connection scheme:
· Preferred key exchange algorithm: dh-group1.
· Preferred server-to-client encryption algorithm: aes128.
· Preferred client-to-server HMAC algorithm: md5.
· Preferred server-to-client HMAC algorithm: sha1-96.
<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:
sftp client ipv6 source
Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client.
Use undo sftp client ipv6 source to remove the configuration.
Syntax
sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo sftp client ipv6 source
Default
An SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.
Examples
# Specify the source IPv6 address of the SFTP client as 2:2::2:2.
<Sysname> system-view
[Sysname] sftp client ipv6 source ipv6 2:2::2:2
Related commands
display sftp client source
sftp client source
Use sftp client source to specify the source IPv4 address or interface of an SFTP client.
Use undo sftp client source to remove the configuration.
Syntax
sftp client source { interface interface-type interface-number | ip ip-address }
undo sftp client source
Default
An SFTP client uses the IP address of the interface specified by the route of the device to access the SFTP server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.
Examples
# Specify the source IP address of the SFTP client as 192.168.0.1.
<Sysname> system-view
[Sysname] sftp client source ip 192.168.0.1
Related commands
display sftp client source
sftp ipv6
Use sftp ipv6 to establish a connection to an IPv6 SFTP server and enter SFTP client view.
Syntax
In non-FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
3: Manage level
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa.
· dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used.
· zlib: Specifies the compression algorithm zlib.
· zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
· 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not supported in FIPS mode.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only supported in FIPS mode.
· des: Specifies the encryption algorithm des-cbc. This keyword is not supported in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
· md5: Specifies the HMAC algorithm hmac-md5. This keyword is not supported in FIPS mode.
· md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for the digital signature. In non-FIPS mode, because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) so that the client reads the correct local private key.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm | In non-FIPS mode | In FIPS mode |
---|---|---|
Public key algorithm | dsa | rsa |
Preferred client-to-server encryption algorithm | aes128 | aes128 |
Preferred client-to-server HMAC algorithm | sha1-96 | sha1-96 |
Preferred key exchange algorithm | dh-group-exchange | dh-group14 |
Preferred server-to-client encryption algorithm | aes128 | aes128 |
Preferred server-to-client HMAC algorithm | sha1-96 | sha1-96 |
Examples
# Connect to server 2:5::8:9, using the following connection scheme:
· Preferred key exchange algorithm: dh-group1.
· Preferred server-to-client encryption algorithm: aes128.
· Preferred client-to-server HMAC algorithm: md5.
· Preferred server-to-client HMAC algorithm: sha1-96.
<Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
Input Username:
ssh client authentication server
Use ssh client authentication server on the client to configure the host public key of a server so that the client can determine whether the server is trustworthy.
Use undo ssh client authentication server to remove the configuration.
Syntax
ssh client authentication server server assign publickey keyname
undo ssh client authentication server server assign publickey
Default
No host public key of a server is configured. When the client logs into a server, it uses the IP address or host name of the server as the public key name.
Views
System view
Default command level
2: System level
Parameters
server: Specifies a server by IP address or host name, a string of 1 to 80 characters.
assign publickey keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.
Usage guidelines
If the client does not support first-time authentication, it will reject unauthenticated servers. In this case, you need to configure the public keys of the servers and specify the mappings between public keys and servers on the client, so that the client uses the correct public key of a server to authenticate the server.
The specified host public key of the server must already exist.
Examples
# Configure the public key of the server at 192.168.0.1 to be key1.
<Sysname> system-view
[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1
Related commands
ssh client first-time enable
ssh client first-time enable
Use ssh client first-time enable to enable the first-time authentication function.
Use undo ssh client first-time to disable the function.
Syntax
ssh client first-time enable
undo ssh client first-time
Default
The function is enabled.
Views
System view
Default command level
2: System level
Usage guidelines
Without first-time authentication, a client that is not configured with the server's host public key cannot access the server. To access the server, a user must configure the server's host public key locally in advance and specify the public key name for authentication.
With first-time authentication, when an SSH client not configured with the server's host public key accesses the server for the first time, the user can continue accessing the server and save the server's host public key on the client. When accessing the server again, the client uses the saved server host public key to authenticate the server.
Because the server might update its key pairs periodically, a client must obtain the most recent host public key of the server for successful authentication of the server.
Examples
# Enable the first-time authentication function.
<Sysname> system-view
[Sysname] ssh client first-time enable
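The server-authentication decision described under ssh client first-time enable and ssh client authentication server, as an added example that models the documented behaviour (it is not H3C's code; the host keys are constructed and the key store is assumed to be a simple name-to-fingerprint mapping):

```python
"""Added example, not H3C's code: a model of the server-authentication decision
described under ssh client first-time enable and ssh client authentication server.
Host keys below are constructed byte strings; the on-device key store is modelled
as a plain name -> fingerprint mapping (an assumption, not the device's format)."""

import hashlib


def fingerprint(host_key: bytes) -> str:
    """SHA-256 hex digest of a host public key blob, used as the stored identity."""
    return hashlib.sha256(host_key).hexdigest()


class StelnetClient:
    def __init__(self, first_time_enabled: bool = True):
        self.first_time_enabled = first_time_enabled  # enabled by default per the page
        self.public_keys = {}    # keyname -> fingerprint (host public keys present on the client)
        self.server_to_key = {}  # server -> keyname (ssh client authentication server ... assign publickey)

    def import_public_key(self, keyname: str, host_key: bytes) -> None:
        """Models configuring a server's host public key on the client in advance."""
        self.public_keys[keyname] = fingerprint(host_key)

    def assign_publickey(self, server: str, keyname: str) -> None:
        """ssh client authentication server <server> assign publickey <keyname>."""
        if keyname not in self.public_keys:  # the page: the key "must already exist"
            raise ValueError(f"host public key {keyname} does not exist")
        self.server_to_key[server] = keyname

    def authenticate_server(self, server: str, presented_key: bytes):
        """Decide whether to trust the server presenting presented_key.
        Returns (decision, reason); decision is 'accept', 'accept-and-save' or 'reject'."""
        # Without an explicit mapping, the server's IP address or host name is the key name.
        keyname = self.server_to_key.get(server, server)
        presented = fingerprint(presented_key)
        expected = self.public_keys.get(keyname)
        if expected is None:
            if self.first_time_enabled:
                # First-time authentication: continue and save the key for later logins.
                self.public_keys[keyname] = presented
                return "accept-and-save", f"first login to {server}; saved key as {keyname}"
            return "reject", f"no host public key named {keyname} for {server}"
        if expected == presented:
            return "accept", f"host key of {server} matches {keyname}"
        # Mismatch: the server may have regenerated its key pair, or this is not the
        # expected server. The saved key is kept; the operator must load the current key.
        return "reject", f"host key of {server} does not match saved key {keyname}"
```

The mismatch branch is the case the last usage guideline points at: after a server regenerates its key pair, the client keeps rejecting it until the operator imports the current key and, if needed, re-assigns it.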
ssh client ipv6 source
Use ssh client ipv6 source to specify the source IPv6 address or source interface for the Stelnet client.
Use undo ssh client ipv6 source to remove the configuration.
Syntax
ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo ssh client ipv6 source
Default
An Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.
Examples
# Specify the source IPv6 address as 2:2::2:2 for the Stelnet client.
<Sysname> system-view
[Sysname] ssh client ipv6 source ipv6 2:2::2:2
Related commands
display ssh client source
ssh client source
Use ssh client source to specify the source IPv4 address or source interface of the Stelnet client.
Use undo ssh client source to remove the configuration.
Syntax
ssh client source { interface interface-type interface-number | ip ip-address }
undo ssh client source
Default
An Stelnet client uses the IP address of the interface specified by the route of the device to access the Stelnet server.
Views
System view
Default command level
3: Manage level
Parameters
interface interface-type interface-number: Specifies a source interface by its type and number.
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.
Examples
# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.
<Sysname> system-view
[Sysname] ssh client source ip 192.168.0.1
Related commands
display ssh client source
ssh2
Use ssh2 to establish a connection to an IPv4 Stelnet server and specify the public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.
Syntax
In non-FIPS mode:
ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
0: Visit level
Parameters
server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa.
· dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used.
· zlib: Specifies the compression algorithm zlib.
· zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
· 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not supported in FIPS mode.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only supported in FIPS mode.
· des: Specifies the encryption algorithm des-cbc. This keyword is not supported in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
· md5: Specifies the HMAC algorithm hmac-md5. This keyword is not supported in FIPS mode.
· md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for the digital signature. In non-FIPS mode, because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) so that the client reads the correct local private key.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm | In non-FIPS mode | In FIPS mode |
---|---|---|
Public key algorithm | dsa | rsa |
Preferred client-to-server encryption algorithm | aes128 | aes128 |
Preferred client-to-server HMAC algorithm | sha1-96 | sha1-96 |
Preferred key exchange algorithm | dh-group-exchange | dh-group14 |
Preferred server-to-client encryption algorithm | aes128 | aes128 |
Preferred server-to-client HMAC algorithm | sha1-96 | sha1-96 |
Examples
# Log in to Stelnet server 10.214.50.51, using the following connection scheme:
· Preferred key exchange algorithm: dh-group1.
· Preferred server-to-client encryption algorithm: aes128.
· Preferred client-to-server HMAC algorithm: md5.
· Preferred server-to-client HMAC algorithm: sha1-96.
<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
ssh2 ipv6
Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server and specify the public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.
Syntax
In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *
In FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *
Views
User view
Default command level
0: Visit level
Parameters
server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.
port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.
identity-key: Specifies the public key algorithm for the client, either dsa or rsa.
· dsa: Specifies the public key algorithm dsa. This keyword is not supported in FIPS mode.
· rsa: Specifies the public key algorithm rsa.
prefer-compress: Specifies the preferred compression algorithm. By default, the compression algorithm is not used.
· zlib: Specifies the compression algorithm zlib.
· zlib-openssh: Specifies the compression algorithm zlib@openssh.com.
prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128.
· 3des: Specifies the encryption algorithm 3des-cbc. This keyword is not supported in FIPS mode.
· aes128: Specifies the encryption algorithm aes128-cbc.
· aes256: Specifies the encryption algorithm aes256-cbc. This keyword is only supported in FIPS mode.
· des: Specifies the encryption algorithm des-cbc. This keyword is not supported in FIPS mode.
prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1-96.
· md5: Specifies the HMAC algorithm hmac-md5. This keyword is not supported in FIPS mode.
· md5-96: Specifies the HMAC algorithm hmac-md5-96. This keyword is not supported in FIPS mode.
· sha1: Specifies the HMAC algorithm hmac-sha1.
· sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange in non-FIPS mode and dh-group14 in FIPS mode.
· dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1. This keyword is not supported in FIPS mode.
· dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1. This keyword is not supported in FIPS mode.
· dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1-96.
Usage guidelines
When the client's authentication method is publickey, the client must get the local private key for the digital signature. In non-FIPS mode, because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) so that the client reads the correct local private key.
The following table shows the default algorithms used in FIPS and non-FIPS modes:
Preferred algorithm | In non-FIPS mode | In FIPS mode |
---|---|---|
Public key algorithm | dsa | rsa |
Preferred client-to-server encryption algorithm | aes128 | aes128 |
Preferred client-to-server HMAC algorithm | sha1-96 | sha1-96 |
Preferred key exchange algorithm | dh-group-exchange | dh-group14 |
Preferred server-to-client encryption algorithm | aes128 | aes128 |
Preferred server-to-client HMAC algorithm | sha1-96 | sha1-96 |
Examples
# Log in to Stelnet server 2000::1, using the following connection scheme:
· Preferred key exchange algorithm: dh-group1.
· Preferred server-to-client encryption algorithm: aes128.
· Preferred client-to-server HMAC algorithm: md5.
· Preferred server-to-client HMAC algorithm: sha1-96.
<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
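The algorithm-preference options shared by sftp, sftp ipv6, ssh2 and ssh2 ipv6, as an added example that is not H3C's code: it parses a command line as typed in user view, fills in the defaults from the table above for the given mode, rejects keywords the mode's syntax does not allow, and reports which choices a FIPS-mode device would refuse (a useful check for spotting legacy algorithms in non-FIPS configurations). Keyword names, values, defaults and wire names come from this page; the parser itself and its treatment of the ssh2 vpn-instance keyword (ignored) are assumptions.

```python
"""Added example, not H3C's code: a checker for the algorithm-preference options
of the sftp, sftp ipv6, ssh2 and ssh2 ipv6 commands. Keyword names, values,
defaults and wire names are taken from this page; the parser is an assumption."""

# Keyword values accepted per mode, from the non-FIPS and FIPS syntax lines.
NON_FIPS = {
    "identity-key": {"dsa", "rsa"},
    "prefer-compress": {"zlib", "zlib-openssh"},
    "prefer-ctos-cipher": {"3des", "aes128", "des"},
    "prefer-ctos-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
    "prefer-stoc-cipher": {"3des", "aes128", "des"},
    "prefer-stoc-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
}
FIPS = {  # prefer-compress is absent from the FIPS syntax line, so it is absent here
    "identity-key": {"rsa"},
    "prefer-ctos-cipher": {"aes128", "aes256"},
    "prefer-ctos-hmac": {"sha1", "sha1-96"},
    "prefer-kex": {"dh-group14"},
    "prefer-stoc-cipher": {"aes128", "aes256"},
    "prefer-stoc-hmac": {"sha1", "sha1-96"},
}
# Defaults from the "default algorithms" table; compression is off by default.
DEFAULTS = {
    False: {"identity-key": "dsa", "prefer-kex": "dh-group-exchange",
            "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
            "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96"},
    True: {"identity-key": "rsa", "prefer-kex": "dh-group14",
           "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
           "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96"},
}
# Keyword -> algorithm name on the wire, from the parameter descriptions.
WIRE = {
    "3des": "3des-cbc", "aes128": "aes128-cbc", "aes256": "aes256-cbc", "des": "des-cbc",
    "md5": "hmac-md5", "md5-96": "hmac-md5-96", "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96",
    "dh-group-exchange": "diffie-hellman-group-exchange-sha1",
    "dh-group1": "diffie-hellman-group1-sha1", "dh-group14": "diffie-hellman-group14-sha1",
    "zlib": "zlib", "zlib-openssh": "zlib@openssh.com", "dsa": "dsa", "rsa": "rsa",
}


def parse_command(line, fips=False):
    """Return (server, port, options) for an sftp/ssh2 command line, with the mode's
    defaults filled in. Raises ValueError for anything the documented syntax does not
    allow. The ssh2 vpn-instance keyword is not handled (assumption: out of scope)."""
    mode = "FIPS" if fips else "non-FIPS"
    tokens = line.split()
    if tokens and tokens[0].startswith("<"):  # drop the <Sysname> prompt if present
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("sftp", "ssh2"):
        raise ValueError("expected an sftp or ssh2 command")
    tokens = tokens[1:]
    if tokens and tokens[0] == "ipv6":
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("missing server address or host name")
    server = tokens.pop(0)
    port = 22
    if tokens and tokens[0].isdigit():  # optional port-number, 0 to 65535
        port = int(tokens.pop(0))
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} out of range 0-65535")
    allowed = FIPS if fips else NON_FIPS
    options = dict(DEFAULTS[fips])
    seen = set()
    while tokens:
        key = tokens.pop(0)
        if key not in allowed:
            raise ValueError(f"{key} is not supported in {mode} mode")
        if key in seen:  # each keyword is taken at most once here
            raise ValueError(f"{key} specified more than once")
        seen.add(key)
        if not tokens or tokens[0] not in allowed[key]:
            raise ValueError(f"{key} needs one of {sorted(allowed[key])} in {mode} mode")
        options[key] = tokens.pop(0)
    return server, port, options


def outside_fips(options):
    """Keywords whose chosen value a FIPS-mode device would refuse (des, md5,
    dh-group1, dsa, ...); handy for reviewing non-FIPS configurations."""
    return sorted(k for k, v in options.items() if v not in FIPS.get(k, set()))


def wire_names(options):
    """Map the chosen keywords to the SSH algorithm names listed on this page."""
    return {k: WIRE[v] for k, v in options.items()}
```

Run against the sftp example above, outside_fips reports identity-key (dsa by default), prefer-ctos-hmac (md5) and prefer-kex (dh-group1), which is exactly the set the FIPS syntax line leaves out.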