07-Security Configuration Guide

11-SSH Configuration

Contents

Configuring SSH
Overview
How SSH works
SSH authentication
FIPS compliance
Configuring the device as an SSH server
SSH server configuration task list
Generating local DSA and RSA key pairs
Enabling the SSH server
Enabling the SFTP server
Configuring the user interfaces for SSH clients
Configuring a client's host public key
Configuring an SSH user
Setting the SSH management parameters
Configuring the device as an Stelnet client
Stelnet client configuration task list
Specifying a source IP address or source interface for the Stelnet client
Enabling and disabling first-time authentication
Establishing a connection to an Stelnet server
Configuring the device as an SFTP client
SFTP client configuration task list
Specifying a source IP address or source interface for the SFTP client
Establishing a connection to an SFTP server
Working with SFTP directories
Working with SFTP files
Displaying help information
Terminating the connection with the SFTP server
Configuring the device as an SCP client
SCP client configuration task list
Transferring files with an SCP server
Displaying and maintaining SSH
Stelnet configuration examples
Password authentication enabled Stelnet server configuration example
Publickey authentication enabled Stelnet server configuration example
Password authentication enabled Stelnet client configuration example
Publickey authentication enabled Stelnet client configuration example
SFTP configuration example
Network requirements
Configuration procedure
SCP configuration example
Network requirements
Configuration procedure

 


Configuring SSH

Overview

Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH implements remote login and file transfer securely over an insecure network.

SSH uses the typical client/server model, establishing a channel to protect data transfer based on TCP.

SSH includes two versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2), which are not compatible. SSH2 is better than SSH1 in performance and security.

The device can work as an SSH server to provide services to SSH clients and can also work as an SSH client to allow users to establish SSH connections with a remote SSH server. When acting as an SSH server, the device supports SSH2 and SSH1 in non-FIPS mode and supports only SSH2 in FIPS mode. When acting as an SSH client, the device supports SSH2 only.

The device supports the following SSH applications:

·     Stelnet—Provides secure and reliable network terminal access services. Through Stelnet, a user can log in to a remote server securely. Stelnet protects devices against attacks such as IP spoofing and plain text password interception. The device can act as both the Stelnet server and Stelnet client.

·     SFTP—Based on SSH2, SFTP uses the SSH connection to provide secure file transfer. The device can serve as the SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also serve as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

·     SCP—Based on SSH2, SCP offers a secure approach to copying files. The device can act as the SCP server, allowing a user to log in to the device for file upload and download. The device can also act as an SCP client, enabling a user to log in from the device to a remote server for secure file transfer.

How SSH works

This section uses SSH2 as an example.

To establish an SSH connection and communicate with each other through the connection, an SSH client and an SSH server go through the stages listed in Table 1. For more information about these stages, see SSH Technology White Paper.

Table 1 Stages of secure session establishment (stage: description)

Connection establishment: The SSH server listens for connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.

Version negotiation: The two parties determine a version to use after negotiation.

Algorithm negotiation: SSH supports multiple algorithms. Based on the local algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.

Key exchange: The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client also authenticates the server.

Authentication: The SSH server authenticates the client in response to the client's authentication request.

Session request: After passing authentication, the client sends a session request to the server to request the establishment of a session (Stelnet, SFTP, or SCP).

Interaction: After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can execute commands from the client by pasting the commands in text format. (The text must be within 2000 bytes.) The commands must be available in the same view. Otherwise, the server might not be able to execute the commands correctly. If you want to execute commands of more than 2000 bytes, you can save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.

 

SSH authentication 

This section describes authentication methods that are supported by the device when it acts as an SSH server.

Password authentication

The SSH server authenticates a client through the AAA mechanism. The password authentication process is as follows:

1.     The client sends the server an authentication request that includes the encrypted username and password.

2.     The server performs the following operations:

a.     Decrypts the request to get the username and password in plain text.

b.     Verifies the username and password locally or through remote AAA authentication.

c.     Informs the client of the authentication result.

If the remote AAA server requires a secondary password authentication from the user, it sends the SSH server an authentication response with a prompt. The prompt is transparently transmitted to the client and displayed to notify the user to enter a specific password. After the user enters the correct password and it passes the validity check by the remote AAA server, the device returns an authentication success message to the client.

 

 

NOTE:

Only clients that run SSH2 or a later version support password secondary authentication that is initiated by the AAA server.

 

Publickey authentication

The server authenticates the client by verifying the digital signature of the client. The publickey authentication process is as follows:

1.     The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.

If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request. The digital certificate carries the public key information of the client.

2.     The server verifies the client's public key.

-     If the public key is invalid, the server informs the client of the authentication failure.

-     If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature and informs the client of the authentication result.

When acting as an SSH server, the device supports using the public key algorithms RSA and DSA to verify digital signatures.

When acting as an SSH client, the device supports using the public key algorithms RSA and DSA to generate digital signatures.

For more information about public key configuration, see "Managing public keys."

Password-publickey authentication

The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if a client runs SSH1, it only needs to pass either authentication.

Any authentication

The server requires the client to pass either password authentication or publickey authentication.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode (see "Configuring FIPS") and non-FIPS mode.

Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP or SCP server. Because the configuration procedures are similar, the SSH server represents the Stelnet, SFTP, and SCP server unless otherwise specified.

SSH server configuration task list

Task list (task: remarks):

·     Generating local DSA and RSA key pairs: Required.

·     Enabling the SSH server: Required for Stelnet, SFTP, and SCP servers.

·     Enabling the SFTP server: Required only for the SFTP server.

·     Configuring the user interfaces for SSH clients: Required.

·     Configuring a client's host public key: Required if publickey authentication is configured for users and the clients directly send the public keys to the server for validity check.

·     Configuring the PKI domain for verifying the client certificate (see "Configuring PKI"): Required if publickey authentication is configured for users and the clients send the public keys to the server through digital certificates for validity check. The PKI domain must have the CA certificate to verify the client certificate.

·     Configuring an SSH user: Required for publickey authentication users and optional for other authentication users.

·     Setting the SSH management parameters: Optional.

 

Generating local DSA and RSA key pairs

DSA and RSA key pairs are required for generating the session key and session ID in the key exchange stage, and can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key that it receives from the server with the server public key that it saved locally. If the keys are consistent, the client uses the locally saved server's public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes the authentication.

Configuration guidelines

·     To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the SSH server.

·     The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH server is used in SSH1 to encrypt the session key for secure transmission of the key. Because SSH2 uses the DH algorithm to generate the session key on the SSH server and the client, no session key transmission is required in SSH2 and the server key pair is not used.

·     The public-key local create dsa command generates only a host key pair. SSH1 does not support the DSA algorithm.

·     The DSA algorithm is not supported in FIPS mode.

Configuration procedure

To generate local RSA and DSA key pairs on the SSH server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Generate RSA and DSA key pairs.

public-key local create { dsa | rsa }

By default, no RSA or DSA key pairs exist.

 

Enabling the SSH server

After you enable the SSH server on the device, a client can log in to the device through SSH.

When the device acts as an SCP server, only one SCP user is allowed to access the SCP server at a time.

To enable the SSH server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the SSH server.

ssh server enable

Disabled by default.

 

Enabling the SFTP server

After you enable the SFTP server on the device, a client can log in to the device through SFTP.

When the device acts as the SFTP server, only one client can access the SFTP server at a time.

To enable the SFTP server:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the SFTP server.

sftp server enable

Disabled by default.

 

Configuring the user interfaces for SSH clients

An SSH client accesses the device through a VTY user interface. You must configure the user interfaces for SSH clients to allow SSH login. The configuration takes effect only on the clients logging in after the configuration.

 

IMPORTANT:

Before you configure a user interface to support SSH, you must configure its authentication mode to scheme. Otherwise, the protocol inbound command fails.

 

To configure the user interfaces for SSH clients:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter VTY user interface view.

user-interface vty number [ ending-number ]

N/A

3.     Set the login authentication mode to scheme.

authentication-mode scheme

By default, the authentication mode is password.

4.     Configure the user interface to support SSH login.

protocol inbound { all | ssh }

Optional.

By default, Telnet and SSH are supported.

 

For more information about the authentication-mode and protocol inbound commands, see Fundamentals Command Reference.

Configuring a client's host public key

This configuration task is only necessary if publickey authentication is configured for users and the clients directly send the public key to the server for authentication.

During a publickey authentication for a client, the server first compares the SSH username and host public key received from the client with those saved locally. If the information is consistent, it verifies the digital signature that the client sends. The digital signature is calculated by the client according to the private key associated with the host public key.

You must configure the client's DSA or RSA host public key on the server and specify the associated host private key on the client to generate the digital signature, so that the client can pass publickey authentication with the correct digital signature. If the device serves as the client, the associated host private key is determined by the public key algorithm you specify.

You can manually configure the public key of an SSH client on the server, or import it from the public key file:

·     Manual configuration—Type or copy the client's host public key from the client to the SSH server. The host public key must be in DER encoding format, without any conversion.

Manually configured client host public keys must be in the specified format. If you use the device to act as the client, you can use the display public-key local rsa public command to view the host public key and copy its contents to the server. A host public key obtained in other ways might be in incorrect format and cannot be saved on the server. H3C recommends that you configure a client public key by importing it from a public key file.

·     Importing from the public key file—Upload the client's host public key file (in binary) to the server (for example, through FTP or TFTP), and import the uploaded file to the server. During the import process, the server automatically converts the public key in the public key file to a string in PKCS format.

You can configure up to 20 SSH client public keys on an SSH server.

For more information about client public key configuration, see "Managing public keys."

Configuring a client public key manually

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enter public key view.

public-key peer keyname

N/A

3.     Enter public key code view.

public-key-code begin

N/A

4.     Configure a client's host public key.

Enter the content of the host public key

Spaces and carriage returns are allowed between characters.

5.     Return to public key view and save the configured host public key.

public-key-code end

When you exit public key code view, the system automatically saves the public key.

6.     Return to system view.

peer-public-key end

N/A

 

Importing a client public key from a public key file

Step

Command

1.     Enter system view.

system-view

2.     Import the public key from a public key file.

public-key peer keyname import sshkey filename

 

Configuring an SSH user

To configure an SSH user that uses publickey authentication, you must perform the procedure in this section.

If the authentication method is password-publickey or any, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server (for example, a RADIUS server) for remote authentication.

If the authentication method is password, you do not need to perform the procedure in this section for such users, unless you want the display ssh user-information command to display all SSH users, including password-only SSH users, for centralized management.

Configuration guidelines

When you configure an SSH user, follow these guidelines:

·     You can set the service type to Stelnet, SFTP, or SCP.

·     You can enable one of the following authentication modes for the SSH user:

-     Password—The user must pass password authentication.

-     Publickey authentication—The user must pass publickey authentication.

-     Password-publickey authentication—As an SSH2.0 user, the user must pass both password and publickey authentication. As an SSH1 user, the user must pass either password or publickey authentication.

-     Any—The user can use either password authentication or publickey authentication.

·     All authentication methods, except password authentication, require a client's host public key or digital certificate to be specified.

-     If a client directly sends the user's public key information to the server, the server must specify the client's public key, and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."

-     If a client sends the user's public key information to the server through a digital certificate, the server must specify the PKI domain for verifying the client certificate. For more information about configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass the authentication, the specified PKI domain must have the proper CA certificate.

·     For an SSH user, the command level accessible to the user depends on the authentication method:

-     If the authentication method is publickey or password-publickey, the command level accessible to the user is set by the user privilege level command on the user interface.

-     If the authentication method is password, the command level accessible to the user is authorized by AAA.

·     SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.

·     For an SFTP SSH user, the working folder depends on the authentication method:

-     If the authentication method is password, the working folder is authorized by AAA.

-     If the authentication method is publickey or password-publickey, the working folder is set by using the ssh user command.

·     If you change the authentication mode or public key for an SSH user that has logged in, the change takes effect on the user at next login.

Configuration procedure

To configure an SSH user and specify the service type and authentication method:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Create an SSH user, and specify the service type and authentication method.

·     Create an SSH user, and specify the service type and authentication method for Stelnet users:
ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } }

·     Create an SSH user, and specify the service type and authentication method for all users, SCP or SFTP users:
ssh user username service-type { all | scp | sftp } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } work-directory directory-name }

Use either command.

 

Setting the SSH management parameters 

The SSH management parameters can be set to improve the security of SSH connections. The SSH management parameters include:

·     Compatibility between the SSH server and SSH1 clients.

·     RSA server key pair update interval, applicable to users using an SSH1 client.

·     SSH user authentication timeout period. This parameter is used to reject a connection if the authentication for the connection is not completed before the timeout period expires.

·     Maximum number of SSH authentication attempts. This parameter is used to prevent malicious password cracking.

·     SFTP connection idle timeout period. Once the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.

To set the SSH management parameters:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable the SSH server to support SSH1 clients.

ssh server compatible-ssh1x enable

Optional.

By default, the SSH server supports SSH1 clients.

3.     Set the RSA server key pair update interval.

ssh server rekey-interval hours

Optional.

By default, the interval is 0, and the RSA server key pair is not updated.

4.     Set the SSH user authentication timeout period.

ssh server authentication-timeout time-out-value

Optional.

60 seconds by default.

5.     Set the maximum number of SSH authentication attempts.

ssh server authentication-retries times

Optional.

3 by default.

Authentication fails if the number of authentication attempts (including both publickey and password authentication) exceeds the upper limit.

6.     Configure the SFTP connection idle timeout period.

sftp server idle-timeout time-out-value

Optional.

10 minutes by default.
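The server-side tasks above, combined into a single configuration session as an added example (this is not a configuration from the guide itself). The device name, VTY range 0-4, user name admin, key name client001, uploaded key file client001.pub, and work directory flash:/ are placeholders; the undo form used to turn off SSH1 compatibility is assumed from the command's documented default.

```text
# Added example, not from the guide: hardened Stelnet/SFTP server setup on one device.
# Placeholders: device name "Device", VTY range 0-4, user "admin", key name "client001",
# uploaded key file "client001.pub", work directory "flash:/".
<Device> system-view
# 1. Host key pairs for both algorithms, so RSA and DSA clients can both authenticate the
#    server (skip DSA in FIPS mode, where it is not supported).
[Device] public-key local create rsa
[Device] public-key local create dsa
# 2. Enable the SSH server and, because admin will also use SFTP, the SFTP server.
[Device] ssh server enable
[Device] sftp server enable
# 3. VTY lines: scheme authentication is a prerequisite, then allow only SSH (no Telnet).
#    The privilege level here is what a publickey user gets, since AAA does not authorize it.
[Device] user-interface vty 0 4
[Device-ui-vty0-4] authentication-mode scheme
[Device-ui-vty0-4] protocol inbound ssh
[Device-ui-vty0-4] user privilege level 3
[Device-ui-vty0-4] quit
# 4. Import the client's host public key from a file already uploaded to the device
#    (preferred over manual entry, which needs an unconverted DER key).
[Device] public-key peer client001 import sshkey client001.pub
# 5. The SSH user: publickey authentication bound to that key. work-directory is part of the
#    command form for service-type all, and sets the SFTP working folder for this user.
[Device] ssh user admin service-type all authentication-type publickey assign publickey client001 work-directory flash:/
# 6. Management parameters: drop SSH1 support (assumed undo form of the compatible-ssh1x
#    command), shorten the authentication window, keep 3 attempts, shorten the SFTP idle timeout.
[Device] undo ssh server compatible-ssh1x
[Device] ssh server authentication-timeout 30
[Device] ssh server authentication-retries 3
[Device] sftp server idle-timeout 5
```

Review the result with display ssh user-information and display ssh server status before removing Telnet access from any other VTY lines.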

 

Configuring the device as an Stelnet client

This section describes how to configure the device as an Stelnet client.

Stelnet client configuration task list

Task list (task: remarks):

·     Specifying a source IP address or source interface for the Stelnet client: Optional.

·     Enabling and disabling first-time authentication: Optional.

·     Establishing a connection to an Stelnet server: Required.

 

Specifying a source IP address or source interface for the Stelnet client

By default, an Stelnet client uses the IP address of the outbound interface specified by the route to the Stelnet server as the source IP address to communicate with the Stelnet server. You can change the source IP address or specify a source interface for the client.

To make sure the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.

To specify a source IP address or source interface for the Stelnet client:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a source IP address or source interface for the Stelnet client.

·     Specify a source IPv4 address or source interface for the Stelnet client:
ssh client source { interface interface-type interface-number | ip ip-address }

·     Specify a source IPv6 address or source interface for the Stelnet client:
ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

Use either command.

 

Enabling and disabling first-time authentication

When the device works as an SSH client and connects to the SSH server, you can enable or disable first-time authentication for the client.

When a client not configured with the server host public key accesses the server for the first time:

·     If first-time authentication is disabled, the client does not access the server. To enable the client to access the server, you must configure the server host public key locally and specify the public key name for authentication on the client in advance.

·     If first-time authentication is enabled, the client accesses the server, and saves the host public key on the client. When accessing the server again, the client uses the saved server host public key to authenticate the server.

In a secure network, first-time authentication simplifies client configuration. However, because the client accepts and saves whatever host public key the server presents on the first connection, it has no way to verify the server's identity at that point, so first-time authentication also creates potential security risks.

Enabling first-time authentication

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Enable first-time authentication.

ssh client first-time enable

Optional.

Enabled by default.

 

Disabling first-time authentication

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Disable first-time authentication.

undo ssh client first-time

Enabled by default.

3.     Configure the server host public key.

See "Configuring a client's host public key."

The method for configuring the server host public key on the client is similar to that for configuring a client public key on the server.

4.     Specify the host public key name of the server.

ssh client authentication server server assign publickey keyname

N/A

 

Establishing a connection to an Stelnet server

You can launch the Stelnet client to establish a connection to an Stelnet server, and specify the public key algorithm, the preferred encryption algorithm, the preferred HMAC algorithm, and the preferred key exchange algorithm.

To establish a connection to an Stelnet server:

 

Task

Command

Remarks

Establish a connection to an Stelnet server.

·     Establish a connection to an IPv4 server:

-     In non-FIPS mode:
ssh2 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

-     In FIPS mode:
ssh2 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

·     Establish a connection to an IPv6 server:

-     In non-FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

-     In FIPS mode:
ssh2 ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

Use one of the commands in user view.
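The client-side procedure, with first-time authentication disabled and the server's host public key pinned before the first connection, as an added example (not a configuration from the guide). The server address 192.0.2.10, key name server001, uploaded key file server001.pub, and LoopBack 0 as the source interface are placeholders chosen for this example.

```text
# Added example, not from the guide: the device as an Stelnet client that refuses unknown
# server host keys. Placeholders: server 192.0.2.10, key name "server001", uploaded server
# key file "server001.pub", LoopBack 0 as the source interface.
<Client> system-view
# 1. Turn off first-time authentication: the client now connects only to servers whose
#    host public key it already holds, so a spoofed server fails server authentication.
[Client] undo ssh client first-time
# 2. Load the server's host public key (same import method as a client key on the server)
#    and bind it to the server address the client will connect to.
[Client] public-key peer server001 import sshkey server001.pub
[Client] ssh client authentication server 192.0.2.10 assign publickey server001
# 3. Fixed source interface, so the server side can filter and account for this client
#    by a stable address.
[Client] ssh client source interface loopback 0
[Client] quit
# 4. Connect from user view, preferring the strongest choices the non-FIPS command offers
#    (aes128 over 3des/des, sha1 over md5, dh-group14 over dh-group1).
<Client> ssh2 192.0.2.10 identity-key rsa prefer-kex dh-group14 prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1
```

The same steps apply to the SFTP client (sftp client source, sftp server-address) with the key-pinning commands unchanged, since both clients share the ssh client first-time and authentication server settings.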

 

Configuring the device as an SFTP client

This section describes how to configure the device as an SFTP client.

SFTP client configuration task list

Task list (task: remarks):

·     Specifying a source IP address or source interface for the SFTP client: Optional.

·     Enabling and disabling first-time authentication: Optional.

·     Establishing a connection to an SFTP server: Required.

·     Working with SFTP directories: Optional.

·     Working with SFTP files: Optional.

·     Displaying help information: Optional.

·     Terminating the connection with the SFTP server: Optional.

 

Specifying a source IP address or source interface for the SFTP client

By default, an SFTP client uses the IP address of the outbound interface specified by the route to the SFTP server as the source IP address to communicate with the SFTP server. You can change the source IP address or specify a source interface for the client.

To make sure the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface or dialer interface as the source interface.

To specify a source IP address or interface for the SFTP client:

 

Step

Command

Remarks

1.     Enter system view.

system-view

N/A

2.     Specify a source IP address or interface for the SFTP client.

·     Specify a source IPv4 address or interface for the SFTP client:
sftp client source { interface interface-type interface-number | ip ip-address }

·     Specify a source IPv6 address or interface for the SFTP client:
sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

Use either command.

 

Establishing a connection to an SFTP server

You can launch the SFTP client to establish a connection to an SFTP server, and specify the public key algorithm, the preferred encryption algorithm, preferred HMAC algorithm, and preferred key exchange algorithm.

After the connection is established, you can directly enter SFTP client view on the server to perform directory and file operations.

To establish a connection to an SFTP server:

 

Task

Command

Remarks

Establish a connection to an SFTP server and enter SFTP client view.

·     Establish a connection to an IPv4 SFTP server:

-     In non-FIPS mode:
sftp server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

-     In FIPS mode:
sftp server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

·     Establish a connection to an IPv6 SFTP server:

-     In non-FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

-     In FIPS mode:
sftp ipv6 server [ port-number ] [ identity-key rsa | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

Use one of the commands in user view.

 

Working with SFTP directories

SFTP directory operations include:

·     Changing or displaying the current working directory

·     Displaying files under a directory or the directory information

·     Changing the name of a directory on the server

·     Creating or deleting a directory

To work with the SFTP directories:

 

Step

Command

Remarks

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

N/A

2.     Change the working directory of the remote SFTP server.

cd [ remote-path ]

Optional.

3.     Return to the upper-level directory.

cdup

Optional.

4.     Display the current working directory on the SFTP server.

pwd

Optional.

5.     Display files under a directory.

·     dir [ -a | -l ] [ remote-path ]

·     ls [ -a | -l ] [ remote-path ]

Optional.

The dir command functions as the ls command.

6.     Change the name of a directory on the SFTP server.

rename oldname newname

Optional.

7.     Create a new directory on the SFTP server.

mkdir remote-path

Optional.

8.     Delete one or more directories from the SFTP server.

rmdir remote-path&<1-10>

Optional.

 

Working with SFTP files

SFTP file operations include:

·     Changing the name of a file

·     Downloading a file

·     Uploading a file

·     Displaying a list of files

·     Deleting a file

To work with SFTP files:

 

Step

Command

Remarks

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

N/A

2.     Change the name of a file on the SFTP server.

rename old-name new-name

Optional.

3.     Download a file from the remote server and save it locally.

get remote-file [ local-file ]

Optional.

4.     Upload a local file to the SFTP server.

put local-file [ remote-file ]

Optional.

5.     Display the files under a directory.

·     dir [ -a | -l ] [ remote-path ]

·     ls [ -a | -l ] [ remote-path ]

Optional.

The dir command functions as the ls command.

6.     Delete one or more files from the SFTP server.

·     delete remote-file&<1-10>

·     remove remote-file&<1-10>

Optional.

The delete command functions as the remove command.

 

Displaying help information

Use the help command to display all commands or the help information of an SFTP client command, including the command format and parameters.

To display all commands or the help information of an SFTP client command:

 

Step

Command

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Display all commands or the help information of an SFTP client command.

help [ all | command-name ]

 

Terminating the connection with the SFTP server

Step

Command

Remarks

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

N/A

2.     Terminate the connection with the SFTP server and return to user view.

·     bye

·     exit

·     quit

Use any of the commands.

These commands function in the same way.

 

Configuring the device as an SCP client

This section describes how to configure the device as an SCP client.

SCP client configuration task list

Task

Remarks

Enabling and disabling first-time authentication

Optional.

Transferring files with an SCP server

Required.

 

Transferring files with an SCP server

Task

Command

Remarks

Connect to the SCP server, and transfer files with the server.

·     Upload a file to the SCP server:

¡     In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

¡     In FIPS mode:
scp [ ipv6 ] server [ port-number ] put source-file-path [ destination-file-path ] [ identity-key rsa | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

·     Download a file from the SCP server:

¡     In non-FIPS mode:
scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key { dsa | rsa } | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

¡     In FIPS mode:
scp [ ipv6 ] server [ port-number ] get source-file-path [ destination-file-path ] [ identity-key rsa | prefer-compress { zlib | zlib-openssh } | prefer-ctos-cipher { aes128 | aes256 } | prefer-ctos-hmac { sha1 | sha1-96 } | prefer-kex dh-group14 | prefer-stoc-cipher { aes128 | aes256 } | prefer-stoc-hmac { sha1 | sha1-96 } ] *

Use one of the commands in user view.

 

Displaying and maintaining SSH

Task

Command

Remarks

Display the source IP address or interface configured for the SFTP client.

display sftp client source [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the source IP address or interface information configured for the Stelnet client.

display ssh client source [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display SSH server status information or session information on an SSH server.

display ssh server { status | session } [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the mappings between SSH servers and their host public keys on an SSH client.

display ssh server-info [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display information about one or all SSH users on an SSH server.

display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the public keys of the local key pairs.

display public-key local { dsa | rsa } public [ | { begin | exclude | include } regular-expression ]

Available in any view.

Display the public keys of the SSH peers.

display public-key peer [ brief | name publickey-name ] [ | { begin | exclude | include } regular-expression ]

Available in any view.

 

Stelnet configuration examples

This section provides examples of configuring Stelnet.

Password authentication enabled Stelnet server configuration example

Network requirements

As shown in Figure 1, you can log in to the AC through Stelnet client software (SSH2) running on the client host. The AC acts as the Stelnet server and uses password authentication. The username and password of the client are saved on the AC. The client and the AC can reach each other.

Figure 1 Network diagram

 

Configuration procedure

1.     Generate an RSA key pair on the Stelnet client (this step is not needed for password authentication; the key pair matters only if the user is later switched to publickey authentication):

a.     Launch PuTTYGen.exe, select SSH-2 RSA, and click Generate.

Figure 2 Generating an RSA key pair on the client

 

b.     Continuously move the mouse, keeping it away from the green progress bar shown in Figure 3. Otherwise the progress bar stops moving and key pair generation stalls.

Figure 3 Generating process

 

c.     After the key pair is generated, click Save public key to save the public key.

A file saving window appears.

Figure 4 Saving a key pair on the client

 

d.     Enter a file name (key.pub in this example), and click Save.

e.     On the page as shown in Figure 4, click Save private key to save the private key.

A confirmation dialog box appears.

f.     Click Yes.

A file saving window appears.

g.     Enter a file name (private.ppk in this example), and click Save.

h.     Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2.     Configure the Stelnet server AC:

# Generate RSA key pairs.

<AC> system-view

[AC] public-key local create rsa

# Enable the SSH server.

[AC] ssh server enable

# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[AC-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[AC] user-interface vty 0 4

[AC-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[AC-ui-vty0-4] protocol inbound ssh

[AC-ui-vty0-4] quit

# Create a local user client001, with the password as aabbcc, user privilege level 3, and the service type as ssh.

[AC] local-user client001

[AC-luser-client001] password simple aabbcc

[AC-luser-client001] authorization-attribute level 3

[AC-luser-client001] service-type ssh

[AC-luser-client001] quit

# Create an SSH user client001 and specify the service type for user as stelnet, and the authentication method as password.

[AC] ssh user client001 service-type stelnet authentication-type password

3.     Establish a connection to the Stelnet server:

The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.

To establish a connection to the Stelnet server:

a.     Launch PuTTY.exe on the Stelnet client.

Figure 5 Specifying the host name (or IP address)

 

b.     In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.

c.     Click Open to connect to the server.

If the connection is successfully established, the system asks you to enter the username and password. After entering the username (client001) and password (aabbcc), you can enter the CLI of the server.

Publickey authentication enabled Stelnet server configuration example

Network requirements

As shown in Figure 6, you can log in to the AC through Stelnet client software (SSH2) running on the client host. The AC acts as the Stelnet server and uses publickey authentication with the RSA public key algorithm.

Figure 6 Network diagram

 

Configuration considerations

In the server configuration, the client public key is required. Use the client software to generate the RSA key pair on the client before configuring the Stelnet server.

The device supports different types of Stelnet client software, such as PuTTY and OpenSSH. The following example uses PuTTY version 0.58 on the Stelnet client.

Configuration procedure

1.     Generate an RSA key pair on the Client:

a.     Launch PuTTYGen.exe, select SSH-2 RSA, and click Generate.

Figure 7 Generating a key pair on the client

 

b.     Continuously move the mouse, keeping it away from the green progress bar shown in Figure 8. Otherwise the progress bar stops moving and key pair generation stalls.

Figure 8 Generating process

 

c.     After the key pair is generated, click Save public key to save the public key.

A file saving window appears.

Figure 9 Saving a key pair on the client

 

d.     Enter a file name (key.pub in this example), and click Save.

e.     On the page as shown in Figure 9, click Save private key to save the private key.

A confirmation dialog box appears.

f.     Click Yes.

A file saving window appears.

g.     Enter a file name (private.ppk in this example), and click Save.

h.     Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2.     Configure the Stelnet server AC:

# Generate RSA key pairs.

<AC> system-view

[AC] public-key local create rsa

# Enable the SSH server.

[AC] ssh server enable

# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[AC-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[AC] user-interface vty 0 4

[AC-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[AC-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[AC-ui-vty0-4] user privilege level 3

[AC-ui-vty0-4] quit

# Import the client's public key from file key.pub and name it Key001. After the import, check the key with display public-key peer name Key001 before assigning it to a user.

[AC] public-key peer Key001 import sshkey key.pub

# Create an SSH user client002 with the authentication method publickey, and assign the public key Key001 to the user.

[AC] ssh user client002 service-type stelnet authentication-type publickey assign publickey Key001

3.     Establish a connection to the Stelnet server:

a.     Launch PuTTY.exe on the Stelnet client.

Figure 10 Specifying the host name (or IP address)

 

b.     In the Host Name (or IP address) field, enter the IP address 192.168.1.40 of the Stelnet server.

c.     Select Connection > SSH > Auth from the navigation tree.

d.     Click Browse… to bring up the file selection window, navigate to the private key file (private.ppk in this example) and click OK.

Figure 11 Specifying the private key file

 

e.     Click Open to connect to the server.

If the connection is successfully established, the system asks you to enter the username. After you enter the username (client002), PuTTY authenticates with the private key in private.ppk (no password is requested), and you can enter the CLI of the server.
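The key.pub file that PuTTYGen writes with Save public key (and the ssh2 format that public-key local export rsa ssh2 produces on a Comware device) is the RFC 4716 "SSH2 public key" file format. It reaches the AC over FTP or TFTP, which protect neither its confidentiality nor its integrity, so before running public-key peer ... import sshkey it is worth confirming that the file the AC received is the file the client generated. The following Python script is an added example written for this guide; it is not H3C code and runs on a workstation, not on the AC. It parses the RFC 4716 file, decodes the SSH wire-format key blob, reports the key type and modulus size, and computes both the colon-separated MD5 fingerprint that PuTTYGen 0.58 displays and the SHA256 fingerprint that newer PuTTYGen and OpenSSH display, so the client's copy and the server's copy can be compared. The embedded key.pub is constructed from a placeholder 2048-bit modulus (it is not a real RSA key) so that the script runs offline; point audit_key_file at the real file instead.

```python
"""Audit an RFC 4716 ("SSH2") public key file such as the key.pub written by PuTTYGen
before importing it with `public-key peer ... import sshkey`. Added example, not H3C code."""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def mpint(value):
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 when the top bit is set)."""
    return ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def ssh_rsa_blob(e, n):
    """Wire-format blob of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def to_rfc4716(blob, comment):
    """Write a key blob in the RFC 4716 file format (base64 body wrapped at 70 columns)."""
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'


def parse_rfc4716(text):
    """Return (headers, blob) from an RFC 4716 file; header values may continue with '\\'."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 BEGIN/END markers")
    headers, body, i = {}, [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line and not body:            # header lines come before the base64 body
            name, value = line.split(":", 1)
            while value.endswith("\\"):          # continuation line
                i += 1
                value = value[:-1] + lines[i]
            headers[name.strip()] = value.strip()
        else:
            body.append(line)
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)


def split_blob(blob):
    """Split a wire-format key blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: SHA256:<unpadded base64 of the digest>."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, as shown by PuTTYGen 0.58."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def audit_key_file(text, min_bits=2048):
    """Describe the key in an RFC 4716 file and say whether it meets the size policy
    (policy used here: RSA only, at least min_bits; 1024-bit DSA is rejected)."""
    headers, blob = parse_rfc4716(text)
    fields = split_blob(blob)
    key_type = fields[0].decode()
    if key_type == "ssh-rsa":                # fields: type, e, n
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif key_type == "ssh-dss":              # fields: type, p, q, g, y
        bits = int.from_bytes(fields[1], "big").bit_length()
    else:
        bits = None
    return {
        "comment": headers.get("Comment", "").strip('"'),
        "type": key_type,
        "bits": bits,
        "sha256": fingerprint_sha256(blob),
        "md5": fingerprint_md5(blob),
        "acceptable": key_type == "ssh-rsa" and bits is not None and bits >= min_bits,
    }


# Constructed sample: e = 65537 with a placeholder 2048-bit "modulus". It is NOT a real
# RSA key (only shaped like one) so that the script runs offline without a key generator.
SAMPLE_BLOB = ssh_rsa_blob(65537, (1 << 2047) | 0x10001)
SAMPLE_KEY_PUB = to_rfc4716(SAMPLE_BLOB, "rsa-key-20170101")

if __name__ == "__main__":
    # Real use: audit_key_file(open("key.pub").read()) on the client's copy and on the
    # copy that arrived on the AC, then compare the two fingerprints.
    for name, value in audit_key_file(SAMPLE_KEY_PUB).items():
        print(f"{name:>10}: {value}")
```

Run the audit on the client's copy of key.pub and on the copy as it arrived on the server; any fingerprint difference means the file was altered in transit or the wrong file was imported. A key reported as not acceptable (for example 1024-bit RSA, or a DSA key) should be regenerated in PuTTYGen with a 2048-bit RSA key size before import.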

Password authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 12, you can log in to the switch through the Stelnet client that runs on AC. The switch acts as the Stelnet server and uses password authentication. The username and password of AC are saved on the switch.

Figure 12 Network diagram

 

Configuration procedure

1.     Configure the Stelnet server:

# Generate RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

# Enable the SSH server.

[Switch] ssh server enable

# Configure an IP address for VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[Switch-ui-vty0-4] protocol inbound ssh

[Switch-ui-vty0-4] quit

# Create a local user client001 with the password aabbcc, the user privilege level 3, and the service type ssh.

[Switch] local-user client001

[Switch-luser-client001] password simple aabbcc

[Switch-luser-client001] authorization-attribute level 3

[Switch-luser-client001] service-type ssh

[Switch-luser-client001] quit

# Create an SSH user client001 with the service type stelnet and the authentication method password.

[Switch] ssh user client001 service-type stelnet authentication-type password

2.     Establish a connection to the Stelnet server:

# Configure an IP address for VLAN-interface 2.

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.56 255.255.255.0

[AC-Vlan-interface2] quit

# Disable first-time authentication so that the AC only connects to servers whose host public key has been configured in advance.

[AC] undo ssh client first-time

# Configure the host public key of the Stelnet server and name the key key1. The key code must be the Switch's actual host public key: copy it from the output of display public-key local rsa public on the Switch. (The key code below is only illustrative.)

[AC] public-key peer key1

[AC-pkey-public-key] public-key-code begin

[AC-pkey-key-code]308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F0

[AC-pkey-key-code]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274

[AC-pkey-key-code]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E

[AC-pkey-key-code]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C

[AC-pkey-key-code]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95

[AC-pkey-key-code]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5

[AC-pkey-key-code]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9

[AC-pkey-key-code]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917

[AC-pkey-key-code]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD

[AC-pkey-key-code]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290

[AC-pkey-key-code]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D

[AC-pkey-key-code]485348

[AC-pkey-key-code] public-key-code end

[AC-pkey-public-key] peer-public-key end

# Specify the host public key for the Stelnet server 192.168.1.40 as key1.

[AC] ssh client authentication server 192.168.1.40 assign publickey key1

[AC] quit

# Establish an SSH connection to the Stelnet server 192.168.1.40.

<AC> ssh2 192.168.1.40

Username: client001

Trying 192.168.1.40

Press CTRL+K to abort

Connected to 192.168.1.40...

Enter password:

******************************************************************************

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Switch>
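The key code pasted between public-key-code begin and public-key-code end is the DER encoding of the server's SubjectPublicKeyInfo, written as hex and split into 80-character lines. A paste error, a truncated block, or a key copied from the wrong device is not reported by the CLI until the connection fails, so it pays to decode the block before committing it. The following Python script is an added example written for this guide; it is not H3C code and runs on a workstation, not on the AC. It parses such a key code, reports the algorithm and key size, and rejects a truncated paste; in the other direction, it builds the key code for an RSA public key given as (n, e) and splits it into lines ready for pasting. Decoding the key code shown in the example above identifies it as a 1024-bit DSA key, whereas the Switch in this example generates an RSA host key with public-key local create rsa; in practice, copy the key code from display public-key local rsa public on the Switch. The RSA sample built in the block uses a placeholder modulus, not a real key.

```python
"""Decode or build the hex key code used between `public-key-code begin` and
`public-key-code end` (a DER-encoded SubjectPublicKeyInfo). Added example, not H3C code."""

# DER-encoded algorithm OIDs (hex) as they appear inside the AlgorithmIdentifier.
OIDS = {"2A864886F70D010101": "RSA", "2A8648CE380401": "DSA"}

# Key code from the Stelnet client example above (prompt removed, wrapped lines re-joined).
EXAMPLE_KEY_CODE = [
    "308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F0",
    "61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274",
    "DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E",
    "EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C",
    "737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95",
    "94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5",
    "B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9",
    "B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917",
    "E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD",
    "D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290",
    "E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D",
    "485348",
]


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def elements(body):
    """List the (tag, value) children of a SEQUENCE body."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out


def inspect_key_code(lines):
    """Return {'algorithm': 'RSA'|'DSA'|'unknown', 'bits': int|None} for a pasted key code.
    Lines may still carry the '[AC-pkey-key-code]' prompt; it is stripped."""
    cleaned = ["".join(line.split("]", 1)[-1].split()) for line in lines]
    raw = bytes.fromhex("".join(cleaned))
    tag, spki, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("key code is not one complete DER SEQUENCE (truncated or garbled paste?)")
    (_, alg_id), (_, pubkey) = elements(spki)      # AlgorithmIdentifier, BIT STRING
    (_, oid), (_, params) = elements(alg_id)
    algorithm = OIDS.get(oid.hex().upper(), "unknown")
    if algorithm == "DSA":
        strength = elements(params)[0][1]           # params = SEQUENCE { p, q, g }; take p
    elif algorithm == "RSA":
        rsa_seq = elements(pubkey[1:])[0][1]        # pubkey[0] is the BIT STRING's unused-bits byte
        strength = elements(rsa_seq)[0][1]          # RSAPublicKey = SEQUENCE { n, e }; take n
    else:
        return {"algorithm": algorithm, "bits": None}
    return {"algorithm": algorithm, "bits": int.from_bytes(strength, "big").bit_length()}


def der(tag, body):
    """Encode one DER element with a definite length (up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_int(value):
    """DER INTEGER for a non-negative value (leading 0x00 added when the top bit is set)."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_key_code_lines(n, e, width=80):
    """Build the SubjectPublicKeyInfo for an RSA public key (n, e) and return its hex
    split into lines of `width` characters, ready to paste after public-key-code begin."""
    alg_id = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))
    pubkey = der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e)))
    hexstr = der(0x30, alg_id + pubkey).hex().upper()
    return [hexstr[i:i + width] for i in range(0, len(hexstr), width)]


if __name__ == "__main__":
    print(inspect_key_code(EXAMPLE_KEY_CODE))        # {'algorithm': 'DSA', 'bits': 1024}
    # Placeholder modulus (NOT a real RSA key), used only to exercise the RSA path.
    for line in rsa_key_code_lines((1 << 2047) | 0x10001, 65537):
        print(line)
```

Paste the output of display public-key local rsa public from the server into EXAMPLE_KEY_CODE (or read it from a file) and confirm the script reports RSA with the expected key size before entering it on the client; a ValueError means a line was lost or mangled while copying.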

Publickey authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 13, you can log in to the switch through the Stelnet client that runs on AC. The switch acts as the Stelnet server and uses publickey authentication and the RSA public key algorithm.

Figure 13 Network diagram

 

Configuration considerations

In the server configuration, the client public key is required. Generate the RSA key pair on the AC (the Stelnet client) and export its public key before configuring the Stelnet server.

Configuration procedure

1.     Configure the Stelnet client AC:

# Create VLAN-interface 2 and assign an IP address to it.

<AC> system-view

[AC] interface vlan-interface 2

[AC-Vlan-interface2] ip address 192.168.1.56 255.255.255.0

[AC-Vlan-interface2] quit

# Generate RSA key pairs.

[AC] public-key local create rsa

# Export the RSA public key to the file key.pub.

[AC] public-key local export rsa ssh2 key.pub

[AC] quit

# Transmit the public key file to the server through FTP or TFTP. (Details not shown.)

2.     Configure the Stelnet server:

# Generate RSA key pairs.

<Switch> system-view

[Switch] public-key local create rsa

# Enable the SSH server.

[Switch] ssh server enable

# Configure an IP address for VLAN-interface 2. The SSH client uses this address as the destination address for SSH connection.

[Switch] interface vlan-interface 2

[Switch-Vlan-interface2] ip address 192.168.1.40 255.255.255.0

[Switch-Vlan-interface2] quit

# Set the authentication mode for the user interfaces to AAA.

[Switch] user-interface vty 0 4

[Switch-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[Switch-ui-vty0-4] protocol inbound ssh

# Set the user command privilege level to 3.

[Switch-ui-vty0-4] user privilege level 3

[Switch-ui-vty0-4] quit

# Import the peer public key from the file key.pub, and name it Key001.

[Switch] public-key peer Key001 import sshkey key.pub

# Create an SSH user client002 with the authentication method publickey, and assign the public key Key001 to the user.

[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Key001

3.     Establish an SSH connection to the Stelnet server 192.168.1.40. Because first-time authentication is left enabled on the AC in this example, the client cannot verify the Switch's host key and asks whether to continue; answering y trusts whatever key the peer presented. To avoid this, disable first-time authentication and configure the Switch's host public key on the AC as in the previous example.

<AC> ssh2 192.168.1.40

Username: client002

Trying 192.168.1.40 ...

Press CTRL+K to abort

Connected to 192.168.1.40 ...

 

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

******************************************************************************

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*

* Without the owner's prior written consent,                                 *

* no decompiling or reverse-engineering shall be allowed.                    *

******************************************************************************

<Switch>

SFTP configuration example

Network requirements

As shown in Figure 14, an SSH connection is established between AC 1 and AC 2. AC 1 acts as an SFTP client and logs in to AC 2 for file management and file transfer. The username is client001 and the password is aabbcc.

Figure 14 Network diagram

 

Configuration procedure

1.     Configure the SFTP server AC 2:

# Generate RSA key pairs.

<AC2> system-view

[AC2] public-key local create rsa

# Enable the SSH server.

[AC2] ssh server enable

# Configure an IP address for VLAN-interface 2. The client uses this address as the destination address for SSH connection.

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] ip address 192.168.0.1 255.255.255.0

[AC2-Vlan-interface2] quit

# Set the authentication mode of the user interfaces to AAA.

[AC2] user-interface vty 0 4

[AC2-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[AC2-ui-vty0-4] protocol inbound ssh

[AC2-ui-vty0-4] quit

# Create a local user client001.

[AC2] local-user client001

[AC2-luser-client001] password simple aabbcc

[AC2-luser-client001] authorization-attribute level 3

[AC2-luser-client001] service-type ssh

[AC2-luser-client001] quit

# Create SSH user client001 with the service type sftp and the authentication method password.

[AC2] ssh user client001 service-type sftp authentication-type password

 

 

NOTE:

To use publickey authentication, configure the public key of AC 1 on AC 2. For configuration steps, see "Publickey authentication enabled Stelnet server configuration example."

 

# Enable the SFTP server.

[AC2] sftp server enable

2.     Configure the client AC 1:

# Configure an IP address for VLAN-interface 2.

<AC1> system-view

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] ip address 192.168.0.2 255.255.255.0

[AC1-Vlan-interface2] quit

[AC1] quit

# Establish a connection with the remote SFTP server and enter SFTP client view. First-time authentication is enabled by default, so AC 1 asks whether to continue although it cannot verify the server's host key; answering y trusts the key presented in this session. Answer y to the save prompt to pin that key for later connections, or, better, configure the server's host public key on AC 1 in advance with public-key peer and ssh client authentication server and disable first-time authentication.

<AC1> sftp 192.168.0.1

Input Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

 

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

Enter password:

 

<sftp-client>

# Display files under the current directory of the server, delete file z, and verify the result.

<sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 startup.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

-rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z

End of file

Success

<sftp-client> delete z

The following File will be deleted:

/z

Are you sure to delete it? [Y/N]:y

This operation may take a long time. Please wait...

 

Success

File successfully Removed

<sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 startup.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

End of file

Success

# Add a directory named new1 and verify the result.

<sftp-client> mkdir new1

Success

New directory created

<sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 startup.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1

End of file

Success

# Rename the directory new1 to new2 and verify the result.

<sftp-client> rename new1 new2

Success

File successfully renamed

<sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 startup.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

-rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

End of file

Success

# Download the pubkey2 file from the server and save it as local file public.

<sftp-client> get pubkey2 public

Remote  file:/pubkey2 --->  Local file: public

End of file

Success

Downloading file successfully ended

# Upload a local file named pu to the server, save it as puk, and verify the result.

<sftp-client> put pu puk

Local file:pu --->  Remote file: /puk

Success

Uploading file successfully ended

<sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 startup.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new

drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub

-rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk

End of file

Success

<sftp-client>

# Terminate the connection with the remote SFTP server.

<sftp-client> quit

Bye

<AC1>

SCP configuration example

This section provides an example of configuring SCP for file transfer with password authentication.

Network requirements

As shown in Figure 15, AC 1 acts as the SCP client, and AC 2 acts as the SCP server. A user can securely transfer files with AC 2 through AC 1. AC 2 uses the password authentication method, and the client's username and password are saved on AC 2.

Figure 15 Network diagram

 

Configuration procedure

1.     Configure the SCP server AC 2:

# Generate RSA key pairs.

<AC2> system-view

[AC2] public-key local create rsa

# Enable the SSH server.

[AC2] ssh server enable

# Configure an IP address for VLAN-interface 2. The client uses this address as the destination address for SCP connection.

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] ip address 192.168.0.1 255.255.255.0

[AC2-Vlan-interface2] quit

# Set the authentication mode of the user interfaces to AAA.

[AC2] user-interface vty 0 4

[AC2-ui-vty0-4] authentication-mode scheme

# Enable the user interfaces to support SSH.

[AC2-ui-vty0-4] protocol inbound ssh

[AC2-ui-vty0-4] quit

# Create a local user named client001 with the password as aabbcc and service type as ssh.

[AC2] local-user client001

[AC2-luser-client001] password simple aabbcc

[AC2-luser-client001] service-type ssh

[AC2-luser-client001] quit

# Create an SSH user client001, and specify the service type as scp and authentication method as password.

[AC2] ssh user client001 service-type scp authentication-type password

2.     Configure an IP address for VLAN-interface 2 on the SCP client AC 1:

<AC1> system-view

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] ip address 192.168.0.2 255.255.255.0

[AC1-Vlan-interface2] quit

[AC1] quit

3.     Connect to the SCP server, download the file remote.bin from the server, and save it locally with the name local.bin.

<AC1> scp 192.168.0.1 get remote.bin local.bin

Username: client001

Trying 192.168.0.1 ...

Press CTRL+K to abort

Connected to 192.168.0.1 ...

 

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

Enter password:

18471 bytes transfered in 0.001 seconds.

 
