10-Security Command Reference

04-SSH commands

SSH commands

SSH server configuration commands

display ssh server

Use display ssh server on an SSH server to display the SSH server status or sessions.

Syntax

display ssh server { session | status }

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

session: Displays the SSH server sessions.

status: Displays the SSH server status.

Examples

# Display the SSH server status.

<Sysname> display ssh server status

 SSH server: Disable

 SSH version : 1.99

 SSH authentication-timeout : 60 second(s)

 SSH server key generating interval : 0 hour(s)

 SSH authentication retries : 3 time(s)

 SFTP server: Disable

 SFTP server Idle-Timeout: 10 minute(s)

Table 1 Command output

Field

Description

SSH server

Whether the SSH server function is enabled.

SSH version

SSH protocol version.

When the server supports SSH1 clients (the default; see ssh server compatible-ssh1x enable), the protocol version is 1.99, the value an SSH server advertises when it accepts both SSH1 and SSH2 clients. Otherwise, the protocol version is 2.

SSH authentication-timeout

Authentication timeout timer.

SSH server key generating interval

SSH server key pair update interval.

SSH authentication retries

Maximum number of authentication attempts for SSH users.

SFTP server

Whether the SFTP server function is enabled.

SFTP server Idle-Timeout

SFTP connection idle timeout timer.

 

# Display the SSH server sessions.

<Sysname> display ssh server session

UserPid   SessID Ver   Encrypt    State          Retries  Serv     Username

 184       0     2.0   aes128-cbc Established    1        Stelnet  abc@123

Table 2 Command output

Field

Description

UserPid

User process ID.

SessID

Session ID.

Ver

Protocol version of the SSH server.

Encrypt

Encryption algorithm used on the SSH server.

State

Session state:

·       Init—Initialization.

·       Ver-exchange—Version negotiation.

·       Keys-exchange—Keys exchange.

·       Auth-request—Authentication request.

·       Serv-request—Session service request.

·       Established—The session is established.

·       Disconnected—The session is disconnected.

Retries

Number of authentication failures.

Serv

Service type, including SCP, SFTP, and Stelnet.

Username

Name of a user for logging in to the server.

 

display ssh user-information

Use display ssh user-information to display information about SSH users on an SSH server.

Syntax

display ssh user-information [ username ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If no SSH user is specified, this command displays information about all SSH users.

Usage guidelines

This command only displays information about SSH users configured through the ssh user command on the SSH server.

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information

 Total ssh users:2

 Username            Authentication-type  User-public-key-name  Service-type

 yemx                password             null                  Stelnet|SFTP

 test                publickey            pubkey                SFTP

Table 3 Command output

Field

Description

Total ssh users

Total number of SSH users.

Authentication-type

Authentication method: password, publickey, password-publickey, or any. For password authentication, the User-public-key-name field displays null.

User-public-key-name

Public key name of the user.

Service-type

Service types, including Stelnet, SFTP, and SCP.

If multiple service types are displayed, the user can use any of those services.

 

Related commands

ssh user
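The status, session, and user tables above are what an operator has to hand when checking a switch against a hardening baseline. The following Python script, added here as an example and not part of the H3C documentation, parses the three outputs offline and reports deviations. The sample outputs are constructed from the examples in this section (the extra session and user rows are made up), and the baseline thresholds and the list of weak ciphers are assumptions, not values from the reference.

```python
"""Offline audit of an H3C SSH server from captured CLI output.

Parses the output of `display ssh server status`, `display ssh server session`
and `display ssh user-information` (formats as shown in this section) and
reports deviations from a simple hardening baseline.
"""

# Constructed sample output, modelled on the examples in this section
# (the extra session and user rows are made up for the demonstration).
STATUS_OUTPUT = """\
 SSH server: Enable
 SSH version : 1.99
 SSH authentication-timeout : 60 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH authentication retries : 3 time(s)
 SFTP server: Enable
 SFTP server Idle-Timeout: 10 minute(s)
"""

SESSION_OUTPUT = """\
UserPid   SessID Ver   Encrypt    State          Retries  Serv     Username
 184       0     2.0   aes128-cbc Established    1        Stelnet  abc@123
 190       1     2.0   des-cbc    Established    0        SFTP     backup
 201       2     1.5   3des-cbc   Auth-request   2        Stelnet  admin
"""

USER_OUTPUT = """\
 Total ssh users:3
 Username            Authentication-type  User-public-key-name  Service-type
 yemx                password             null                  Stelnet|SFTP
 test                publickey            pubkey                SFTP
 ops                 password             null                  Stelnet|SFTP|SCP
"""

# Baseline thresholds (assumed policy values, not taken from the documentation).
MAX_AUTH_RETRIES = 3
MAX_AUTH_TIMEOUT = 60          # seconds
MAX_SFTP_IDLE = 10             # minutes
WEAK_CIPHERS = {"des-cbc"}     # 56-bit DES, the weakest cipher the device offers


def parse_status(text):
    """'Field : value' lines -> {field: value} with surrounding whitespace removed."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            fields[key] = value
    return fields


def number(value):
    """'60 second(s)' -> 60; the unit suffix is discarded."""
    return int(value.split()[0])


def parse_table(text, first_column):
    """Whitespace-aligned table -> list of row dicts keyed by the header cells.
    The header is the first line whose first cell is `first_column`; lines with a
    different cell count (such as 'Total ssh users:3') are skipped."""
    lines = [line.split() for line in text.splitlines() if line.strip()]
    start = next(i for i, cells in enumerate(lines) if cells[0] == first_column)
    header = lines[start]
    return [dict(zip(header, cells)) for cells in lines[start + 1:]
            if len(cells) == len(header)]


def audit(status_text, session_text, user_text):
    """Return a list of human-readable findings; an empty list means the baseline is met."""
    findings = []
    status = parse_status(status_text)

    if status.get("SSH server") != "Enable":
        return ["SSH server is disabled; nothing else to audit"]
    if status.get("SSH version") == "1.99":
        findings.append("SSH1 compatibility enabled (version 1.99); "
                        "run 'undo ssh server compatible-ssh1x'")
    if number(status["SSH authentication retries"]) > MAX_AUTH_RETRIES:
        findings.append(f"authentication retries {status['SSH authentication retries']} "
                        f"exceed baseline {MAX_AUTH_RETRIES}")
    if number(status["SSH authentication-timeout"]) > MAX_AUTH_TIMEOUT:
        findings.append(f"authentication timeout {status['SSH authentication-timeout']} "
                        f"exceeds baseline {MAX_AUTH_TIMEOUT} s")
    if status.get("SFTP server") == "Enable" and \
            number(status["SFTP server Idle-Timeout"]) > MAX_SFTP_IDLE:
        findings.append(f"SFTP idle timeout {status['SFTP server Idle-Timeout']} "
                        f"exceeds baseline {MAX_SFTP_IDLE} min")

    for s in parse_table(session_text, "UserPid"):
        tag = f"session {s['SessID']} ({s['Username']})"
        if s["Ver"].startswith("1."):
            findings.append(f"{tag} negotiated SSH1 (version {s['Ver']})")
        if s["Encrypt"] in WEAK_CIPHERS:
            findings.append(f"{tag} uses weak cipher {s['Encrypt']}")
        if s["State"] != "Established":
            findings.append(f"{tag} is in state {s['State']} "
                            f"with {s['Retries']} failed attempt(s)")

    for u in parse_table(user_text, "Username"):
        if u["Authentication-type"] == "password":
            findings.append(f"user {u['Username']} is password-only for "
                            f"{u['Service-type']}; prefer publickey or password-publickey")
    return findings


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT, USER_OUTPUT):
        print("-", finding)
```

Run against the constructed sample, the script reports six findings: SSH1 compatibility, one session on des-cbc, one SSH1 session that is still in Auth-request after two failures, and two password-only users. Feed it real output captured from a terminal session to check a fleet of switches the same way.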

sftp server enable

Use sftp server enable to enable the SFTP server function.

Use undo sftp server enable to disable the SFTP server function.

Syntax

sftp server enable

undo sftp server enable

Default

The SFTP server function is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable the SFTP server function.

<Sysname> system-view

[Sysname] sftp server enable

Related commands

display ssh server

sftp server idle-timeout

Use sftp server idle-timeout to set the idle timeout timer for SFTP user connections on an SFTP server.

Use undo sftp server idle-timeout to restore the default.

Syntax

sftp server idle-timeout time-out-value

undo sftp server idle-timeout

Default

The idle timeout timer is 10 minutes.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-out-value: Specifies a timeout timer (in minutes), in the range of 1 to 35791.

Usage guidelines

If an SFTP connection stays idle until the idle timeout timer expires, the system automatically terminates the connection. If many SFTP connections are established, set a small value so that idle connections release their resources promptly.

Examples

# Set the idle timeout timer for SFTP user connections to 500 minutes.

<Sysname> system-view

[Sysname] sftp server idle-timeout 500

Related commands

display ssh server

ssh server acl

Use ssh server acl to set an ACL for IPv4 SSH clients.

Use undo ssh server acl to restore the default.

Syntax

ssh server acl acl-number

undo ssh server acl

Default

All IPv4 SSH clients are allowed to initiate connections to the device.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

acl-number: Specifies an ACL by its number, in the range of 2000 to 4999.

Usage guidelines

Use this command to specify an ACL that filters connection requests from IPv4 SSH clients. The filtering process is as follows:

·           If the ACL exists and contains rules, only the IPv4 SSH clients that match a permit rule in the ACL can access the device.

·           If the specified ACL does not exist, or the ACL contains no rules, no filtering takes place and all IPv4 SSH clients can access the device. Because a missing or empty ACL fails open, verify that the ACL number you reference exists and holds the intended permit rules.

The ACL filters only SSH connections initiated after it is configured; existing sessions are not affected.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify an ACL to only permit an IPv4 SSH client 1.1.1.1 to initiate the connection to the device.

<Sysname> system-view

[Sysname] acl number 2001

[Sysname-acl-basic-2001] rule permit source 1.1.1.1 0

[Sysname-acl-basic-2001] quit

[Sysname] ssh server acl 2001

Related commands

display ssh server

ssh server ipv6 acl

Use ssh server ipv6 acl to set an ACL for IPv6 SSH clients.

Use undo ssh server ipv6 acl to restore the default.

Syntax

ssh server ipv6 acl [ ipv6 ] acl-number

undo ssh server ipv6 acl

Default

All IPv6 SSH clients are allowed to initiate connections to the device.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

ipv6: Specifies the ACL as an IPv6 ACL. If this keyword is not specified, a Layer 2 ACL is applied.

acl-number: Specifies an ACL by its number. If the ipv6 keyword is specified, the value of this argument is in the range of 2000 to 3999. If the ipv6 keyword is not specified, the value of this argument is in the range of 4000 to 4999.

Usage guidelines

Use this command to specify an ACL that filters connection requests from IPv6 SSH clients. The filtering process is as follows:

·           If the ACL exists and contains rules, only the IPv6 SSH clients that match a permit rule in the ACL can access the device.

·           If the specified ACL does not exist, or the ACL contains no rules, no filtering takes place and all IPv6 SSH clients can access the device. Because a missing or empty ACL fails open, verify that the ACL number you reference exists and holds the intended permit rules.

The ACL filters only SSH connections initiated after it is configured; existing sessions are not affected.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify an ACL to permit only IPv6 SSH clients in the prefix 1::/64 to initiate connections to the device. (The prefix length 64 in the rule matches every address in 1::/64, not only the host 1::1; to permit the single host 1::1, use prefix length 128.)

<Sysname> system-view

[Sysname] acl ipv6 number 2001

[Sysname-acl6-basic-2001] rule permit source 1::1 64

[Sysname-acl6-basic-2001] quit

[Sysname] ssh server ipv6 acl 2001

Related commands

display ssh server

ssh server authentication-retries

Use ssh server authentication-retries to set the maximum number of authentication attempts for SSH users.

Use undo ssh server authentication-retries to restore the default.

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

Default

The maximum number of authentication attempts for SSH users is 3.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

times: Specifies the maximum number of authentication attempts for SSH users, in the range of 1 to 5.

Usage guidelines

Use this limit to slow down password guessing against SSH usernames and passwords.

This configuration takes effect only for users who log in after it is set.

For the any authentication method, authentication fails when the total number of authentication attempts (publickey and password attempts combined) exceeds the limit set by the ssh server authentication-retries command.

For the password-publickey authentication method, the server first performs publickey authentication and then password authentication. The two together count as one authentication attempt.

Examples

# Set the maximum number of authentication attempts for SSH users to 4.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

Related commands

display ssh server

ssh server authentication-timeout

Use ssh server authentication-timeout to set the SSH user authentication timeout timer on the SSH server.

Use undo ssh server authentication-timeout to restore the default.

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

Default

The authentication timeout timer is 60 seconds.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

time-out-value: Specifies an authentication timeout timer (in seconds), in the range of 1 to 120.

Usage guidelines

If a user has not completed authentication when the timeout timer expires, the server tears down the connection.

A small timeout limits how long an unauthenticated client can hold a TCP connection open, which reduces the server's exposure to clients that open connections and never finish authenticating.

Examples

# Set the SSH user authentication timeout timer to 10 seconds.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

Related commands

display ssh server

ssh server compatible-ssh1x enable

Use ssh server compatible-ssh1x enable to enable the SSH server to support SSH1 clients.

Use undo ssh server compatible-ssh1x to disable the SSH server from supporting SSH1 clients.

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

Default

The SSH server supports SSH1 clients.

Views

System view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Usage guidelines

The configuration takes effect only for clients that log in after the change.

SSH1 is an obsolete protocol version with known cryptographic weaknesses. Unless legacy SSH1 clients must be supported, disable it with undo ssh server compatible-ssh1x; the server then reports SSH version 2 instead of 1.99 in the display ssh server status output.

Examples

# Enable the SSH server to support SSH1 clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable

Related commands

display ssh server

ssh server enable

Use ssh server enable to enable the SSH server function so that SSH clients can connect to the device over SSH.

Use undo ssh server enable to disable the SSH server function.

Syntax

ssh server enable

undo ssh server enable

Default

SSH server function is disabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Examples

# Enable SSH server function.

<Sysname> system-view

[Sysname] ssh server enable

Related commands

display ssh server

ssh server rekey-interval

Use ssh server rekey-interval to set an interval for updating the RSA server key pair.

Use undo ssh server rekey-interval to restore the default.

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

Default

The interval for updating the RSA server key pair is 0, and the system does not update the RSA server key pair.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

hours: Specifies an interval (in hours) for updating the server key pair, in the range of 1 to 24.

Usage guidelines

Regenerating the RSA server key pair periodically limits the time an attacker has to work on any one key and limits the sessions exposed if a key is recovered, which improves the security of the SSH connections.

This command takes effect only for clients that use SSH1 client software; SSH2 sessions are not affected.

Examples

# Set the RSA server key pair update interval to 3 hours.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

Related commands

display ssh server

ssh user

Use ssh user to create an SSH user and specify the service type and authentication method.

Use undo ssh user to delete an SSH user.

Syntax

ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

undo ssh user username

Default

No SSH users exist.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. If the username includes an ISP domain name, use the form pureusername@domain.

service-type: Specifies a service type for an SSH user:

·           all—Specifies Stelnet, SFTP, and SCP.

·           scp—Specifies the service type as SCP.

·           sftp—Specifies the service type as SFTP.

·           stelnet—Specifies the service type of Stelnet.

authentication-type: Specifies an authentication method for an SSH user:

·           password: Specifies password authentication. This method is simple and fast, but it is only as strong as the password and is exposed to guessing attacks. It can work with AAA to implement user authentication, authorization, and accounting.

·           any: Specifies either password authentication or publickey authentication.

·           password-publickey: Specifies both password authentication and publickey authentication (higher security) if the client runs SSH2, and either type of authentication if the client runs SSH1.

·           publickey: Specifies publickey authentication. This method involves more computation than password authentication, but it provides strong authentication that resists brute-force attacks, and it is easy to use: once configured, authentication completes automatically without entering a password.

assign publickey keyname: Assigns an existing host public key to an SSH user. The keyname argument is a string of 1 to 64 characters.

Usage guidelines

To configure an SSH user that uses publickey authentication, you must create a local user that has the same username as the SSH user to assign the working directory and user role.

To configure an SSH user that uses password authentication, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. For password-only SSH users, you do not need to execute this command to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management.

If you use the ssh user command to configure a host public key for a user who has already had a host public key, the new one overwrites the old one.

You can change the authentication method, service type, and host public key for an SSH user when the user is communicating with the SSH server, but your changes only take effect for the clients at next login.

For an SFTP or SCP user, the working directory depends on the authentication method:

·           If only password authentication is used, the working directory is authorized by AAA.

·           If publickey authentication, whether with password authentication or not, is used, the working directory is specified by the authorization-attribute command in the associated local user view.

For an SFTP or Stelnet user, the user role also depends on the authentication method:

·           If only password authentication is used, the user role is authorized by the remote AAA server or the local device.

·           If publickey authentication, whether with password authentication or not, is used, the user role is specified by the authorization-attribute command in the associated local user view.

Examples

# Create an SSH user named user1, set the service type as sftp and the authentication method as publickey, and assign a host public key named key1 to the user.

<Sysname> system-view

[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1

# Create a local device management user named user1, set the password to 123456 in plain text and the service type to ssh, and assign flash: as the working directory and network-admin as the user role.

[Sysname] local-user user1 class manage

[Sysname-luser-manage-user1] password simple 123456

[Sysname-luser-manage-user1] service-type ssh

[Sysname-luser-manage-user1] authorization-attribute work-directory flash: user-role network-admin

Related commands

·           authorization-attribute

·           display ssh user-information

·           local-user

SSH client configuration commands

bye

Use bye to terminate the connection with an SFTP server and return to user view.

Syntax

bye

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This command has the same effect as the exit and quit commands.

Examples

# Terminate the connection with the SFTP server.

sftp> bye

<Sysname>

cd

Use cd to change the working path on an SFTP server.

Syntax

cd [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-path: Specifies the name of a path on the server.

Usage guidelines

You can use the cd .. command to return to the upper-level directory.

You can use the cd / command to return to the root directory of the system.

Examples

# Change the working path to new1.

sftp> cd new1

Current Directory is:/new1

sftp> pwd

Remote working directory: /new1

sftp>

cdup

Use cdup to return to the upper-level directory.

Syntax

cdup

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Examples

# Return to the upper-level directory from the current working directory /test1.

sftp> cd test1

Current Directory is:/test1

sftp> pwd

Remote working directory: /test1

sftp> cdup

Current Directory is:/

sftp> pwd

Remote working directory: /

sftp>

delete

Use delete to delete the specified files from the SFTP server.

Syntax

delete remote-file

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-file: Specifies the files to delete from the server.

Usage guidelines

This command has the same effect as the remove command.

Examples

# Delete the file temp.c from the server.

sftp> delete temp.c

Removing /temp.c

dir

Use dir to display information about the files and sub-directories under a specified directory.

Syntax

dir [ -a | -l ] [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

-a: Displays the names of the files and sub-directories under a specified directory.

-l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list.

remote-path: Specifies the name of the directory to be queried.

Usage guidelines

If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under the specified directory.

If the remote-path argument is not specified, the command displays information about the files and sub-directories under the current working directory.

This command has the same effect as the ls command.

Examples

# Display the names of the files and sub-directories under the current working directory.

sftp> dir -a

config.cfg

pubkey2

pubkey1

pub1

new1

new2

pub2

# Display detailed information about the files and sub-directories under the current working directory in the form of a list.

sftp> dir -l

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

display sftp client source

Use display sftp client source to display the source IP address or source interface configured for the SFTP client.

Syntax

display sftp client source

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the source IP address configured for the SFTP client.

<Sysname> display sftp client source

The source IP address of the SFTP client is 192.168.0.1.

The source IPv6 address of the SFTP client is 2:2::2:2.

Related commands

·           sftp client ipv6 source

·           sftp client source

display ssh client source

Use display ssh client source to display the source IP address or source interface configured for the Stelnet client.

Syntax

display ssh client source

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Examples

# Display the source IP address configured for the Stelnet client.

<Sysname> display ssh client source

The source IP address of the SSH client is 192.168.0.1.

The source IPv6 address of the SSH client is 2:2::2:2.

Related commands

·           ssh client ipv6 source

·           ssh client source

exit

Use exit to terminate the connection with an SFTP server and return to user view.

Syntax

exit

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This command has the same effect as the bye and quit commands.

Examples

# Terminate the connection with the SFTP server.

sftp> exit

<Sysname>

get

Use get to download a file from an SFTP server and save it locally.

Syntax

get remote-file [ local-file ]

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-file: Specifies the name of a file on the SFTP server.

local-file: Specifies the name for the local file.

Usage guidelines

If the local-file argument is not specified, the file will be saved locally with the same name as that on the server.

Examples

# Download the file temp1.c and save it as temp.c locally.

sftp> get temp1.c temp.c

Fetching /temp1.c to temp.c

/temp.c                                                 100% 1424     1.4KB/s   00:00

help

Use help to display help information of an SFTP client command.

Syntax

help

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

Entering help has the same effect as entering a question mark (?).

Examples

# Display help information.

sftp> help

Available commands:

  bye                          Quit sftp

  cd [path]                    Change remote directory to 'path'

  cdup                         Change remote directory to the parent directory

  delete path                  Delete remote file

  dir [-a|-l][path]            Display remote directory listing

       -a                        List all filenames

       -l                        List filename including the specific

                                 information of the file

  exit                         Quit sftp

  get remote-path [local-path] Download file

  help                         Display this help text

  ls [-a|-l][path]             Display remote directory

       -a                         List all filenames

       -l                         List filename including the specific

                                  information of the file

  mkdir path                   Create remote directory

  put local-path [remote-path] Upload file

  pwd                          Display remote working directory

  quit                         Quit sftp

  rename oldpath newpath       Rename remote file

  remove path                  Delete remote file

  rmdir path                   Delete remote empty directory

  ?                            Synonym for help

ls

Use ls to display information about the files and sub-directories under a specified directory.

Syntax

ls [ -a | -l ] [ remote-path ]

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

-a: Displays the names of the files and sub-directories under a specified directory.

-l: Displays detailed information about the files and sub-directories under a specified directory in the form of a list.

remote-path: Specifies the name of the directory to be queried.

Usage guidelines

If the -a and -l keywords are not specified, the command displays the names of the files and sub-directories under the specified directory.

If the remote-path argument is not specified, the command displays information about the files and sub-directories under the current working directory.

This command has the same effect as the dir command.

Examples

# Display the names of the files and sub-directories under the current working directory.

sftp> ls -a

config.cfg

pubkey2

pubkey1

pub1

new1

new2

pub2

# Display detailed information about the files and sub-directories under the current working directory in the form of a list.

sftp> ls -l

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

mkdir

Use mkdir to create a directory on an SFTP server.

Syntax

mkdir remote-path

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-path: Specifies the name for the directory on an SFTP server.

Examples

# Create a directory named test on the SFTP server.

sftp> mkdir test

put

Use put to upload a local file to an SFTP server.

Syntax

put local-file [ remote-file ]

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

local-file: Specifies the name of a local file.

remote-file: Specifies the name of a file on an SFTP server.

Usage guidelines

If the remote-file argument is not specified, the file will be remotely saved with the same name as the local one.

Examples

# Upload the local file startup.bak to the SFTP server and save it as startup01.bak.

sftp> put startup.bak startup01.bak

Uploading startup.bak to /startup01.bak

startup01.bak                                   100% 1424     1.4KB/s   00:00

pwd

Use pwd to display the current working directory of an SFTP server.

Syntax

pwd

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Examples

# Display the current working directory of the SFTP server.

sftp> pwd

Remote working directory: /

The output shows that the current working directory is the root directory.

quit

Use quit to terminate the connection with an SFTP server and return to user view.

Syntax

quit

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

This command has the same effect as the bye and exit commands.

Examples

# Terminate the connection with the SFTP server.

sftp> quit

<Sysname>

remove

Use remove to delete the specified files from an SFTP server.

Syntax

remove remote-file

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-file: Specifies the files to delete from an SFTP server.

Usage guidelines

This command has the same effect as the delete command.

Examples

# Delete the file temp.c from the SFTP server.

sftp> remove temp.c

Removing /temp.c

rename

Use rename to change the name of a specified file or directory on an SFTP server.

Syntax

rename old-name new-name

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

old-name: Specifies the name of an existing file or directory.

new-name: Specifies the new name for the file or directory.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.

sftp> dir

aa.pub  temp1.c

sftp> rename temp1.c temp2.c

sftp> dir

aa.pub  temp2.c

rmdir

Use rmdir to delete the specified directories from an SFTP server.

Syntax

rmdir remote-path

Views

SFTP client view

Predefined user roles

network-admin

mdc-admin

Parameters

remote-path: Specifies the directories to delete from an SFTP server.

Examples

# Delete the sub-directory temp1 under the current directory on the SFTP server.

sftp> rmdir temp1

scp

Use scp to transfer files with an SCP server.

Syntax

scp server [ port-number ] [ vpn-instance vpn-instance-name ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies an IPv4 server by its address or host name, a case-insensitive string of 1 to 20 characters.

port-number: Specifies the port number of the server, in the range of 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

get: Downloads the file.

put: Uploads the file.

source-file-name: Specifies the path and name of the source file.

destination-file-name: Specifies the path and name of the destination file. If this argument is not specified, the destination file has the same path and name as the source file.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm dsa.

·           rsa: Specifies the public key algorithm rsa.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm, defaulting to aes128.

Algorithms des, 3des, and aes128 are listed in ascending order of both security strength and computation time. des uses a 56-bit key and offers no meaningful protection against a well-resourced attacker; choose aes128 unless the peer supports nothing stronger.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm, defaulting to sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulting to dh-group-exchange.

Algorithm dh-group14 (a 2048-bit group) provides stronger security but takes more computation time than dh-group1 (a 1024-bit group).

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm, defaulting to aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm, defaulting to sha1.

publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IP address or source interface for connecting to the server. By default, the device automatically selects a source IP address based on the routing entry. To avoid communication failures between the client and the server caused by interface faults, use the specified loopback interface as the source interface, and the IP address of that interface as the source IP address.

interface interface-type interface-number: Specifies a source interface. The interface-type interface-number argument specifies a source interface by its type and number. The IPv4 address of this interface is the source IP address to send packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

When the client's authentication method is publickey, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.

Examples

# Connect an SCP client to the SCP server 200.1.1.1, specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> scp 200.1.1.1 get abc.txt prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey

scp ipv6

Use scp ipv6 to transfer files with an IPv6 SCP server.

Syntax

scp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies an IPv6 server by its address or host name, a case-insensitive string of 1 to 46 characters.

port-number: Specifies the port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies the outgoing interface used by the client to connect to the server. The interface-type interface-number argument specifies the outgoing interface by its type and number. This option is used only when the server uses a link-local address, and the specified outgoing interface on the client must also have a link-local address.

get: Downloads the file.

put: Uploads the file.

source-file-path: Specifies the directory of the source file.

destination-file-path: Specifies the directory of the target file. If this argument is not specified, the directory names of the source and target files are the same.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm dsa.

·           rsa: Specifies the public key algorithm rsa.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm, defaulting to aes128.

Algorithms des, 3des, and aes128 are listed in ascending order of both security strength and calculation time.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm, defaulting to sha1. Algorithm sha1 provides stronger security than md5 but takes more time to calculate.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulting to dh-group-exchange.

Algorithm dh-group14 provides stronger security than dh-group1 but takes more time to calculate.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm, defaulting to aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm, defaulting to sha1.

publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IPv6 address or source interface for connecting to the server. By default, the device automatically selects a source IPv6 address based on the routing entry. To avoid communication failures between the client and the server caused by interface faults, use the specified loopback interface as the source interface, and the IPv6 address of that interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface. The interface-type interface-number argument specifies a source interface by its type and number. The IPv6 address of this interface is the source IPv6 address to send packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

When the client's authentication method is publickey, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify an algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.

Examples

# Connect an SCP client to the SCP server 2000::1, specify the public key of the server as svkey, and download the file abc.txt from the server. The SCP client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> scp ipv6 2000::1 get abc.txt prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey

sftp

Use sftp to establish a connection to an IPv4 SFTP server and enter SFTP client view.

Syntax

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.

port-number: Specifies a port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm DSA.

·           rsa: Specifies the public key algorithm RSA.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, and aes128 are listed in ascending order of both security strength and calculation time.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 provides stronger security than md5 but takes more time to calculate.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. Algorithm dh-group14 provides stronger security than dh-group1 but takes more time to calculate.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.

publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IP address or source interface for connecting to the server. By default, the client looks up the outbound interface in the routing table and uses the primary IP address of that interface as the source IP address. To avoid communication failures between the client and the server caused by interface faults, use the specified loopback interface as the source interface, and the IP address of that interface as the source IP address.

interface interface-type interface-number: Specifies a source interface. The interface-type interface-number argument specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address to send packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

When the server uses publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.

Examples

# Connect an SFTP client to the IPv4 SFTP server (10.1.1.2) and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey

sftp client ipv6 source

Use sftp client ipv6 source to specify the source IPv6 address or source interface for the SFTP client.

Use undo sftp client ipv6 source to remove the configuration.

Syntax

sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo sftp client ipv6 source

Default

The SFTP client uses the IPv6 address of the interface specified by the route of the device to access the SFTP server.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. Of this interface's IPv6 addresses, the one that matches the destination address of the outbound packets by the longest-match criterion is used as the source IPv6 address.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

The SFTP client uses the specified source IPv6 address to communicate with the server.

If you execute the sftp client ipv6 source command multiple times, the most recent configuration takes effect.

If you use the sftp ipv6 command to connect to an SFTP server and specify another source IPv6 address, the SFTP client uses the new source IPv6 address for the current connection instead of that specified by the sftp client ipv6 source command.

The source address specified by the sftp client ipv6 source command applies to all SFTP connections, but the source address specified by the sftp ipv6 command applies only to the current connection.

Examples

# Specify the source IPv6 address for the SFTP client as 2:2::2:2.

<Sysname> system-view

[Sysname] sftp client ipv6 source ipv6 2:2::2:2

Related commands

display sftp client source

sftp client source

Use sftp client source to specify the source IPv4 address or source interface for the SFTP client.

Use undo sftp client source to remove the configuration.

Syntax

sftp client source { interface interface-type interface-number | ip ip-address }

undo sftp client source

Default

The SFTP client uses the IPv4 address of the interface specified by the route of the device to access the SFTP server.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

The SFTP client uses the specified source interface and source IP address to communicate with the server.

If you execute the sftp client source command multiple times, the most recent configuration takes effect.

If you use the sftp command to connect to an SFTP server and specify another source IP address, the SFTP client uses the new source IP address for the current connection instead of that specified by the sftp client source command.

The source address specified by the sftp client source command applies to all SFTP connections, but the source address specified by the sftp command applies only to the current connection.

Examples

# Specify the source IP address for the SFTP client as 192.168.0.1.

<Sysname> system-view

[Sysname] sftp client source ip 192.168.0.1

Related commands

display sftp client source

sftp ipv6

Use sftp ipv6 to connect an SFTP client to an IPv6 SFTP server and enter SFTP client view.

Syntax

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address} ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.

port-number: Specifies a port number of the server, in the range of 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where the vpn-instance-name argument is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies the outgoing interface used by the client to connect to the server. The interface-type interface-number argument specifies the outgoing interface by its type and number. This option is used only when the server uses a link-local address, and the specified outgoing interface on the client must also have a link-local address.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm DSA.

·           rsa: Specifies the public key algorithm RSA.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, and aes128 are listed in ascending order of both security strength and calculation time.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 provides stronger security than md5 but takes more time to calculate.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. Algorithm dh-group14 provides stronger security than dh-group1 but takes more time to calculate.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.

publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IPv6 address or source interface for connecting to the server. By default, the device automatically selects the source IPv6 address from the routing table. To avoid communication failures between the client and the server caused by interface faults, use the specified loopback interface as the source interface, and the IPv6 address of that interface as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface. The interface-type interface-number argument specifies a source interface by its type and number. The IPv6 address of this interface is the source IP address to send packets.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

When the server uses publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.

Examples

# Connect an SFTP client to the IPv6 SFTP server (2:5::8:9) and specify the public key of the server as svkey. The SFTP client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey

Username:

ssh client ipv6 source

Use ssh client ipv6 source to specify the source IPv6 address or source interface for the Stelnet client.

Use undo ssh client ipv6 source to remove the configuration.

Syntax

ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo ssh client ipv6 source

Default

The Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number. Of this interface's IPv6 addresses, the one that matches the destination address of the outbound packets by the longest-match criterion is used as the source IPv6 address.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

The Stelnet client uses the specified source address to communicate with the server.

If you execute the ssh client ipv6 source command multiple times, the most recent configuration takes effect.

If you use the ssh2 ipv6 command to connect to a Stelnet server and specify another source IPv6 address, the Stelnet client uses the new source IPv6 address for the current connection instead of that specified by the ssh client ipv6 source command.

The source address specified by the ssh client ipv6 source command applies to all Stelnet connections, and the source address specified by the ssh2 ipv6 command applies only to the current connection.

Examples

# Specify the source IPv6 address as 2:2::2:2 for the Stelnet client.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

Related commands

display ssh client source

ssh client source

Use ssh client source to specify the source IPv4 address or source interface for the Stelnet client.

Use undo ssh client source to remove the configuration.

Syntax

ssh client source { interface interface-type interface-number | ip ip-address }

undo ssh client source

Default

The Stelnet client uses the IPv4 address of the interface specified by the route of the device to access the Stelnet server.

Views

System view

Predefined user roles

network-admin

mdc-admin

Parameters

interface interface-type interface-number: Specifies the primary IP address of the interface as the source address. The interface-type interface-number argument specifies a source interface by its type and number.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

The Stelnet client uses the specified source address to communicate with the server.

If you execute the ssh client source command multiple times, the most recent configuration takes effect.

If you use the ssh2 command to connect to a Stelnet server and specify another source IP address, the Stelnet client uses the new source IP address for the current connection instead of that specified by the ssh client source command.

The source address specified by the ssh client source command applies to all Stelnet connections, but the source address specified by the ssh2 command applies only to the current Stelnet connection.

Examples

# Specify the source IPv4 address for the Stelnet client as 192.168.0.1.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

Related commands

display ssh client source

ssh2

Use ssh2 to establish a connection to an IPv4 Stelnet server.

Syntax

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] * [ publickey keyname | source { interface interface-type interface-number | ip ip-address } ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies a server by its IPv4 address or host name, a case-insensitive string of 1 to 20 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm DSA.

·           rsa: Specifies the public key algorithm RSA.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. Algorithms des, 3des, and aes128 are listed in ascending order of both security strength and calculation time.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 provides stronger security than md5 but takes more time to calculate.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. Algorithm dh-group14 provides stronger security than dh-group1 but takes more time to calculate.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.

publickey keyname: Specifies the host public key of the server, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IP address or source interface for connecting to the server. By default, the client looks up the outbound interface in the routing table and uses the primary IP address of that interface as the source IP address. To avoid communication failures between the client and the server caused by interface faults, use the specified loopback interface as the source interface, and the IP address of that interface as the source IP address.

interface interface-type interface-number: Specifies a source interface by its type and number. The primary IPv4 address of this interface is the source IP address to send packets.

ip ip-address: Specifies a source IPv4 address.

Usage guidelines

When the server uses publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication uses either the RSA or the DSA algorithm, you must specify a public key algorithm (by using the identity-key keyword) in order to get the correct data for the local private key.

Examples

# Establish a connection to the IPv4 Stelnet server (3.3.3.3) and specify the public key of the server as svkey. The Stelnet client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> ssh2 3.3.3.3 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey
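The scp, sftp and ssh2 client commands above share one set of algorithm keywords and documented defaults, and the reference's own examples select dh-group1 and md5 for some of them. The following Python is an added example, not code from the H3C reference or from the device: a parser for the documented client command syntax (IPv4 and ipv6 forms, including vpn-instance, -i, put/get, publickey and source) that rejects values outside the stated ranges, and an audit that lists the choices weaker than the documented defaults, using only the strength ordering the reference gives. The function names and every sample command line are constructed for this example.

```python
"""Parse and audit H3C-style scp / sftp / ssh2 client command lines (an added
example, not code from the H3C reference). Value ranges and the strength order
des < 3des < aes128, md5 < sha1, dh-group1 < dh-group14 are as the reference states."""

# Allowed values per keyword, from the command syntax in the reference.
OPTION_VALUES = {
    "identity-key": {"dsa", "rsa"},
    "prefer-compress": {"zlib"},
    "prefer-ctos-cipher": {"3des", "aes128", "des"},
    "prefer-stoc-cipher": {"3des", "aes128", "des"},
    "prefer-ctos-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-stoc-hmac": {"md5", "md5-96", "sha1", "sha1-96"},
    "prefer-kex": {"dh-group-exchange", "dh-group1", "dh-group14"},
}
# Defaults the reference states for each negotiable algorithm.
DEFAULTS = {"prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
            "prefer-ctos-hmac": "sha1", "prefer-stoc-hmac": "sha1",
            "prefer-kex": "dh-group-exchange"}
CIPHER_RANK = {"des": 0, "3des": 1, "aes128": 2}   # ascending, as the reference lists them


def _need(tok, what):
    """Pop the next token or fail naming what was expected."""
    if not tok:
        raise ValueError("missing " + what)
    return tok.pop(0)


def _interface(tok):  # interface-type interface-number is two tokens, e.g. 'loopback 0'
    return _need(tok, "interface-type") + " " + _need(tok, "interface-number")


def parse_client_command(line):
    """Describe one command line as a dict; raise ValueError for syntax the reference does not allow."""
    tok = line.split()
    if not tok or tok[0] not in ("scp", "sftp", "ssh2"):
        raise ValueError("expected scp, sftp or ssh2")
    cmd = dict.fromkeys(("port", "vpn_instance", "out_interface", "operation",
                         "source_file", "destination_file", "publickey", "source"))
    cmd.update(command=tok.pop(0), ipv6=False, options={})
    if tok and tok[0] == "ipv6":
        cmd["ipv6"] = tok.pop(0) == "ipv6"
    cmd["server"] = _need(tok, "server address or host name")
    if tok and tok[0].isdigit():                           # optional port-number
        cmd["port"] = int(tok.pop(0))
        if not 1 <= cmd["port"] <= 65535:
            raise ValueError("port-number must be 1 to 65535")
    if tok and tok[0] == "vpn-instance":
        tok.pop(0)
        cmd["vpn_instance"] = _need(tok, "vpn-instance-name")
    if tok and tok[0] == "-i" and cmd["ipv6"]:             # link-local outgoing interface, ipv6 form only
        tok.pop(0)
        cmd["out_interface"] = _interface(tok)
    if cmd["command"] == "scp":                            # scp also names the transfer
        cmd["operation"] = _need(tok, "put or get")
        if cmd["operation"] not in ("put", "get"):
            raise ValueError("scp requires put or get")
        cmd["source_file"] = _need(tok, "source-file-name")
        if tok and tok[0] not in OPTION_VALUES and tok[0] not in ("publickey", "source"):
            cmd["destination_file"] = tok.pop(0)
    while tok:                                             # remaining keyword/value pairs
        key = tok.pop(0)
        if key in OPTION_VALUES:
            val = _need(tok, key + " value")
            if val not in OPTION_VALUES[key] or key in cmd["options"]:
                raise ValueError("bad or repeated %s %s" % (key, val))
            cmd["options"][key] = val
        elif key == "publickey":
            cmd["publickey"] = _need(tok, "keyname")
            if not 1 <= len(cmd["publickey"]) <= 64:
                raise ValueError("keyname must be 1 to 64 characters")
        elif key == "source":
            kind = _need(tok, "interface, ip or ipv6")
            if kind not in ("interface", "ip", "ipv6"):
                raise ValueError("source must be interface, ip or ipv6")
            cmd["source"] = (kind, _interface(tok) if kind == "interface" else _need(tok, kind + "-address"))
        else:
            raise ValueError("unknown keyword %r" % key)   # also rejects -i in the IPv4 forms
    return cmd


def audit_client_command(line):
    """Findings for one command line: weaker-than-default algorithms and authentication left to defaults."""
    cmd = parse_client_command(line)
    chosen = {**DEFAULTS, **cmd["options"]}
    findings = []
    for key in ("prefer-ctos-cipher", "prefer-stoc-cipher"):
        if CIPHER_RANK[chosen[key]] < CIPHER_RANK["aes128"]:
            findings.append("%s %s is weaker than the aes128 default" % (key, chosen[key]))
    for key in ("prefer-ctos-hmac", "prefer-stoc-hmac"):
        if chosen[key].startswith("md5"):
            findings.append("%s %s: md5 is weaker than the sha1 default" % (key, chosen[key]))
    if chosen["prefer-kex"] == "dh-group1":
        findings.append("prefer-kex dh-group1 is weaker than dh-group14")
    if cmd["publickey"] is None:
        findings.append("no publickey keyname: server authentication does not use a stored host key")
    if "identity-key" not in cmd["options"]:
        findings.append("no identity-key: the dsa default must match the key the server expects")
    return findings
```

Run audit_client_command over stored command lines before they go into a script or a scheduled job: an empty findings list means every negotiable algorithm is at or above the documented default, a stored host key is named for server authentication, and identity-key is explicit. The scp example from the reference (dh-group1, md5 and no identity-key) returns three findings; the same line with prefer-kex dh-group14, prefer-ctos-hmac sha1 and identity-key rsa returns none.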

ssh2 ipv6

Use ssh2 ipv6 to establish a connection to an IPv6 Stelnet server.

Syntax

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ -i interface-type interface-number ] [ identity-key { dsa | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 }] * [ publickey keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Views

User view

Predefined user roles

network-admin

mdc-admin

Parameters

server: Specifies a server by its IPv6 address or host name, a case-insensitive string of 1 to 46 characters.

port-number: Specifies the port number of the server, in the range 1 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters.

-i interface-type interface-number: Specifies the outgoing interface used by the client to connect to the server. The interface-type interface-number argument specifies the outgoing interface by its type and number. This option is used only when the server uses a link-local address, and the specified outgoing interface on the client must also have a link-local address.

identity-key: Specifies the public key algorithm for the client, either dsa or rsa. The default is dsa. If the server uses publickey authentication, this keyword must be specified.

·           dsa: Specifies the public key algorithm DSA.

·           rsa: Specifies the public key algorithm RSA.

prefer-compress: Specifies the preferred compression algorithm between the server and the client. By default, compression is not supported.

zlib: Specifies the compression algorithm zlib.

prefer-ctos-cipher: Specifies the preferred client-to-server encryption algorithm. The default is aes128. In order of increasing security strength and calculation time, the algorithms are des, 3des, and aes128. Note that des-cbc uses a 56-bit key and offers no meaningful protection against a well-resourced attacker; prefer aes128 unless the peer cannot negotiate it.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred client-to-server HMAC algorithm. The default is sha1. Algorithm sha1 features stronger security but costs more time in calculation than md5.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm. The default is dh-group-exchange. Algorithm dh-group14 (a 2048-bit MODP group) features stronger security but costs more time in calculation than dh-group1 (a 1024-bit MODP group).

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is aes128.

prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is sha1.

publickey keyname: Specifies the server by its host public key, which is used to authenticate the server. The keyname argument is a case-insensitive string of 1 to 64 characters.

source: Specifies a source IPv6 address or source interface for the connection to the server. By default, the device selects the source IPv6 address from the routing table. To prevent the session from failing when a physical interface goes down, use a loopback interface as the source interface, or use the loopback interface's IPv6 address as the source IPv6 address.

interface interface-type interface-number: Specifies a source interface by its type and number. The IPv6 address of this interface is used as the source address of the packets sent to the server.

ipv6 ipv6-address: Specifies a source IPv6 address.

Usage guidelines

When the server uses publickey authentication to authenticate the client, the client must sign the authentication request with its local private key. Because publickey authentication uses either the RSA or the DSA algorithm, specify the algorithm with the identity-key keyword so that the client selects the matching local key pair for the signature.

Examples

# Establish a connection to the IPv6 Stelnet server (2000::1) and specify the public key of the server as svkey. The SSH client uses publickey authentication. Use the following algorithms:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred server-to-client encryption algorithm is aes128.

·           The preferred client-to-server HMAC algorithm is md5.

·           The preferred server-to-client HMAC algorithm is sha1-96.

·           The preferred compression algorithm between the server and client is zlib.

<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96 prefer-compress zlib publickey svkey
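The command syntax above carries several constraints that are easy to get wrong when the command is generated from an inventory or a runbook (a link-local server address requires -i, source takes either interface or ipv6 but not both, the prefer-* keywords accept only the algorithms listed). The following script, an added example that is not H3C code and runs on an operator's workstation rather than on the switch, builds the command line from structured input while enforcing those constraints, and then lints the result for weak algorithm preferences. The keyword-to-algorithm tables are the ones this reference lists; the weakness ratings in WEAK are this editor's own assessment and not a statement made by the reference, and the server_uses_publickey_auth flag is an assumption that the caller knows how the server authenticates clients, since the command line itself does not carry that information.

```python
"""Build and lint an H3C `ssh2 ipv6` command line.

Added example; this is not H3C code and does not run on the switch. The
keyword-to-algorithm tables are the ones the command reference lists; the
weakness ratings in WEAK are this editor's own assessment (assumption).
"""
import ipaddress

CIPHERS = {"3des": "3des-cbc", "aes128": "aes128-cbc", "des": "des-cbc"}
HMACS = {"md5": "hmac-md5", "md5-96": "hmac-md5-96",
         "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96"}
KEX = {"dh-group-exchange": "diffie-hellman-group-exchange-sha1",
       "dh-group1": "diffie-hellman-group1-sha1",
       "dh-group14": "diffie-hellman-group14-sha1"}
PREF_TABLES = {"prefer-ctos-cipher": CIPHERS, "prefer-stoc-cipher": CIPHERS,
               "prefer-ctos-hmac": HMACS, "prefer-stoc-hmac": HMACS,
               "prefer-kex": KEX}

# Assumption: reviewer's ratings, not statements made by the reference.
WEAK = {
    "des": "des-cbc: 56-bit key, brute-forceable",
    "3des": "3des-cbc: 64-bit block, birthday bound reachable on long sessions",
    "md5": "hmac-md5: deprecated hash",
    "md5-96": "hmac-md5-96: deprecated hash, tag truncated to 96 bits",
    "sha1-96": "hmac-sha1-96: tag truncated to 96 bits",
    "dh-group1": "diffie-hellman-group1-sha1: 1024-bit MODP group",
}


def build_ssh2_ipv6(server, port=None, vpn_instance=None, out_if=None,
                    identity_key=None, prefs=None, compress=False,
                    publickey=None, source_if=None, source_ip=None,
                    server_uses_publickey_auth=False):
    """Return the command string, enforcing the constraints the reference states.

    server_uses_publickey_auth is caller knowledge (assumption); when set,
    identity-key becomes mandatory, as the usage guidelines require.
    """
    parts = ["ssh2", "ipv6", server]
    try:
        addr = ipaddress.IPv6Address(server)
    except ValueError:
        addr = None  # host name: cannot tell whether it is link-local
    if addr is not None and addr.is_link_local and out_if is None:
        raise ValueError("link-local server address requires -i <interface>")
    if server_uses_publickey_auth and identity_key is None:
        raise ValueError("publickey authentication requires identity-key")
    if port is not None:
        if not 1 <= port <= 65535:
            raise ValueError("port-number must be 1..65535")
        parts.append(str(port))
    if vpn_instance is not None:
        if not 1 <= len(vpn_instance) <= 31:
            raise ValueError("vpn-instance-name must be 1..31 characters")
        parts += ["vpn-instance", vpn_instance]
    if out_if is not None:
        parts += ["-i", out_if]
    if identity_key is not None:
        if identity_key not in ("dsa", "rsa"):
            raise ValueError("identity-key must be dsa or rsa")
        parts += ["identity-key", identity_key]
    for keyword, value in (prefs or {}).items():
        table = PREF_TABLES.get(keyword)
        if table is None or value not in table:
            raise ValueError(f"unsupported option: {keyword} {value}")
        parts += [keyword, value]
    if compress:
        parts += ["prefer-compress", "zlib"]
    if publickey is not None:
        if not 1 <= len(publickey) <= 64:
            raise ValueError("keyname must be 1..64 characters")
        parts += ["publickey", publickey]
    if source_if is not None and source_ip is not None:
        raise ValueError("source takes either interface or ipv6, not both")
    if source_if is not None:
        parts += ["source", "interface", source_if]
    elif source_ip is not None:
        ipaddress.IPv6Address(source_ip)  # raises on a malformed address
        parts += ["source", "ipv6", source_ip]
    return " ".join(parts)


def weak_choices(cmd):
    """Return (keyword, value, reason) for each weak prefer-* choice in cmd."""
    tokens = cmd.split()
    return [(tok, tokens[i + 1], WEAK[tokens[i + 1]])
            for i, tok in enumerate(tokens[:-1])
            if tok in PREF_TABLES and tokens[i + 1] in WEAK]


if __name__ == "__main__":
    # Reproduce the reference's own example, then lint it.
    cmd = build_ssh2_ipv6("2000::1", publickey="svkey", compress=True,
                          prefs={"prefer-kex": "dh-group1",
                                 "prefer-stoc-cipher": "aes128",
                                 "prefer-ctos-hmac": "md5",
                                 "prefer-stoc-hmac": "sha1-96"})
    print(cmd)
    for keyword, value, reason in weak_choices(cmd):
        print(f"warning: {keyword} {value} -> {reason}")
```

Run against the example command above, the linter flags prefer-kex dh-group1, prefer-ctos-hmac md5 and prefer-stoc-hmac sha1-96; the aes128 cipher and the default dh-group-exchange and sha1 choices pass. The builder deliberately leaves the publickey keyname unrelated to identity-key: publickey keyname names the server's host key used to authenticate the server, while identity-key selects the client's own key pair, and the two are independent choices.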
