H3C S6116 Ultra-Low Latency Switch Series Configuration Guide-Release 671x-6W100

18-SSH configuration

Contents

Configuring SSH
  About SSH
    SSH applications
    How SSH works
    SSH authentication methods
  Configuring the device as an SSH server
    SSH server tasks at a glance
    Generating local key pairs
    Specifying the SSH service port
    Enabling the Stelnet server
    Enabling the SFTP server
    Enabling the SCP server
    Configuring the user lines for SSH login
    Configuring a client's host public key
    Configuring an SSH user
    Configuring the SSH management parameters
    Disconnecting SSH sessions
  Configuring the device as an Stelnet client
    Stelnet client tasks at a glance
    Generating local key pairs
    Specifying the source IP address for outgoing SSH packets
    Establishing a connection to an Stelnet server
    Deleting server public keys saved in the public key file on the Stelnet client
  Configuring the device as an SFTP client
    SFTP client tasks at a glance
    Generating local key pairs
    Specifying the source IP address for outgoing SFTP packets
    Establishing a connection to an SFTP server
    Deleting server public keys saved in the public key file on the SFTP client
    Working with SFTP directories
    Working with SFTP files
    Displaying help information
    Terminating the connection with the SFTP server
  Configuring the device as an SCP client
    SCP client tasks at a glance
    Generating local key pairs
    Specifying the source IP address for outgoing SCP packets
    Establishing a connection to an SCP server
    Deleting server public keys saved in the public key file on the SCP client
  Specifying algorithms for SSH2
    About algorithms for SSH2
    Specifying key exchange algorithms for SSH2
    Specifying public key algorithms for SSH2
    Specifying encryption algorithms for SSH2
    Specifying MAC algorithms for SSH2
  Display and maintenance commands for SSH


Configuring SSH

About SSH

Secure Shell (SSH) is a network security protocol. Using encryption and authentication, SSH can implement secure remote access and file transfer over an insecure network.

SSH uses the typical client-server model to establish a channel for secure data transfer based on TCP.

SSH includes two incompatible versions: SSH1.x and SSH2.0 (hereinafter referred to as SSH1 and SSH2). SSH2 offers better performance and security than SSH1.

SSH applications

The device supports the following SSH applications:

·     Secure Telnet—Stelnet provides secure and reliable network terminal access services. Through Stelnet, a user can securely log in to a remote server. Stelnet can protect devices against attacks, such as IP spoofing and plain text password interception. The device can act as an Stelnet server or an Stelnet client.

·     Secure File Transfer Protocol—Based on SSH2, SFTP uses SSH connections to provide secure file transfer. The device can act as an SFTP server, allowing a remote user to log in to the SFTP server for secure file management and transfer. The device can also act as an SFTP client, enabling a user to log in from the device to a remote device for secure file transfer.

·     Secure Copy—Based on SSH2, SCP offers a secure method to copy files. The device can act as an SCP server, allowing a user to log in to the device for file upload and download. The device can also act as an SCP client, enabling a user to log in from the device to a remote device for secure file transfer.

When acting as an SSH server or client, the device supports the following SSH versions:

·     When acting as an Stelnet, SFTP, or SCP server, the device supports both SSH2 and SSH1.

·     When acting as an SSH client, the device supports only SSH2.

How SSH works

This section uses SSH2 as an example to describe the stages to establish an SSH session.

Table 1 Stages to establish an SSH session (each stage name is followed by its description)

Connection establishment

The SSH server listens to connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.

Version negotiation

The two parties determine a version to use.

Algorithm negotiation

SSH supports multiple algorithms. Based on the local algorithms, the two parties negotiate the following algorithms:

·     Key exchange algorithm for generating session keys.

·     Encryption algorithm for encrypting data.

·     Public key algorithm for the digital signature and authentication.

·     HMAC algorithm for protecting data integrity.

Key exchange

The two parties use the DH exchange algorithm to dynamically generate the session keys and session ID.

·     The session keys are used for protecting data transfer.

·     The session ID is used for identifying the SSH connection.

In this stage, the client also authenticates the server.

Authentication

The SSH server authenticates the client in response to the client's authentication request.

Session request

After passing the authentication, the client sends a session request to the server to request the establishment of a session (or request the Stelnet, SFTP, or SCP service).

Interaction

After the server grants the request, the client and the server start to communicate with each other in the session.

In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. As a best practice to ensure the correct execution of commands, paste commands that are in the same view.

To execute commands of more than 2000 bytes, save the commands in a configuration file, upload the file to the server through SFTP, and use it to restart the server.

SSH authentication methods

This section describes authentication methods that are supported by the device when it acts as an SSH server.

Password authentication

The SSH server authenticates a client through the AAA mechanism. The password authentication process is as follows:

1.     The client sends the server an authentication request that includes the encrypted username and password.

2.     The server performs the following operations:

a.     Decrypts the request to get the username and password in plain text.

b.     Verifies the username and password locally.

c.     Informs the client of the authentication result.

If the AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. When the user enters the password, the AAA server examines the password validity. If the password is valid, the SSH server returns an authentication success message to the client.

SSH1 clients do not support secondary password authentication initiated by the AAA server.

For more information about AAA, see "Configuring AAA."

Keyboard-interactive authentication

In keyboard-interactive authentication, the authentication server and the user exchange information for authentication as follows:

1.     The authentication server sends a prompt to the SSH server in an authentication response.

The prompt indicates the information required to be provided by the user.

2.     The SSH server transparently transmits the prompt to the client terminal.

3.     The user enters the required information as prompted.

This process repeats multiple times if the authentication server requires more interactive information. The authentication server returns an authentication success message after the user provides all required interactive information.

If the authentication server does not require interactive information, the keyboard-interactive authentication process is the same as the password authentication.

Publickey authentication

The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:

1.     The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.

2.     The server verifies the client's public key.

◦     If the public key is invalid, the server informs the client of the authentication failure.

◦     If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature and informs the client of the authentication result.

When acting as an SSH server, the device supports using the public key algorithms DSA, ECDSA, and RSA to verify digital signatures.

When acting as an SSH client, the device supports using the public key algorithms DSA, ECDSA, and RSA to generate digital signatures.

For more information about public key configuration, see "Managing public keys."

Password-publickey authentication

The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication.

Any authentication

The server requires clients to pass keyboard-interactive authentication, password authentication, or publickey authentication. Success with any one authentication method is sufficient to connect to the server.

Configuring the device as an SSH server

SSH server tasks at a glance

To configure an SSH server, perform the following tasks:

1.     Generating local key pairs

2.     (Optional.) Specifying the SSH service port

3.     Enabling the SSH server

◦     Enabling the Stelnet server

◦     Enabling the SFTP server

◦     Enabling the SCP server

4.     Configuring the user lines for SSH login

Required only for Stelnet servers.

5.     Configuring a client's host public key

Required for authentication method publickey, password-publickey, or any.

6.     Configuring an SSH user

◦     Required for authentication method keyboard-interactive, publickey, password-publickey, or any.

◦     Optional for the password authentication method.

7.     (Optional.) Configuring the SSH management parameters

SSH management settings, such as authentication and connection control settings, help improve security of SSH connections.

8.     (Optional.) Disconnecting SSH sessions

Generating local key pairs

About this task

The DSA, ECDSA, or RSA key pairs on the SSH server are required for generating the session keys and session ID in the key exchange stage. They can also be used by a client to authenticate the server. When a client authenticates the server, it compares the public key received from the server with the server's public key that the client saved locally. If the keys are consistent, the client uses the locally saved server's public key to decrypt the digital signature received from the server. If the decryption succeeds, the server passes the authentication.

To support SSH clients that use different types of key pairs, generate DSA, ECDSA, and RSA key pairs on the SSH server.

·     RSA key pairs—The SSH server generates a server key pair and a host key pair for RSA. The RSA server key pair is used only in SSH1, to encrypt the session key for secure transmission. It is not used in SSH2, because SSH2 does not transmit the session key.

·     DSA key pair—The SSH server generates only one DSA host key pair. SSH1 does not support the DSA algorithm.

·     ECDSA key pair—The SSH server generates only one ECDSA host key pair.

Restrictions and guidelines

Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.

If the device does not have RSA key pairs with default names, it automatically generates one RSA server key pair and one RSA host key pair when SSH starts. Both key pairs use their default names. The SSH application starts when you execute an SSH server command on the device.

The key modulus length must be less than 2048 bits when you generate the DSA key pair on the SSH server.

When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1 ECDSA key pair.

Procedure

1.     Enter system view.

system-view

2.     Generate local key pairs.

public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }

Specifying the SSH service port

About this task

The default port of the SSH service is 22. You can specify another port for the SSH service to improve security of SSH connections.

Restrictions and guidelines

If you modify the SSH port number when the SSH server is enabled, the SSH service is restarted and all SSH connections are terminated after the modification. SSH users must reconnect to the SSH server to access the server.

If you set the SSH port to a well-known port number, the service that uses the well-known port number might fail to start. Well-known port numbers are in the range of 1 to 1024.

Procedure

1.     Enter system view.

system-view

2.     Specify the SSH service port.

ssh server port port-number

By default, the SSH service port is 22.

Enabling the Stelnet server

About this task

After you enable the Stelnet server on the device, a client can log in to the device through Stelnet.

Procedure

1.     Enter system view.

system-view

2.     Enable the Stelnet server.

ssh server enable

By default, the Stelnet server is disabled.

Enabling the SFTP server

About this task

After you enable the SFTP server on the device, a client can log in to the device through SFTP.

Restrictions and guidelines

When acting as an SFTP server, the device does not support SFTP connections initiated by SSH1 clients.

Procedure

1.     Enter system view.

system-view

2.     Enable the SFTP server.

sftp server enable

By default, the SFTP server is disabled.

Enabling the SCP server

About this task

After you enable the SCP server on the device, a client can log in to the device through SCP.

Restrictions and guidelines

When acting as an SCP server, the device does not support SCP connections initiated by SSH1 clients.

Procedure

1.     Enter system view.

system-view

2.     Enable the SCP server.

scp server enable

By default, the SCP server is disabled.

Configuring the user lines for SSH login

About this task

Depending on the SSH application, an SSH client can be an Stelnet client, an SFTP client, or an SCP client.

Only Stelnet clients require the user line configuration. The user line configuration takes effect on the clients at the next login.

Procedure

1.     Enter system view.

system-view

2.     Enter VTY user line view.

line vty number [ ending-number ]

3.     Set the login authentication mode to scheme.

authentication-mode scheme

By default, the authentication mode is password.

For more information about this command, see login management commands in the command reference for the device.

Configuring a client's host public key

About this task

In publickey authentication, the server compares the SSH username and the client's host public key received from the client with the locally saved SSH username and the client's host public key. If they are the same, the server checks the digital signature that the client sends. The client generates the digital signature by using the private key that is paired with the client's host public key.

For publickey authentication, password-publickey authentication, or any authentication, you must perform the following tasks:

1.     Configure the client's DSA, ECDSA, or RSA host public key on the server.

2.     Specify the associated host private key on the client to generate the digital signature.

If the device acts as an SSH client, specify the public key algorithm on the client. The algorithm determines the associated host private key for generating the digital signature.

Client public key configuration methods

You can configure the client host public key by using the following methods:

·     Manually enter the content of a client's host public key on the server.

a.     Display the host public key on the client and record the key.

b.     Type the client's host public key character by character on the server, or use the copy and paste method.

The manually entered key must be in DER format without being converted. For the displayed key to meet the requirement when the client is an H3C device, use the display public-key local public command. The format of the public key displayed in any other way (for example, by using the public-key local export command) might be incorrect. If the key is not in correct format, the system discards the key.

·     Import the client host public key from a public key file.

a.     Save the client public key file to the server. For example, transfer the client public key file to the server in binary mode through FTP or TFTP.

b.     Import the client public key from the locally saved public key file.

During the import process, the server automatically converts the host public key to a string in PKCS format.

Restrictions and guidelines

As a best practice, configure no more than 20 SSH client's host public keys on an SSH server.

Import the client's host public key as a best practice.

Entering a client's host public key

1.     Enter system view.

system-view

2.     Enter public key view.

public-key peer keyname

3.     Configure a client's host public key.

Enter the content of the client's host public key character by character, or use the copy and paste method.

When you enter the content of a client's host public key, you can use spaces and carriage returns between characters but the system does not save them. For more information, see public key management in the configuration guide for the device.

4.     Exit public key view and save the key.

peer-public-key end

Importing a client's host public key from the public key file

1.     Enter system view.

system-view

2.     Import a client's public key from the public key file.

public-key peer keyname import sshkey filename

Configuring an SSH user

About this task

Configure an SSH user and a local user depending on the authentication method.

·     If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.

·     If the authentication method is password, you must configure a local user on the SSH server for local authentication. You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.

·     If the authentication method is keyboard-interactive, password-publickey, or any, you must create an SSH user on the SSH server and configure a local user on the SSH server for local authentication.

In all cases, the local user must have the same username as the SSH user.

For information about configuring local users, see AAA configuration in the configuration guide for the device.

Restrictions and guidelines

If you change the authentication parameters for a logged-in SSH user, the change takes effect on the user at the next login.

For an SFTP or SCP user, the working directory depends on the authentication method.

·     If the authentication method is publickey or password-publickey, the working folder is specified by the authorization-attribute command in the associated local user view.

·     If the authentication method is keyboard-interactive or password, the working directory is authorized by AAA.

For an SSH user, the user role also depends on the authentication method.

·     If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.

·     If the authentication method is keyboard-interactive or password, the user role is authorized by AAA.

In all authentication methods except keyboard-interactive authentication and password authentication, for a client that sends the user's public key information directly to the server, you must specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key." If you specify multiple client public keys, the device verifies the user identity by using the public keys in the order they are specified. The user is valid if the user passes one public key check.

Procedure

1.     Enter system view.

system-view

2.     Create an SSH user, and specify the service type and authentication method.

ssh user username service-type { all | scp | sftp | stelnet } authentication-type { keyboard-interactive | password | { any | password-publickey | publickey } [ assign publickey keyname&<1-6>] }

An SSH server supports up to 1024 SSH users.

Configuring the SSH management parameters

Enabling the SSH server to support SSH1 clients

1.     Enter system view.

system-view

2.     Enable the SSH server to support SSH1 clients.

ssh server compatible-ssh1x enable

By default, the SSH server does not support SSH1 clients.

Enabling SSH algorithm renegotiation and key re-exchange

1.     Enter system view.

system-view

2.     Enable SSH algorithm renegotiation and key re-exchange.

ssh server key-re-exchange enable [ interval interval ]

By default, SSH algorithm renegotiation and key re-exchange are disabled.

The command takes effect only on new SSH connections that are established after the command is configured, and it does not affect existing SSH connections.

Setting the minimum interval for updating the RSA server key pair

1.     Enter system view.

system-view

2.     Set the minimum interval for updating the RSA server key pair.

ssh server rekey-interval interval

By default, the device does not update the RSA server key pair.

This configuration takes effect only on SSH1 clients.

Setting the SSH user authentication timeout timer

1.     Enter system view.

system-view

2.     Set the SSH user authentication timeout timer.

ssh server authentication-timeout time-out-value

The default setting is 60 seconds.

Perform this task to prevent malicious occupation of TCP connections. If a user does not finish the authentication when the timeout timer expires, the connection cannot be established.

Setting the maximum number of SSH authentication attempts

1.     Enter system view.

system-view

2.     Set the maximum number of SSH authentication attempts.

ssh server authentication-retries retries

The default setting is 3.

Perform this task to limit brute-force guessing of usernames and passwords. If the authentication method is any, the total number of publickey authentication attempts and password authentication attempts cannot exceed the upper limit.

Specifying an SSH login control ACL

1.     Enter system view.

system-view

2.     Specify an SSH login control ACL.

IPv4:

ssh server acl { advanced-acl-number | basic-acl-number | mac mac-acl-number }

IPv6:

ssh server ipv6 acl { ipv6 { advanced-acl-number | basic-acl-number } | mac mac-acl-number }

This feature uses an ACL to filter SSH clients that initiate SSH connections to the server. By default, no ACLs are specified and all SSH users can initiate SSH connections to the server.

Only SSH users that match the ACL's permit rules can initiate SSH connections to the server. If the specified ACL does not exist or the ACL contains no rules, no SSH users can initiate SSH connections to the server.

This configuration takes effect only on new SSH connections. It does not affect the existing SSH connections.

Enabling logging for SSH login attempts that are denied by the SSH login control ACL

1.     Enter system view.

system-view

2.     Enable logging for SSH login attempts that are denied by the SSH login control ACL.

ssh server acl-deny-log enable

By default, logging is disabled for login attempts that are denied by the SSH login control ACL.

This command enables SSH to generate log messages for SSH login attempts that are denied by the SSH login control ACL and send the messages to the information center.

Setting the DSCP value in the packets that the SSH server sends to SSH clients

1.     Enter system view.

system-view

2.     Set the DSCP value in the packets that the SSH server sends to the SSH clients.

IPv4:

ssh server dscp dscp-value

IPv6:

ssh server ipv6 dscp dscp-value

By default, the DSCP value of SSH packets is 48.

The DSCP value of a packet defines the priority of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Setting the SFTP connection idle timeout timer

1.     Enter system view.

system-view

2.     Set the SFTP connection idle timeout timer.

sftp server idle-timeout time-out-value

By default, the SFTP connection idle timeout is 10 minutes.

When the SFTP connection idle timeout timer expires, the system automatically tears the connection down and releases the connection resources.

Setting the maximum number of online SSH users

1.     Enter system view.

system-view

2.     Set the maximum number of online SSH users.

aaa session-limit ssh max-sessions

The default setting is 32.

When the number of online SSH users reaches the upper limit, the system denies new SSH connection requests. Changing the upper limit does not affect online SSH users.

Setting the maximum number of records for SSH user login exceptions

1.     Enter system view.

system-view

2.     Set the maximum number of records for SSH user login exceptions.

ssh exception-record max-number max-number

By default, the maximum number of records for SSH user login exceptions is 10.

To view more records for SSH user login exceptions, you can use this command to set the maximum number of records.

Setting alarm and recovery thresholds for SSH user login failures in the specified statistics period

1.     Enter system view.

system-view

2.     Set alarm and recovery thresholds for SSH user login failures in the specified statistics period.

ssh server login-failed threshold-alarm upper-limit report-time lower-limit resume-time period period-time

By default, the statistics period is 5 minutes, and the SSH user login failure alarm threshold and alarm recovery threshold are 30 and 20, respectively.

Configure this command to monitor the SSH user login situation. With this command configured, the device generates alarms as follows:

◦     Generates an alarm when the number of login failures in the specified statistics period reaches or exceeds the alarm threshold.

◦     Generates a recovery alarm when the number of login failures in the specified statistics period drops below the alarm recovery threshold from the alarm threshold or a higher value.
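The following session ties the server tasks together: key pair generation, enabling Stelnet and SFTP, the VTY user lines, a publickey SSH user with its matching local user, and the management parameters above. It is an added example, not a configuration from this guide; the username netops, key name netops-key, key file netops.pub (assumed already transferred to the device), ACL 2000, the management subnet 192.0.2.0/24, and the local-user commands (which belong to the AAA guide) are assumptions.

```text
# Added example (Comware-style CLI session), not from the guide.
<Sysname> system-view
# Host key pairs with default names; RSA covers older clients, ECDSA newer ones.
[Sysname] public-key local create rsa
[Sysname] public-key local create ecdsa secp256r1
# Enable only the SSH applications that are needed; SCP stays disabled here.
[Sysname] ssh server enable
[Sysname] sftp server enable
# Stelnet logins need scheme authentication on the VTY lines (default is password).
[Sysname] line vty 0 63
[Sysname-line-vty0-63] authentication-mode scheme
[Sysname-line-vty0-63] quit
# Import the client's host public key from a file (the recommended method) and
# bind it to an SSH user restricted to Stelnet and SFTP.
[Sysname] public-key peer netops-key import sshkey netops.pub
[Sysname] ssh user netops service-type all authentication-type publickey assign publickey netops-key
# Local user with the same name; the user role comes from authorization-attribute
# because the authentication method is publickey. (AAA guide commands, assumed.)
[Sysname] local-user netops class manage
[Sysname-luser-manage-netops] service-type ssh
[Sysname-luser-manage-netops] authorization-attribute user-role network-admin
[Sysname-luser-manage-netops] quit
# Management parameters: shorter authentication window, fewer retries,
# login control ACL with deny logging, key re-exchange, session cap.
# SSH1 compatibility is left at its default (disabled).
[Sysname] ssh server authentication-timeout 30
[Sysname] ssh server authentication-retries 2
[Sysname] acl basic 2000
[Sysname-acl-ipv4-basic-2000] rule permit source 192.0.2.0 0.0.0.255
[Sysname-acl-ipv4-basic-2000] quit
[Sysname] ssh server acl 2000
[Sysname] ssh server acl-deny-log enable
[Sysname] ssh server key-re-exchange enable
[Sysname] aaa session-limit ssh 8
```

The ACL and key re-exchange settings apply only to connections opened after they are configured, so existing sessions should be checked with the display commands and, if needed, terminated with free ssh.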

Disconnecting SSH sessions

About this task

The device supports concurrent login sessions. To avoid an SSH login user interfering with your configuration, you can disconnect that SSH login user.

Procedure

Execute the following command in user view to disconnect SSH sessions:

free ssh { user-ip { ip-address | ipv6 ipv6-address } [ port port-number ] | user-pid pid-number | username username }

Configuring the device as an Stelnet client

Stelnet client tasks at a glance

To configure an Stelnet client, perform the following tasks:

1.     Generating local key pairs

Only required for authentication method publickey, password-publickey, or any.

2.     (Optional.) Specifying the source IP address for outgoing SSH packets

3.     Establishing a connection to an Stelnet server

4.     (Optional.) Deleting server public keys saved in the public key file on the Stelnet client

Generating local key pairs

About this task

You must generate local key pairs on Stelnet clients when the Stelnet server uses the publickey, password-publickey, or any authentication method.

Restrictions and guidelines

Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.

The key modulus length must be less than 2048 bits when you generate a DSA key pair.

When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1 ECDSA key pair.

Procedure

1.     Enter system view.

system-view

2.     Generate local key pairs.

public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }

Specifying the source IP address for outgoing SSH packets

About this task

After you specify the source IP address for outgoing SSH packets on an Stelnet client, the client uses the specified IP address to communicate with the Stelnet server.

Procedure

1.     Enter system view.

system-view

2.     Specify the source address for outgoing SSH packets.

IPv4:

ssh client source { interface interface-type interface-number | ip ip-address }

By default, an IPv4 Stelnet client uses the primary IPv4 address of the output interface in the matching route as the source address of the outgoing SSH packets.

IPv6:

ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

By default, an IPv6 Stelnet client automatically selects a source IPv6 address for outgoing SSH packets in compliance with RFC 3484.

Establishing a connection to an Stelnet server

About this task

Perform this task to enable the Stelnet client feature on the device and establish a connection to the Stelnet server. You can specify the public key algorithm and the preferred encryption, HMAC, and key exchange algorithms to be used during the connection.

To access the server, a client must use the server's host public key to authenticate the server. As a best practice, configure the server's host public key on the device in an insecure network. If the server's host public key is not configured on the client, the client will notify you to confirm whether to continue with the access.

·     If you choose to continue, the client accesses the server and downloads the server's host public key. The downloaded public key will be used to authenticate the server in subsequent accesses.

If the server public key is not specified when you connect to the server, the device saves the server public key to the public key file. It does not save the server public key to the configuration file.

·     If you choose not to continue, the connection cannot be established.

Restrictions and guidelines for establishing a connection to an Stelnet server

An Stelnet client cannot establish connections to both IPv4 and IPv6 Stelnet servers.

Establishing a connection to an IPv4 Stelnet server

Execute the following command in user view to establish a connection with an IPv4 Stelnet server:

ssh2 server [ port-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | public-key keyname | source { interface interface-type interface-number | ip ip-address } ] *

Establishing a connection to an IPv6 Stelnet server

Execute the following command in user view to establish a connection to an IPv6 Stelnet server:

ssh2 ipv6 server [ port-number ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | escape character | public-key keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Deleting server public keys saved in the public key file on the Stelnet client

About this task

If the locally saved server public key does not meet the device requirement, the client cannot connect to the server. To connect to the server, delete the server public key saved on the client and make sure a correct public key has been generated on the server.

Procedure

1.     Enter system view.

system-view

2.     Delete server public keys saved in the public key file on the Stelnet client.

delete ssh client server-public-key [ server-ip ip-address ]

Configuring the device as an SFTP client

SFTP client tasks at a glance

To configure an SFTP client, perform the following tasks:

1.     Generating local key pairs

Only required for authentication method publickey, password-publickey, or any.

2.     (Optional.) Specifying the source IP address for outgoing SFTP packets

3.     Establishing a connection to an SFTP server

4.     (Optional.) Deleting server public keys saved in the public key file on the SFTP client

5.     (Optional.) Working with SFTP directories

6.     (Optional.) Working with SFTP files

7.     (Optional.) Displaying help information

8.     (Optional.) Terminating the connection with the SFTP server

Generating local key pairs

About this task

You must generate local key pairs on SFTP clients when the SFTP server uses the publickey, password-publickey, or any authentication method.

Restrictions and guidelines

Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.

The key modulus length must be less than 2048 bits when you generate a DSA key pair.

When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1 ECDSA key pair.

Procedure

1.     Enter system view.

system-view

2.     Generate local key pairs.

public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }

Specifying the source IP address for outgoing SFTP packets

About this task

After you specify the source IP address for outgoing SFTP packets on an SFTP client, the client uses the specified IP address to communicate with the SFTP server.

Procedure

1.     Enter system view.

system-view

2.     Specify the source address for outgoing SFTP packets.

IPv4:

sftp client source { ip ip-address | interface interface-type interface-number }

By default, an SFTP client uses the primary IPv4 address of the output interface in the matching route as the source address of the outgoing SFTP packets.

IPv6:

sftp client ipv6 source { ipv6 ipv6-address | interface interface-type interface-number }

By default, an IPv6 SFTP client automatically selects a source IPv6 address for the outgoing SFTP packets in compliance with RFC 3484.

Establishing a connection to an SFTP server

About this task

Perform this task to enable the SFTP client feature on the device and establish a connection to the SFTP server. You can specify the public key algorithm and the preferred encryption, HMAC, and key exchange algorithms to be used during the connection.

To access the server, a client must use the server's host public key to authenticate the server. As a best practice, configure the server's host public key on the device in an insecure network. If the server's host public key is not configured on the client, the client will notify you to confirm whether to continue with the access.

·     If you choose to continue, the client accesses the server and downloads the server's host public key. The downloaded public key will be used to authenticate the server in subsequent accesses.

If the server public key is not specified when you connect to the server, the device saves the server public key to the public key file. It does not save the server public key to the configuration file.

·     If you choose to not continue, the connection cannot be established.

Restrictions and guidelines for establishing a connection to an SFTP server

An SFTP client cannot establish connections to both IPv4 and IPv6 SFTP servers.

Establishing a connection to an IPv4 SFTP server

Execute the following command in user view to establish a connection to an IPv4 SFTP server:

sftp server [ port-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | public-key keyname | source { interface interface-type interface-number | ip ip-address } ] *

Establishing a connection to an IPv6 SFTP server

Execute the following command in user view to establish a connection to an IPv6 SFTP server:

sftp ipv6 server [ port-number ] [ -i interface-type interface-number ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ dscp dscp-value | public-key keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] *

Deleting server public keys saved in the public key file on the SFTP client

About this task

If the locally saved server public key does not meet the device requirement, the client cannot connect to the server. To connect to the server, delete the server public key saved on the client and make sure a correct public key has been generated on the server.

Procedure

1.     Enter system view.

system-view

2.     Delete server public keys saved in the public key file on the SFTP client.

delete ssh client server-public-key [ server-ip ip-address ]

Working with SFTP directories

About this task

After you establish a connection to an SFTP server, you can operate directories of the SFTP server.

Changing the working directory on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Change the working directory on the SFTP server.

cd [ remote-path ]

3.     (Optional.) Return to the upper-level directory.

cdup

Displaying the current working directory on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Display the current working directory on the SFTP server.

pwd

Displaying files under a directory

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Display files under a directory.

·     dir [ -a | -l ] [ remote-path ]

·     ls [ -a | -l ] [ remote-path ]

The dir command has the same function as the ls command.

Changing the name of a directory on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Change the name of a directory on the SFTP server.

rename oldname newname

Creating a new directory on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Create a new directory on the SFTP server.

mkdir remote-path

Deleting directories on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Delete one or more directories from the SFTP server.

rmdir remote-path

Working with SFTP files

About this task

After you establish a connection to an SFTP server, you can operate files on the SFTP server.

Changing the name of a file on the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Change the name of a file on the SFTP server.

rename old-name new-name

Downloading a file from the SFTP server and saving it locally

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Download a file from the SFTP server and save it locally.

get remote-file [ local-file ]

Uploading a local file to the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Upload a local file to the SFTP server.

put local-file [ remote-file ]

Displaying files under a directory

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Display files under a directory.

·     dir [ -a | -l ] [ remote-path ]

·     ls [ -a | -l ] [ remote-path ]

The dir command has the same function as the ls command.

Deleting a file from the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Delete a file from the SFTP server.

·     delete remote-file

·     remove remote-file

The delete command has the same function as the remove command.

Displaying help information

About this task

After you establish a connection to the SFTP server, you can display the help information of SFTP client commands, including the command syntax and parameter configuration.

Procedure

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Display SFTP client command help information.

·     help

·     ?

The help command has the same function as the ? command.

Terminating the connection with the SFTP server

1.     Enter SFTP client view.

For more information, see "Establishing a connection to an SFTP server."

2.     Terminate the connection with the SFTP server and return to user view.

·     bye

·     exit

·     quit

The three commands have the same function.

Configuring the device as an SCP client

SCP client tasks at a glance

To configure an SCP client, perform the following tasks:

1.     Generating local key pairs

Only required for the publickey, password-publickey, or any authentication method.

2.     (Optional.) Specifying the source IP address for outgoing SCP packets

3.     Establishing a connection to an SCP server

4.     (Optional.) Deleting server public keys saved in the public key file on the SCP client

Generating local key pairs

About this task

You must generate local key pairs on SCP clients when the SCP server uses the publickey, password-publickey, or any authentication method.

Restrictions and guidelines

Local DSA, ECDSA, and RSA key pairs for SSH use default names. You cannot assign names to the key pairs.

The key modulus length must be less than 2048 bits when you generate a DSA key pair.

When you generate an ECDSA key pair, you can generate only a secp256r1 or secp384r1 ECDSA key pair.

Procedure

1.     Enter system view.

system-view

2.     Generate local key pairs.

public-key local create { dsa | ecdsa { secp256r1 | secp384r1 } | rsa }

Specifying the source IP address for outgoing SCP packets

About this task

After you specify the source IP address for outgoing SCP packets on an SCP client, the client uses the specified IP address to communicate with the SCP server.

Procedure

1.     Enter system view.

system-view

2.     Specify the source address for outgoing SCP packets.

IPv4:

scp client source { interface interface-type interface-number | ip ip-address }

By default, an SCP client uses the primary IPv4 address of the output interface in the matching route as the source address of the outgoing SCP packets.

IPv6:

scp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

By default, an SCP client automatically selects an IPv6 address as the source address of the outgoing packets in compliance with RFC 3484.

Establishing a connection to an SCP server

About this task

Perform this task to enable the SCP client feature on the device, establish a connection to the SCP server, and transfer files with the server. You can specify the public key algorithm and the preferred encryption, HMAC, and key exchange algorithms to be used during the connection.

To access the server, a client must use the server's host public key to authenticate the server. As a best practice, configure the server's host public key on the device in an insecure network. If the server's host public key is not configured on the client, the client will notify you to confirm whether to continue with the access.

·     If you choose to continue, the client accesses the server and downloads the server's host public key. The downloaded public key will be used to authenticate the server in subsequent accesses.

If the server public key is not specified when you connect to the server, the device saves the server public key to the public key file. It does not save the server public key to the configuration file.

·     If you choose to not continue, the connection cannot be established.

Restrictions and guidelines for establishing a connection to an SCP server

An SCP client cannot establish connections to both IPv4 and IPv6 SCP servers.

Establishing a connection to an IPv4 SCP server

Execute the following command in user view to connect to an IPv4 SCP server, and transfer files with the server:

scp server [ port-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ public-key keyname | source { interface interface-type interface-number | ip ip-address } ] * [ user username [ password password [ no-more-input ] ] ]

Establishing a connection to an IPv6 SCP server

Execute the following command in user view to connect to an IPv6 SCP server, and transfer files with the server:

scp ipv6 server [ port-number ] [ -i interface-type interface-number ] { put | get } source-file-name [ destination-file-name ] [ identity-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa } | prefer-compress zlib | prefer-ctos-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } | prefer-kex { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } | prefer-stoc-cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } ] * [ public-key keyname | source { interface interface-type interface-number | ipv6 ipv6-address } ] * [ user username [ password password [ no-more-input ] ] ]

Deleting server public keys saved in the public key file on the SCP client

About this task

If the locally saved server public key does not meet the device requirement, the client cannot connect to the server. To connect to the server, delete the server public key saved on the client and make sure a correct public key has been generated on the server.

Procedure

1.     Enter system view.

system-view

2.     Delete server public keys saved in the public key file on the SCP client.

delete ssh client server-public-key [ server-ip ip-address ]
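The server-authentication decision described above for the Stelnet, SFTP and SCP clients (a configured host key is authoritative, a key learned on first connection is saved to the public key file and reused, and a saved key that no longer matches blocks the connection until it is deleted) modeled in Python as an added example, not H3C code. The key store layout, the fingerprint format and the sample keys are constructed for this example.

```python
"""Model of how an SSH client authenticates a server by host public key.
Added example, not H3C code: the key store is an in-memory dict and the
host keys are constructed byte strings, not real SSH key blobs."""
import base64
import hashlib

# Constructed sample host keys (not real keys).
KEY_A = b"constructed-host-key-A"
KEY_B = b"constructed-host-key-B"


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public key blob."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyClient:
    def __init__(self, configured=None):
        # Host keys pinned by the administrator before connecting
        # (the 'public-key keyname' case in the ssh2/sftp/scp commands).
        self.configured = dict(configured or {})
        # Host keys learned on first connection: the client's public key
        # file, which is separate from the configuration file.
        self.public_key_file = {}

    def authenticate_server(self, server, presented_key, accept_unknown):
        """Return (decision, fingerprint). decision is one of
        'configured', 'cached', 'accepted-and-saved', 'rejected', 'mismatch'.
        Only the first three allow the connection to proceed."""
        fp = fingerprint(presented_key)
        pinned = self.configured.get(server)
        if pinned is not None:
            # A configured key is authoritative; nothing else is consulted.
            return ("configured" if pinned == presented_key else "mismatch", fp)
        cached = self.public_key_file.get(server)
        if cached is not None:
            # A changed key on a known server is the case an operator must
            # investigate; the client refuses until the saved key is deleted.
            return ("cached" if cached == presented_key else "mismatch", fp)
        if not accept_unknown:
            # Operator answered "no" at the confirmation prompt.
            return ("rejected", fp)
        # Operator answered "yes": the key is downloaded and saved to the
        # public key file (not the configuration file) for later sessions.
        self.public_key_file[server] = presented_key
        return ("accepted-and-saved", fp)

    def delete_server_public_key(self, server=None):
        """Model of 'delete ssh client server-public-key [ server-ip ... ]':
        without a server, every saved key is removed."""
        if server is None:
            self.public_key_file.clear()
        else:
            self.public_key_file.pop(server, None)


if __name__ == "__main__":
    client = HostKeyClient()
    print(client.authenticate_server("192.0.2.10", KEY_A, accept_unknown=True))
    print(client.authenticate_server("192.0.2.10", KEY_B, accept_unknown=True))
    client.delete_server_public_key("192.0.2.10")
    print(client.authenticate_server("192.0.2.10", KEY_B, accept_unknown=True))
```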

Specifying algorithms for SSH2

About algorithms for SSH2

The SSH2 client and server use the following types of algorithms for algorithm negotiation during the Stelnet, SFTP, or SCP session establishment:

·     Key exchange algorithms.

·     Public key algorithms.

·     Encryption algorithms.

·     MAC algorithms.

If you specify algorithms, SSH2 uses only the specified algorithms for algorithm negotiation. The client uses the specified algorithms to initiate the negotiation, and the server uses the matching algorithms to negotiate with the client. If multiple algorithms of the same type are specified, the algorithm specified earlier has a higher priority during negotiation.

Specifying key exchange algorithms for SSH2

1.     Enter system view.

system-view

2.     Specify key exchange algorithms for SSH2.

ssh2 algorithm key-exchange { dh-group-exchange-sha1 | dh-group1-sha1 | dh-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 } *

By default, SSH2 uses the ecdh-sha2-nistp256, ecdh-sha2-nistp384, dh-group-exchange-sha1, dh-group14-sha1, and dh-group1-sha1 key exchange algorithms in descending order of priority for algorithm negotiation.

Specifying public key algorithms for SSH2

1.     Enter system view.

system-view

2.     Specify public key algorithms for SSH2.


ssh2 algorithm public-key { dsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | rsa | x509v3-ecdsa-sha2-nistp256 | x509v3-ecdsa-sha2-nistp384 } *

By default, SSH2 uses the x509v3-ecdsa-sha2-nistp256, x509v3-ecdsa-sha2-nistp384, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, rsa, and dsa public key algorithms in descending order of priority for algorithm negotiation.

Specifying encryption algorithms for SSH2

1.     Enter system view.

system-view

2.     Specify encryption algorithms for SSH2.

ssh2 algorithm cipher { 3des-cbc | aes128-cbc | aes128-ctr | aes128-gcm | aes192-ctr | aes256-cbc | aes256-ctr | aes256-gcm | des-cbc } *

By default, SSH2 uses the aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm, aes256-gcm, aes128-cbc, 3des-cbc, aes256-cbc, and des-cbc encryption algorithms in descending order of priority for algorithm negotiation.

Specifying MAC algorithms for SSH2

1.     Enter system view.

system-view

2.     Specify MAC algorithms for SSH2.

ssh2 algorithm mac { md5 | md5-96 | sha1 | sha1-96 | sha2-256 | sha2-512 } *

By default, SSH2 uses the sha2-256, sha2-512, sha1, md5, sha1-96, and md5-96 MAC algorithms in descending order of priority for algorithm negotiation.
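The negotiation rule stated in "About algorithms for SSH2", worked through in Python with the default preference lists from the four tasks above, as an added example that is not H3C code: the client's list order decides, and the first client-side algorithm that the server also offers is selected (RFC 4253, section 7.1). The weak-algorithm set used by the audit helper is this example's own assumption.

```python
"""SSH2 algorithm negotiation model. Added example, not H3C code; the
default lists are the ones stated in this guide for ssh2 algorithm
key-exchange, public-key, cipher and mac."""

# Default preference lists from this guide, highest priority first.
H3C_DEFAULTS = {
    "key-exchange": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "dh-group-exchange-sha1", "dh-group14-sha1",
                     "dh-group1-sha1"],
    "public-key": ["x509v3-ecdsa-sha2-nistp256", "x509v3-ecdsa-sha2-nistp384",
                   "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "rsa", "dsa"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm",
               "aes256-gcm", "aes128-cbc", "3des-cbc", "aes256-cbc", "des-cbc"],
    "mac": ["sha2-256", "sha2-512", "sha1", "md5", "sha1-96", "md5-96"],
}

# Assumption of this example (not from the guide): algorithms a hardening
# review would normally flag if they end up being negotiated.
WEAK = {"des-cbc", "3des-cbc", "dh-group1-sha1", "md5", "md5-96",
        "sha1-96", "dsa"}


def negotiate(client_list, server_list):
    """First algorithm in the client's order that the server also offers,
    or None when the lists share nothing (the session cannot be set up)."""
    server_set = set(server_list)
    for alg in client_list:
        if alg in server_set:
            return alg
    return None


def negotiate_all(client_cfg, server_cfg):
    """Negotiate all four types. A type missing from a side's config falls
    back to the default list, like a device with no 'ssh2 algorithm' set."""
    return {
        kind: negotiate(client_cfg.get(kind, H3C_DEFAULTS[kind]),
                        server_cfg.get(kind, H3C_DEFAULTS[kind]))
        for kind in H3C_DEFAULTS
    }


def audit(outcome):
    """Negotiated algorithms that fall in the WEAK set, sorted."""
    return sorted(alg for alg in outcome.values() if alg in WEAK)


if __name__ == "__main__":
    # Server restricted with 'ssh2 algorithm cipher aes256-gcm aes256-ctr':
    # the client's order still decides, so aes256-ctr wins over aes256-gcm.
    print(negotiate(H3C_DEFAULTS["cipher"], ["aes256-gcm", "aes256-ctr"]))
    # Legacy peer offering only des-cbc and md5: the defaults accept both.
    legacy = negotiate_all({}, {"cipher": ["des-cbc"], "mac": ["md5"]})
    print(legacy, audit(legacy))
    # No overlap at all: negotiation fails.
    print(negotiate(["aes256-gcm"], ["aes128-ctr"]))
```

Restricting the default lists on both sides with the ssh2 algorithm commands is what keeps the legacy case from negotiating a weak cipher or MAC.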

Display and maintenance commands for SSH

Execute display commands in any view.


Task

Command

Display the public keys of the local key pairs.

display public-key local { dsa | ecdsa | rsa } public [ name publickey-name ]

Display information about peer public keys.

display public-key peer [ brief | name publickey-name ]

Display the source IP address configuration of the SCP client.

display scp client source

Display the source IP address configuration of the SFTP client.

display sftp client source

Display server public key information saved in the public key file on the SSH client.

display ssh client server-public-key [ server-ip ip-address ]

Display the source IP address configuration of the Stelnet client.

display ssh client source

Display SSH server status or sessions.

display ssh server { session | status }

Display SSH user information on the SSH server.

display ssh user-information [ username ]

Display algorithms used by SSH2 in the algorithm negotiation stage.

display ssh2 algorithm

Display records for SSH user login exceptions.

display ssh exception-record

For more information about the display public-key local and display public-key peer commands, see public key management commands in the command reference for the device.
