To manage and configure other devices or operate on files on them, access the devices using
Telnet, STelnet, TFTP, FTP, SCP, or SFTP from the device that you have logged in to.
Context
NOTE
To ensure high security, do not use the DES or 3DES algorithm, or RSA keys shorter than
2048 bits.
The Secure Copy Protocol (SCP) client sets up a secure connection to the SCP server so that
the client can upload files to or download files from the server.
8.9 Logging In to a Device Using HTTP
Hypertext Transfer Protocol (HTTP) is an application-layer protocol that transports hypertext
from WWW servers to local browsers. HTTP uses the client/server model in which requests
and replies are exchanged.
8.10 Enabling or Disabling a Public Key Algorithm
8.11 Configuring a DSCP Value for Telnet/SSH Packets
This section describes how to configure a DSCP value for Telnet/SSH packets.
8.12 Configuration Examples for Accessing Other Devices
This section provides examples for configuring one device to access other devices.
[Figure 8-2: a user PC connects over an IP network to the Telnet client, which in turn connects to the Telnet server]
Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote
login and virtual terminal services. The NE40E provides the following Telnet services:
l Telnet server: A user runs the Telnet client program on a PC to log in to the router to
configure and manage the router. The router functions as a Telnet server.
l Telnet client: After using the terminal emulator or Telnet client program on a PC to
connect to the router, a user runs the telnet command to log in to another router for
configuration and management. The router functions as a Telnet client. In Figure 8-2,
the CE functions as both a Telnet server and a Telnet client.
[Figure 8-2: PC, CE, PE; the CE is the Telnet server for the PC and the Telnet client of the PE. Figure 8-3: P1 (Telnet client) logs in to P2, and P2 logs in to P3 (Telnet server)]
Two types of shortcut keys can be used to interrupt Telnet connections. As shown in
Figure 8-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2,
and P2 is the Telnet client of P3. The usage of shortcut keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.
When the network works properly, entering the shortcut key Ctrl_] causes the
Telnet server to interrupt the current Telnet connection.
For example, after you enter Ctrl_] on P3, the <P2> prompt is displayed:
<P3>                      (press Ctrl_] to return to the prompt of P2)
The connection was closed by the remote host.
<P2>
NOTE
When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all
user interfaces are in use and no more Telnet connections are allowed.
FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to
transfer files between local clients and remote servers. FTP uses two TCP connections to copy
a file from one system to another. The TCP connections are usually established in client-
server mode, one for control (the server port number is 21) and the other for data transmission
(the server port number is 20).
l Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
l Data connection: transmits data between the client and server, maximizing the
throughput.
TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.
TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.
NOTE
l Currently, the HUAWEI NetEngine40E supports only the binary mode for TFTP.
l Currently, the HUAWEI NetEngine40E can function only as a TFTP client but not a TFTP server.
SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to
securely log in to the device to manage and transfer files. On the other hand, users can use the
device functioning as a client to log in to a remote server and transfer files securely.
When the SFTP server fails, or the connection between the server and the client fails, the
client must detect the fault promptly and tear down the connection itself. To enable this,
configure the interval at which the client sends Keepalive packets when it receives nothing
from the server, and the maximum number of consecutive Keepalive packets that the server
may leave unanswered:
l If the client does not receive any packet within the specified interval, it sends a
Keepalive packet to the server.
l If the number of consecutive unanswered Keepalive packets reaches the configured
maximum, the client releases the connection.
Fault symptom: SCP cannot interwork with the WinSCP tool.
Description: if the WinSCP tool is used for interconnection, the device cannot transfer files through SCP.
Solution: use the correct tool for interconnection.
Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to.
As shown in Figure 8-4, you can use Telnet on the PC to log in to the Telnet client. Because
the PC does not have a reachable route to the Telnet server, you cannot remotely manage the
Telnet server. To remotely manage the Telnet server, use Telnet on the Telnet client to log in to
the Telnet server.
Figure 8-4 Using Telnet on the Telnet client to log in to the Telnet server
Pre-configuration Tasks
Before using Telnet on the Telnet client to log in to the Telnet server, complete the following
task:
Configuration Procedures
NOTE
Context
You can assign an IP address to an interface on a device and use this IP address as the source
address to establish a Telnet connection.
The source of a Telnet client can be a source interface or a source IP address.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for the Telnet client.
Step 3 Run commit
The configuration is committed.
----End
Context
Telnet provides an interactive interface for you to log in to a remote server. You can log in to a
device and then use Telnet on the device to log in to other devices on the network to configure
and manage these remote devices, without the need of connecting a terminal to each of the
devices.
An IP address can be configured for an interface on the device and specified as the source IP
address of a Telnet connection for security checks.
After the source IP address is configured for the Telnet client, the source IP address of the
Telnet client displayed on the server is the same as the configured one.
Perform either of the following operations based on the type of the source IP address:
Procedure
l If the source address is an IPv4 address:
Run the telnet [ -a source-ip-address | -i interface-type interface-number ]
[ vpn-instance vpn-instance-name ] host-ip-address [ port-number ] command to log in to and
manage other devices.
l If the source address is an IPv6 address:
Run the telnet ipv6 ipv6-address [ vpn-instance vpn-instance-name | public-net] [ -oi
interface-type interface-number ] [ port-number ] command to log in to and manage
other devices.
----End
Prerequisites
All configurations for logging in to another device are complete.
Procedure
l Run the display tcp status command to check the status of all TCP connections.
----End
Example
Run the display tcp status command to view the status of TCP connections. Established
indicates that a TCP connection has been established.
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID     Local Addr:Port      Foreign Addr:Port      VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2     0.0.0.0:23           0.0.0.0:0              1       LISTEN
0x80932727/4     0.0.0.0:22           0.0.0.0:0              1       LISTEN
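The check above only confirms that a connection exists. A practitioner auditing a device will also want to know which of its listeners are cleartext management services (Telnet on 23, FTP on 21) and who is currently logged in over them. The following Python is an added example, not part of the NE40E documentation: it parses output in the layout of display tcp status and flags those services. The sample output is constructed for the example (the rows beyond the two listeners shown on this page are invented), and the regular expression assumes one row per line.

```python
import re

# Constructed sample in the layout of "display tcp status" (rows beyond the
# two listeners shown on this page are invented for the example).
SAMPLE_TCP_STATUS = """\
--------------------------------------------------------------------------------
Pid/SocketID     Local Addr:Port      Foreign Addr:Port      VPNID   State
--------------------------------------------------------------------------------
0x80C8272F/2     0.0.0.0:23           0.0.0.0:0              1       LISTEN
0x80932727/4     0.0.0.0:22           0.0.0.0:0              1       LISTEN
0x80932728/5     0.0.0.0:21           0.0.0.0:0              1       LISTEN
0x80932729/6     10.1.1.1:22          10.1.1.2:51234         1       ESTABLISHED
0x8093272A/7     10.1.1.1:23          10.1.1.9:40001         1       ESTABLISHED
"""

# Management protocols that carry credentials and session data in cleartext.
CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet", 80: "HTTP"}

# One connection row: socket id, local addr:port, foreign addr:port, VPN id, state.
ROW = re.compile(
    r"^(?P<sock>\S+)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+):(?P<fport>\d+)"
    r"\s+(?P<vpn>\d+)\s+(?P<state>[A-Z_]+)$"
)


def parse_tcp_status(text):
    """Return one dict per connection row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["lport"], row["fport"] = int(row["lport"]), int(row["fport"])
            rows.append(row)
    return rows


def cleartext_listeners(rows):
    """Cleartext services still accepting connections, sorted by port."""
    return [CLEARTEXT_PORTS[r["lport"]] for r in sorted(rows, key=lambda r: r["lport"])
            if r["state"] == "LISTEN" and r["lport"] in CLEARTEXT_PORTS]


def cleartext_sessions(rows):
    """Peers currently logged in over a cleartext protocol: (service, peer address)."""
    return [(CLEARTEXT_PORTS[r["lport"]], r["faddr"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["lport"] in CLEARTEXT_PORTS]


if __name__ == "__main__":
    rows = parse_tcp_status(SAMPLE_TCP_STATUS)
    print("cleartext listeners:", cleartext_listeners(rows))
    print("cleartext sessions:", cleartext_sessions(rows))
```

Run it against real output captured from a terminal session; an empty list from cleartext_listeners is the state to aim for, with port 22 (STelnet/SFTP) the only management listener left.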
Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks, such as IP spoofing and simple password
interception.
As shown in Figure 8-6, the device supports the SSH function. You can log in to a remote
device in SSH mode to manage and maintain the device. The device that you have logged in
functions as an SSH client, and the remote device functions as an SSH server.
Pre-configuration Tasks
Before using STelnet to log in to other devices, configure STelnet login.
Configuration Procedures
Context
When first authentication is enabled, the client accepts the RSA, DSA, or ECC public key that
the server presents at the first login and saves it for host authentication on subsequent
logins. The client cannot verify that key on the first connection, so make the first login
over a trusted path, or bind the server's key in advance.
If first authentication is disabled, the STelnet client cannot log in to the SSH server because
the validity check of the server's RSA, DSA, or ECC public key fails. To log in to the SSH
server for the first time in that case, either enable first authentication or configure the
server's RSA, DSA, or ECC public key on the client in advance. For details, see
8.4.2 Configuring First Login to the SSH Server (Binding the SSH Client to the Public
Key Generated on the SSH Server).
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client first-time enable
First authentication is enabled on the SSH client.
Step 3 Run commit
The configuration is committed.
----End
8.4.2 Configuring First Login to the SSH Server (Binding the SSH
Client to the Public Key Generated on the SSH Server)
If first authentication is disabled, configure the SSH server's RSA, DSA, or ECC public key
on the SSH client and assign it to the server before the first login; otherwise the client
cannot log in.
Context
If first authentication is disabled, the SSH client cannot log in to the SSH server because the
validity check of the server's RSA, DSA, or ECC public key fails. The server's public key must
therefore be configured on the client and assigned to the server before the client logs in.
The public key assigned to the SSH server must be the one generated on that server. Otherwise,
the validity check of the RSA, DSA, or ECC public key on the SSH client fails.
Perform the following steps on the router that functions as an SSH client:
NOTE
To ensure high security, do not use RSA keys shorter than 2048 bits. Using the ECC
authentication algorithm is recommended for higher security.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform any of the following operations based on the selected public key algorithm:
l To enter the RSA public key view, run the rsa peer-public-key key-name command.
l To enter the DSA public key view, run the dsa peer-public-key key-name command.
l To enter the ECC public key view, run the ecc peer-public-key key-name command.
Step 3 Run public-key-code begin
The public key edit view is displayed.
Step 4 Enter hex-data to edit the public key.
The entered public key must be a hexadecimal string in the required public key format; it is
the public key generated on the SSH server.
NOTE
After entering the public key edit view, copy and paste the RSA, DSA, or ECC public key generated on
the server to the client.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client keepalive-interval seconds
The interval at which the client sends keepalive packets to the server is configured.
If the client receives no response from the server within an interval, it sends another
keepalive packet. Once the configured maximum number of consecutive keepalive packets
goes unanswered, the client disconnects from the server.
Step 3 Run ssh client keepalive-maxcount count
The maximum number of consecutive unanswered keepalive packets is configured.
The maximum count takes effect only when the keepalive interval is greater than 0. If the
interval is 0 (no keepalive packet is sent), the setting of the maximum number of keepalive
packets does not take effect.
Step 4 Run commit
The configuration is committed.
----End
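The interaction between the two settings above (and the same Keepalive behaviour described for SFTP earlier on this page) is easy to get wrong when planning how quickly a dead server is noticed. The following Python is an added example, not code from the NE40E documentation: it models the client-side keepalive decision for a constructed sequence of probe outcomes. Timing is simplified to one probe per interval, which is an assumption of the model.

```python
def keepalive_outcome(interval_s, maxcount, server_answers):
    """Model of the SSH client keepalive logic.

    interval_s:     value of "ssh client keepalive-interval" (0 = disabled)
    maxcount:       value of "ssh client keepalive-maxcount"
    server_answers: one bool per keepalive probe, True if the server replied
                    (constructed input; one probe is sent per interval)
    Returns (dropped, seconds_until_drop_or_None).
    """
    if interval_s == 0:
        # No probes are sent at all, so maxcount can never be reached.
        return (False, None)
    unanswered = 0
    for n, answered in enumerate(server_answers, start=1):
        if answered:
            unanswered = 0          # any reply resets the counter
        else:
            unanswered += 1
            if unanswered >= maxcount:
                return (True, n * interval_s)
    return (False, None)


def worst_case_detection_delay(interval_s, maxcount):
    """Roughly how long a silent server goes unnoticed before the client drops it."""
    return None if interval_s == 0 else interval_s * maxcount


if __name__ == "__main__":
    print(keepalive_outcome(30, 3, [True, False, False, False]))   # (True, 120)
    print(worst_case_detection_delay(30, 3))                       # 90
```

Pick interval and count together: a small interval with a large count tolerates short outages but holds VTY and SFTP session resources longer on a truly dead peer.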
Context
You can log in to the server from the SSH client without the need of specifying the listening
port number only when the listening port number of the server is 22. Otherwise, the listening
port number must be specified.
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm |
aes256_gcm } *
NOTE
des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128 and arcfour256 are of weak
security. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr,
aes128_gcm, aes256_gcm, or aes256_ctr is recommended, because such an algorithm has a higher
security.
Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96
| sha2_512 } *
The HMAC authentication algorithms are configured for the SSH client.
NOTE
sha2_256_96, sha1, sha1_96, md5, and md5_96 are of weak security. Therefore, do not add them to the
authentication algorithm list.
NOTE
For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.
Step 5 In the user or system view, run either of the following commands:
l To use an IPv4 address to establish a connection to the SSH server over STelnet, run the
stelnet [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ]
[ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] |
[ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] |
[ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] |
[ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] |
[ -kc count ] | [ identity-key { dsa | rsa | ecc } ] |
[ user-identity-key { rsa | dsa | ecc } ] ] * command.
l To use an IPv6 address to establish a connection to the SSH server over STelnet, run the
stelnet [ -a source-ipv6-address ] [ -force-receive-pubkey ] host-ipv6-address
[ -vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port-number ]
[ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] |
[ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] |
[ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] |
[ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] |
[ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] ] * command.
NOTE
In the system view, the default level of stelnet command is configuration level.
----End
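The cipher and HMAC notes in Steps 2 and 3 above give the weak and recommended keyword lists but no way to audit an existing configuration against them. The following Python is an added example, not part of the NE40E documentation: it takes an ssh client cipher or ssh client hmac command line, reports the weak keywords, emits a hardened replacement, and shows how the SSH algorithm negotiation picks the first entry in the client's list that the server also offers (RFC 4253, section 7.1). The keyword sets are copied from the notes on this page; the sample command lines are constructed.

```python
# Keyword sets taken from the notes on this page.
WEAK_CIPHERS = {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
                "arcfour128", "arcfour256"}
RECOMMENDED_CIPHERS = ["aes256_gcm", "aes128_gcm", "aes256_ctr", "aes192_ctr", "aes128_ctr"]
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
RECOMMENDED_HMACS = ["sha2_512", "sha2_256"]


def parse_algorithm_command(line):
    """Split 'ssh client cipher a b c' into ('cipher', ['a', 'b', 'c'])."""
    parts = line.split()
    if parts[:2] != ["ssh", "client"] or len(parts) < 3 or parts[2] not in ("cipher", "hmac"):
        raise ValueError(f"not an ssh client cipher/hmac command: {line!r}")
    return parts[2], parts[3:]


def audit(line):
    """Flag weak keywords in one command and build the hardened replacement."""
    kind, algs = parse_algorithm_command(line)
    weak = WEAK_CIPHERS if kind == "cipher" else WEAK_HMACS
    recommended = RECOMMENDED_CIPHERS if kind == "cipher" else RECOMMENDED_HMACS
    flagged = [a for a in algs if a in weak]
    kept = [a for a in algs if a not in weak]
    # Never emit an empty algorithm list: fall back to the page's recommended set.
    hardened = kept or list(recommended)
    return {"kind": kind, "weak": flagged,
            "hardened_command": f"ssh client {kind} " + " ".join(hardened)}


def negotiate(client_prefs, server_prefs):
    """SSH chooses the first algorithm in the client's list that the server also
    offers; returns None when the two lists do not overlap."""
    server = set(server_prefs)
    return next((a for a in client_prefs if a in server), None)


if __name__ == "__main__":
    # Constructed configuration lines for the example.
    for cmd in ("ssh client cipher 3des_cbc aes128_cbc aes256_ctr arcfour128",
                "ssh client hmac md5 sha1"):
        print(audit(cmd))
    print(negotiate(["aes256_gcm", "aes128_ctr"], ["aes128_ctr", "aes256_gcm"]))
```

Because the client's ordering decides the negotiated algorithm, list the strongest keyword first; a weak keyword anywhere in the list is still selectable by a server that offers only that one, which is why the notes say to remove weak entries rather than merely demote them.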
Prerequisites
The configurations for using STelnet to log in to other devices are complete.
Procedure
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End
Example
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
--------------------------------------------------------------------------------
Server Name(IP)      Server public key name   Server public key type   State
--------------------------------------------------------------------------------
1000::1              1000::1                  RSA                      CONFIGURE
10.164.39.223        10.164.39.223            RSA                      CONFIGURE
127.0.0.1            127.0.0.1                RSA                      CONFIGURE
192.0.0.223          192.0.0.223              RSA                      CONFIGURE
--------------------------------------------------------------------------------
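The mapping shown above is what first authentication (8.4.1, and again in 8.7.2) and pre-bound server keys (8.4.2 and 8.7.3) populate. The following Python is an added example, not code from the NE40E documentation: it models an SSH client's server-key table and the three outcomes of a login, namely unknown server with first authentication off, unknown server with first authentication on (trust on first use), and a stored key that no longer matches. The server addresses and hex key strings are constructed; the model fails closed on a changed key and does not implement the stelnet command's -force-receive-pubkey option.

```python
import hashlib


class SshClientKeyStore:
    """Host-key table of an SSH client: server address -> (key type, key bytes)."""

    def __init__(self, first_time_enable=False):
        self.first_time_enable = first_time_enable   # "ssh client first-time enable"
        self.servers = {}

    def bind_peer_public_key(self, server, key_type, key_hex):
        """The operator pastes the key generated on the server (peer-public-key view)
        and assigns it to that server before the first login."""
        self.servers[server] = (key_type, bytes.fromhex(key_hex))

    def connect(self, server, key_type, key_hex):
        """Check the host key presented during key exchange; returns a verdict string."""
        presented = (key_type, bytes.fromhex(key_hex))
        known = self.servers.get(server)
        if known is None:
            if not self.first_time_enable:
                return "REJECT: unknown server key and first-time authentication disabled"
            self.servers[server] = presented              # trust on first use
            return "ACCEPT: key saved for " + server
        if known == presented:
            return "ACCEPT: key matches stored key"
        # A stored key that no longer matches is the signature of a man-in-the-middle
        # or a re-keyed server; this model fails closed either way.
        return "REJECT: host key changed (possible man-in-the-middle)"

    def server_info(self):
        """Rows in the spirit of 'display ssh server-info', with a key fingerprint."""
        return [(server, key_type, hashlib.sha256(key).hexdigest()[:16])
                for server, (key_type, key) in sorted(self.servers.items())]


if __name__ == "__main__":
    # Constructed addresses and keys (hex strings stand in for real public keys).
    strict = SshClientKeyStore(first_time_enable=False)
    print(strict.connect("10.164.39.223", "RSA", "aa11"))
    strict.bind_peer_public_key("10.164.39.223", "RSA", "aa11")
    print(strict.connect("10.164.39.223", "RSA", "aa11"))
    print(strict.connect("10.164.39.223", "RSA", "bb22"))
    tofu = SshClientKeyStore(first_time_enable=True)
    print(tofu.connect("192.0.0.223", "ECC", "cc33"))
    print(tofu.server_info())
```

The trust-on-first-use path is only as good as the network on the first connection; binding the key generated on the server, as 8.4.2 describes, removes that window entirely.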
Usage Scenario
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However, FTP
requires complex interactions between terminals and servers, which is hard to implement on
terminals that do not run advanced operating systems. TFTP is designed for file transfer that
does not require complex interactions between terminals and servers. It is simple and has low
overhead. TFTP provides neither authentication nor encryption, so use it only for simple file
transfer on a trusted management network, and prefer SFTP or SCP where they are available.
NOTE
Pre-configuration Tasks
Before using TFTP to access other devices, configure user login.
Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as
required.
Context
You can assign an IP address to an interface on a TFTP client and use this IP address as the
source address to establish a TFTP connection.
Perform the following steps on the router that functions as a TFTP client:
Procedure
Step 1 Run system-view
NOTE
----End
Context
An ACL is a set of sequential rules. These rules are described based on source addresses,
destination addresses, and port numbers of packets. ACL rules are used to filter packets. After
ACL rules are applied to a device, the device permits or denies packets based on the ACL
rules.
Multiple rules can be defined for one ACL. ACL rules are classified as interface, basic, or
advanced ACL rules based on their functions.
Perform the following steps on the router that functions as a TFTP client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl acl-number
The basic ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ [ fragment | fragment-type
fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } |
time-range time-name | vpn-instance vpn-instance-name ] *
An ACL rule is configured.
Step 4 Run quit
Return to the system view.
Step 5 Configure an ACL to control the TFTP client's access to TFTP servers.
l For IPv4
Run tftp-server acl { acl-number | acl-name }
The ACL is applied to the TFTP client to control its access to TFTP servers.
l For IPv6
Run tftp-server ipv6 acl { acl-number | acl-name }
The ACL is applied to the TFTP client to control its access to TFTP servers.
Step 6 Run commit
The configuration is committed.
----End
Context
A remote TFTP server may be reachable only through a VPN instance rather than over the
public network. In that case, specify vpn-instance-name in the tftp command so that the
TFTP session is set up in that VPN instance.
To download a file, the TFTP client sends a read request to the TFTP server. After receiving
data, the TFTP client sends an acknowledgment to the server.
Perform one of the following operations based on the IP address type of the server:
Procedure
l Run tftp [ -a source-address | -i interface-type interface-number ] host-ip-address
[ vpn-instance vpn-instance-name | public-net ] get source-filename [ destination-filename ]
A file is downloaded using TFTP.
The interface type specified by interface-type must be loopback.
Context
To upload a file, the TFTP client sends a write request to the TFTP server. After receiving
data, the TFTP client sends an acknowledgment to the server.
Perform one of the following operations based on the IP address type of the server:
Procedure
l Run tftp [ -a source-address | -i interface-type interface-number ] host-ip-address
[ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
A file is uploaded using TFTP.
The interface type specified by interface-type must be loopback.
l Run tftp ipv6 [ -a source-ip-address ] tftp-server-ipv6 [ -oi interface-type interface-number ]
put source-filename [ destination-filename ]
A file is uploaded using TFTP over IPv6.
----End
Prerequisites
The configurations for using TFTP to access other devices are complete.
Procedure
l Run the display tftp-client command to check the source address of the TFTP client.
l Run the display acl { acl-number | all } command to check ACL rules configured on the
TFTP client.
----End
Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client
----------------------------------------------------------------------
Acl4Number : 0
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
----------------------------------------------------------------------
Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP
client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)
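The ACL configured in Steps 2 to 5 of the TFTP access-control procedure, and displayed above, is evaluated per TFTP server address using wildcard masks and, with match-order config, in the order the rules were entered. The following Python is an added example, not part of the NE40E documentation: it parses display acl rule lines of the form shown above and evaluates which rule a given server address hits. The deny rule and the test addresses are constructed. What the device does when no rule matches is not stated on this page, so the model takes it as a parameter (default "deny") that you should confirm against the device's documented behaviour for tftp-server acl.

```python
import ipaddress


def _to_int(text):
    """Accept both '1.1.1.1' and the bare '0' wildcard that the display output prints."""
    return int(text) if text.isdigit() else int(ipaddress.IPv4Address(text))


def parse_rule(line):
    """Parse one 'rule <id> permit|deny ip source <addr> <wildcard>' display line.
    Trailing text such as '(2 times matched)' is ignored."""
    tok = line.split()
    rule = {"id": int(tok[1]), "action": tok[2], "source": "any", "wildcard": "255.255.255.255"}
    if "source" in tok:
        i = tok.index("source")
        if tok[i + 1] != "any":
            rule["source"], rule["wildcard"] = tok[i + 1], tok[i + 2]
    return rule


def rule_matches(rule, address):
    """Wildcard-mask match: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if rule["source"] == "any":
        return True
    care = ~_to_int(rule["wildcard"]) & 0xFFFFFFFF
    return (_to_int(address) & care) == (_to_int(rule["source"]) & care)


def acl_verdict(rules, address, default="deny"):
    """Config-order matching: the first rule that matches decides.
    'default' is an assumption of this model for the no-match case."""
    for rule in rules:
        if rule_matches(rule, address):
            return rule["action"], rule["id"]
    return default, None


if __name__ == "__main__":
    # Constructed rule set: the two permit rules from the display output above
    # plus an invented deny covering 10.0.0.0/8.
    rules = [parse_rule("rule 5 permit ip source 1.1.1.1 0 (2 times matched)"),
             parse_rule("rule 10 permit ip source 9.9.9.9 0 (3 times matched)"),
             parse_rule("rule 15 deny ip source 10.0.0.0 0.255.255.255")]
    for server in ("1.1.1.1", "10.200.3.4", "8.8.8.8"):
        print(server, acl_verdict(rules, server))
```

Keep the permitted set to the specific TFTP servers you operate (wildcard 0, as above): because TFTP has no authentication, the ACL is the only control over where the client will send or fetch files.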
Usage Scenario
To transfer files with a remote FTP server or manage directories of the server, configure a
device as an FTP client and use FTP to access the FTP server.
Pre-configuration Tasks
Before using FTP to access other devices, configure the FTP server, including:
1. 6.4.1 Configuring a Local FTP User
2. 6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server
3. 6.4.3 Enabling the FTP Server Function
4. 6.4.4 (Optional) Configuring FTP Server Parameters
5. 6.4.5 (Optional) Configuring FTP Access Control
Configuration Procedures
Context
You can assign an IP address to an interface on an FTP client and use this IP address as the
source address to establish an FTP connection.
Perform the following steps on the router that functions as an FTP client:
Procedure
Step 1 Run system-view
After configuring a source address for an FTP client, run the display ftp-users command on
the FTP server to check that the source address of the FTP client displayed in the command
output is the same as the configured one.
----End
Context
After a user fails to log in to a device using FTP, the number of FTP login failures is recorded
for the IP address. If the number of login failures within a specified period reaches the
threshold, the IP address is locked, and all users who log in through this IP address cannot set
up an FTP connection with this device.
Procedure
Step 1 Run system-view
The client IP address locking function is enabled on the device that functions as an FTP
server.
The maximum number of consecutive authentication failures and an authentication period are
configured for client IP address locking.
Step 4 Run ftp server ip-block reactive reactive-period
A period after which the system automatically unlocks a user is specified.
Step 5 Run commit
The configuration is committed.
Step 6 Run quit
The user view is displayed.
Step 7 Run activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]
The IP address of a user that fails the authentication is unlocked.
----End
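The lockout described above has three knobs (failure threshold within an authentication period, the reactive period after which the lock expires, and the manual unlock with activate ftp server ip-block) whose interaction is easiest to see in code. The following Python is an added example, not part of the NE40E documentation: it models the per-IP lockout with constructed threshold, period and timestamps. The sliding-window treatment of old failures and the unconditional refusal of a locked address are assumptions of the model; the command that sets the threshold and period is not shown on this page and is not reproduced here.

```python
from collections import deque


class FtpIpBlock:
    """Per-client-IP lockout: lock after `failed_times` failures within `period_s`
    seconds; unlock automatically after `reactive_s` seconds or manually."""

    def __init__(self, failed_times, period_s, reactive_s):
        self.failed_times = failed_times
        self.period_s = period_s
        self.reactive_s = reactive_s
        self.failures = {}   # ip -> deque of failure timestamps inside the window
        self.locked = {}     # ip -> unlock timestamp

    def is_locked(self, ip, now):
        until = self.locked.get(ip)
        if until is None:
            return False
        if now >= until:                      # reactive period elapsed: auto-unlock
            del self.locked[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def login(self, ip, password_ok, now):
        """Outcome of one FTP authentication attempt at time `now` (seconds)."""
        if self.is_locked(ip, now):
            return "blocked"                  # even a correct password is refused
        if password_ok:
            self.failures.pop(ip, None)
            return "ok"
        window = self.failures.setdefault(ip, deque())
        window.append(now)
        while window and now - window[0] > self.period_s:
            window.popleft()                  # failures older than the period expire
        if len(window) >= self.failed_times:
            self.locked[ip] = now + self.reactive_s
            return "locked"
        return "auth-fail"

    def activate(self, ip):
        """Manual unlock, as with 'activate ftp server ip-block ip-address'."""
        self.locked.pop(ip, None)
        self.failures.pop(ip, None)

    def ip_block_list(self, now):
        """(ip, seconds until unblock) rows, like 'display ftp server ip-block list'."""
        return [(ip, until - now) for ip, until in sorted(self.locked.items()) if until > now]


if __name__ == "__main__":
    # Constructed parameters and timeline: 3 failures within 300 s lock for 300 s.
    blocker = FtpIpBlock(failed_times=3, period_s=300, reactive_s=300)
    for t in (0, 10, 20):
        print(t, blocker.login("10.0.0.1", False, t))
    print(blocker.ip_block_list(26))           # [('10.0.0.1', 294)]
    print(blocker.login("10.0.0.1", True, 30))  # blocked
```

A short reactive period limits the denial-of-service an attacker can cause by deliberately failing logins from a shared NAT address; the manual unlock exists for exactly that case.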
Context
Commands can be run in the user or FTP client view to establish connections to remote FTP
servers.
NOTE
l If the ftp command without any parameters is used in the user view to establish a control connection
to an FTP server, the FTP client view is displayed but the connection is not established.
l When you run the ftp command in the user view or the open command in the FTP client view to
establish a control connection to a remote FTP server that uses the default listening port
number, you do not need to specify a listening port number in the command. Otherwise, you
must specify the listening port number in the command.
l Before logging in to the FTP server, you can run the set net-manager vpn-instance command to
configure a default VPN instance. After a default VPN instance is configured, it will be used for
FTP operations.
Perform either of the following operations on the FTP client based on the type of the server's
IP address:
Procedure
l If the server has an IPv4 address, use commands described in Table 8-1 to connect the
client to other devices.
Table 8-1 Using FTP commands to connect the FTP client to other devices (columns: View, Operation)
l If the server has an IPv6 address, use commands described in Table 8-2 to connect the
client to other devices.
Table 8-2 Using FTP commands to connect the FTP client to other devices (columns: View, Operation)
----End
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-number ]
[ vpn-instance vpn-instance-name | public-net ] command to use an IPv6 address to
establish a connection to the FTP server and enter the FTP client view.
Managing files:
l Configuring the file type
– Run the ascii command to set the file type to ASCII.
– Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used.
l Configuring the data connection mode
– Run the passive command to set the data connection mode to PASV.
– Run the undo passive command to set the data connection mode to ACTIVE.
l Enabling the file transfer notification function
– If the prompt command is run in the FTP client view to enable the file transfer
notification function, the system prompts you to confirm the upload or download
operation during file upload or download.
– If the prompt command is run again in the FTP client view, the file transfer
notification function is disabled.
NOTE
The prompt command applies when the mput or mget command is used to upload or download
files. If the local device already has the files to be downloaded by running the mget command,
the system prompts you to replace the existing ones regardless of whether the file transfer
notification function is enabled.
----End
Context
After you log in to an FTP server from a device functioning as an FTP client, you can use
another user name to log in to the server. Changing a login user role does not affect the
current FTP connection. That is, FTP control and data connections and the connection status
do not change.
If you enter an incorrect user name or password, the current FTP connection is ended. To
log in to the server again, you must enter a correct user name and password.
NOTE
After logging in to the HUAWEI NetEngine40E, you can log in to the FTP server by using another user
name without logging out of the FTP client view. The established FTP connection is identical with that
established by running the ftp command.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-number ]
[ vpn-instance vpn-instance-name | public-net ] command to use an IPv6 address to
establish a connection to the FTP server and enter the FTP client view.
After the login user role is changed, the connection between the original user role and the FTP
server is ended.
NOTE
Only FTP users at Level 3 or higher can run the user user-name command to change the user role and
log in to the FTP server.
----End
Context
After the number of users logging in to an FTP server reaches the upper limit, no more
authorized users can log in. To allow authorized users to log in to the FTP server, end idle
connections to the FTP server.
Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ port-number ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-number ]
[ vpn-instance vpn-instance-name | public-net ] command to use an IPv6 address to
establish a connection to the FTP server and enter the FTP client view.
Step 2 Perform either of the following operations as needed to end an FTP connection.
l Run the bye/quit command to end the connection to the FTP server and return to the
user view.
l Run the close/disconnect command to end both the connection to the FTP server and the
FTP session and remain in the FTP client view.
----End
Prerequisites
The configurations of accessing other devices by using FTP are complete.
Procedure
l Run the display ftp-client command to check the source address of the FTP client.
l Run the display ftp server ip auth-fail information command to check information
about the IP addresses of all the clients that fail to pass authentication.
l Run the display ftp server ip-block list command to check information about the locked
IP addresses of all the clients that fail to pass authentication.
----End
Example
After configuring the source IP address of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
--------------------------------------------------------------------------------
ACL name :
ACL number :
Source IPv4 address : 0.0.0.0
Interface Name :
--------------------------------------------------------------------------------
After configuring the loopback interface of the FTP client, run the display ftp-client
command to view the configuration.
<HUAWEI> display ftp-client
--------------------------------------------------------------------------------
ACL name :
ACL number :
Source IPv4 address : 0.0.0.0
Interface Name : LoopBack0
--------------------------------------------------------------------------------
On the FTP server, run the display ftp server ip auth-fail information command to check
information about the IP addresses of all the clients that fail to pass authentication.
<HUAWEI> display ftp server ip auth-fail information
--------------------------------------------------------------------------------
IP Address         VPN Name     First Time Auth-fail     Auth-fail Count
--------------------------------------------------------------------------------
10.0.0.1           _public_     2016-09-05 11:19:28      1
--------------------------------------------------------------------------------
On the FTP server, run the display ftp server ip-block list command to check information
about the locked IP addresses of all the clients that fail to pass authentication.
<HUAWEI> display ftp server ip-block list
--------------------------------------------------------------------------------
IP Address         VPN Name     UnBlock Interval (Seconds)
--------------------------------------------------------------------------------
10.0.0.1           _public_     294
--------------------------------------------------------------------------------
Usage Scenario
Based on SSH, SFTP ensures that users log in to a remote device securely to manage and
transfer files, enhancing secure file transfer. Because the device can function as an SFTP
client, you can log in to a remote SSH server from the device to transfer files securely.
Pre-configuration Tasks
Before using SFTP to access other devices, complete the following task:
Configuration Procedures
Path 1 (first authentication enabled on the SSH client):
1. Configure first login to the SSH server (enabling first authentication on the SSH client).
2. Use SFTP to connect the SSH client to the SSH server.
3. Use SFTP commands to operate files.
Path 2 (SSH client bound to the public key generated on the SSH server):
1. Configure first login to the SSH server (binding the SSH client to the public key generated on the SSH server).
2. Use SFTP to connect the SSH client to the SSH server.
3. Use SFTP commands to operate files.
Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the
source address to establish an SFTP connection.
The source address for an SFTP client can be a source interface or a source IP address.
Procedure
Step 1 Run system-view
----End
Context
After the first login, the system automatically allocates an RSA, DSA, or ECC public key and
saves the key for subsequent login authentication.
Perform the following steps on the device that functions as an SSH client:
Procedure
Step 1 Run system-view
----End
8.7.3 Configuring First Login to the SSH Server (Binding the SSH Client to the Public Key Generated on the SSH Server)
To allow the SSH client to successfully log in to the SSH server for the first time, configure
the SSH client to allocate an RSA, DSA, or ECC public key to the SSH server before the
login if first authentication is disabled.
Context
If first authentication is disabled, the SSH client cannot log in to the SSH server because the
validity check of the RSA, DSA, or ECC public key fails. An RSA, DSA, or ECC public key
needs to be allocated to the server before the SSH client logs in to the server.
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform any of the following operations based on the selected public key algorithm:
l To enter the RSA public key view, run the rsa peer-public-key key-name command.
l To enter the DSA public key view, run the dsa peer-public-key key-name command.
l To enter the ECC public key view, run the ecc peer-public-key key-name command.
Step 3 Run public-key-code begin
The public key edit view is displayed.
Step 4 Enter hex-data to edit the public key.
The entered public key must be a hexadecimal string complying with the public key format.
The public key is generated randomly on the SSH server.
NOTE
After entering the public key edit view, copy and paste the RSA, DSA, or ECC public key generated on
the server to the client.
l To assign an RSA public key to the SSH server, run the ssh client { server-name | server-ip } assign rsa-key key-name command.
l To assign a DSA public key to the SSH server, run the ssh client { server-name | server-ip } assign dsa-key key-name command.
l To assign an ECC public key to the SSH server, run the ssh client { server-name | server-ip } assign ecc-key key-name command.
Step 8 Run commit
The configuration is committed.
----End
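The key code pasted in Step 4 is a DER-style RSAPublicKey (a SEQUENCE holding the modulus and exponent INTEGERs), so its modulus length can be verified before the key is bound to a server. Added example, not part of the NE40E documentation: the two key blobs are the ones shown on this page (rsakey001 from the configuration file and the client002 Server Key), and the 2048-bit modulus in the usage part is constructed, not a real key.

```python
"""Parse and check the hex key code that the public-key-code begin view
accepts (a DER-style RSAPublicKey SEQUENCE: modulus INTEGER, exponent
INTEGER). Added example, not part of the NE40E documentation. The two
key blobs are copied from the display outputs and configuration file on
this page; the 2048-bit key in the usage part is constructed.
"""

# "rsa peer-public-key rsakey001" block from the SSH server configuration
# file on this page (whitespace and line breaks are ignored when parsing).
RSAKEY001_HEX = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""

# "Server Key" of client002 from the display output on this page.
CLIENT002_SERVER_HEX = """
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
"""

MIN_RSA_BITS = 2048  # this page's NOTE: do not use RSA keys shorter than 2048 bits


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _read_tlv(buf: bytes, pos: int) -> tuple:
    """Decode one tag-length-value element at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated key code")
    return tag, value, pos + length


def parse_rsa_public_key(hex_blob: str) -> dict:
    """Return the modulus, its bit length and the exponent of a key code.
    The key code on this page carries no 0x00 pad byte in front of a
    modulus whose top bit is set, so the INTEGER is read as unsigned."""
    data = bytes.fromhex("".join(hex_blob.split()))
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected a single SEQUENCE")
    tag, n_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    tag, e_bytes, pos = _read_tlv(seq, pos)
    if tag != 0x02 or pos != len(seq):
        raise ValueError("expected INTEGER exponent as the last element")
    modulus = int.from_bytes(n_bytes, "big")
    return {"modulus": modulus, "modulus_bits": modulus.bit_length(),
            "exponent": int.from_bytes(e_bytes, "big")}


def encode_rsa_public_key(modulus: int, exponent: int) -> str:
    """Produce the uppercase hex key code in the same layout as the page
    (no pad byte in front of the modulus), e.g. for a key already in hand."""
    def integer(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return b"\x02" + _der_length(len(body)) + body
    body = integer(modulus) + integer(exponent)
    return (b"\x30" + _der_length(len(body)) + body).hex().upper()


def is_acceptable(hex_blob: str, min_bits: int = MIN_RSA_BITS) -> bool:
    """True if the key code parses and its modulus meets the minimum length."""
    return parse_rsa_public_key(hex_blob)["modulus_bits"] >= min_bits


if __name__ == "__main__":
    for name, blob in (("rsakey001", RSAKEY001_HEX), ("client002_Server", CLIENT002_SERVER_HEX)):
        info = parse_rsa_public_key(blob)
        print(f"{name}: {info['modulus_bits']}-bit, e={info['exponent']},",
              "acceptable" if is_acceptable(blob) else f"below {MIN_RSA_BITS} bits")
    # Constructed 2048-bit modulus (not a real key) to exercise the long-form length path.
    sample = encode_rsa_public_key((1 << 2047) | 1, 65537)
    print("constructed:", parse_rsa_public_key(sample)["modulus_bits"], "bits", sample[:12], "...")
```

Both keys shown on this page are shorter than the 2048 bits the NOTE requires, which the check reports before the key is assigned.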
8.7.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.
Context
The command used to enable the SFTP client is similar to the command used to enable the
STelnet client. Both commands can carry the source address, key exchange algorithm,
encryption algorithm, HMAC algorithm, and Keepalive interval.
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm | aes256_gcm } *
The encryption algorithms are configured for the SSH client.
NOTE
des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 are cryptographically weak. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, or aes256_gcm is recommended because these algorithms provide higher security.
Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
The HMAC authentication algorithms are configured for the SSH client.
NOTE
sha2_256_96, sha1, sha1_96, md5, and md5_96 are cryptographically weak. Therefore, do not add them to the authentication algorithm list.
NOTE
For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.
----End
Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
l Create and delete directories of the SSH server; view the current working directory; view
files in a directory and the list of sub-directories.
l Rename, delete, upload, and download files.
l View command help on the SFTP client.
Perform the following steps on the router that functions as an SSH client:
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform either of the following steps based on a network protocol:
Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ prefer_kex prefer_kex | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac |
Managing files on the server:
l Renaming a file on the server: run the rename old-name new-name command.
l Deleting files from the server: run the remove path &<1-10> or delete file command.
----End
Follow-up Procedure
There is a limit to the maximum number of SFTP clients that can connect to the SFTP server
at the same time. Therefore, after performing the desired operations on the SFTP server,
disconnect the SFTP client from the SFTP server so that other users can access the SFTP
server. You can run the bye, exit, or quit command in the SFTP client view to disconnect the
SFTP client from the SFTP server.
Prerequisites
Before you run the sftp client-transfile command to connect to an SFTP server, ensure that
the following requirements are met:
l The route between the SSH client and server is reachable. If the server does not use a
standard port number, the port number configured on the server must be obtained.
l The IP address of the SSH server and the information about the SSH user used for login
are obtained.
l The SFTP service is enabled on the server; the service types configured for the server
contain SFTP; password authentication is configured for the SSH user.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform either of the following steps based on a network protocol:
l Establish an SFTP connection based on IPv4
Run the sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] * username user-name password password sourcefile source-file [ destination destination ] command to connect to the SFTP server in IPv4 mode and download files from the server to the SFTP client or upload files from the SFTP client to the server.
l Establish an SFTP connection based on IPv6
Run the sftp client-transfile { get | put } ipv6 [ -a source-ipv6-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex prefer_kex ] | [ identity-key { rsa | dsa | ecc } |
----End
Example
# Configure an SFTP user to download the source file sample.txt from the server at 10.1.1.4
to the SFTP client, and log in to the SFTP server in DSA authentication mode.
<HUAWEI> system-view
[HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa username huawei password Huawei-123 sourcefile sample.txt
Prerequisites
The configurations of using SFTP to access other devices are complete.
Procedure
l Run the display sftp-client command to check the source address of the SFTP client.
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End
Example
Run the display sftp-client command on the client to view the source address of the SFTP
client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
--------------------------------------------------------------------------------
Server Name(IP)          Server public key name
Usage Scenario
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP allows file upload
or download without user authentication or public key allocation. SCP also supports file
upload or download in batches.
Pre-configuration Tasks
Before using SCP to access other devices, ensure that the route between the SCP client and
server is reachable.
Configuration Procedures
Context
SCP is a secure file transfer method based on SSH2.0. By default, user interfaces support
Telnet. To use SCP to access other devices, configure user interfaces to support SSH.
Procedure
Step 1 Configure VTY user interfaces to support SSH (for details, see Configuring VTY User
Interfaces to Support SSH).
Step 2 Configure an SSH user (for details, see Configuring an SSH User and Specifying a Service
Type).
Step 3 Enable SCP service.
l Run scp server enable
The SCP service function is enabled.
l Run scp ipv4 server enable
The IPv4 SCP service function is enabled.
l Run scp ipv6 server enable
The IPv6 SCP service function is enabled.
Step 4 (Optional) Configure the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.
ssh server dh-exchange min-len min-len
If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bits, run
the ssh server dh-exchange min-len command to set the minimum key length to 2048 bits to
improve security.
Step 5 Run commit
The configuration is committed.
----End
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-instance-name ] | -i interface-type interface-number }
A source IP address or a source interface is configured for the SCP client.
The default source IP address of the SCP client is 0.0.0.0.
Step 3 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm | aes256_gcm } *
NOTE
des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 are cryptographically weak. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, or aes256_gcm is recommended because these algorithms provide higher security.
Step 4 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *
The HMAC authentication algorithms are configured for the SSH client.
By default, an SSH client supports these HMAC authentication algorithms: MD5, MD5_96, SHA2_512, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.
NOTE
sha2_256_96, sha1, sha1_96, md5, and md5_96 are cryptographically weak. Therefore, do not add them to the authentication algorithm list.
Step 5 Choose either of the following steps based on the network protocol to upload files to or
download files from the SCP server.
l For IPv4 configuration:
Run scp [ -port port-number | { public-net | -vpn-instance vpn-instance-name } | { -a source-ip-address | -i interface-type interface-number } | -r | identity-key { dsa | rsa | ecc } | -cipher cipher | -prefer-kex prefer-kex | -c | -force-receive-pubkey ] * source-filename destination-filename
l For IPv6 configuration:
Run scp ipv6 [ -port port-number | { public-net | -vpn-instance vpn-instance-name } | -a source-ipv6-address | -r | identity-key { dsa | rsa | ecc | sm2 } | -cipher cipher | -prefer-kex prefer-kex | -c | -force-receive-pubkey ] * source-filename destination-filename [ -oi interface-type interface-number ]
NOTE
To ensure high security, do not use the des algorithm, 3des algorithm, and rsa algorithm whose length is
less than 2048 digits.
----End
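The NOTEs in Step 3 and Step 4 above, and the same NOTEs in the SFTP client procedure in 8.7.4, can be checked mechanically against a saved configuration file, including the case where no ssh client hmac line exists and the default list (which still contains the weak algorithms) applies. Added example, not part of the NE40E documentation; the two configuration snippets are constructed, and the default HMAC list is the one stated in Step 4.

```python
"""Audit the SSH algorithm settings in a Huawei configuration file against the
weak-algorithm NOTEs on this page (ssh client cipher, ssh client hmac, ssh server
dh-exchange min-len). Added example, not part of the NE40E documentation; the two
configuration snippets are constructed for illustration.
"""
import re

# Algorithms the page's NOTEs say must not be added to the client lists.
WEAK_CIPHERS = {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
                "arcfour128", "arcfour256"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
# HMAC list an SSH client supports when no "ssh client hmac" line is present
# (default list as stated on this page).
DEFAULT_HMACS = {"md5", "md5_96", "sha2_512", "sha1", "sha1_96", "sha2_256", "sha2_256_96"}
MIN_DH_BITS = 2048  # the page recommends a 2048-bit minimum for dh-exchange

DH_RE = re.compile(r"^ssh server dh-exchange min-len (\d+)$")

# Constructed configuration with three problems: a weak cipher in the list,
# a 1024-bit DH minimum, and no ssh client hmac line at all.
WEAK_CONFIG = """\
#
sysname P1
#
ssh client cipher aes128_ctr des_cbc aes256_gcm
ssh server dh-exchange min-len 1024
ssh client first-time enable
#
return
"""

# The same device after applying the page's recommendations.
HARDENED_CONFIG = """\
#
sysname P1
#
ssh client cipher aes128_ctr aes192_ctr aes256_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh server dh-exchange min-len 2048
ssh client first-time enable
#
return
"""


def audit_ssh_config(config_text: str) -> list:
    """Return a list of (line_number, message) findings; line_number is None
    for a finding about a line that is missing altogether."""
    findings = []
    hmac_configured = False
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        parts = line.split()
        if parts[:3] == ["ssh", "client", "cipher"]:
            bad = sorted(set(parts[3:]) & WEAK_CIPHERS)
            if bad:
                findings.append((lineno, "weak cipher(s) in list: " + ", ".join(bad)))
        elif parts[:3] == ["ssh", "client", "hmac"]:
            hmac_configured = True
            bad = sorted(set(parts[3:]) & WEAK_HMACS)
            if bad:
                findings.append((lineno, "weak HMAC(s) in list: " + ", ".join(bad)))
        else:
            m = DH_RE.match(line)
            if m and int(m.group(1)) < MIN_DH_BITS:
                findings.append((lineno, f"dh-exchange min-len {m.group(1)} is below {MIN_DH_BITS}"))
    if not hmac_configured:
        # Nothing configured means the default list, which still offers weak HMACs.
        bad = sorted(DEFAULT_HMACS & WEAK_HMACS)
        findings.append((None, "no 'ssh client hmac' line: default list still offers " + ", ".join(bad)))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_ssh_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for lineno, msg in result:
            print(f"  line {lineno}: {msg}")
```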
Prerequisites
The configurations for using SCP to access other devices are complete.
Procedure
l Run the display scp-client command to check the source IP address of the SCP client.
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End
Example
Run the display scp-client command to view the source IP address of the SCP client.
<HUAWEI> display scp-client
The source address of the SCP client is 1.1.1.1.
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
--------------------------------------------------------------------------------
Server Name(IP)      Server public key name    Server public key type    State
--------------------------------------------------------------------------------
1000::1              1000::1                   RSA                       CONFIGURE
10.164.39.223        10.164.39.223             RSA                       CONFIGURE
127.0.0.1            127.0.0.1                 RSA                       CONFIGURE
192.0.0.223          192.0.0.223               RSA                       CONFIGURE
--------------------------------------------------------------------------------
Context
To download a certificate from an HTTP server, use HTTP. HTTP transfers web page
information on the Internet.
NOTE
HTTP has security risks.
Pre-configuration Tasks
Before logging in to a device using HTTP, configure a reachable route between the desired
terminal and device.
Configuration Procedures
Procedure
l If the server does not support SSL policies, perform the following steps on the HTTP
client:
a. Run system-view
The HTTP client needs to load a certificate for the SSL policy according to the
format of the certificate loaded on the HTTP server.
n Run the certificate load pem-cert cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code command to load a certificate in the PEM format for the SSL policy.
n Run the certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac cipher mac-code | key-file key-filename } auth-code cipher auth-code command to load a certificate in the PFX format for the SSL policy.
n Run the certificate load pem-chain cert-filename key-pair { dsa | rsa } key-file key-filename auth-code cipher auth-code command to load a certificate in the PEM-chain format for the SSL policy.
d. Run trusted-ca load
A trusted-CA file is loaded for the SSL policy.
The HTTP client needs to load a trusted-CA file for the SSL policy according to the
format of the trusted-CA file loaded on the HTTP server.
n Run the trusted-ca load pem-ca ca-filename command to load a trusted-CA file in the PEM format for the SSL policy.
n Run the trusted-ca load pfx-ca ca-filename auth-code cipher auth-code command to load a trusted-CA file in the PFX format for the SSL policy.
e. Run commit
The configuration is committed.
f. Run quit
The system view is displayed.
g. Run http
HTTP is enabled, and the HTTP view is displayed.
h. Run client ssl-policy policy-name
An SSL policy is configured for the HTTP client.
i. Run client ssl-verify peer
The HTTP client is configured to perform SSL verification on the HTTP server.
j. Run commit
The configuration is committed.
----End
Context
You can disable an insecure public key algorithm to deny device login using this algorithm,
improving device security. A public key algorithm can be used for login only after it is
enabled on both the client and server.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run either of the following commands based on the SSH service type to enable or disable the
algorithm function.
1. Run ssh client publickey { dsa | ecc | rsa } *
A public key encryption algorithm allowed on the SSH client is configured.
2. Run ssh server publickey { dsa | ecc | rsa } *
A public key encryption algorithm allowed on the SSH server is configured.
By default, the DSA, ECC, and RSA algorithms are enabled.
NOTE
To allow one public key algorithm and deny the others, run the preceding command with only that algorithm specified. For example, after the ssh client publickey dsa command is run, the DSA algorithm is allowed but the ECC and RSA algorithms are not.
If this command is run multiple times, the last configuration takes effect.
Step 3 Run either of the following commands based on the SSH service type to restore the default
algorithm.
1. Run undo ssh client publickey [ dsa | ecc | rsa ] *
The public key encryption algorithm of the SSH client is restored to the default value.
2. Run undo ssh server publickey [ dsa | ecc | rsa ] *
The public key encryption algorithm of the SSH server is restored to the default value.
Step 4 Run commit
The configuration is committed.
----End
Context
A device can send multiple types of protocol packets, such as NETCONF, Telnet, and SSH
packets. You can run the host-packet type command to uniformly configure a DSCP value
for the protocol packets. If a large number of protocol packets with the same DSCP value are
sent, network congestion may occur. To address this issue, configure different DSCP values
for the packets.
Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run one or more of the following commands based on the service type and protocol packet
type:
1. Run ssh client dscp
A DSCP value is configured for the SSH packets sent by a client.
----End
Example
Run the display current-configuration command to check the configured DSCP value.
<HUAWEI> system-view
[~HUAWEI] display current-configuration include-default | include dscp
Info: It will take a long time if the content you search is too much or the
string you input is too long, you can press CTRL_C to break.
telnet server dscp 10
telnet client dscp 10
ssh server dscp 10
ssh client dscp 10
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to.
As shown in Figure 8-12, you can use Telnet on the PC to log in to P1 but cannot directly use
Telnet to log in to P2. P1 and P2 are routable. To remotely manage and configure P2, use
Telnet on P1 to log in to P2.
(Figure 8-12: PC, Telnet session over the network to P1 (Interface1, 1.1.1.1/24), Telnet session over the network from P1 to P2 (Interface1, 2.1.1.1/24))
Precautions
l P1 and P2 must be routable.
l You must be able to log in to P1.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Use Telnet on P1 to log in to P2.
Data Preparation
To complete the configuration, you need the following data:
l Host address of P2: 2.1.1.1
l Authentication mode: password; password: Hello-hello
Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[*HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication password
Please configure the login password (8-16)
Enter Password:
Confirm Password:
NOTE
l A password is entered in man-machine interaction mode. The system does not display the entered
password.
l A password is a string of 8 to 16 case-sensitive characters and must contain at least two types of the
following characters: uppercase letters, lowercase letters, digits, and special characters.
Special characters do not include question marks (?) or spaces. However, when the password is enclosed in double quotation marks, spaces are allowed in it.
– A password enclosed in double quotation marks cannot contain double quotation marks if it contains spaces.
– A password enclosed in double quotation marks can contain double quotation marks if it contains no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
If an ACL is configured to access other devices by using Telnet, perform the following
configurations on P2:
[~P2] acl 2000
[*P2-acl4-basic-2000] rule permit source 1.1.1.1 0
[*P2-acl4-basic-2000] quit
[*P2] user-interface vty 0 4
[*P2-ui-vty0-4] acl 2000 inbound
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit
----End
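The password rules in the NOTE above (length, character types, and the question-mark, space and double-quotation-mark conditions) can be checked before a password is typed into the interactive prompt, where a rejected value is otherwise only discovered at login time. Added example, not part of the NE40E documentation; it assumes the length and character-type checks apply to the password without its enclosing quotation marks, which is consistent with the page's "Aa123"45"" example.

```python
"""Validate a VTY login password against the rules in the NOTE on this page
(length 8-16, at least two character types, no '?' or spaces unless the
password is enclosed in double quotation marks, and the quotation-mark rules).
Added example, not part of the NE40E documentation. Assumption: length and
character types are checked on the password without its enclosing quotes.
"""
import string

ALNUM = string.ascii_letters + string.digits
NEVER_SPECIAL = {"?", " "}  # the page excludes these from "special characters"


def validate_login_password(password: str) -> tuple:
    """Return (ok, reason). Enclosing double quotation marks, if present,
    are stripped before the checks, as in the page's "Aa123"45"" example."""
    quoted = len(password) >= 2 and password[0] == '"' and password[-1] == '"'
    body = password[1:-1] if quoted else password

    if "?" in body:
        return False, "question marks are not allowed"
    if " " in body:
        if not quoted:
            return False, "spaces are only allowed inside double quotation marks"
        if '"' in body:
            return False, "a quoted password containing spaces cannot contain double quotation marks"
    if not 8 <= len(body) <= 16:
        return False, "length must be 8 to 16 characters"

    types_present = {
        "uppercase": any(c in string.ascii_uppercase for c in body),
        "lowercase": any(c in string.ascii_lowercase for c in body),
        "digit": any(c in string.digits for c in body),
        "special": any(c not in ALNUM and c not in NEVER_SPECIAL for c in body),
    }
    if sum(types_present.values()) < 2:
        return False, "at least two character types are required"
    return True, "ok"


if __name__ == "__main__":
    # The two examples from the page's NOTE plus the Telnet password used in this section.
    for candidate in ('"Aa123"45""', '"Aa 123"45""', "Hello-hello", "abcdefgh", "bad?pass1"):
        ok, reason = validate_login_password(candidate)
        print(f"{candidate!r}: {'valid' if ok else 'invalid'} ({reason})")
```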
Configuration Files
l P1 configuration file
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return
l P2 configuration file
#
sysname P2
#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
authentication-mode password
set authentication password cipher @%@%(t7h+Qu=a#pz`3Kylk1/,JXR%iy(DA!x8&+!|#b&.dEW65~.lEqGm~Np$O#2M]xJM@%@%
acl 2000 inbound
#
return
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks, such as IP spoofing and simple password
interception. As shown in Figure 8-13, after the STelnet server function is enabled on the
SSH server, the STelnet client can log in to the SSH server in password, ECC, password-ECC,
DSA, password-DSA, RSA, password-RSA, SM2, password-SM2, or all authentication mode.
(Figure 8-13: SSH server, Interface1 10.1.1.1/16; SSH clients, Interface1 10.1.2.2/16 and Interface1 10.1.3.3/16)
Precautions
Client001 and client002 are configured to log in to the SSH server in password and RSA
authentication modes, respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of the SSH server: 10.1.1.1
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when the password is enclosed in double quotation marks, spaces are allowed in it.
– A password enclosed in double quotation marks cannot contain double quotation marks if it contains spaces.
– A password enclosed in double quotation marks can contain double quotation marks if it contains no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0
006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7
36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A
7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275
2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153
7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
<SSH Server>
If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the STelnet server
function has been enabled and that the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
l client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
ssh client first-time enable
#
return
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.
STelnet provides secure Telnet services based on SSH connections. Providing encryption and
authentication, SSH protects devices against attacks of IP address spoofing and simple
password interception. As shown in Figure 8-14, after the STelnet server function is enabled
on the SSH server, the STelnet client can log in to the SSH server in the authentication mode
of password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, or all.
Figure 8-14 Networking diagram for logging in to another device by using STelnet
(Figure 8-14: SSH server, Interface1 10.1.1.1/16; SSH clients, Interface1 10.1.2.2/16 and Interface1 10.1.3.3/16)
Precautions
Two users client001 and client002 are configured to log in to the SSH server in the
authentication mode of password and DSA respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the DSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.
Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123)
l Client002: DSA authentication (public key: dsakey001)
l IP address of the SSH server: 10.1.1.1
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all.
• If the authentication mode is password, password-RSA, password-DSA, or password-ECC,
configure a local user on the server with the same user name.
• If the authentication mode is RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all, save the RSA, DSA, or ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, the quoted password cannot contain double quotation marks.
– If the password contains no spaces, the quoted password can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
========================================================
Key code:
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
# Copy the DSA public key generated on the client to the server.
[*SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965
22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858
6B50EEBC
# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. You can find that the STelnet server function has been
enabled, and the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
----End
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
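The password NOTE in the procedure above states the rules as prose; the following is an added example, not Huawei code, that encodes those rules as a validator and runs it over the NOTE's own two sample passwords. The 8-128 length bound is taken from the "Please configure the password (8-128)" prompt that appears in the FTP example later in this section; treating the surrounding quotation marks as part of the typed length is an assumption of this example, as is allowing a double quotation mark inside an unquoted password (the NOTE does not forbid it).

```python
"""Validate a password against the CLI password rules in this guide's NOTE:
a question mark is never allowed; spaces are allowed only when the password
is wrapped in double quotation marks; a quoted password may contain double
quotation marks only if it contains no spaces. Added example, not Huawei
code. The 8-128 length bound comes from the guide's FTP example prompt;
counting the surrounding quotes toward that length is an assumption."""

MIN_LEN, MAX_LEN = 8, 128  # from "Please configure the password (8-128)"


def password_problems(pw: str) -> list:
    """Return the list of rule violations for pw (an empty list means valid)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length {len(pw)} outside {MIN_LEN}-{MAX_LEN}")
    if "?" in pw:
        problems.append("question mark is never allowed")
    # A password is "quoted" when the first and last typed characters are ".
    quoted = len(pw) >= 2 and pw[0] == '"' and pw[-1] == '"'
    if quoted:
        inner = pw[1:-1]
        if " " in inner and '"' in inner:
            problems.append("a quoted password with spaces cannot contain double quotation marks")
    elif " " in pw:
        problems.append("spaces are only allowed inside surrounding double quotation marks")
    return problems


def password_is_valid(pw: str) -> bool:
    """True when no rule is violated."""
    return not password_problems(pw)


if __name__ == "__main__":
    # The first two samples are the guide's own; the rest are constructed here.
    samples = ['"Aa123"45""', '"Aa 123"45""', "Hello-huawei123",
               "Hello huawei123", '"Hello huawei123"', "Ab?12345", "Ab1"]
    for sample in samples:
        print(f"{sample!r}: {password_problems(sample) or 'valid'}")
```

Running the block reproduces the NOTE's verdicts: the quoted password with inner quotation marks and no space passes, and the same password with a space added fails.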
Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks such as IP spoofing and simple password
interception. After the STelnet server function is enabled on the SSH server, the STelnet client
can log in to the SSH server in the password, ECC, password-ECC, DSA, password-DSA, RSA,
password-RSA, SM2, password-SM2 or all authentication mode. As shown in Figure 8-15,
client001 and client002 are configured to log in to the SSH server in password and ECC
authentication modes, respectively.
(Figure 8-15: SSH server at Interface1 10.1.1.1/16; two client devices at Interface1 10.1.2.2/16 and
Interface1 10.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the ECC public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
• Client001: password authentication (password: Hello-huawei123).
• Client002: ECC authentication (public key: ecckey001).
• IP address of the SSH server: 10.1.1.1.
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, the quoted password cannot contain double quotation marks.
– If the password contains no spaces, the quoted password can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
8D7723E0
7E63D68D E7
# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA
2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899
24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8
379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit
# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
<~client001> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:
If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the STelnet server
function has been enabled and that the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------
Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed
----End
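The verification step above tells you to read the display ssh server status and display ssh server session output by eye. As an added example, not Huawei code, the block below parses the "Name : value" lines exactly as the guide prints them and flags what a hardening review would question in the sample output: SSH version 1.x compatibility is Enable, and the session shown negotiated aes128-cbc, hmac-md5 and diffie-hellman-group-exchange-sha1. The sample text is copied from the guide's own output (abridged); the weak-algorithm sets are this example's review policy and are not device settings.

```python
"""Audit the text of 'display ssh server status' and 'display ssh server
session' as reproduced in this guide's verification step. Added example, not
Huawei code; the sample output is copied from the guide, and the
weak-algorithm lists are this example's own review policy."""

# Copied from the guide's 'display ssh server status' output (abridged).
SAMPLE_STATUS = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH server source address : 10.1.1.1
ACL name :
"""

# Copied from the guide's 'display ssh server session' output (abridged).
SAMPLE_SESSION = """\
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Authentication Type : password
"""

# Review policy (this example's own): algorithm names to flag when negotiated.
CBC_OR_LEGACY_CIPHERS = {"des-cbc", "3des-cbc", "aes128-cbc", "aes192-cbc",
                         "aes256-cbc", "arcfour"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
SHA1_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}


def parse_fields(text: str) -> dict:
    """Turn 'Name : value' lines into a dict; an empty value becomes ''."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # separator rows such as '-----' carry no field
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def audit_status(fields: dict) -> list:
    """Findings for the server-wide settings."""
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH version 1.x compatibility is enabled")
    if fields.get("SSH server DES") == "Enable":
        findings.append("DES is enabled on the SSH server")
    return findings


def audit_session(fields: dict) -> list:
    """Findings for one negotiated session (both directions are checked)."""
    findings = []
    for key in ("CTOS Cipher", "STOC Cipher"):
        if fields.get(key) in CBC_OR_LEGACY_CIPHERS:
            findings.append(f"{key} {fields[key]}: CBC or legacy cipher")
    for key in ("CTOS Hmac", "STOC Hmac"):
        if fields.get(key) in WEAK_MACS:
            findings.append(f"{key} {fields[key]}: weak MAC")
    if fields.get("Kex") in SHA1_KEX:
        findings.append(f"Kex {fields['Kex']}: SHA-1 key exchange")
    return findings


if __name__ == "__main__":
    for title, text, audit in (("status", SAMPLE_STATUS, audit_status),
                               ("session", SAMPLE_SESSION, audit_session)):
        for finding in audit(parse_fields(text)) or ["no findings"]:
            print(f"{title}: {finding}")
```

The parser splits on the first colon only, so values that themselves contain colons (for example the Idle Time field in the guide's output) are kept intact.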
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign ecc-key ecckey001
Networking Requirements
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However, FTP
involves complex interactions between terminals and servers, which are hard to implement on
terminals that do not run advanced operating systems. TFTP is designed for file transfer that
does not require complex interactions between terminals and servers. It is simple and
inexpensive to implement. TFTP can be used only for simple file transfer and provides no
authentication.
As shown in Figure 8-16, you can log in to the TFTP client from a PC and upload files to or
download files from the TFTP server.
Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the
server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.
Data Preparation
To complete the configuration, you need the following data:
• TFTP software to be installed on the TFTP server
• Name of the file to be downloaded and path of the file on the TFTP server
• Name of the file to be uploaded and path of the file on the TFTP client
Procedure
Step 1 Enable the TFTP server function.
In the Current Directory column, set the directory in which the file to be downloaded resides
on the TFTP server, as shown in Figure 8-17.
NOTE
Run the tftpservermt command on the client to enter the TFTP server path and run the
following command:
Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed
Directory of 0/17#cfcard:/
Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed
----End
Configuration Files
None
Networking Requirements
To transfer files with a remote FTP server or manage directories of the server, configure a
device as an FTP client and use FTP to access the FTP server.
As shown in Figure 8-18, the FTP client and server are routable. To download system
software and configuration files from the FTP server to the FTP client, log in to the FTP
server from the FTP client.
(Figure 8-18: FTP client at Interface1 2.1.1.1/24 and FTP server at Interface1 1.1.1.1/24, connected
over the network)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server and
the directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to download
files from the server.
Data Preparation
To complete the configuration, you need the following data:
• User name: huawei; password: Hello-huawei123
• IP address of the FTP server: 1.1.1.1
• Name of the file to be downloaded and directory of the file
Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation marks
are used around a password, spaces are allowed in the password.
• If the password contains spaces, the quoted password cannot contain double quotation marks.
• If the password contains no spaces, the quoted password can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*HUAWEI-aaa] local-user huawei service-type ftp
[*HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[*HUAWEI-aaa] local-user huawei level 3
[*HUAWEI-aaa] commit
[*HUAWEI-aaa] quit
Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit
Step 5 Download the latest system software from the FTP server to the FTP client.
[ftp] get V800R010C10B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for V800R010C10B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit
Run the dir command to check whether the required file has been downloaded to the client.
----End
Configuration Files
• FTP server configuration file
#
aaa
local-user huawei password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user huawei ftp-directory cfcard:/
local-user huawei level 3
local-user huawei service-type ftp
#
interface GigabitEthernet1/0/1
undo shutdown
Networking Requirements
SFTP is based on SSH and ensures that users log in to a remote device securely to manage and
transfer files, enhancing secure file transfer. Because the device can function as an SFTP
client, you can log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 8-19, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in the password, ECC, password-ECC, DSA,
password-DSA, RSA, password-RSA, SM2, password-SM2 or all authentication mode.
(Figure 8-19: SSH server at Interface1 10.1.1.1/16; two client devices at Interface1 10.1.2.2/16 and
Interface1 10.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
There are several authentication modes for SSH users: password, RSA, password-RSA, ECC,
password-ECC, and All.
• If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
• If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, the quoted password cannot contain double quotation marks.
– If the password contains no spaces, the quoted password can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0
006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7
36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A
7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275
2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153
7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : sftp
----------------------------------------------------
----End
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
SFTP is based on SSH connections. SFTP ensures that users log in to a remote device
securely to manage and transfer files, enhancing secure file transfer. Because the device can
function as an SFTP client, you can log in to a remote SSH server from the device to transfer
files securely.
As shown in Figure 8-20, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in the password, ECC, password-ECC, DSA,
password-DSA, RSA, password-RSA, SM2, password-SM2 or all authentication mode.
Figure 8-20 Networking diagram for accessing another device by using SFTP
(Figure: SSH server at Interface1 10.1.1.1/16; two client devices at Interface1 10.1.2.2/16 and
Interface1 10.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the DSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files from the
server.
Data Preparation
To complete the configuration, you need the following data:
• Client001: password authentication (password: Hello-huawei123)
• Client002: DSA authentication (public key: dsakey001)
• IP address of the SSH server: 10.1.1.1
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all.
• If the authentication mode is password, password-RSA, password-DSA, or password-ECC,
configure a local user on the server with the same user name.
• If the authentication mode is RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all, save the RSA, DSA, or ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– If the password contains spaces, the quoted password cannot contain double quotation marks.
– If the password contains no spaces, the quoted password can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
# Copy the DSA public key generated on the client to the server.
[~SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965
22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858
6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4
ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5
E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655
47927368
[*SSH Server-dsa-public-key-dsa-key-code] 9914AF09 6CFDC125 6CC8A07F DDDE603B
F31C4EA4
[*SSH Server-dsa-public-key-dsa-key-code] 0B752AC7 817E877F
[*SSH Server-dsa-public-key-dsa-key-code] 0214
[*SSH Server-dsa-public-key-dsa-key-code] CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B
6ECC9F27
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 6D3202E7 4DCAC5DB 97034305 8D79FDB2
76D5CAA2
[*SSH Server-dsa-public-key-dsa-key-code] C8D00C3D 666F61D4 F2E36445 4027FD04
0D61B2A3
[*SSH Server-dsa-public-key-dsa-key-code] AF3CED6B C36CC68D E8DF35F9 FAF802ED
73BCBD66
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in DSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
----End
Configuration Files
• SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
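The DSA, RSA and ECC examples in this section all bind a client's public key by pasting its "key code" hex dump into the peer-public-key view, but none of them says how to tell what size of key that hex represents. The key-creation output on the server shows its own host keys being generated at 2048 bits (DSA modulus 2048, RSA public key size 2048 ~ 2048), so it is worth checking the peer keys to the same standard before running ssh user ... assign. The following is an added example, not Huawei code: a small DER decoder that reads the key codes exactly as the guide prints them (dsakey001, rsakey001 and ecckey001 are copied from the guide) and reports type and size. KEY_MIN_BITS is an assumed review policy, not a device setting. Run against the guide's own dumps, the RSA and DSA peer keys decode as 1024-bit and the ECC key as a 256-bit curve point.

```python
"""Decode the DER 'key code' hex dumps that this guide shows for peer public
keys (dsakey001, rsakey001, ecckey001) and report each key's type and size, so
an operator can check a key against a minimum size before binding it with
'ssh user ... assign ...'. Added example, not Huawei code. The hex constants
are copied from the guide's own key-code output; KEY_MIN_BITS is an assumed
review policy, not a device setting."""
import re

# Copied from the guide: DSA public key dsakey001 (DER SEQUENCE of p, q, g, y).
DSA_KEY_CODE = """
3082019F 028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214 CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2 C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66 C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180 409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3 E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
"""

# Copied from the guide: RSA public key rsakey001 (DER SEQUENCE of n, e).
RSA_KEY_CODE = """
308188 028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD 0203 010001
"""

# Copied from the guide: ECC public key ecckey001 (uncompressed point 04 || X || Y).
ECC_KEY_CODE = """
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2 E25B662D 73
"""


def _der_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(data):
        raise ValueError("DER length runs past the end of the key code")
    return tag, data[pos:pos + length], pos + length


def parse_key_code(hex_text: str) -> dict:
    """Classify a key code as the guide prints it and return its type and size."""
    data = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    if data[0] == 0x04 and len(data) % 2 == 1:  # raw uncompressed EC point
        coord_len = (len(data) - 1) // 2
        curve_bits = {32: 256, 48: 384, 66: 521}.get(coord_len)
        if curve_bits is None:
            raise ValueError(f"unrecognised EC coordinate length {coord_len}")
        return {"type": "ecc", "bits": curve_bits}
    tag, body, end = _der_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("key code is not a single DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = _der_tlv(body, pos)
        if t != 0x02:
            raise ValueError(f"unexpected DER tag 0x{t:02x} inside key code")
        # The guide's dumps omit the 0x00 sign pad, so INTEGERs are read unsigned.
        ints.append(int.from_bytes(v, "big"))
    if len(ints) == 2:  # RSA: modulus n, exponent e
        return {"type": "rsa", "bits": ints[0].bit_length(), "exponent": ints[1]}
    if len(ints) == 4:  # DSA: p, q, g, y
        return {"type": "dsa", "bits": ints[0].bit_length(), "q_bits": ints[1].bit_length()}
    raise ValueError(f"{len(ints)} INTEGERs: neither RSA (2) nor DSA (4)")


# Assumed review policy: RSA/DSA at the size the server generates its own host
# keys; ECC at the smallest modulus the key-creation prompt offers.
KEY_MIN_BITS = {"rsa": 2048, "dsa": 2048, "ecc": 256}


def check_key_code(hex_text: str) -> tuple:
    """Return (info, accepted) for one key code under KEY_MIN_BITS."""
    info = parse_key_code(hex_text)
    return info, info["bits"] >= KEY_MIN_BITS[info["type"]]


if __name__ == "__main__":
    for name, code in (("dsakey001", DSA_KEY_CODE), ("rsakey001", RSA_KEY_CODE),
                       ("ecckey001", ECC_KEY_CODE)):
        info, ok = check_key_code(code)
        print(f"{name}: {info['type']} {info['bits']}-bit -> {'OK' if ok else 'below minimum'}")
```

The decoder relies on the DER length rules visible in the dumps themselves: 3082019F is a SEQUENCE with a two-octet length (0x019F = 415 bytes), 028180 an INTEGER with a one-octet length of 128 bytes, and 0214 an INTEGER of 20 bytes, which is how the DSA dump separates p, q, g and y.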
Networking Requirements
SFTP is based on SSH and ensures that users log in to a remote device securely to manage and
transfer files, enhancing secure file transfer. Because the device can function as an SFTP
client, you can log in to a remote SSH server from the device to transfer files securely.
As shown in Figure 8-21, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in the password, ECC, password-ECC, DSA,
password-DSA, RSA, password-RSA, SM2, password-SM2 or all authentication mode.
(Figure 8-21: SSH server at Interface1 10.1.1.1/16; two client devices at Interface1 10.1.2.2/16 and
Interface1 10.1.3.3/16)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the ECC public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.
Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123)
l Client002: ECC authentication (public key: ecckey001)
l IP address of the SSH server: 10.1.1.1
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
A password cannot contain question marks (?) or spaces. Spaces are allowed only when the
password is enclosed in double quotation marks.
– A quoted password that contains spaces cannot also contain double quotation marks.
– A quoted password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit
7E63D68D E7
# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA
2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899
24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8
379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit
Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in ECC authentication mode.
Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
The SSH server listens on port 22 by default. If attackers continuously probe this port, they
consume bandwidth and degrade server performance, and authorized users may then be unable
to access the server.
If the listening port of the SSH server is changed to a non-default one, attackers who are
unaware of the change keep sending socket connection requests to port 22, and the SSH server
rejects them because that is no longer its listening port. Authorized users set up socket
connections using the new listening port and then proceed as usual: negotiate the SSH
protocol version, negotiate the algorithms, generate the session key, authenticate, send the
session request, and take part in the session.
Figure 8-22 Using a non-default listening port number to access the SSH server
[Figure 8-22: SSH server (Interface1, 10.1.1.1/16) and two clients (Interface1, 10.1.2.2/16 and Interface1, 10.1.3.3/16)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only
authorized users to access the server.
6. Use STelnet and SFTP respectively on client001 and client002 to log in to the SSH
server.
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
[*SSH Server] commit
# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-key-code] 3047
[*SSH Server-rsa-key-code] 0240
[*SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[*SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[*SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[*SSH Server-rsa-key-code] 1D7E3E1B
[*SSH Server-rsa-key-code] 0203
[*SSH Server-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server-rsa-public-key] commit
There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
A password cannot contain question marks (?) or spaces. Spaces are allowed only when the
password is enclosed in double quotation marks.
– A quoted password that contains spaces cannot also contain double quotation marks.
– A quoted password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit
Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] stelnet server enable
[*SSH Server] sftp server enable
[*SSH Server] commit
# Connect client001 to the SSH server using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:
# Connect client002 to the SSH server using the new listening port number.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The current listening port number of the SSH server
can be displayed in the command output. The command output also shows that the STelnet or
SFTP client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
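The status output above is where a reviewer confirms what the server actually exposes. The following is an added example, not part of the Huawei guide: it parses the "name : value" lines that display ssh server status prints and reports the settings worth questioning. The checks, finding codes and the expected_port parameter are the example's own. Note that the output as printed on this page still shows port 22 and the STelnet service disabled, so it predates the ssh server port 1025 and stelnet server enable lines in the configuration file that follows; run with the intended port, the check reports that mismatch. A non-default port only reduces noise from untargeted scanners, since a port scan still finds the service; the ACL fields are what actually restrict who may connect, and they are empty here.

```python
"""Audit the output of 'display ssh server status' for weak settings.

Added example; it is not part of the Huawei guide. The command prints one
'name : value' line per setting, so the output is parsed into a dict and a
few checks are run over it. Finding codes and checks are this example's
own choices.
"""

# Copied from the 'display ssh server status' output shown in this section.
SAMPLE_STATUS = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""


def parse_status(text):
    """Turn 'name : value' lines into a dict; lines without ':' are skipped.

    Only the first ':' splits the line, so IPv6 values such as '0::0' survive.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_status(fields, expected_port=22):
    """Return a list of (code, message) findings for settings worth questioning."""
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append(("ssh1-compat",
                         "SSH 1.x compatibility is enabled; SSH-1 is obsolete and should be disabled"))
    if fields.get("SSH server DES") == "Enable":
        findings.append(("des", "single DES is enabled as a cipher; use AES ciphers only"))
    # The port the server reports must match the port the operator intended to set.
    for key in ("SSH IPv4 server port", "SSH IPv6 server port"):
        port = fields.get(key)
        if port is not None and port != str(expected_port):
            findings.append(("port", f"{key} is {port}, expected {expected_port}"))
    # Empty ACL fields mean any reachable source may open a connection.
    acl_keys = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")
    if not any(fields.get(k) for k in acl_keys):
        findings.append(("acl", "no ACL limits which sources may connect to the SSH server"))
    if fields.get("SSH server ip-block") != "Enable":
        findings.append(("ip-block", "blocking of sources after repeated failed logins is disabled"))
    return findings


if __name__ == "__main__":
    for code, msg in audit_status(parse_status(SAMPLE_STATUS), expected_port=1025):
        print(f"[{code}] {msg}")
```

Run as a script it prints one line per finding; the same functions can be fed the output captured from any device running this command.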
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
ssh server port 1025
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return
Networking Requirements
As shown in Figure 8-23, PE1 is an SSH client located on the MPLS backbone network, and
CE1 functions as an SSH server located on the private network with the AS number of 65410.
Public network users need to securely access and manage CE1 after logging in to PE1.
Figure 8-23 Configuring an SSH client on the public network to access an SSH server on a
private network
NOTE
In this example, Interface1, Interface2 and Interface3 are GE1/0/1, GE2/0/1 and GE1/0/2, respectively.
[Figure 8-23: MPLS backbone, AS 100. PE1 (SSH client): Loopback1 1.1.1.9/32, Interface1 10.2.1.1/30, Interface2 10.1.1.2/24. P: Loopback1 2.2.2.9/32, Interface1 10.2.1.2/30, Interface3 10.3.1.1/30. PE2: Loopback1 3.3.3.9/32, Interface1 10.3.1.2/30, Interface2 10.1.2.2/24. CE1 (SSH server): Interface1 10.1.1.1/24. CE2: Interface1 10.1.2.1/24]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
4. Enable the STelnet and SFTP server functions on the SSH server.
5. Connect client001 and client002 to CE1 using STelnet and SFTP, respectively.
Data Preparation
To complete the configuration, you need the following data:
l Name of the VPN instance on the PEs: vpn1
l VPN target on the PEs: 111:1
l IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
l Client001: password authentication (password: Hello-huawei123)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of CE1: 10.1.1.1
Procedure
Step 1 Configure the MPLS backbone network.
Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate
with each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP
LSPs on the MPLS backbone network.
For configuration details, see Configuration Files in this section.
Step 2 Configure VPN instances on PEs and connect CEs to PEs.
# Configure PE1.
[*PE1] ip vpn-instance vpn1
[*PE1-vpn-instance-vpn1] route-distinguisher 100:1
[*PE1-vpn-instance-vpn1] vpn-target 111:1 both
[*PE1-vpn-instance-vpn1] quit
[*PE1] interface gigabitethernet 2/0/1
[*PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE1-GigabitEthernet2/0/1] undo shutdown
[*PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24
[*PE1-GigabitEthernet2/0/1] quit
[*PE1] commit
# Configure PE2.
[*PE2] ip vpn-instance vpn1
[*PE2-vpn-instance-vpn1] route-distinguisher 200:1
[*PE2-vpn-instance-vpn1] vpn-target 111:1 both
[*PE2-vpn-instance-vpn1] quit
[*PE2] interface gigabitethernet 2/0/1
[*PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE2-GigabitEthernet2/0/1] undo shutdown
[*PE2-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[*PE2-GigabitEthernet2/0/1] quit
[*PE2] commit
# Configure IP addresses for interfaces on CEs according to Figure 8-23. For configuration
details, see Configuration Files in this section.
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs. You can view the configurations of VPN instances. Each PE can successfully ping its
connected CE.
NOTE
When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address
in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the
CE connected to the peer PE. Otherwise, the ping may fail.
[~PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms
Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] import-route direct
[*CE1-bgp] quit
[*CE1] commit
# Configure PE1.
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn1
[*PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[*PE1-bgp-vpn1] import-route direct
[*PE1-bgp-vpn1] quit
[*PE1-bgp] quit
[*PE1] commit
# Configure CE2.
[*CE2] bgp 65420
[*CE2-bgp] peer 10.1.2.2 as-number 100
[*CE2-bgp] import-route direct
[*CE2-bgp] quit
[*CE2] commit
# Configure PE2.
[*PE2] bgp 100
[*PE2-bgp] ipv4-family vpn-instance vpn1
[*PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[*PE2-bgp-vpn1] import-route direct
[*PE2-bgp-vpn1] quit
[*PE2-bgp] quit
[*PE2] commit
After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. The command output shows that the EBGP peer relationships between PEs and the
CEs are in the Established state.
The following example uses the command output on PE1.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 3 3 0 00:00:37 Established 1
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F
2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
# Copy the RSA public key generated on the client to the server.
[*CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*CE1-rsa-key-code] 3067
[*CE1-rsa-key-code] 0240
[*CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[*CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[*CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[*CE1-rsa-key-code] E2EE8EB5
[*CE1-rsa-key-code] 0203
[*CE1-rsa-key-code] 010001
[*CE1-rsa-key-code] public-key-code end
[*CE1-rsa-public-key] peer-public-key end
[*CE1-rsa-public-key] quit
[*CE1] commit
There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.
NOTE
A password is entered in man-machine interaction mode. The system does not display the entered
password.
A password cannot contain question marks (?) or spaces. Spaces are allowed only when the
password is enclosed in double quotation marks.
– A quoted password that contains spaces cannot also contain double quotation marks.
– A quoted password that contains no spaces can contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
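The note above (repeated in each of the three procedures in this section) states the syntax rules for a local-user password. The following is an added example, not from the Huawei guide, that encodes those rules as a checker and tests it against the two passwords the note gives. Where the note is silent, the checker assumes: a question mark is never allowed, and an unquoted password may contain double quotation marks. The function name is the example's own.

```python
"""Check a local-user password against the quoting rules stated in the note.

Added example; not from the Huawei guide. Rules as written: no '?'; spaces
only inside a double-quoted password; a quoted password that contains
spaces may not contain further double quotation marks. Assumed: an
unquoted password may contain double quotation marks.
"""


def check_password_syntax(pw):
    """Return None when the password is acceptable, otherwise the rule it breaks."""
    if "?" in pw:
        return "question mark (?) is not allowed"
    quoted = len(pw) >= 2 and pw[0] == '"' and pw[-1] == '"'
    body = pw[1:-1] if quoted else pw     # the password proper, without outer quotes
    if " " in body:
        if not quoted:
            return "spaces are allowed only inside double quotation marks"
        if '"' in body:
            return "a quoted password with spaces cannot also contain double quotation marks"
    return None


if __name__ == "__main__":
    # The two cases from the note, plus the sample password used in this section.
    for candidate in ('"Aa123"45""', '"Aa 123"45""', "Hello-huawei123"):
        print(repr(candidate), "->", check_password_syntax(candidate) or "ok")
```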
[*CE1-aaa] local-user client001 service-type ssh
[*CE1-aaa] quit
# Create an SSH user named client002, configure RSA authentication for the user, and bind
the RSA public key to client002.
[*CE1] ssh user client002
[*CE1] ssh user client002 authentication-type rsa
[*CE1] ssh user client002 assign rsa-key RsaKey001
# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[*CE1] ssh user client002 service-type sftp
[*CE1] ssh user client002 sftp-directory cfcard:
[*CE1] commit
Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[*CE1] sftp server enable
[*CE1] commit
Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first authentication on the client.
[~PE1] ssh client first-time enable
[*PE1] commit
After the configuration is complete, run the display this command in the interface view on
PE1. The command output shows the VPN instance has been successfully configured. Run
the display ssh server session command on CE1. The command output shows the STelnet or
SFTP client has been successfully connected to the SSH server.
----End
Configuration Files
l CE1 configuration file
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
l P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
return
Networking Requirements
Unlike SFTP, SCP allows file upload or download without user authentication or public key
allocation. SCP also supports file upload or download in batches.
As shown in Figure 8-24, the device functioning as the SCP client has a reachable route to
the SSH server and can download files from the SSH server.
[Figure 8-24: SCP client (source address 1.1.1.1/32) with a reachable route to the SCP server 172.16.104.110/24]
Configuration Roadmap
The configuration roadmap is as follows:
Data Preparation
To complete the configuration, you need the following data:
Procedure
Step 1 Configure the SSH server to generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
# Create an SSH user named client001 and configure password authentication for the user.
[*SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[*SSH Server] ssh user client001 authentication-type password
Step 4 Download files from the SSH server to the SCP client.
# For the first login, enable first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] sysname SCP Client
[*SCP Client] ssh client first-time enable
# Set the source IP address of the SCP client to 1.1.1.1 (the IP address of a loopback
interface).
[*SCP Client] scp client-source -a 1.1.1.1
Info: Succeeded in setting the source address of the SCP client to 1.1.1.1.
# Use the AES128 algorithm to encrypt the file license.txt, and download the file to the local
working directory from the remote SSH server with an IP address of 172.16.104.110.
[*SCP Client] scp -a 1.1.1.1 -cipher aes128 client001@172.16.104.110:license.txt license.txt
[*SCP Client] commit
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password irreversible-cipher @%@%1-w$!gvBa#6W,ZUm2EN*BYqNWwI3BV\uV`%_oauS;RQB&Y%>>~GV#QzO~k/8;U6;@%@%
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return
Networking Requirements
HTTP allows an HTTP client to download a certificate from an HTTP server. On the network
shown in Figure 8-25, the route between the device functioning as an HTTP client and the
HTTP server is reachable, so you can log in to the HTTP server from the HTTP client and
download a certificate from it.
The server supports SSL policies. To improve data transmission security, configure an SSL
policy on the HTTP client.
[Figure 8-25: HTTP client and HTTP server connected over a network]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an SSL policy on the HTTP client.
2. Configure the HTTP client.
Data Preparation
To complete the configuration, you need the following data:
l Name of the SSL policy to be configured on the HTTP client: policy1
Procedure
Step 1 Configure an SSL policy on the HTTP client.
<HUAWEI> system-view
[~HUAWEI] ssl-policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa key-file a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] trusted-ca load pem-ca a_rootcertchain2_pem_dsa.pem
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit
----End
Configuration Files
l HTTP client configuration file
#
ssl policy policy1
certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa key-file a_serverkeychain2_pem_dsa.pem auth-code cipher %^%#<`c/:cbTs/'sK\S+ct)8ia_d!Ukn|&7pOM!5|dT6%^%#
trusted-ca load pem-ca a_rootcertchain2_pem_dsa.pem
#
http