
HUAWEI NetEngine40E Universal Service Router

Configuration Guide - Basic Configuration Guides 8 Accessing Other Devices

8 Accessing Other Devices

About This Chapter

To manage and configure other devices or operate files on them, access the devices using
Telnet, STelnet, TFTP, FTP, SCP, or SFTP from the device that you have logged in to.

Context
NOTE

To ensure high security, do not use the des algorithm, 3des algorithm, and rsa algorithm whose length is
less than 2048 digits.

8.1 Overview of Accessing Other Devices


You can log in to one device and access another device using Telnet, FTP, TFTP, or SFTP.
8.2 Licensing Requirements and Limitations for Accessing Other Devices
8.3 Using Telnet to Log In to Other Devices
Telnet is a client/server application that allows you to log in to remote devices to manage and
maintain the devices.
8.4 Using STelnet to Log In to Other Devices
STelnet provides secure Telnet services. You can use STelnet to log in to and manage other
devices from the device that you have logged in to.
8.5 Using TFTP to Access Other Devices
TFTP is used to transfer files between remote servers and local hosts. Unlike FTP, TFTP is
simple and provides no authentication. TFTP applies when no complex interaction is required
between clients and the server.
8.6 Using FTP to Access Other Devices
You can log in to an FTP server from the device that functions as an FTP client to upload files
to or download files from the server.
8.7 Using SFTP to Access Other Devices
SFTP provides secure FTP services. After a device is configured as an SFTP client, the SFTP
server authenticates the client and encrypts data in both directions to provide secure file
transfer.
8.8 Using SCP to Access Other Devices

Issue 01 (2018-12-05) Copyright © Huawei Technologies Co., Ltd. 216



The Secure Copy Protocol (SCP) client sets up a secure connection to the SCP server so that
the client can upload files to or download files from the server.
8.9 Logging In to a Device Using HTTP
Hypertext Transfer Protocol (HTTP) is an application-layer protocol that transports hypertext
from WWW servers to local browsers. HTTP uses the client/server model in which requests
and replies are exchanged.
8.10 Enabling or Disabling a Public Key Algorithm
8.11 Configuring a DSCP Value for Telnet/SSH Packets
This section describes how to configure a DSCP value for Telnet/SSH packets.
8.12 Configuration Examples for Accessing Other Devices
This section provides examples for configuring one device to access other devices.

8.1 Overview of Accessing Other Devices


You can log in to one device and access another device using Telnet, FTP, TFTP, or SFTP.
As shown in Figure 8-1, after you use the terminal emulator or Telnet program on a PC to
connect to the router, you can use Telnet, FTP, TFTP, or SFTP to access other devices from
the router functioning as a client.

Figure 8-1 Accessing other devices: user PC -> router (Telnet client) -> IP network -> Telnet server

Telnet
Telnet is an application layer protocol in the TCP/IP protocol suite. Telnet provides remote
login and virtual terminal services. The NE40E provides the following Telnet services:
• Telnet server: A user runs the Telnet client program on a PC to log in to the router to
configure and manage the router. The router functions as a Telnet server.
• Telnet client: After using the terminal emulator or Telnet client program on a PC to
connect to the router, a user runs the telnet command to log in to another router for
configuration and management. The router functions as a Telnet client. In Figure 8-2,
the CE functions as both a Telnet server and a Telnet client.

Figure 8-2 Telnet server providing the Telnet client service: PC --Telnet session 1--> CE (Telnet server and Telnet client) --Telnet session 2--> PE


• Telnet service interruption

Figure 8-3 Usage of Telnet shortcut keys: P1 (Telnet client) --Telnet session 1--> P2 --Telnet session 2--> P3 (Telnet server)

Two types of shortcut keys can be used to interrupt Telnet connections. As shown in
Figure 8-3, P1 uses Telnet to log in to P2 and then to P3. P1 is the Telnet client of P2,
and P2 is the Telnet client of P3. The usage of shortcut keys is described as follows:
– Ctrl_]: Instructs the server to disconnect a Telnet connection.
When the network works properly, entering the shortcut key Ctrl_] causes the
Telnet server to interrupt the current Telnet connection.
For example, after you enter Ctrl_] on P3, the <P2> prompt is displayed.
<P3> Select Ctrl_] to return to the prompt of P2
The connection was closed by the remote host.

After you enter Ctrl_] on P2, the <P1> prompt is displayed.


<P2> Ctrl_]
The connection was closed by the remote host.
<P1>

NOTE

If the network connection is disconnected, shortcut keys do not take effect.


– Ctrl_K: Instructs the client to disconnect the connection.
When the server fails and the client is unaware of the failure, the server does not
respond to the client's input. If you enter Ctrl_K, the Telnet client interrupts and
quits the Telnet connection.
For example, enter Ctrl_K on P3 to quit the Telnet connection.
<P3> Ctrl_K
<P1>

When the number of remote login users reaches the maximum number of VTY user
interfaces, the system prompts subsequent users with a message, indicating that all
user interfaces are in use and no more Telnet connections are allowed.

FTP
FTP is a standard application protocol based on the TCP/IP protocol suite. It is used to
transfer files between local clients and remote servers. FTP uses two TCP connections to copy
a file from one system to another. The TCP connections are usually established in client-
server mode, one for control (the server port number is 21) and the other for data transmission
(the server port number is 20).


• Control connection: issues commands from the client to the server and transmits replies
from the server to the client, minimizing the transmission delay.
• Data connection: transmits data between the client and server, maximizing the
throughput.

FTP has two file transfer modes:

• Binary mode: is used to transfer program files, such as .app, .bin, and .btm files.
• ASCII mode: is used to transfer text files, such as .txt, .bat, and .cfg files.

The device provides the following FTP functions:

• FTP client: Users can use the terminal emulator or the Telnet program to connect PCs to
the device, and run the ftp command to establish a connection between the device and a
remote FTP server to access and operate files on the server.
• FTP server: Users can use the FTP client program to log in to the device and operate
files on the device.
Before users log in, the network administrator must configure an IP address for the FTP
server.

TFTP
TFTP is an application protocol based on User Datagram Protocol (UDP) connections. It uses
the UDP port number 69 to transfer files between local hosts and remote servers. Unlike FTP,
TFTP is simple, providing no authentication. It is applicable to scenarios where complicated
interactions between clients and the server are not required.

TFTP supports both binary and ASCII file transfer modes, which are also supported by FTP.

NOTE

• Currently, the HUAWEI NetEngine40E supports only the binary mode for TFTP.
• Currently, the HUAWEI NetEngine40E can function only as a TFTP client but not a TFTP server.

TFTP transfer requests are initiated by clients:


• When a TFTP client needs to download files from the server, the client sends a read
request to the TFTP server. The server sends data packets to the client, and the client
acknowledges the data packets.
• When a TFTP client needs to upload a file to the server, the client sends a write request
and then data to the server, and receives acknowledgments from the server.
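The read and write exchanges just described, as an added illustration rather than code from this guide or from the NE40E: a minimal Python encoder/decoder for TFTP request, DATA, ACK and ERROR packets in the RFC 1350 layout, with a simulated client-side download that acknowledges each block and stops at the first block shorter than 512 bytes. The in-memory server_files dictionary and the file contents are constructed for the example.

```python
import struct

# TFTP opcodes from RFC 1350. The guide states the NE40E client transfers in
# binary ("octet") mode only, so the request builder defaults to that mode.
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # a DATA packet carrying fewer than 512 bytes is the last one


def build_request(opcode, filename, mode="octet"):
    """Read request (download) or write request (upload): opcode, filename, mode."""
    if opcode not in (OP_RRQ, OP_WRQ):
        raise ValueError("request opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    """DATA packet: opcode 3, 16-bit block number, at most 512 payload bytes."""
    if len(payload) > BLOCK_SIZE:
        raise ValueError("payload exceeds one TFTP block")
    return struct.pack("!HH", OP_DATA, block) + payload


def build_ack(block):
    """ACK packet: opcode 4 and the block number being acknowledged."""
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    """ERROR packet: opcode 5, error code, NUL-terminated message."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_packet(pkt):
    """Decode one TFTP packet into a dict; truncated or malformed input is rejected."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3 or not fields[0]:  # filename, mode, terminator
            raise ValueError("malformed request packet")
        return {"op": opcode, "filename": fields[0].decode(),
                "mode": fields[1].decode().lower()}
    (number,) = struct.unpack("!H", pkt[2:4])
    if opcode == OP_DATA:
        return {"op": opcode, "block": number, "payload": pkt[4:]}
    if opcode == OP_ACK:
        return {"op": opcode, "block": number}
    if opcode == OP_ERROR:
        return {"op": opcode, "code": number,
                "message": pkt[4:].split(b"\0")[0].decode()}
    raise ValueError("unknown opcode %d" % opcode)


def simulate_download(server_files, filename):
    """Client-side read transfer as the guide describes it: send an RRQ, then
    ACK every DATA block until a block shorter than 512 bytes ends the transfer.
    server_files is a constructed in-memory stand-in for the TFTP server.
    Returns (file_bytes, acked_blocks), or (None, error_dict) if the server
    answers the request with an ERROR packet."""
    req = parse_packet(build_request(OP_RRQ, filename))          # client -> server
    if req["mode"] != "octet":
        return None, parse_packet(build_error(0, "only binary mode is supported"))
    data = server_files.get(req["filename"])
    if data is None:
        return None, parse_packet(build_error(1, "File not found"))
    received, acked, block = bytearray(), [], 1
    while True:
        chunk = data[(block - 1) * BLOCK_SIZE:block * BLOCK_SIZE]
        pkt = parse_packet(build_data(block, chunk))              # server -> client
        if pkt["block"] != block:
            raise RuntimeError("unexpected block %d" % pkt["block"])
        received += pkt["payload"]
        acked.append(parse_packet(build_ack(block))["block"])     # client -> server
        if len(pkt["payload"]) < BLOCK_SIZE:                      # short block: done
            return bytes(received), acked
        block += 1
```

A file whose size is an exact multiple of 512 bytes is terminated by an empty DATA block, which the loop handles the same way as any other short block.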

SFTP
SFTP uses SSH to ensure secure file transfer. On one hand, SFTP allows remote users to
securely log in to the device to manage and transfer files. On the other hand, users can use the
device functioning as a client to log in to a remote server and transfer files securely.

When the SFTP server fails, or the connection between the server and the client fails, the
client needs to detect the fault promptly and tear down the connection on its own. To enable
this, configure the interval at which the client sends Keepalive packets when it receives no
packet, and the maximum number of times the server may fail to respond:
• If the client does not receive any packet within the specified interval, the client sends a
Keepalive packet to the server.
• If the number of times the server fails to respond exceeds the specified maximum, the
client proactively releases the connection.

8.2 Licensing Requirements and Limitations for Accessing Other Devices

Licensing Requirements
This feature is a basic feature and is not under license control.

Restrictions and Guidelines

Restriction: The SCP cannot interwork with the WinSCP tool.
Guideline: Use the correct tool for interconnection.
Impact: If the WinSCP tool is used for interconnection, the device cannot transfer files through the SCP.

8.3 Using Telnet to Log In to Other Devices


Telnet is a client/server application that allows you to log in to remote devices to manage and
maintain the devices.

Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to.
As shown in Figure 8-4, you can use Telnet on the PC to log in to the Telnet client. Because
the PC does not have a reachable route to the Telnet server, you cannot remotely manage the
Telnet server. To remotely manage the Telnet server, use Telnet on the Telnet client to log in to
the Telnet server.

Figure 8-4 Using Telnet on the Telnet client to log in to the Telnet server: user PC -> Telnet client -> IP network -> Telnet server

Pre-configuration Tasks
Before using Telnet on the Telnet client to log in to the Telnet server, complete the following
tasks:

• Configure Telnet login.
• Ensure that the route between the Telnet client and server is reachable.

Configuration Procedures

Figure 8-5 Flowchart for using Telnet to log in to other devices
(Optional procedure) Configure a source address for the Telnet client.
(Mandatory procedure) Use Telnet to log in to other devices.

NOTE

Use STelnet instead of Telnet, because Telnet is not secure.

8.3.1 (Optional) Configuring a Source Address for the Telnet Client

You can configure a source address for the Telnet client and use the source address to
establish a Telnet connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on a device and use this IP address as the source
address to establish a Telnet connection.
The source of a Telnet client can be a source interface or a source IP address.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run telnet client-source { -a source-ip-address | -i interface-type interface-number }
A source IP address is configured for the Telnet client.
Step 3 Run commit
The configuration is committed.

----End

8.3.2 Using Telnet to Log In to Other Devices


Telnet is a client/server application that allows you to log in to remote devices to manage and
maintain the devices.


Context
Telnet provides an interactive interface for you to log in to a remote server. You can log in to a
device and then use Telnet on the device to log in to other devices on the network to configure
and manage these remote devices, without the need of connecting a terminal to each of the
devices.
An IP address can be configured for an interface on the device and specified as the source IP
address of a Telnet connection for security checks.
After the source IP address is configured for the Telnet client, the source IP address of the
Telnet client displayed on the server is the same as the configured one.
Perform either of the following operations based on the type of the source IP address:

Procedure
• If the source address is an IPv4 address:
Run the telnet [ -a source-ip-address | -i interface-type interface-number ] [ vpn-instance vpn-instance-name ] host-ip-address [ port-number ] command to log in to and manage other devices.
• If the source address is an IPv6 address:
Run the telnet ipv6 ipv6-address [ vpn-instance vpn-instance-name | public-net ] [ -oi interface-type interface-number ] [ port-number ] command to log in to and manage other devices.
----End

8.3.3 Verifying the Configuration of Using Telnet to Log In to Other Devices

When you use a router to log in to another router, you can check information about the
established TCP connection.

Prerequisites
All configurations for logging in to another device are complete.

Procedure
• Run the display tcp status command to check the status of all TCP connections.
----End

Example
Run the display tcp status command to view the status of TCP connections. Established
indicates that a TCP connection has been established.
<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID   Local Addr:Port        Foreign Addr:Port      VPNID  State
--------------------------------------------------------------------------------
0x80C8272F/2   0.0.0.0:23             0.0.0.0:0              1      LISTEN
0x80932727/4   0.0.0.0:22             0.0.0.0:0              1      LISTEN
0x30666bb4/9   10.137.217.222:23      10.137.217.223:53930   2      Established
--------------------------------------------------------------------------------
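As an added example that is not part of the guide, the following Python parses the display tcp status layout shown above and flags listeners and established sessions on plaintext management ports (Telnet on 23, FTP control on 21), so an operator can see where STelnet or SFTP should replace them. The sample text is constructed from the rows above rather than captured from a device.

```python
import re

# Constructed sample in the layout of the NE40E "display tcp status" output
# shown above (row values taken from the guide; not a live capture).
SAMPLE_OUTPUT = """<HUAWEI> display tcp status
--------------------------------------------------------------------------------
Pid/SocketID   Local Addr:Port        Foreign Addr:Port      VPNID  State
--------------------------------------------------------------------------------
0x80C8272F/2   0.0.0.0:23             0.0.0.0:0              1      LISTEN
0x80932727/4   0.0.0.0:22             0.0.0.0:0              1      LISTEN
0x30666bb4/9   10.137.217.222:23      10.137.217.223:53930   2      Established
--------------------------------------------------------------------------------
"""

# One data row: socket id, local addr:port, foreign addr:port, VPN id, state.
# The greedy \S+ before the final ':' also handles IPv6 addresses such as 1000::1:23.
ROW = re.compile(r"^(0x[0-9A-Fa-f]+/\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)\s+(\S+)$")

# Ports of the plaintext access services this chapter covers (Telnet, FTP control).
PLAINTEXT_SERVICES = {23: "Telnet", 21: "FTP"}


def parse_tcp_status(text):
    """Return the data rows of a 'display tcp status' dump as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, separator and header lines
        rows.append({
            "socket": m.group(1),
            "local": m.group(2), "local_port": int(m.group(3)),
            "foreign": m.group(4), "foreign_port": int(m.group(5)),
            "vpn": int(m.group(6)), "state": m.group(7).upper(),
        })
    return rows


def find_plaintext_access(rows):
    """Flag listeners and established sessions on plaintext management ports.
    SSH (port 22) is not flagged; the guide recommends STelnet over Telnet."""
    findings = []
    for r in rows:
        service = PLAINTEXT_SERVICES.get(r["local_port"])
        if service is None:
            continue
        if r["state"] == "LISTEN":
            findings.append("%s listener %s:%d (VPN %d)" %
                            (service, r["local"], r["local_port"], r["vpn"]))
        elif r["state"] == "ESTABLISHED":
            findings.append("active plaintext %s session from %s:%d to %s:%d (VPN %d)" %
                            (service, r["foreign"], r["foreign_port"],
                             r["local"], r["local_port"], r["vpn"]))
    return findings
```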

8.4 Using STelnet to Log In to Other Devices


STelnet provides secure Telnet services. You can use STelnet to log in to and manage other
devices from the device that you have logged in to.

Usage Scenario
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.
STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks, such as IP spoofing and simple password
interception.
As shown in Figure 8-6, the device supports the SSH function. You can log in to a remote
device in SSH mode to manage and maintain the device. The device that you have logged in
functions as an SSH client, and the remote device functions as an SSH server.

Figure 8-6 Using STelnet to log in to the SSH server: SSH client -> IP network -> SSH server

Pre-configuration Tasks
Before using STelnet to log in to other devices, configure STelnet login.

Configuration Procedures

Figure 8-7 Flowchart for using STelnet to log in to other devices
(Mandatory, choose one) Configure first login to the SSH server (enabling first authentication on the SSH client), or configure first login to the SSH server (binding the SSH client to the public key generated on the SSH server).
(Optional) Configure the Keepalive feature on the SSH client.
(Mandatory) Use STelnet to log in to other devices.

8.4.1 Configuring First Login to the SSH Server (Enabling First Authentication on the SSH Client)
After first authentication is enabled on the SSH client, the validity of the RSA, DSA, or ECC
public key of the SSH server is not checked when the STelnet client logs in to the SSH server
for the first time.

Context
After the first login, the system automatically allocates an RSA, DSA, or ECC public key and
saves the key for subsequent login authentication. Because the key is not verified on that
first connection, the client trusts whatever key the server presents at that moment.
If first authentication is disabled, the STelnet client cannot log in to the SSH server because
the validity check of the RSA, DSA, or ECC public key fails. For the STelnet client to log in
to the SSH server successfully for the first time, enable first authentication or configure the
client to assign an RSA, DSA, or ECC public key to the server in advance. For details, see
8.4.2 Configuring First Login to the SSH Server (Binding the SSH Client to the Public
Key Generated on the SSH Server).
Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client first-time enable
First authentication is enabled on the SSH client.
Step 3 Run commit
The configuration is committed.

----End

8.4.2 Configuring First Login to the SSH Server (Binding the SSH
Client to the Public Key Generated on the SSH Server)
To allow the SSH client to successfully log in to the SSH server for the first time, configure
the SSH client to allocate an RSA, DSA, or ECC public key to the SSH server before the
login if first authentication is disabled.

Context
If first authentication is disabled, the SSH client cannot log in to the SSH server because the
validity check of the RSA, DSA, or ECC public key fails. An RSA, DSA, or ECC public key
needs to be assigned to the server before the SSH client logs in to the server.
The RSA, DSA, or ECC public key allocated to the SSH server must be generated on the
server. Otherwise, the validity check for the RSA, DSA, or ECC public key on the SSH client
cannot succeed.
Perform the following steps on the router that functions as an SSH client:


NOTE

To ensure high security, do not use the RSA algorithm whose length is less than 2048 digits. You are
advised to use the more secure ECC authentication algorithm for higher security.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform any of the following operations based on the selected public key algorithm:
• To enter the RSA public key view, run the rsa peer-public-key key-name command.
• To enter the DSA public key view, run the dsa peer-public-key key-name command.
• To enter the ECC public key view, run the ecc peer-public-key key-name command.
Step 3 Run public-key-code begin
The public key edit view is displayed.
Step 4 Enter hex-data to edit the public key.
The entered public key must be a hexadecimal string complying with the public key format.
The public key is generated randomly on the SSH server.

NOTE

After entering the public key edit view, copy and paste the RSA, DSA, or ECC public key generated on
the server to the client.

Step 5 Run public-key-code end


Exit the public key edit view.
If the configured public key contains invalid characters or does not comply with the public
key format, a message is displayed and the configured public key is discarded. If the
configured public key is valid, it is saved into the client's public key chain table.
• If no valid hex-data is specified, no public key is generated.
• If key-name specified in Step 2 has been deleted in another window, the system displays
an error and returns to the system view.
Step 6 Run peer-public-key end
Exit the public key view and return to the system view.
Step 7 Perform any of the following operations based on the selected algorithm:
• To assign an RSA public key to the SSH server, run the ssh client { server-name | server-ip } assign rsa-key key-name command.
• To assign a DSA public key to the SSH server, run the ssh client { server-name | server-ip } assign dsa-key key-name command.
• To assign an ECC public key to the SSH server, run the ssh client { server-name | server-ip } assign ecc-key key-name command.
Step 8 Run commit
The configuration is committed.

----End


8.4.3 (Optional) Configuring the Keepalive Feature on the SSH Client

After the keepalive feature is configured on the SSH client, the client sends keepalive packets
at the configured interval to the SSH server to check whether the connection between them is
normal. The keepalive feature implements fast fault detection.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run ssh client keepalive-interval seconds
The interval at which the client sends keepalive packets to the server is configured.
If the client does not receive a response from the server during an interval, the client sends
another keepalive packet to the server. If the server still does not respond, the client is
disconnected from the server.
Step 3 Run ssh client keepalive-maxcount count
The maximum number of keepalive packets that the client sends to the server is configured.
The interval at which the client sends keepalive packets to the server must be greater than the
maximum number of keepalive packets that the client sends to the server. For example, if the
interval is 0 (no keepalive packet is sent), the setting of the maximum number of keepalive
packets does not take effect.
Step 4 Run commit
The configuration is committed.

----End
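The keepalive behaviour described in the SFTP overview and in this procedure, as an added Python simulation rather than code from the guide: it models the keepalive-interval and keepalive-maxcount settings as a small client-side state machine, including the interval-0 case in which no keepalive is sent and the maximum count has no effect. The exact moment at which the count is treated as exceeded is an assumption noted in the code, and time is modelled as whole seconds.

```python
class SshClientKeepalive:
    """Client-side keepalive as the guide describes it: after `interval` seconds
    without any packet from the server, send a keepalive; once `maxcount`
    keepalives have gone unanswered, release the connection. An interval of 0
    disables keepalives entirely, so maxcount then has no effect."""

    def __init__(self, interval, maxcount):
        if interval < 0 or maxcount < 1:
            raise ValueError("interval must be >= 0 and maxcount >= 1")
        self.interval = interval
        self.maxcount = maxcount
        self.last_event = 0     # time of the last packet received or keepalive sent
        self.unanswered = 0     # keepalives sent since the server last replied
        self.released = False

    def on_packet_received(self, now):
        """Any packet from the server (data or keepalive reply) resets the counters."""
        self.last_event = now
        self.unanswered = 0

    def tick(self, now):
        """Called once per second; returns 'send-keepalive', 'release' or None."""
        if self.interval == 0 or self.released:
            return None
        if now - self.last_event < self.interval:
            return None
        self.last_event = now
        if self.unanswered >= self.maxcount:
            # Assumption about the guide's "exceeds": release on the first interval
            # after maxcount keepalives have all gone unanswered.
            self.released = True
            return "release"
        self.unanswered += 1
        return "send-keepalive"


def simulate(interval, maxcount, server_packet_times, horizon):
    """Drive the client for `horizon` seconds with constructed server traffic
    (a set of seconds at which a packet arrives). Returns the list of
    (time, action) events the client produced."""
    client = SshClientKeepalive(interval, maxcount)
    events = []
    for now in range(1, horizon + 1):
        if now in server_packet_times:
            client.on_packet_received(now)
        action = client.tick(now)
        if action:
            events.append((now, action))
            if action == "release":
                break
    return events
```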

8.4.4 Using STelnet Command to Log In to Other Devices


You can use STelnet to log in to the SSH server from the SSH client to configure and manage
the server.

Context
You can log in to the server from the SSH client without the need of specifying the listening
port number only when the listening port number of the server is 22. Otherwise, the listening
port number must be specified.
Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm | aes256_gcm } *
The encryption algorithms are configured for the SSH client.

NOTE

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 are weak.
Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr,
aes256_ctr, aes128_gcm, or aes256_gcm is recommended, because these algorithms provide
higher security.

Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96
| sha2_512 } *
The HMAC authentication algorithms are configured for the SSH client.

NOTE

sha2_256_96, sha1, sha1_96, md5, and md5_96 are weak. Therefore, do not add them to the
authentication algorithm list.

Step 4 (Optional) Run ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
A key exchange algorithm list is configured on the SSH client.

NOTE

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.

Step 5 In the user or system view, run either of the following commands:
• To use an IPv4 address to establish a connection to the SSH server over STelnet, run the stelnet [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] ] * command.
• To use an IPv6 address to establish a connection to the SSH server over STelnet, run the stelnet [ -a source-ipv6-address ] [ -force-receive-pubkey ] host-ipv6-address [ -vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port-number ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] ] * command.

NOTE

In the system view, the default level of the stelnet command is the configuration level.

----End
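An added Python check, not from the guide, that applies the NOTEs in Steps 2 to 4 to an NE40E-style configuration excerpt: it lists every weak cipher, HMAC or key-exchange entry in the ssh client lists and produces the hardened command lines with those entries removed. The configuration text is constructed for the example, and for key exchange only dh_group1_sha1 is flagged because that is the only algorithm the NOTE names.

```python
# Algorithms the guide's NOTEs single out as weak for each "ssh client" list.
# For key-exchange the NOTE names only dh_group1_sha1 ("such as"), so only
# that entry is flagged here.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": {"dh_group1_sha1"},
}


def audit_ssh_client_config(config_text):
    """Scan NE40E-style 'ssh client cipher|hmac|key-exchange ...' lines.
    Returns (findings, hardened_lines): findings is a list of (list_name, algorithm)
    pairs, one per weak entry; hardened_lines are the same commands with the weak
    entries removed. A list whose entries are all weak yields a finding instead of
    an empty command, because each command needs at least one algorithm."""
    findings, hardened = [], []
    for raw in config_text.splitlines():
        parts = raw.strip().split()
        if len(parts) < 4 or parts[:2] != ["ssh", "client"] or parts[2] not in WEAK:
            continue  # not one of the three algorithm-list commands
        list_name, algos = parts[2], parts[3:]
        kept = []
        for algo in algos:
            if algo in WEAK[list_name]:
                findings.append((list_name, algo))
            else:
                kept.append(algo)
        if kept:
            hardened.append("ssh client %s %s" % (list_name, " ".join(kept)))
        else:
            findings.append((list_name, "<no strong algorithm left; add one before removing>"))
    return findings, hardened


# Constructed configuration excerpt (not from a real device) used to exercise the audit.
SAMPLE_CONFIG = """\
#
ssh client cipher aes256_ctr aes128_cbc arcfour128
ssh client hmac sha2_256 md5
ssh client key-exchange dh_group14_sha1 dh_group1_sha1
ssh client first-time enable
#
"""
```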

8.4.5 Verifying the Configuration of Using STelnet to Log In to Other Devices

After completing the configuration for using STelnet to log in to other devices, you can view
mappings between SSH servers and RSA or ECC public keys on the SSH client, global
configuration of SSH servers, and sessions between SSH servers and the client.


Prerequisites
The configurations for using STelnet to log in to other devices are complete.

Procedure
• Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.

----End

Example
Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
--------------------------------------------------------------------------------------------
Server Name(IP)        Server public key name    Server public key type    State
--------------------------------------------------------------------------------------------
1000::1                1000::1                   RSA                       CONFIGURE
10.164.39.223          10.164.39.223             RSA                       CONFIGURE
127.0.0.1              127.0.0.1                 RSA                       CONFIGURE
192.0.0.223            192.0.0.223               RSA                       CONFIGURE
--------------------------------------------------------------------------------------------

8.5 Using TFTP to Access Other Devices


TFTP is used to transfer files between remote servers and local hosts. Unlike FTP, TFTP is
simple and provides no authentication. TFTP applies when no complex interaction is required
between clients and the server.

Usage Scenario
In the TCP/IP protocol suite, FTP is the most commonly used file transfer protocol. However,
FTP requires complex interactions between terminals and servers, which are hard to implement
on terminals that do not run advanced operating systems. TFTP is designed for file transfer
that does not require complex interactions between terminals and servers. It is simple and
inexpensive to implement. TFTP can be used only for simple file transfer without authentication.

NOTE

The HUAWEI NetEngine40E can function only as a TFTP client.

Pre-configuration Tasks
Before using TFTP to access other devices, configure user login.


Configuration Procedures
You can choose one or more configuration tasks (excluding "Checking the Configuration") as
required.

8.5.1 Configuring a Source Address for a TFTP Client

You can configure a source address for a TFTP client and use the source address to establish a
TFTP connection, ensuring file transfer security.

Context
You can assign an IP address to an interface on a TFTP client and use this IP address as the
source address to establish a TFTP connection.

Perform the following steps on the router that functions as a TFTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run tftp client-source { -a ip-address | -i interface-type interface-number }

A source address is configured for the TFTP client.

NOTE

The interface type specified by interface-type must be loopback.


After configuring a source address for a TFTP client, ensure that the source address of the TFTP client
displayed on the server is the same as the configured one.

Step 3 Run commit

The configuration is committed.

----End

8.5.2 Configuring TFTP Access Control


An ACL can be configured to allow the TFTP client to access specified TFTP servers.

Context
An ACL is a set of sequential rules. These rules are described based on source addresses,
destination addresses, and port numbers of packets. ACL rules are used to filter packets. After
ACL rules are applied to a device, the device permits or denies packets based on the ACL
rules.

Multiple rules can be defined for one ACL. ACL rules are classified as interface, basic, or
advanced ACL rules based on their functions.

Perform the following steps on the router that functions as a TFTP client:


Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run acl acl-number or acl-number
The basic ACL view is displayed.
Step 3 Run rule [ rule-id ] [ name rule-name ] { deny | permit } [ [ fragment | fragment-type fragment-type-name ] | logging | source { source-ip-address source-wildcard | any } | time-range time-name | vpn-instance vpn-instance-name ] *
An ACL rule is configured.
Step 4 Run quit
Return to the system view.
Step 5 Configure an ACL to control the TFTP client's access to TFTP servers.
• For IPv4, run tftp-server acl { acl-number | acl-name }. The ACL is applied to the TFTP client to control its access to TFTP servers.
• For IPv6, run tftp-server ipv6 acl { acl-number | acl-name }. The ACL is applied to the TFTP client to control its access to TFTP servers.
Step 6 Run commit
The configuration is committed.

----End

8.5.3 Using TFTP to Download Files from Other Devices


You can run the tftp command to download files from a remote server to the local device.

Context
If the TFTP server is reachable only through a VPN instance, specify vpn-instance vpn-instance-name in the tftp command so that the request is sent through that instance; specify public-net for a server on the public network.
To download a file, the TFTP client sends a read request (RRQ), which carries only the file name and transfer mode, to the TFTP server. The server answers with data blocks, and the client acknowledges each block it receives. Nothing in this exchange authenticates either side or protects the file contents, so prefer SFTP or SCP for configuration and software files and use TFTP only inside a trusted management network.
Perform one of the following operations based on the IP address type of the server:

Procedure
l Run tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name | public-net ] get source-filename [ destination-filename ]
A file is downloaded using TFTP.
The interface type specified by interface-type must be loopback.


l Run tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ -oi interface-type interface-number ] [ vpn-instance vpn-instance-name | public-net ] get source-filename [ destination-filename ]
A file is downloaded using TFTP.
----End

8.5.4 Using TFTP to Upload Files to Other Devices


You can run the tftp command to upload files from the local device to a remote server.

Context
To upload a file, the TFTP client sends a write request (WRQ) to the TFTP server. The server acknowledges the request with block number 0, the client then sends the file in data blocks, and the server acknowledges each block it receives; a block shorter than 512 bytes ends the transfer.
Perform one of the following operations based on the IP address type of the server:

Procedure
l Run tftp [ -a source-address | -i interface-type interface-number ] host-ip-address [ vpn-instance vpn-instance-name ] put source-filename [ destination-filename ]
A file is uploaded using TFTP.
The interface type specified by interface-type must be loopback.
l Run tftp ipv6 [ -a source-ipv6-address ] tftp-server-ipv6 [ -oi interface-type interface-number ] put source-filename [ destination-filename ]
A file is uploaded using TFTP.
----End
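The read and write exchanges of 8.5.3 and 8.5.4, as an added example that is not part of the NE40E guide: a minimal RFC 1350 packet codec in Python with an in-process stand-in for the server, so that both sides' messages can be followed step by step. The file names, file contents and the server object are constructed for the example; the device's tftp command is not involved.

```python
"""Minimal TFTP (RFC 1350) read and write exchanges, traced in process.
Added example, not code from the NE40E guide. The 'server' is a Python
object that answers each packet the way a TFTP server does; file names
and contents are constructed sample data."""
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK_SIZE = 512  # fixed block size of RFC 1350; a shorter block ends a transfer

def build_request(opcode, filename, mode="octet"):
    """RRQ/WRQ = opcode, filename, NUL, mode, NUL: there is no credential field."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"

def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload

def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)

def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\x00"

def parse(packet):
    """Split any TFTP packet into (opcode, fields)."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode in (OP_RRQ, OP_WRQ):
        filename, mode, _rest = packet[2:].split(b"\x00", 2)
        return opcode, (filename.decode(), mode.decode())
    if opcode == OP_DATA:
        (block,) = struct.unpack("!H", packet[2:4])
        return opcode, (block, packet[4:])
    if opcode == OP_ACK:
        return opcode, struct.unpack("!H", packet[2:4])
    if opcode == OP_ERROR:
        (code,) = struct.unpack("!H", packet[2:4])
        return opcode, (code, packet[4:-1].decode())
    raise ValueError("unknown TFTP opcode %d" % opcode)

class FakeTftpServer:
    """Serves a dict of files; the only thing it checks is the file name."""
    def __init__(self, files):
        self.files = dict(files)
        self.current = None  # name of the file in the transfer in progress

    def handle(self, packet):
        opcode, fields = parse(packet)
        if opcode == OP_RRQ:
            name = fields[0]
            if name not in self.files:
                return build_error(1, "File not found")
            self.current = name
            return build_data(1, self.files[name][:BLOCK_SIZE])
        if opcode == OP_WRQ:
            self.current = fields[0]
            self.files[self.current] = b""
            return build_ack(0)  # ACK 0 invites the client to send block 1
        if opcode == OP_ACK:  # client acknowledged a block of a read
            (block,) = fields
            data = self.files[self.current]
            if len(data) < block * BLOCK_SIZE:
                return None  # that block was the short final one: transfer done
            return build_data(block + 1, data[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE])
        if opcode == OP_DATA:  # client sent a block of a write; the server ACKs it
            block, payload = fields
            self.files[self.current] += payload
            return build_ack(block)
        return build_error(4, "Illegal TFTP operation")

def tftp_get(server, filename):
    """Client side of 'tftp ... get': RRQ, then ACK every DATA block received."""
    received, expected = b"", 0
    reply = server.handle(build_request(OP_RRQ, filename))
    while True:
        opcode, fields = parse(reply)
        if opcode == OP_ERROR:
            raise IOError("server error %d: %s" % fields)
        block, payload = fields
        expected += 1
        if block != expected:
            raise IOError("unexpected block %d" % block)
        received += payload
        reply = server.handle(build_ack(block))
        if len(payload) < BLOCK_SIZE:
            return received

def tftp_put(server, filename, data):
    """Client side of 'tftp ... put': WRQ, wait for ACK 0, send DATA blocks."""
    opcode, fields = parse(server.handle(build_request(OP_WRQ, filename)))
    if opcode != OP_ACK or fields[0] != 0:
        raise IOError("write request refused: %r" % (fields,))
    block = 0
    while True:
        chunk = data[block * BLOCK_SIZE:(block + 1) * BLOCK_SIZE]
        block += 1
        opcode, fields = parse(server.handle(build_data(block, chunk)))
        if opcode != OP_ACK or fields[0] != block:
            raise IOError("block %d was not acknowledged" % block)
        if len(chunk) < BLOCK_SIZE:
            return block  # blocks sent, including a final empty one if needed

if __name__ == "__main__":
    srv = FakeTftpServer({"vrpcfg.zip": b"A" * 1100})  # constructed sample file
    print(len(tftp_get(srv, "vrpcfg.zip")), "bytes downloaded")
    print(tftp_put(srv, "backup.cfg", b"B" * 1024), "blocks uploaded")
```

Note what is absent from the request packets: no user name, no password, no integrity check. That is why the ACL of the previous task and the client source address are the only controls the client has over which servers receive its files.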

8.5.5 Verifying the Configuration of Using TFTP to Access Other Devices
After completing the configuration for using TFTP to access other devices, you can view the
source address of the TFTP client and configured ACL rules.

Prerequisites
The configurations for using TFTP to access other devices are complete.

Procedure
l Run the display tftp-client command to check the source address of the TFTP client.
l Run the display acl { acl-number | all } command to check ACL rules configured on the
TFTP client.
----End

Example
Run the display tftp-client command to view the source address of the TFTP client.
<HUAWEI> display tftp-client


----------------------------------------------------------------------
Acl4Number : 0
SrcIPv4Addr : 0.0.0.0
Interface Name : LoopBack0
----------------------------------------------------------------------
Run the display acl { acl-number | all } command to view ACL rules configured on the TFTP
client.
<HUAWEI> display acl 2001
Basic acl 2001, 2 rules
Acl's step is 5
Acl's match-order is config
rule 5 permit ip source 1.1.1.1 0 (2 times matched)
rule 10 permit ip source 9.9.9.9 0 (3 times matched)

8.6 Using FTP to Access Other Devices


You can log in to an FTP server from the device that functions as an FTP client to upload files
to or download files from the server.

Usage Scenario
To transfer files with a remote FTP server or manage directories of the server, configure a
device as an FTP client and use FTP to access the FTP server.

Pre-configuration Tasks
Before using FTP to access other devices, configure the FTP server, including:
1. 6.4.1 Configuring a Local FTP User
2. 6.4.2 (Optional) Specifying a Listening Port Number for the FTP Server
3. 6.4.3 Enabling the FTP Server Function
4. 6.4.4 (Optional) Configuring FTP Server Parameters
5. 6.4.5 (Optional) Configuring FTP Access Control

Configuration Procedures

Figure 8-8 Flowchart for using FTP to operate files
1. (Optional) Configure a source address for an FTP client.
2. Use FTP to connect an FTP client to other devices.
3. Use FTP commands to operate files.
4. (Optional) Change a login user role.
5. End a connection to the FTP server.


8.6.1 (Optional) Configuring a Source Address for an FTP Client


You can configure a source address for an FTP client and use it for every FTP connection the device initiates. A fixed source address, typically that of a loopback interface, lets the FTP server and intermediate firewalls restrict FTP access to that single address instead of to every interface address of the router.

Context
You can assign an IP address to an interface on an FTP client and use this IP address as the source address to establish an FTP connection.

Perform the following steps on the router that functions as an FTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ftp client-source { -a ip-address | -i interface-type interface-number }

A source address is configured for the FTP client.

After configuring a source address for an FTP client, run the display ftp-users command on
the FTP server to check that the source address of the FTP client displayed in the command
output is the same as the configured one.

Step 3 Run commit

The configuration is committed.

----End

8.6.2 (Optional) Configuring the IP Address Locking Function


To slow down password-guessing attacks against the FTP server function of the device, configure FTP-based IP address locking. Unlike the other tasks in this section, this function is configured on the device that functions as the FTP server.

Context
After a user fails to log in to the device using FTP, the failure is counted against the source IP address. If the number of failures within the configured period reaches the threshold, the IP address is locked, and no user connecting from that IP address can set up an FTP connection with this device until the lock expires or is cleared. Note that a lock on a shared address, such as a NAT gateway or jump host, also locks out the legitimate users behind it.

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run undo ftp server ip-block disable

The client IP address locking function is enabled on the device that functions as an FTP
server.

Step 3 Run ftp server ip-block failed-times failed-times period period


The maximum number of consecutive authentication failures and the period within which they are counted are configured for client IP address locking.
Step 4 Run ftp server ip-block reactive reactive-period
The period after which a locked IP address is automatically unlocked is specified.
Step 5 Run commit
The configuration is committed.
Step 6 Run quit
The user view is displayed.
Step 7 (When a locked address must be released before reactive-period expires) Run activate ftp server ip-block ip-address ip-address [ vpn-instance vpn-name ]
The IP address of a user that failed authentication is unlocked.

----End
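The locking behaviour described in the Context above, as an added example that is not NE40E code: constructed login events are replayed through a policy with the same three parameters (failed-times, period, reactive-period). The threshold values, the event list and the two assumptions noted in the docstring are mine, not the device's defaults.

```python
"""Per-source-address FTP lockout, modelled on 'ftp server ip-block'.
Added example, not NE40E code. Two details the guide leaves open are
assumptions here: a successful login clears the failure count, and
failures older than 'period' are discarded."""
from collections import defaultdict

class IpBlockPolicy:
    def __init__(self, failed_times=3, period=300, reactive=600):
        self.failed_times = failed_times   # ftp server ip-block failed-times N ...
        self.period = period               # ... period P (seconds)
        self.reactive = reactive           # ftp server ip-block reactive R (seconds)
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked = {}                  # ip -> time at which the lock expires

    def is_blocked(self, ip, now):
        until = self.blocked.get(ip)
        if until is None:
            return False
        if now >= until:  # reactive period elapsed: automatic unlock
            del self.blocked[ip]
            return False
        return True

    def login(self, ip, ok, now):
        """Outcome of one attempt: 'blocked', 'accepted' or 'rejected'."""
        if self.is_blocked(ip, now):
            return "blocked"  # even a correct password gets no connection
        if ok:
            self.failures.pop(ip, None)
            return "accepted"
        recent = [t for t in self.failures[ip] if now - t < self.period]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.failed_times:
            self.blocked[ip] = now + self.reactive
            del self.failures[ip]
        return "rejected"

    def activate(self, ip):
        """Manual release: 'activate ftp server ip-block ip-address <ip>'."""
        return self.blocked.pop(ip, None) is not None

    def block_list(self, now):
        """Like 'display ftp server ip-block list': ip -> seconds until unblock."""
        return {ip: until - now for ip, until in self.blocked.items() if until > now}

# Constructed events: (seconds since start, source address, password correct?)
SAMPLE_EVENTS = [
    (0, "10.0.0.1", False),
    (30, "10.0.0.1", False),
    (60, "10.0.0.5", True),
    (90, "10.0.0.1", False),   # third failure within 300 s: address locked
    (120, "10.0.0.1", True),   # correct password, still refused
    (400, "10.0.0.9", False),
    (800, "10.0.0.1", True),   # 600 s reactive period has passed
]

def replay(events, policy):
    """Run the events through the policy; returns one outcome per event."""
    return [policy.login(ip, ok, t) for t, ip, ok in events]

if __name__ == "__main__":
    p = IpBlockPolicy()
    for (t, ip, _), outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, p)):
        print("t=%4d %-10s %s" % (t, ip, outcome))
```

The replay makes the trade-off visible: the address is refused at t=120 even with the right password, and only becomes usable again when the reactive period has elapsed or after the activate command.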

8.6.3 Using FTP to Connect an FTP Client to Other Devices


FTP commands can be used to log in to other devices from an FTP client.

Context
Commands can be run in the user or FTP client view to establish connections to remote FTP
servers.

NOTE

l If the ftp command is run without parameters in the user view, the FTP client view is displayed but no connection is established.
l When you run the ftp command in the user view or the open command in the FTP client view to establish a control connection to a remote FTP server that listens on the default port, you do not need to specify a listening port number. Otherwise, you must specify the listening port number in the command.
l Before logging in to the FTP server, you can run the set net-manager vpn-instance command to configure a default VPN instance. After a default VPN instance is configured, it is used for FTP operations.

Perform either of the following operations on the FTP client based on the type of the server's
IP address:

Procedure
l If the server has an IPv4 address, use commands described in Table 8-1 to connect the
client to other devices.

Table 8-1 Using FTP commands to connect the FTP client to other devices
View             Operation
User view        Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ] [ public-net | vpn-instance vpn-instance-name ] ] command to establish a connection to the FTP server.
FTP client view  Run the open { -a source-ip | -i interface-type interface-number } host-ip-address [ port-number ] [ public-net | vpn-instance vpn-instance-name ] command to establish a connection to the FTP server.

l If the server has an IPv6 address, use commands described in Table 8-2 to connect the
client to other devices.

Table 8-2 Using FTP commands to connect the FTP client to other devices
View             Operation
User view        Run the ftp ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.
FTP client view  Run the open ipv6 [ -i interface-type interface-number ] host-ipv6-address [ port-number ] command to establish a connection to the FTP server.

----End

8.6.4 Using FTP Commands to Operate Files


After logging in to an FTP server, you can use FTP commands to operate files, including
configuring the file transfer mode, viewing online helps about FTP commands, uploading
files, and managing directories and files.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-
number ] [ vpn-instance vpn-instance-name | public-net ] command to use an IPv6
address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform one or more operations described in Table 8-3 as needed.

Table 8-3 File operations

Managing files

Configuring the file type
l Run the ascii command to set the file type to ASCII.
l Run the binary command to set the file type to binary.
The FTP file type is determined by the client. By default, the ASCII type is used. ASCII mode rewrites line endings in transit, which corrupts software packages and other non-text files, so run binary before transferring anything that is not plain text.

Configuring the data connection mode
l Run the passive command to set the data connection mode to PASV.
l Run the undo passive command to set the data connection mode to ACTIVE.

Uploading files
l Run the put local-filename [ remote-filename ] command to upload a file from the local device to a remote server.
l Run the mput local-filenames command to upload files from the local device to a remote server.
NOTE
You can also run either of the following commands in the user view to upload a local file to the FTP server:
l On an IPv4 network: run the ftp client-transfile put [ -a source-ip-address | -i interface-type interface-number ] host-ip host-ipaddress [ port portnumber ] [ vpn-instance vpn-instance-name ] username username sourcefile local-filename [ destination remote-filename ] command.
l On an IPv6 network: run the ftp client-transfile put ipv6 host-ip ipv6-address [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

Downloading files
l Run the get remote-filename [ local-filename ] command to download a file from a remote server and save the file on the local device.
l Run the mget remote-filenames command to download files from a remote server and save the files on the local device.
NOTE
You can also run either of the following commands in the user view to download a file from the FTP server to the local device:
l On an IPv4 network: run the ftp client-transfile get [ -a source-ip-address | -i interface-type interface-number ] host-ip host-ipaddress [ port portnumber ] [ vpn-instance vpn-instance-name ] username username sourcefile local-filename [ destination remote-filename ] command.
l On an IPv6 network: run the ftp client-transfile get ipv6 host-ip ipv6-address [ port port-number ] username username sourcefile local-filename [ destination remote-filename ] command.

Enabling the file transfer notification function
l If the prompt command is run in the FTP client view to enable the file transfer notification function, the system prompts you to confirm each upload or download operation.
l If the prompt command is run again in the FTP client view, the file transfer notification function is disabled.
NOTE
The prompt command applies when the mput or mget command is used to upload or download files. If the local device already has the files to be downloaded by the mget command, the system prompts you to confirm replacing the existing ones regardless of whether the file transfer notification function is enabled.

Enabling the FTP verbose function
Run the verbose command.
After the verbose function is enabled, all FTP response information is displayed. After file transfer is complete, statistics about the transmission rate are displayed.

Appending the local file contents to a file on the FTP server
Run the append local-filename [ remote-filename ] command.
If the file specified by remote-filename does not exist on the FTP server, the file is created on the FTP server and the local file contents are appended to the end of the created file.

Deleting files
Run the delete remote-filename command.

Managing directories

Changing the working path of a remote FTP server
Run the cd pathname command.

Changing the working path of an FTP server to the parent directory
Run the cdup command.

Displaying the working path of an FTP server
Run the pwd command.

Displaying files in a directory and the list of sub-directories
Run the dir [ remote-directory [ local-filename ] ] command.
If no path name is specified for a specified remote file, the system searches an authorized directory for the specified file.

Displaying a specified remote directory or file on an FTP server
Run the ls [ remote-directory [ local-filename ] ] command.

Displaying or changing the working path of an FTP client
Run the lcd [ directory ] command.
The lcd command displays the local working path of the FTP client, while the pwd command displays the working path of the remote FTP server.

Creating a directory on an FTP server
Run the mkdir remote-directory command.
The directory name can be a combination of letters and digits and must not contain special characters, such as less than (<), greater than (>), question marks (?), backslashes (\), and colons (:).

Deleting a directory from an FTP server
Run the rmdir remote-directory command.

Displaying online help for an FTP command
Run the remotehelp [ command ] command.

----End

8.6.5 (Optional) Changing a Login User Role


You can use different user roles to log in to an FTP server.

Context
After you log in to an FTP server from a device functioning as an FTP client, you can use
another user name to log in to the server. Changing a login user role does not affect the
current FTP connection. That is, FTP control and data connections and the connection status
do not change.

If you enter an incorrect user name or password, the current FTP connection is ended. To log in to the server again, you must enter a correct user name and password.

NOTE

After logging in to the HUAWEI NetEngine40E, you can log in to the FTP server by using another user
name without logging out of the FTP client view. The established FTP connection is identical with that
established by running the ftp command.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-
number ] [ vpn-instance vpn-instance-name | public-net ] command to use an IPv6
address to establish a connection to the FTP server and enter the FTP client view.


Step 2 Run user user-name

The login user role is changed.

After the login user role is changed, the connection between the original user role and the FTP
server is ended.

NOTE

Only FTP users at Level 3 or higher can run the user user-name command to change the user role and
log in to the FTP server.

Step 3 Run commit

The configuration is committed.

----End

8.6.6 Ending a Connection to the FTP Server


To save system resources and ensure successful logins of authorized users to the FTP server,
end connections to the FTP server.

Context
After the number of users logging in to an FTP server reaches the upper limit, no more
authorized users can log in. To allow authorized users to log in to the FTP server, end idle
connections to the FTP server.

Procedure
Step 1 Perform either of the following steps on the client, based on the type of the server's IP
address:
l Run the ftp [ [ -a source-ip-address | -i interface-type interface-number ] host-ip
[ portnumber ] [ vpn-instance vpn-instance-name ] ] command to use an IPv4 address to
establish a connection to the FTP server and enter the FTP client view.
l Run the ftp ipv6 ipv6-linklocal-address -oi interface-type interface-number [ port-
number ] [ vpn-instance vpn-instance-name | public-net ] command to use an IPv6
address to establish a connection to the FTP server and enter the FTP client view.

Step 2 Perform either of the following operations as needed to end an FTP connection.
l Run the bye or quit command to end the connection to the FTP server and return to the user view.
l Run the close or disconnect command to end the connection to the FTP server and the FTP session while remaining in the FTP client view.

----End

8.6.7 Verifying the Configuration of Using FTP to Access Other Devices
After completing the configuration of accessing other devices by using FTP, you can view the
parameters configured on the FTP client.


Prerequisites
The configurations of accessing other devices by using FTP are complete.

Procedure
l Run the display ftp-client command on the FTP client to check its source address.
l Run the display ftp server ip auth-fail information command on the device functioning as the FTP server to check the IP addresses of all clients that failed authentication.
l Run the display ftp server ip-block list command on the device functioning as the FTP server to check the IP addresses that are currently locked.
----End

Example
After configuring the source IP address of the FTP client, run the display ftp-client command
to view the configuration.
<HUAWEI> display ftp-client
--------------------------------------------------------------------------------
ACL name :
ACL number :
Source IPv4 address : 0.0.0.0
Interface Name :
--------------------------------------------------------------------------------

After configuring the loopback interface of the FTP client, run the display ftp-client
command to view the configuration.
<HUAWEI> display ftp-client
--------------------------------------------------------------------------------
ACL name :
ACL number :
Source IPv4 address : 0.0.0.0
Interface Name : LoopBack0
--------------------------------------------------------------------------------

On the device functioning as the FTP server, run the display ftp server ip auth-fail information command to check information about the IP addresses of all the clients that failed authentication.
<HUAWEI> display ftp server ip auth-fail information
--------------------------------------------------------------------------------
IP Address          VPN Name      First Time Auth-fail     Auth-fail Count
--------------------------------------------------------------------------------
10.0.0.1            _public_      2016-09-05 11:19:28      1
--------------------------------------------------------------------------------

On the device functioning as the FTP server, run the display ftp server ip-block list command to check the locked IP addresses. UnBlock Interval is the number of seconds left until the address is automatically unlocked.
<HUAWEI> display ftp server ip-block list
--------------------------------------------------------------------------------
IP Address          VPN Name      UnBlock Interval (Seconds)
--------------------------------------------------------------------------------
10.0.0.1            _public_      294
--------------------------------------------------------------------------------

8.7 Using SFTP to Access Other Devices


SFTP provides secure FTP services. After a device is configured as an SFTP client, the SFTP
server authenticates the client and encrypts data in both directions to provide secure file
transfer.

Usage Scenario
Based on SSH, SFTP ensures that users log in to a remote device securely to manage and
transfer files, enhancing secure file transfer. Because the device can function as an SFTP
client, you can log in to a remote SSH server from the device to transfer files securely.

Pre-configuration Tasks
Before using SFTP to access other devices, complete the following tasks:
1. Configuring an SSH User and Specifying a Service Type
2. Enabling the SFTP Server Function
3. (Optional) Configuring SFTP Server Parameters

Configuration Procedures

Figure 8-9 Flowchart for using SFTP to access other devices
With first authentication enabled on the SSH client:
1. (Optional) Configure a source address for an SFTP client.
2. Configure first login to the SSH server (enabling first authentication on the SSH client).
3. Use SFTP to connect the SSH client to the SSH server.
4. Use SFTP commands to operate files.
With first authentication disabled:
1. (Optional) Configure a source address for an SFTP client.
2. Configure first login to the SSH server (binding the SSH client to the public key generated on the SSH server).
3. Use SFTP to connect the SSH client to the SSH server.
4. Use SFTP commands to operate files.

8.7.1 (Optional) Configuring a Source Address for an SFTP Client


You can configure a source address for an SFTP client and use it for every SFTP connection the device initiates. A fixed source address, typically that of a loopback interface, lets the SSH server and intermediate firewalls restrict access to that single address instead of to every interface address of the router.


Context
You can assign an IP address to an interface on the SFTP client and use this IP address as the
source address to establish an SFTP connection.

The source address for an SFTP client can be a source interface or a source IP address.

Perform the following steps on the router functioning as an SFTP client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run sftp client-source { -a source-ip-address | -i interface-type interface-number }

A source address is configured for the SFTP client.

Step 3 Run commit

The configuration is committed.

----End

8.7.2 Configuring First Login to the SSH Server (Enabling First Authentication on the SSH Client)
After first authentication is enabled on the SSH (SFTP) client, the RSA, DSA, or ECC public key presented by the SSH server is not checked against a stored key when the SSH client logs in to the SSH server for the first time.

Context
After the first login, the client saves the server's RSA, DSA, or ECC public key and uses it to verify the server on subsequent logins. This is trust on first use: a key injected by an on-path attacker during that first login is saved and trusted afterwards. Verify the key fingerprint out of band or, where the management network cannot be trusted, use the procedure in 8.7.3 instead.

Perform the following steps on the device that functions as an SSH client:

Procedure
Step 1 Run system-view

The system view is displayed.

Step 2 Run ssh client first-time enable

First authentication is enabled on the SSH client.

Step 3 Run commit

The configuration is committed.

----End


8.7.3 Configuring First Login to the SSH Server (Binding the SSH Client to the Public Key Generated on the SSH Server)
To allow the SSH client to log in to the SSH server for the first time while first authentication is disabled, store the server's RSA, DSA, or ECC public key on the SSH client and bind it to the server before the login.

Context
If first authentication is disabled, the SSH client rejects the login because it has no stored public key against which to check the key presented by the SSH server. The server's RSA, DSA, or ECC public key therefore needs to be bound to the server on the client before the SSH client logs in. Obtain the key from the server's console or another trusted out-of-band channel, not from the SSH session it is meant to authenticate.
Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform any of the following operations based on the selected public key algorithm:
l To enter the RSA public key view, run the rsa peer-public-key key-name command.
l To enter the DSA public key view, run the dsa peer-public-key key-name command.
l To enter the ECC public key view, run the ecc peer-public-key key-name command.
Step 3 Run public-key-code begin
The public key edit view is displayed.
Step 4 Enter hex-data to edit the public key.
The entered public key must be a hexadecimal string complying with the public key format. It is the public half of the key pair generated on the SSH server.

NOTE

After entering the public key edit view, copy and paste the RSA, DSA, or ECC public key generated on
the server to the client.

Step 5 Run public-key-code end
Exit the public key edit view.
If the configured public key contains invalid characters or does not comply with the public key format, a message is displayed and the configured public key is discarded. If the configured public key is valid, it is saved into the client's public key chain table.
l If no valid hex-data is specified, no public key is generated.
l If key-name specified in Step 2 has been deleted in another window, the system displays an error and returns to the system view.
Step 6 Run peer-public-key end
Exit the public key view and return to the system view.
Step 7 Perform any of the following operations based on the selected algorithm:


l To assign an RSA public key to the SSH server, run the ssh client { server-name |
server-ip } assign rsa-key key-name command.
l To assign a DSA public key to the SSH server, run the ssh client { server-name | server-
ip } assign dsa-key key-name command.
l To assign an ECC public key to the SSH server, run the ssh client { server-name |
server-ip } assign ecc-key key-name command.
Step 8 Run commit
The configuration is committed.

----End
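The difference between 8.7.2 (first authentication enabled) and 8.7.3 (public key bound in advance), as an added example that is not NE40E code: a Python model of a client's host-key store exercised against a genuine server key and an attacker's key. The key blobs, server addresses and result labels are constructed for the example, and the hexadecimal form that the public-key-code view expects is not reproduced here.

```python
"""Server host-key handling in the two SSH client modes: 'first-time'
(trust on first use) versus a pre-bound peer public key.
Added example, not NE40E code. Keys are constructed 'ssh-rsa' blobs in SSH
wire format (string "ssh-rsa", mpint e, mpint n) with toy moduli; they are
not real keys, and the server addresses are made up."""
import base64
import hashlib
import struct

def ssh_string(raw):
    return struct.pack("!I", len(raw)) + raw

def mpint(n):
    """SSH mpint: big-endian, with a leading zero byte when the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e, n):
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def openssh_line(blob, comment):
    """The 'ssh-rsa AAAA... comment' form a server prints for copy and paste."""
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def blob_from_openssh_line(line):
    return base64.b64decode(line.split()[1])

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: the value to compare out of band."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

class SshClient:
    def __init__(self, first_time_enabled):
        self.first_time = first_time_enabled  # 'ssh client first-time enable'
        self.known = {}                       # server -> trusted public-key blob

    def assign_key(self, server, blob):
        """Like pasting the key in public-key-code and 'ssh client <server> assign rsa-key'."""
        self.known[server] = blob

    def connect(self, server, presented):
        """Decide on the key the server presents during key exchange."""
        pinned = self.known.get(server)
        if pinned is None:
            if not self.first_time:
                return "rejected-unknown"      # no key bound, first-time disabled
            self.known[server] = presented     # saved and trusted from now on
            return "accepted-tofu"
        if pinned == presented:
            return "accepted"
        return "rejected-mismatch"             # key changed: possible MITM

GENUINE = rsa_public_blob(65537, 0xC0FFEE1234567890ABCDEF)  # constructed toy modulus
ROGUE = rsa_public_blob(65537, 0xBADC0DE5EEDFACE)           # an attacker's key

def scenario():
    """Same server, same attacker, the two client configurations side by side."""
    tofu = SshClient(first_time_enabled=True)
    pinned = SshClient(first_time_enabled=False)
    pinned.assign_key("10.1.1.1", blob_from_openssh_line(openssh_line(GENUINE, "ne40e")))
    return {
        "tofu_first_login_via_mitm": tofu.connect("10.1.1.1", ROGUE),
        "tofu_later_real_server": tofu.connect("10.1.1.1", GENUINE),
        "pinned_real_server": pinned.connect("10.1.1.1", GENUINE),
        "pinned_mitm": pinned.connect("10.1.1.1", ROGUE),
        "pinned_unknown_server": pinned.connect("10.1.1.2", GENUINE),
    }

if __name__ == "__main__":
    print("server fingerprint:", fingerprint(GENUINE))
    for case, result in scenario().items():
        print("%-28s %s" % (case, result))
```

The first two results are the point of 8.7.3: with first authentication enabled, an attacker who intercepts the first login is trusted and the real server is then rejected as a key change; with the key bound beforehand, the attacker is rejected on every login.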

8.7.4 Using SFTP to Connect the SSH Client to the SSH Server
You can log in to an SSH server from an SSH client by using SFTP.

Context
The command used to enable the SFTP client is similar to the command used to enable the
STelnet client. Both commands can carry the source address, key exchange algorithm,
encryption algorithm, HMAC algorithm, and Keepalive interval.
Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm |
aes256_gcm } *
The encryption algorithms are configured for the SSH client.

NOTE

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 are cryptographically weak; do not add them to the encryption algorithm list. Use aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, or aes256_gcm instead, which are stronger.

Step 3 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96
| sha2_512 } *
The HMAC authentication algorithms are configured for the SSH client.

NOTE

sha2_256_96, sha1, sha1_96, md5, and md5_96 are weak (truncated tags or deprecated hash functions); do not add them to the authentication algorithm list. Use sha2_256 or sha2_512.

Step 4 (Optional) Run ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *
A key exchange algorithm list is configured on the SSH client.


NOTE

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1 (a 1024-bit group combined with SHA-1). Prefer ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, or dh_group_exchange_sha256; the remaining *_sha1 exchanges depend on SHA-1.

Step 5 Perform either of the following steps based on a network protocol:
l Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ prefer_kex prefer_kex | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | prefer_ctos_compress zlib | prefer_stoc_compress zlib | [ public-net | -vpn-instance vpn-instance-name ] | -ki interval | -kc count | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] * command to use an IPv4 address to establish a connection to the SSH server over SFTP and enter the SFTP client view.
l Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ -vpn-instance vpn-instance-name | public-net ] [ -oi interface-type interface-number ] [ port-number ] [ prefer_kex prefer_kex | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | prefer_ctos_compress zlib | prefer_stoc_compress zlib | -ki interval | -kc count | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] * command to use an IPv6 address to establish a connection to the SSH server over SFTP and enter the SFTP client view.
Step 6 Run commit
The configuration is committed.

----End
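Why the NOTEs in Steps 2 to 4 say to remove weak algorithms rather than merely rank them last, as an added example that is not NE40E code: a Python model of the RFC 4253 negotiation rule run over assumed client and server lists. The lists, the two server profiles and the WEAK sets (which mirror the algorithms the NOTEs call weak) are assumptions made for the example.

```python
"""SSH algorithm negotiation over lists like those set with 'ssh client
cipher', 'ssh client hmac' and 'ssh client key-exchange'.
Added example, not NE40E code. RFC 4253 rule: the first algorithm in the
client's list that the server also offers wins (kex is simplified here to
ignore host-key compatibility). All lists below are assumptions."""

WEAK = {  # the names the guide's NOTEs call weak; a stricter policy would also drop *_sha1 kex
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "kex": {"dh_group1_sha1"},
}

# Assumed client preference lists: strong entries first, weak ones kept "for compatibility".
CLIENT_LISTS = {
    "kex": ["ecdh_sha2_nistp256", "dh_group_exchange_sha256", "dh_group14_sha1", "dh_group1_sha1"],
    "cipher": ["aes256_gcm", "aes128_ctr", "aes256_cbc", "3des_cbc"],
    "hmac": ["sha2_512", "sha2_256", "sha1", "md5"],
}
# A well-configured server ...
GOOD_SERVER = {
    "kex": ["ecdh_sha2_nistp256", "dh_group_exchange_sha256"],
    "cipher": ["aes128_ctr", "aes256_gcm"],
    "hmac": ["sha2_256", "sha2_512"],
}
# ... and what an attacker in the path (or a legacy server) offers instead.
DOWNGRADING_SERVER = {"kex": ["dh_group1_sha1"], "cipher": ["3des_cbc"], "hmac": ["md5"]}

def negotiate(client_prefs, server_offers):
    """First client-preferred algorithm the server supports; None means the connection fails."""
    for alg in client_prefs:
        if alg in server_offers:
            return alg
    return None

def negotiate_all(client, server):
    return {kind: negotiate(client[kind], server[kind]) for kind in ("kex", "cipher", "hmac")}

def harden(client):
    """The lists to actually configure: weak names removed, order otherwise unchanged."""
    return {kind: [a for a in prefs if a not in WEAK[kind]] for kind, prefs in client.items()}

if __name__ == "__main__":
    for name, client in (("default", CLIENT_LISTS), ("hardened", harden(CLIENT_LISTS))):
        print(name, "vs good server:       ", negotiate_all(client, GOOD_SERVER))
        print(name, "vs downgrading server:", negotiate_all(client, DOWNGRADING_SERVER))
```

Against a good server the ranking alone picks strong algorithms, so the weak tail looks harmless; against a server that offers only the weak ones, the same client silently negotiates them. Only the hardened lists make that session fail instead.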

8.7.5 Using SFTP Commands to Operate Files


You can manage directories and files of the SSH server on the SFTP client and view help for
all SFTP commands on the SFTP client.

Context
After logging in to the SSH server from the SFTP client, you can perform the following
operations on the SFTP client:
l Create and delete directories of the SSH server; view the current working directory; view
files in a directory and the list of sub-directories.
l Rename, delete, upload, and download files.
l View command help on the SFTP client.
Perform the following steps on the router that functions as an SSH client:

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform either of the following steps based on a network protocol:
Run the sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-
number ] [ prefer_kex prefer_kex | prefer_ctos_cipher prefer_ctos_cipher |
prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac |


prefer_stoc_hmac prefer_stoc_hmac | prefer_ctos_compress zlib | prefer_stoc_compress


zlib | [ public-net | -vpn-instance vpn-instance-name ] | -ki interval | -kc count | identity-key
{ dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] * command to use an IPv4 address to
establish a connection to the SSH server over SFTP and enter the SFTP client view.
Run the sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ -
vpn-instance vpn-instance-name | public-net ] [ -oi interface-type interface-number ] [ port-
number ] [ prefer_kex prefer_kex | prefer_ctos_cipher prefer_ctos_cipher |
prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac |
prefer_stoc_hmac prefer_stoc_hmac | prefer_ctos_compress zlib | prefer_stoc_compress
zlib | -ki interval | -kc count | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa |
ecc } ]* command to use an IPv6 address to establish a connection to the SSH server over
SFTP and enter the SFTP client view.
Step 3 Perform one or more operations described in Table 8-4 as needed.

Table 8-4 File operations

Managing directories
l Changing the current working directory: run the cd [ path ] command.
l Changing the current working directory to the parent directory: run the cdup command.
l Displaying the current working directory: run the pwd command.
l Displaying files in a directory and the list of sub-directories: run the dir [ remote-filename [ local-filename ] ] command.
l Deleting a directory on the server: run the rmdir directory-name command.
l Creating a directory on the server: run the mkdir path command.

Managing files
l Renaming a file on the server: run the rename old-name new-name command.
l Downloading files from a remote server: run the get remote-filename [ local-filename ] command.
l Uploading files to a remote server: run the put local-filename [ remote-filename ] command.
l Deleting files from the server: run the remove path &<1-10> or delete file command.

Displaying command help on the SFTP client: run the help [ command-name ] command.


Step 4 Run commit
The configuration is committed.

----End

Follow-up Procedure
There is a limit to the maximum number of SFTP clients that can connect to the SFTP server
at the same time. Therefore, after performing the desired operations on the SFTP server,
disconnect the SFTP client from the SFTP server so that other users can access the SFTP
server. You can run the bye, exit, or quit command in the SFTP client view to disconnect the
SFTP client from the SFTP server.

8.7.6 Using SFTP One-click Commands to Operate Files


You can use the SFTP one-click file transfer command to upload files from an SFTP client to an
SFTP server or download files from an SFTP server to an SFTP client in a single command.

Prerequisites
Before you run the sftp client-transfile command to connect to an SFTP server, ensure that
the following requirements are met:
l The route between the SSH client and server is reachable. If the server does not use a
standard port number, the port number configured on the server must be obtained.
l The IP address of the SSH server and the information about the SSH user used for login
are obtained.
l The SFTP service is enabled on the server; the service types configured for the server
contain SFTP; password authentication is configured for the SSH user.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Perform either of the following steps based on a network protocol:
l Establish an SFTP connection based on IPv4
Run the sftp client-transfile { get | put } [ -a source-address | -i interface-type
interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-
name ] | prefer_kex prefer_kex | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher
prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac
prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki interval | -kc count ] *
username user-name password password sourcefile source-file [ destination
destination ] command to connect to the SFTP server in IPv4 mode and download files
from the server to the SFTP client or upload files from the SFTP client to the server.
l Establish an SFTP connection based on IPv6
Run the sftp client-transfile { get | put } ipv6 [ -a source-ipv6-address ] host-ip host-
ipv6 [ -oi interface-type interface-number ] [ port ] [ [ public-net | -vpn-instance vpn-
instance-name ] | prefer_kex prefer_kex ] | [ identity-key { rsa | dsa | ecc } |


prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher |


prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki
interval | -kc count ] * username user-name password password sourcefile source-file
[ destination destination ] command to connect to the SFTP server in IPv6 mode and
download files from the server to the SFTP client or upload files from the SFTP client to
the server.
Step 3 Run commit
The configuration is committed.

----End

Example
# Download the file sample.txt from the SFTP server at 10.1.1.4 to the SFTP client as user
huawei, using password authentication and specifying dsa as the identity-key algorithm. Because
the password is part of the command line, keep such commands out of scripts and logs that other
users can read.
<HUAWEI> system-view
[HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key dsa username
huawei password Huawei-123 sourcefile sample.txt

8.7.7 Verifying the Configuration of Using SFTP to Access Other Devices
After completing the configuration of using SFTP to access other devices, you can view the
source address of the SSH client, mappings between SSH servers and RSA or ECC public
keys on the client, global configurations of the SSH servers, and sessions between the SSH
servers and the client.

Prerequisites
The configurations of using SFTP to access other devices are complete.

Procedure
l Run the display sftp-client command to check the source address of the SFTP client.
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End

Example
Run the display sftp-client command on the client to view the source address of the SFTP
client.
<HUAWEI> display sftp-client
The source address of SFTP client is 1.1.1.1

Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
----------------------------------------------------------------------------------
Server Name(IP)      Server public key name   Server public key type   State
----------------------------------------------------------------------------------
1000::1              1000::1                  RSA                      CONFIGURE
10.164.39.223        10.164.39.223            RSA                      CONFIGURE
127.0.0.1            127.0.0.1                RSA                      CONFIGURE
192.0.0.223          192.0.0.223              RSA                      CONFIGURE
----------------------------------------------------------------------------------
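The table above is the client's record of which SSH servers already have a saved public key, and it is the thing to consult before an sftp or scp command is issued: a host that is absent from it is a first contact, and its key should be verified out of band rather than accepted on the spot. The following Python script is an added example, not code from the guide or the device; it parses the display ssh server-info output and answers that question for a given host. The sample output is constructed from the values shown above, and the parser also accepts the wrapped two-line row layout that a terminal or PDF dump produces. Note that the table does not show key length, so the 2048-bit minimum for RSA keys still has to be checked separately.

```python
"""Pre-flight host key check for the SFTP/SCP client: parse the output of
'display ssh server-info' and report whether the client already holds a
public key for the server it is about to connect to."""

# Constructed sample: the verification output shown above, with the key
# values from the guide's example.
SAMPLE_OUTPUT = """\
<HUAWEI> display ssh server-info
----------------------------------------------------------------------------------
Server Name(IP)      Server public key name   Server public key type   State
----------------------------------------------------------------------------------
1000::1              1000::1                  RSA                      CONFIGURE
10.164.39.223        10.164.39.223            RSA                      CONFIGURE
127.0.0.1            127.0.0.1                RSA                      CONFIGURE
192.0.0.223          192.0.0.223              RSA                      CONFIGURE
----------------------------------------------------------------------------------
"""

FIELDS = ("server", "key_name", "key_type", "state")


def parse_server_info(output):
    """Return {server: {"key_name": ..., "key_type": ..., "state": ...}}.

    Fields are collected token by token, so a row that a terminal or PDF
    dump wraps onto two lines (name and key name, then type and state)
    parses exactly like a single-line row."""
    servers = {}
    tokens = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the prompt, the dashed separators and the two header lines.
        if not line or line.startswith(("<", "-", "Server ")):
            continue
        tokens.extend(line.split())
        while len(tokens) >= len(FIELDS):
            row = dict(zip(FIELDS, tokens[: len(FIELDS)]))
            del tokens[: len(FIELDS)]
            servers[row.pop("server")] = row
    if tokens:
        raise ValueError(f"incomplete row at end of table: {tokens}")
    return servers


def saved_key(output, host, accepted_types=("RSA", "ECC")):
    """Return the saved key entry for host when its state is CONFIGURE and
    its type is accepted, otherwise None: the host must then be treated as
    first contact and its key verified out of band before connecting."""
    entry = parse_server_info(output).get(host)
    if entry and entry["state"] == "CONFIGURE" and entry["key_type"] in accepted_types:
        return entry
    return None


if __name__ == "__main__":
    for host in ("10.164.39.223", "10.1.1.4"):
        entry = saved_key(SAMPLE_OUTPUT, host)
        print(host, "->", f"saved {entry['key_type']} key" if entry else "NO saved key: verify out of band")
```

Feed it the real command output captured from the client; 10.1.1.4 (the server used in the one-click example) is not in the table, so the script flags it as a first contact.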

8.8 Using SCP to Access Other Devices


The Secure Copy Protocol (SCP) client sets up a secure connection to the SCP server so that
the client can upload files to or download files from the server.

Usage Scenario
SCP is a secure file transfer method based on SSH2.0. Unlike SFTP, SCP does not require you to
enter an interactive client view or allocate public keys before transferring files: a single scp
command performs the upload or download, with the SSH server still authenticating the user. SCP
also supports file upload or download in batches.

Pre-configuration Tasks
Before using SCP to access other devices, ensure that the route between the SCP client and
server is reachable.

Configuration Procedures

Figure 8-10 Flowchart for using SCP to access other devices
1. Configure an SCP server.
2. Configure an SCP client.

8.8.1 Configuring the SCP Server


This section describes how to configure the SCP server to establish a secure connection to the
SCP client to implement secure remote access.


Context
SCP is a secure file transfer method based on SSH2.0. By default, user interfaces support
Telnet. To use SCP to access other devices, configure user interfaces to support SSH.

Procedure
Step 1 Configure VTY user interfaces to support SSH (for details, see Configuring VTY User
Interfaces to Support SSH).
Step 2 Configure an SSH user (for details, see Configuring an SSH User and Specifying a Service
Type).
Step 3 Enable SCP service.
l Run scp server enable
The SCP service function is enabled.
l Run scp ipv4 server enable
The IPv4 SCP service function is enabled.
l Run scp ipv6 server enable
The IPv6 SCP service function is enabled.
Step 4 (Optional) Run ssh server dh-exchange min-len min-len
The minimum key length supported during Diffie-Hellman-group-exchange key exchange between the
SSH server and client is configured.

If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bits, run
the ssh server dh-exchange min-len command to set the minimum key length to 2048 bits to
improve security.
Step 5 Run commit
The configuration is committed.

----End

8.8.2 Configuring the SCP Client


The SCP client sets up a secure connection to the SCP server so that the client can upload
files to or download files from the server.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 (Optional) Run scp client-source { -a source-ip-address [ public-net | -vpn-instance vpn-
instance-name ] | -i interface-type interface-number }
A source IP address or a source interface is configured for the SCP client.
The default source IP address of the SCP client is 0.0.0.0.
Step 3 (Optional) Run ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc |
aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm |
aes256_gcm } *


The encryption algorithms are configured for the SSH client.

By default, an SSH client supports these encryption algorithms: DES_CBC, 3DES_CBC,
AES128_CBC, AES256_CBC, AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM, AES256_GCM,
Arcfour128 and Arcfour256.

NOTE

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128 and arcfour256 are of weak
security. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr,
aes128_gcm, aes256_gcm, or aes256_ctr is recommended, because such an algorithm has a higher
security.

Step 4 (Optional) Run ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96
| sha2_512 } *

The HMAC authentication algorithms are configured for the SSH client.

By default, an SSH client supports these HMAC authentication algorithms: MD5, MD5_96,
SHA2_512, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.

NOTE

sha2_256_96, sha1, sha1_96, md5, and md5_96 are of weak security. Therefore, do not add them to the
authentication algorithm list.

Step 5 Choose either of the following steps based on the network protocol to upload files to or
download files from the SCP server.
l For IPv4 configuration:
Run scp [ -port port-number | { public-net | -vpn-instance vpn-instance-name } | { -a
source-ip-address | -i interface-type interface-number } | -r | identity-key { dsa | rsa |
ecc } | -cipher cipher | -prefer-kex prefer-kex | -c | -force-receive-pubkey ] * source-
filename destination-filename
l For IPv6 configuration:
Run scp ipv6 [ -port port-number | { public-net | -vpn-instance vpn-instance-name } | -
a source-ipv6-address | -r | identity-key { dsa | rsa | ecc | sm2 } | -cipher cipher | -
prefer-kex prefer-kex | -c | -force-receive-pubkey ]* source-filename destination-
filename [ -oi interface-type interface-number ]
NOTE

To ensure high security, do not use the des or 3des cipher, or an rsa key shorter than 2048 bits.

Step 6 Run commit

The configuration is committed.

----End

8.8.3 Verifying the Configuration of Using SCP to Access Other Devices
After completing the configuration for using SCP to access other devices, you can view the
source IP address of the SCP client.


Prerequisites
The configurations for using SCP to access other devices are complete.

Procedure
l Run the display scp-client command to check the source IP address of the SCP client.
l Run the display ssh server-info command to check mappings between SSH servers and
RSA public keys on the client.
----End

Example
Run the display scp-client command to view the source IP address of the SCP client.
<HUAWEI> display scp-client
The source address of the SCP client is 1.1.1.1.

Run the display ssh server-info command to view mappings between SSH servers and RSA
public keys on the client.
<HUAWEI> display ssh server-info
----------------------------------------------------------------------------------
Server Name(IP)      Server public key name   Server public key type   State
----------------------------------------------------------------------------------
1000::1              1000::1                  RSA                      CONFIGURE
10.164.39.223        10.164.39.223            RSA                      CONFIGURE
127.0.0.1            127.0.0.1                RSA                      CONFIGURE
192.0.0.223          192.0.0.223              RSA                      CONFIGURE
----------------------------------------------------------------------------------

8.9 Logging In to a Device Using HTTP


Hypertext Transfer Protocol (HTTP) is an application-layer protocol that transports hypertext
from WWW servers to local browsers. HTTP uses the client/server model in which requests
and replies are exchanged.

Context
To download a certificate from an HTTP server, use HTTP, the protocol that transfers web page
information on the Internet.

NOTE
HTTP transmits data in plaintext and therefore has security risks. If the HTTP server supports
SSL policies, configure one on the client as described in the procedure below.

Pre-configuration Tasks
Before logging in to a device using HTTP, configure a reachable route between the desired
terminal and device.


Configuration Procedures

Figure 8-11 Flowchart for logging in to a device using HTTP
1. Upload the digital certificate and private key files to the server.
2. Configure an SSL policy and load the digital certificate.
3. Configure the HTTP client.

Procedure
l If the server does not support SSL policies, perform the following steps on the HTTP
client:
a. Run system-view

The system view is displayed.


b. Run http

HTTP is enabled, and the HTTP view is displayed.


c. Run commit

The configuration is committed.


l If the server supports SSL policies, you are advised to perform the following steps to
configure an SSL policy on the HTTP client to improve data transmission security:
a. Run system-view

The system view is displayed.


b. Run ssl policy policy-name

An SSL policy is configured, and the SSL policy view is displayed.


c. Run certificate load

A certificate is loaded for the SSL policy.

The HTTP client needs to load a certificate for the SSL policy according to the
format of the certificate loaded on the HTTP server.

n Run the certificate load pem-cert cert-filename key-pair { dsa | rsa } key-
file key-filename auth-code cipher auth-code command to load a certificate in
the PEM format for the SSL policy.
n Run the certificate load pfx-cert cert-filename key-pair { dsa | rsa } { mac
cipher mac-code | key-file key-filename } auth-code cipher auth-code
command to load a certificate in the PFX format for the SSL policy.


n Run the certificate load pem-chain cert-filename key-pair { dsa | rsa } key-
file key-filename auth-code cipher auth-code command to load a certificate in
the PEM-chain format for the SSL policy.
d. Run trusted-ca load
A trusted-CA file is loaded for the SSL policy.
The HTTP client needs to load a trusted-CA file for the SSL policy according to the
format of the trusted-CA file loaded on the HTTP server.
n Run the trusted-ca load pem-ca ca-filename command to load a trusted-CA
file in the PEM format for the SSL policy.
n Run the trusted-ca load pfx-ca ca-filename auth-code cipher auth-code
command to load a trusted-CA file in the PFX format for the SSL policy.
e. Run commit
The configuration is committed.
f. Run quit
The system view is displayed.
g. Run http
HTTP is enabled, and the HTTP view is displayed.
h. Run client ssl-policy policy-name
An SSL policy is configured for the HTTP client.
i. Run client ssl-verify peer
The HTTP client is configured to perform SSL verification on the HTTP server.
j. Run commit
The configuration is committed.
----End

Checking the Configurations


After the HTTP client is configured, run the display this command to check the
configurations.

8.10 Enabling or Disabling a Public Key Algorithm

Context
You can disable an insecure public key algorithm to deny device login using this algorithm,
improving device security. A public key algorithm can be used for login only after it is
enabled on both the client and server.

Procedure
Step 1 Run system-view
The system view is displayed.


Step 2 Run either of the following commands based on the SSH service type to enable or disable the
algorithm function.
1. Run ssh client publickey { dsa | ecc | rsa } *
A public key encryption algorithm allowed on the SSH client is configured.
2. Run ssh server publickey { dsa | ecc | rsa } *
A public key encryption algorithm allowed on the SSH server is configured.
By default, the DSA, ECC, and RSA algorithms are all enabled.

NOTE

To allow one public key algorithm and deny the others, run the preceding command with only that
algorithm specified. For example, after the ssh client publickey dsa command is run, the DSA
algorithm is allowed but the ECC and RSA algorithms are not.
If the command is run multiple times, the last configuration takes effect.

Step 3 Run either of the following commands based on the SSH service type to restore the default
algorithm.
1. Run undo ssh client publickey [ dsa | ecc | rsa ] *
The public key encryption algorithm of the SSH client is restored to the default value.
2. Run undo ssh server publickey [ dsa | ecc | rsa ] *
The public key encryption algorithm of the SSH server is restored to the default value.
Step 4 Run commit
The configuration is committed.

----End
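The weak-algorithm lists in 8.8.2 (steps 3 and 4), the DH group-exchange minimum in 8.8.1 (step 4), and the rule above that a public key algorithm works only when enabled on both client and server can all be checked mechanically from a saved configuration dump, which is how they tend to drift in practice. The following Python script is an added example, not code from the guide or the device: it audits the ssh lines of a display current-configuration dump against exactly those statements and prints the hardened command the guide recommends for each finding. It assumes the command forms shown in this chapter appear verbatim in the dump; where no explicit cipher or hmac command is present it applies the default lists the guide states (both of which contain weak algorithms), and because the guide gives no default for dh-exchange min-len an unset value is reported rather than judged. The two sample configurations are constructed.

```python
"""Audit the SSH algorithm settings in a saved 'display current-configuration'
dump against the weak-algorithm lists in 8.8.2, the DH minimum in 8.8.1 and
the both-sides public key rule in 8.10."""
import re

# Algorithms the guide marks as weak (8.8.2, steps 3 and 4).
WEAK_CIPHERS = {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc",
                "aes256_cbc", "arcfour128", "arcfour256"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}

# Lists the guide states are in force when the command is absent from the
# configuration; both defaults include weak algorithms.
DEFAULT_CIPHERS = {"des_cbc", "3des_cbc", "aes128_cbc", "aes256_cbc",
                   "aes128_ctr", "aes192_ctr", "aes256_ctr",
                   "aes128_gcm", "aes256_gcm", "arcfour128", "arcfour256"}
DEFAULT_HMACS = {"md5", "md5_96", "sha1", "sha1_96",
                 "sha2_256", "sha2_256_96", "sha2_512"}
DEFAULT_PUBLICKEY = {"dsa", "ecc", "rsa"}
MIN_DH_LEN = 2048  # 8.8.1 step 4 recommendation

RECOMMENDED = {
    "ssh client cipher": "ssh client cipher aes128_ctr aes192_ctr aes256_ctr aes128_gcm aes256_gcm",
    "ssh client hmac": "ssh client hmac sha2_256 sha2_512",
    "ssh server dh-exchange min-len": f"ssh server dh-exchange min-len {MIN_DH_LEN}",
    "ssh publickey": "enable at least one shared algorithm with ssh client publickey / ssh server publickey",
}

# Constructed samples: the kind of lines 'display current-configuration | include ssh' returns.
WEAK_SAMPLE = """\
ssh client cipher 3des_cbc aes256_ctr
ssh client publickey dsa
ssh server publickey rsa ecc
ssh server dh-exchange min-len 1024
"""

HARDENED_SAMPLE = """\
ssh client cipher aes128_ctr aes192_ctr aes256_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client publickey rsa ecc
ssh server publickey rsa ecc
ssh server dh-exchange min-len 2048
"""


def configured(config, command):
    """Return the set of words following `command` on its own config line, or None if absent."""
    m = re.search(r"^\s*" + re.escape(command) + r"\s+(\S.*?)\s*$", config, re.M)
    return set(m.group(1).split()) if m else None


def audit_ssh_config(config):
    """Return a list of (setting, problem, recommended command) findings;
    an empty list means nothing in the dump contradicts the guide's advice."""
    findings = []
    for command, weak, default in (("ssh client cipher", WEAK_CIPHERS, DEFAULT_CIPHERS),
                                   ("ssh client hmac", WEAK_HMACS, DEFAULT_HMACS)):
        algs = configured(config, command)
        in_force = default if algs is None else algs       # absent command => default list applies
        bad = sorted(in_force & weak)
        if bad:
            origin = "default list" if algs is None else "configured list"
            findings.append((command, f"{origin} allows weak {', '.join(bad)}", RECOMMENDED[command]))
    # 8.10: a public key algorithm is usable only if enabled on both sides.
    client_pk = configured(config, "ssh client publickey") or DEFAULT_PUBLICKEY
    server_pk = configured(config, "ssh server publickey") or DEFAULT_PUBLICKEY
    if not client_pk & server_pk:
        findings.append(("ssh publickey", "client and server share no enabled public key algorithm",
                         RECOMMENDED["ssh publickey"]))
    # 8.8.1 step 4: minimum Diffie-Hellman group-exchange length.
    m = re.search(r"^\s*ssh server dh-exchange min-len (\d+)", config, re.M)
    dh_len = int(m.group(1)) if m else None
    if dh_len is None or dh_len < MIN_DH_LEN:
        shown = "not explicitly set" if dh_len is None else str(dh_len)
        findings.append(("ssh server dh-exchange min-len",
                         f"minimum DH group-exchange length is {shown}",
                         RECOMMENDED["ssh server dh-exchange min-len"]))
    return findings


if __name__ == "__main__":
    for setting, problem, fix in audit_ssh_config(WEAK_SAMPLE):
        print(f"{setting}: {problem}\n    -> {fix}")
```

Run against WEAK_SAMPLE it reports four findings (a weak configured cipher, the weak default HMAC list, disjoint public key algorithms, and a 1024-bit DH minimum); against HARDENED_SAMPLE it reports none.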

8.11 Configuring a DSCP Value for Telnet/SSH Packets


This section describes how to configure a DSCP value for Telnet/SSH packets.

Context
A device can send multiple types of protocol packets, such as NETCONF, Telnet, and SSH
packets. You can run the host-packet type command to uniformly configure a DSCP value
for the protocol packets. If a large number of protocol packets with the same DSCP value are
sent, network congestion may occur. To address this issue, configure different DSCP values
for the packets.

Procedure
Step 1 Run system-view
The system view is displayed.
Step 2 Run one or more of the following commands based on the service type and protocol packet
type:
1. Run ssh client dscp
A DSCP value is configured for the SSH packets sent by a client.


2. Run telnet client dscp

A DSCP value is configured for the Telnet packets sent by a client.


3. Run ssh server dscp

A DSCP value is configured for the SSH packets sent by a server.


4. Run telnet server dscp

A DSCP value is configured for the Telnet packets sent by a server.

Step 3 Run commit

The configuration is committed.

----End

Example
Run the display current-configuration command to check the configured DSCP value.
<HUAWEI> system-view
[~HUAWEI] display current-configuration include-default | include dscp
Info: It will take a long time if the content you search is too much or the
string you input is too long, you can press CTRL_C to break.
telnet server dscp 10
telnet client dscp 10
ssh server dscp 10
ssh client dscp 10

8.12 Configuration Examples for Accessing Other Devices


This section provides examples for configuring one device to access other devices.

8.12.1 Example for Using Telnet to Log In to Other Devices


This example shows how to log in to another device by using Telnet. You can configure the
user authentication mode and password to log in to another device by using Telnet.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to.

As shown in Figure 8-12, you can use Telnet on the PC to log in to P1 but cannot directly use
Telnet to log in to P2. P1 and P2 are routable. To remotely manage and configure P2, use
Telnet on P1 to log in to P2.

Figure 8-12 Using Telnet to log in to another device


NOTE

In this example, the interface is GE1/0/1.


PC --Network-- P1 (Interface1, 1.1.1.1/24) --Network-- P2 (Interface1, 2.1.1.1/24)
Telnet session 1: PC to P1; Telnet session 2: P1 to P2

Precautions
l P1 and P2 must be routable.
l You must be able to log in to P1.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode and password on P2.
2. Use Telnet on P1 to log in to P2.

Data Preparation
To complete the configuration, you need the following data:
l Host address of P2: 2.1.1.1
l Authentication mode: password; password: Hello-hello

Procedure
Step 1 Configure the Telnet authentication mode and password.
<HUAWEI> system-view
[~HUAWEI] sysname P2
[*HUAWEI] commit
[~P2] user-interface vty 0 4
[~P2-ui-vty0-4] authentication-mode password
[~P2-ui-vty0-4] set authentication-mode password
Please configure the login password (8-16)
Enter Password:
Confirm Password:


NOTE

l A password is entered in man-machine interaction mode. The system does not display the entered
password.
l A password is a string of 8 to 16 case-sensitive characters and must contain at least two types of the
following characters: uppercase letters, lowercase letters, digits, and special characters.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– Double quotation marks cannot contain double quotation marks if spaces are used in a
password.
– Double quotation marks can contain double quotation marks if no space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
The configured password is displayed in ciphertext in the configuration file.
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

If an ACL is configured to access other devices by using Telnet, perform the following
configurations on P2:
[~P2] acl 2000
[*P2-acl4-basic-2000] rule permit source 1.1.1.1 0
[*P2-acl4-basic-2000] quit
[*P2] user-interface vty 0 4
[*P2-ui-vty0-4] acl 2000 inbound
[*P2-ui-vty0-4] commit
[~P2-ui-vty0-4] quit

NOTE

The ACL configurations are optional.

Step 2 Verify the configuration.


After the configurations are complete, use Telnet on P1 to log in to P2.
<HUAWEI> system-view
[~HUAWEI] sysname P1
[*HUAWEI] commit
[~P1] quit
<P1> telnet 2.1.1.1
Trying 2.1.1.1
Press CTRL+K to abort
Connected to 2.1.1.1
Username: root
Password:
<P2>

----End
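The password rules in the NOTE of Step 1 have a quoting corner case that is easier to test than to read: the two quoted examples there differ only by a space. The following Python check is an added example, not from the guide, that encodes those rules so a candidate password can be validated before it is typed at the prompt. It assumes that the wrapping double quotes are delimiters that do not count toward the 8-16 length and that any punctuation other than ? counts as a special character; the candidates are constructed, plus the Hello-hello password from Data Preparation.

```python
"""Check a candidate VTY login password against the rules in the NOTE of
8.12.1: 8 to 16 characters, at least two of the four character classes,
no '?' and no space unless the whole password is double-quoted, and no
inner double quotes when a quoted password contains a space."""
import string

# Assumption: any printable punctuation other than '?' counts as a special character.
SPECIAL_CHARS = set(string.punctuation) - {"?"}


def unquote(password):
    """Return (text, was_quoted). Wrapping double quotes are treated as
    delimiters: they are not part of the password and do not count toward its length."""
    if len(password) >= 2 and password[0] == '"' and password[-1] == '"':
        return password[1:-1], True
    return password, False


def password_problems(password, min_len=8, max_len=16):
    """Return the list of violated rules; an empty list means the password is accepted.
    Use max_len=128 for the 'local-user ... password' prompt, which accepts 8-128."""
    text, quoted = unquote(password)
    problems = []
    if not min_len <= len(text) <= max_len:
        problems.append(f"length {len(text)} is outside {min_len}-{max_len}")
    if "?" in text:
        problems.append("question marks are not allowed")
    if " " in text:
        if not quoted:
            problems.append("spaces are allowed only in a double-quoted password")
        elif '"' in text:
            problems.append("a quoted password with spaces may not contain double quotes")
    classes = sum((any(c.isupper() for c in text), any(c.islower() for c in text),
                   any(c.isdigit() for c in text), any(c in SPECIAL_CHARS for c in text)))
    if classes < 2:
        problems.append("fewer than two character classes (upper, lower, digit, special)")
    return problems


if __name__ == "__main__":
    # Constructed candidates, including the two quoted examples from the NOTE.
    for candidate in ("Hello-hello", '"Aa123"45""', '"Aa 123"45""', "hellohello", "Aa?12345"):
        print(repr(candidate), password_problems(candidate) or "accepted")
```

The check reproduces the NOTE's verdicts: "Aa123"45"" is accepted and "Aa 123"45"" is rejected because the inner quotes appear alongside a space.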

Configuration Files
l P1 configuration file
#
sysname P1
#
interface gigabitethernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
admin
return

l P2 configuration file
#
sysname P2


#
acl number 2000
rule 5 permit source 1.1.1.1 0
#
interface gigabitethernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
user-interface vty 0 4
authentication-mode password
set authentication password cipher @%@%(t7h+Qu=a#pz`3Kylk1/,JXR%iy(DA!x8&+!|
#b&.dEW65~.lEqGm~Np$O#2M]xJM@%@%
acl 2000 inbound
#
return

8.12.2 Example for Using STelnet to Log In to Other Devices (RSA Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the STelnet
client to connect to the SSH server, configure the client and server to generate local key pairs,
configure the server to generate an RSA public key, and bind the public key to the client.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks, such as IP spoofing and simple password
interception. As shown in Figure 8-13, after the STelnet server function is enabled on the
SSH server, the STelnet client can log in to the SSH server in password, RSA, password-RSA,
DSA, password-DSA, ECC, password-ECC, SM2, password-SM2, or all authentication mode.

Figure 8-13 Using STelnet to log in to another device


NOTE

In this example, the interface is Gigabit0/0/0.

SSH server: Interface1, 10.1.1.1/16
Client 001: Interface1, 10.1.2.2/16
Client 002: Interface1, 10.1.3.3/16


Precautions
Client001 and client002 are configured to log in to the SSH server in password and RSA
authentication modes, respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.

Step 2 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-
ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.


[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 5
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit


l Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication for the
user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– Double quotation marks cannot contain double quotation marks if spaces are used in a
password.
– Double quotation marks can contain double quotation marks if no space is used in a
password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

l Create an SSH user named client002.


# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit
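Step 3 below shows the client's RSA host key in three forms: the DER "Key Code" hex, the PEM/SSH2 block, and the OpenSSH authorized_keys line. Before that key is configured on the server (or pasted into a peer's authorized_keys) it is worth confirming that the form you paste really encodes the key the client generated, and how long the modulus is. The following Python script is an added example, not code from the guide or the device: it parses the Key Code as a PKCS#1 RSAPublicKey (a SEQUENCE of two INTEGERs, modulus and public exponent) and re-encodes it in the RFC 4253 ssh-rsa wire format, which is what the OpenSSH line carries in base64. The Key Code embedded in it is copied from the Step 3 output. Run on that key it reproduces the OpenSSH line printed there and reports 1024 bits, which agrees with the "1024 65537 ..." SSH1-format line in the same output but is below the 2048-bit minimum for RSA keys that the NOTE under 8.8.2 Step 5 calls for.

```python
"""Convert the RSA host public key that 'display rsa local-key-pair public'
prints as DER hex ("Key Code") into the OpenSSH 'ssh-rsa' line, and report
the modulus length."""
import base64
import struct

# Key Code as printed in Step 3 for client002_Host (whitespace is ignored).
KEY_CODE_HEX = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""


def _der_len(buf, pos):
    """Parse a DER length field at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_rsa_public_key(der):
    """Parse PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    and return (n, e)."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    seq_len, pos = _der_len(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match key code length")
    ints = []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        length, pos = _der_len(der, pos + 1)
        ints.append(int.from_bytes(der[pos:pos + length], "big"))
        pos += length
    return ints[0], ints[1]


def _ssh_mpint(value):
    """RFC 4253 mpint: length-prefixed big-endian, with a leading zero byte
    when the top bit is set so the number is not read as negative."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def key_code_to_openssh(key_code_hex, comment="rsa-key"):
    """Return (openssh_line, modulus_bits) for a Key Code hex dump."""
    der = bytes.fromhex("".join(key_code_hex.split()))
    n, e = parse_rsa_public_key(der)
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}", n.bit_length()


if __name__ == "__main__":
    line, bits = key_code_to_openssh(KEY_CODE_HEX)
    print(f"{bits}-bit RSA key" + (" (below the 2048-bit minimum)" if bits < 2048 else ""))
    print(line)
```

If the line the script prints differs from the OpenSSH line the device displayed, one of the two was transcribed incorrectly and the key must not be configured on the server as-is.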

Step 3 Configure an RSA public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
[*client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:


1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the RSA public key to client002.


[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.


# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:

Enter the password Hello-huawei123. The information indicating a successful login is
displayed as follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Log in to the SSH server in RSA authentication mode on client002.


[~client002] stelnet 10.1.1.1
Please input the username: client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the STelnet server
function has been enabled and that the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
ssh client first-time enable
#
return

- Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.255.0
#
ssh client first-time enable
#
return

8.12.3 Example for Using STelnet to Log In to Other Devices (DSA Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the STelnet
client to connect to the SSH server, configure the client and server to generate local key pairs,
configure the server to generate a DSA public key, and bind the public key to the client.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.

STelnet provides secure Telnet services based on SSH connections. By providing encryption and
authentication, SSH protects devices against attacks such as IP address spoofing and simple
password interception. As shown in Figure 8-14, after the STelnet server function is enabled
on the SSH server, the STelnet client can log in to the SSH server in the authentication mode
of password, ECC, password-ECC, DSA, password-DSA, RSA, password-RSA, or all.

Figure 8-14 Networking diagram for logging in to another device by using STelnet
NOTE

In this example, the interface is GE0/0/0.

[Figure 8-14: SSH server, Interface1 10.1.1.1/16; Client 001, Interface1 10.1.2.2/16; Client 002, Interface1 10.1.3.3/16]

Precautions
Two users client001 and client002 are configured to log in to the SSH server in the
authentication mode of password and DSA respectively.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the DSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Client001 and client002 log in to the SSH server by using STelnet.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: Hello-huawei123)
- Client002: DSA authentication (public key: dsakey001)
- IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all.
- If the authentication mode is password, password-RSA, password-DSA, or password-ECC,
configure a local user with the same user name on the server.
- If the authentication mode is RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all, save the RSA, DSA, or ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 5
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

- Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication for the
user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– Double quotation marks cannot contain double quotation marks if spaces are used in a
password.
– Double quotation marks can contain double quotation marks if no space is used in a
password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.


# Create an SSH user named client002 and configure DSA authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type dsa
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure a DSA public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[*client002] commit

# Check the DSA public key generated on the client.


[~client002] display dsa local-key-pair public
========================================================
Time of Key pair created : 2013-05-21 17:18:17
Key name : client002_Host_DSA
Key modulus : 1024
Key type : DSA Encryption Key
========================================================
Key code:

3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B

Host public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4Y
jLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiY
Q/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/
AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXK
osjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMM
FBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpe
ifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR+7STPQPjB4DhZ2qp
7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz+sE1ZPxRZkUX7Cwcc7uVflR5kymxM
FmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j8D7mIOQ
Ww==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:


ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq
+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/
MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/
Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn
+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/
QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G
+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR
+7STPQPjB4DhZ2qp7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz
+sE1ZPxRZkUX7Cwcc7uVflR5kymxMFmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585Rei
PA6j8D7mIOQWw== dsa-key

# Copy the DSA public key generated on the client to the server.
[*SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
[*SSH Server-dsa-public-key-dsa-key-code] 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
[*SSH Server-dsa-public-key-dsa-key-code] 0B752AC7 817E877F
[*SSH Server-dsa-public-key-dsa-key-code] 0214
[*SSH Server-dsa-public-key-dsa-key-code] CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
[*SSH Server-dsa-public-key-dsa-key-code] C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
[*SSH Server-dsa-public-key-dsa-key-code] AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
[*SSH Server-dsa-public-key-dsa-key-code] C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
[*SSH Server-dsa-public-key-dsa-key-code] 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
[*SSH Server-dsa-public-key-dsa-key-code] C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
[*SSH Server-dsa-public-key-dsa-key-code] F459F826 B9A5CF6D
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
[*SSH Server-dsa-public-key-dsa-key-code] B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
[*SSH Server-dsa-public-key-dsa-key-code] 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
[*SSH Server-dsa-public-key-dsa-key-code] 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
[*SSH Server-dsa-public-key-dsa-key-code] 6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
[*SSH Server-dsa-public-key-dsa-key-code] E054EE39 20207689 433B07A1 1219B9F3 945E88F0
[*SSH Server-dsa-public-key-dsa-key-code] 3A8FC0FB 9883905B
[*SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[*SSH Server-dsa-public-key] peer-public-key end
[*SSH Server] commit
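The RSA example earlier in this section and this DSA example both paste the Key Code hex printed by display rsa local-key-pair public or display dsa local-key-pair public into the server's peer-public-key view line by line. The following Python script is an added example, not code from the Huawei guide: it parses that Key Code and rebuilds the authorized_keys form that the same commands print, so the key pasted on the server can be cross-checked (and its SHA256 fingerprint compared with what ssh-keygen -l shows) before it is bound to a user. The hex and base64 constants are copied from the outputs shown in these two examples; the DER layout is read from those outputs.

```python
"""Rebuild the OpenSSH authorized_keys blob from the hex Key Code that
display rsa local-key-pair public / display dsa local-key-pair public print.
Added example, not code from the Huawei guide. The Key Code is a DER SEQUENCE of
INTEGERs ({n, e} for RSA, {p, q, g, y} for DSA) printed without 0x00 sign
padding on the modulus, so every INTEGER is read here as an unsigned magnitude."""
import base64
import hashlib
import struct

# client002 Host Key and authorized_keys body, copied from the guide's RSA and DSA examples.
RSA_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""
RSA_OPENSSH_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98"
    "25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn"
    "+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX"
    "GJb7H/w4zQ==")
DSA_KEY_CODE = """
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18
8CB7D858 6B50EEBC 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31
35CD78F7 E002FB6B 4CB59BA5 E2CDB898 43FAD059 98B8EEA8 E7395FC7 CA9D1655
47927368 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4 0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2 C8D00C3D 666F61D4 F2E36445
4027FD04 0D61B2A3 AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66 C55AE0F6
69530C14 1B33A5A1 CF77D636 75A5EF3B 264AB66E 2A8CFFB1 690E45F8 6FACF1B3
E2A11328 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB B4933D03 E30780E1 676AA9EE
E3A9B677 97DB1D3A 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D 593F1459
9145FB0B 071CEEE5 5F951E64 CA6C4C16 6192B926 9AD8764E E9F8661C 8EC08D08
BD83BCE3 E054EE39 20207689 433B07A1 1219B9F3 945E88F0 3A8FC0FB 9883905B
"""
DSA_OPENSSH_B64 = (
    "AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4Y"
    "jLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiY"
    "Q/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/"
    "AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXK"
    "osjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMM"
    "FBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpe"
    "ifGtt570WfgmuaXPbQAAAIBAnArnHd3ajPOSRgjcMnKM1vpR+7STPQPjB4DhZ2qp"
    "7uOptneX2x06V69HnDvcQJYpG0VIQ9iIUdz+sE1ZPxRZkUX7Cwcc7uVflR5kymxM"
    "FmGSuSaa2HZO6fhmHI7AjQi9g7zj4FTuOSAgdolDOwehEhm585ReiPA6j8D7mIOQ"
    "Ww==")


def _der_length(data, pos):
    """Return (length, offset after the length field) for the DER length at pos."""
    if data[pos] < 0x80:
        return data[pos], pos + 1
    n = data[pos] & 0x7F  # long form: the next n bytes hold the length
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_key_code(hex_text):
    """Return the INTEGER values inside the SEQUENCE the device prints."""
    data = bytes.fromhex("".join(hex_text.split()))
    length, pos = _der_length(data, 1)
    if data[0] != 0x30 or pos + length != len(data):
        raise ValueError("Key Code is not one DER SEQUENCE covering the pasted hex")
    values = []
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("unexpected tag 0x%02X at offset %d" % (data[pos], pos))
        length, pos = _der_length(data, pos + 1)
        values.append(int.from_bytes(data[pos:pos + length], "big"))
        pos += length
    return values

def _mpint(value):
    """SSH mpint: big-endian magnitude, 0x00-padded when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def key_code_to_openssh(hex_text):
    """Return (key type, base64 blob, SHA256 fingerprint as ssh-keygen -l prints it)."""
    values = parse_key_code(hex_text)
    if len(values) == 2:        # RSA: DER stores n, e; the wire format wants e, n
        ktype, parts = b"ssh-rsa", [values[1], values[0]]
    elif len(values) == 4:      # DSA: p, q, g, y in both encodings
        ktype, parts = b"ssh-dss", values
    else:
        raise ValueError("expected 2 (RSA) or 4 (DSA) INTEGERs, got %d" % len(values))
    blob = struct.pack(">I", len(ktype)) + ktype + b"".join(_mpint(v) for v in parts)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    return ktype.decode("ascii"), base64.b64encode(blob).decode("ascii"), "SHA256:" + digest
```

Comparing key_code_to_openssh(DSA_KEY_CODE)[1] with DSA_OPENSSH_B64 confirms that the hex entered in the dsa-key-code view and the authorized_keys line describe the same key; a single mistyped word in the pasted hex changes the blob and the fingerprint.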

Step 4 Bind the DSA public key to client002.


[~SSH Server] ssh user client002 assign dsa-key dsakey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.


# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
[~client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:

Enter the password Hello-huawei123. The information indicating a successful login is
displayed as follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

# Client002 logs in to the SSH server in DSA authentication mode.


[~client002] stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL + K to abort
Connected to 10.1.1.1 ...
Please input the username: client002
Please select public key type for user authentication [R for RSA/D for DSA/E for
ECC] Please select [R/D/E]:
Enter password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 15, the number of current VTY users online
is 1, and total number of terminal users online is 1.
The current login time is 2015-07-13 15:33:08.
The last login time is 2015-07-13 15:26:18 from 127.0.0.1 through SSH.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. You can find that the STelnet server function has been
enabled, and the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------
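The status and session outputs above (the RSA example's Step 8 prints the same ones) show SSH version 1.x compatibility enabled and a session negotiated with aes128-cbc, hmac-md5 and SHA-1 group exchange. The following Python script is an added example, not code from the Huawei guide: it parses those two outputs as printed and lists the settings a reviewer would raise; the weak-algorithm lists are chosen here rather than taken from the guide, and the excerpt constants are trimmed copies of the outputs shown.

```python
"""Audit the display ssh server status / display ssh server session output
from the verification step. Added example, not code from the Huawei guide.
It flags the DES the guide warns against plus the legacy settings visible in
the sample output: SSHv1 compatibility, CBC ciphers, MD5/SHA-1 MACs, a SHA-1
key exchange, and an SSH server with no ACL limiting who may connect."""

# Constructed excerpts of the two outputs shown in Step 8 (unused fields left out).
STATUS_OUTPUT = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH version 1.x compatibility : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH server source address : 10.1.1.1
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""
SESSION_OUTPUT = """\
Session : 1
Username : user1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Authentication Type : password
Idle Time : 00:00:49
"""
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}


def parse_fields(text):
    """Map 'Name : value' lines to a dict, splitting at the first colon only
    (values such as 00:00:49 or 0::0 contain colons); empty values stay ''."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    return fields


def weak_cipher(name):
    """CBC modes, DES/3DES and RC4 are the legacy choices to retire."""
    return name.endswith("-cbc") or "des" in name or name.startswith("arcfour")


def audit_status(fields):
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH version 1.x compatibility is Enable: SSHv1 lacks integrity protection")
    if fields.get("SSH server DES") == "Enable":
        findings.append("SSH server DES is Enable: the guide says not to use DES or 3DES")
    if not any(fields.get(k) for k in ("ACL name", "ACL number", "ACL6 name", "ACL6 number")):
        findings.append("no ACL bound to the SSH server: port %s accepts any source"
                        % fields.get("SSH IPv4 server port", "22"))
    return findings


def audit_session(fields):
    findings = []
    for key in ("CTOS Cipher", "STOC Cipher"):
        if weak_cipher(fields.get(key, "")):
            findings.append("%s %s: legacy cipher" % (key, fields[key]))
    for key in ("CTOS Hmac", "STOC Hmac"):
        if fields.get(key) in WEAK_MACS:
            findings.append("%s %s: MD5/SHA-1 MAC" % (key, fields[key]))
    if fields.get("Kex") in WEAK_KEX:
        findings.append("Kex %s: SHA-1 key exchange" % fields["Kex"])
    return findings


def audit(status_text, session_text):
    """Findings from both outputs, status first; an empty list means nothing flagged."""
    return audit_status(parse_fields(status_text)) + audit_session(parse_fields(session_text))


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print("-", finding)
```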

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet

User Name : client002
Authentication-Type : dsa
User-public-key-name : dsakey001
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 service-type stelnet
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.255.0
#
ssh client first-time enable
#
return

- Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.255.0
#
ssh client first-time enable
#
return

8.12.4 Example for Using STelnet to Log In to Other Devices (ECC Authentication Mode)
This example shows how to log in to another device by using STelnet. To allow the STelnet
client to connect to the SSH server, configure the client and server to generate local key pairs,
configure the server to generate an ECC public key, and bind the public key to the client.

Networking Requirements
Large numbers of devices need to be managed and maintained on a network. You cannot
connect each device to a terminal. When no reachable route exists between remote devices
and a terminal, you can use Telnet to log in to the remote devices from the device that you
have logged in to. Telnet does not provide a secure authentication mode, and data is
transmitted in plaintext over TCP. Therefore, Telnet has security risks.

STelnet is a secure Telnet service based on SSH connections. SSH provides encryption and
authentication and protects devices against attacks, such as IP spoofing and simple password
interception. After the STelnet server function is enabled on the SSH server, the STelnet client
can log in to the SSH server in password, ECC, password-ECC, DSA, password-DSA, RSA,
password-RSA, SM2, password-SM2 or all authentication mode. As shown in Figure 8-15,
client001 and client002 are configured to log in to the SSH server in password and ECC
authentication modes, respectively.

Figure 8-15 Using STelnet to log in to another device
NOTE

In this example, the interface is GE0/0/0.

[Figure 8-15: SSH server, Interface1 10.1.1.1/16; Client 001, Interface1 10.1.2.2/16; Client 002, Interface1 10.1.3.3/16]

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the ECC public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet server function on the SSH server.
4. Set the service type of client001 and client002 to STelnet.
5. Enable first authentication on the SSH client.
6. Use STelnet on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123).
l Client002: ECC authentication (public key: ecckey001).
l IP address of the SSH server: 10.1.1.1.

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

Step 2 Create SSH users on the server.

NOTE

l If the authentication mode is password, password-RSA, or password-ECC, configure a local user
with the same user name on the server.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] user privilege level 5
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

l Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– Double quotation marks cannot contain double quotation marks if spaces are used in a
password.
– Double quotation marks can contain double quotation marks if no space is used in a
password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

l Create an SSH user named client002.

# Create an SSH user named client002 and configure ECC authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type ecc
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure an ECC public key for the server.

# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] ecc local-key-pair create
Info: The key name will be: client002_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
[*client002] commit

# Check the ECC public key generated on the client.
[~client002] display ecc local-key-pair public
======================Host Key==========================
Time of Key pair created : 2013-01-22 10:33:06
Key Name : client002_Host_ECC
Key Type : ECC Encryption Key
========================================================
Key Code:

04D7635B C047B02E 20C1E6CB E04B5E5C 7DCADD88
F676AB0E C91ACB3C B0394B18 FA29E5C2 0426F924
DAD9AA02 C531E5ED C6783FFA 41235A16 8D7723E0
7E63D68D E7

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAxOTIAAABBBL+PCqbAEJKKKUpCYdSfyiyY5Iq3
DM9ZB3mjx62wShmmNMiZJAV+02aMJ6CsHBuWCbVLO/Zg8Ng3kGXC4ltmLXM=
---- END SSH2 PUBLIC KEY ----

# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the ECC public key to client002.
[~SSH Server] ssh user client002 assign ecc-key ecckey001
[*SSH Server] commit

Step 5 Enable the STelnet server function on the SSH server.

# Enable the STelnet server function.
[~SSH Server] stelnet server enable
[*SSH Server] commit

Step 6 Set the service type of client001 and client002 to STelnet.
[*SSH Server] ssh user client001 service-type stelnet
[*SSH Server] ssh user client002 service-type stelnet
[*SSH Server] commit

Step 7 Connect STelnet clients to the SSH server.

# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[~client002] ssh client first-time enable
[*client002] commit

# Log in to the SSH server in password authentication mode on client001 by entering the user
name and password.
<~client001> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

Enter the password Hello-huawei123. The information indicating a successful login is displayed as follows:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
First login successfully.
<SSH Server>

# Log in to the SSH server in ECC authentication mode on client002.
<~client002> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Please input the username: client002
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 6.
The current login time is 2011-01-06 11:42:42.
<SSH Server>

If the login succeeds, the user view is displayed. If the login fails, the message Session is
disconnected is displayed.
Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the STelnet server
function has been enabled and that the STelnet client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.
[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

# Check information about SSH users.
[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet

Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : -
Service-type : stelnet
----------------------------------------------------
Total 2, 2 printed

----End
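The verification output in Step 8 above (and the identical output in the SFTP example later in this section) is worth reading against a baseline: SSH version 1.x compatibility is shown as Enable, and the session negotiated aes128-cbc, hmac-md5 and SHA-1 group exchange. The following Python script is an added example, not part of this guide or the router software; it parses these two displays and reports every field that deviates from a baseline chosen for this example, with the sample output abridged from the page.

```python
"""Audit the 'display ssh server status' and 'display ssh server session'
output from Step 8 for legacy protocol options.

Added example, not part of the configuration guide or the router software.
The two sample outputs are abridged copies of the page's output; the
baseline table and the legacy-algorithm list are this example's own choices.
"""
from typing import Dict, List

# Abridged from the 'display ssh server status' output shown on the page.
STATUS_SAMPLE = """\
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH server ip-block : Enable
"""

# Abridged from the 'display ssh server session' output shown on the page.
SESSION_SAMPLE = """\
Session : 1
Conn : SFTP 0
Version : 2.0
Username : user1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Authentication Type : password
Idle Time : 00:00:49
"""

# Baseline for this example: field -> (expected value, why it matters).
STATUS_BASELINE = {
    "SSH version 1.x compatibility": ("Disable", "SSH-1 lacks the integrity protection of SSH-2"),
    "SSH server DES": ("Disable", "the chapter note says not to use DES or 3DES"),
    "SSH server ip-block": ("Enable", "throttles repeated failed logins per source"),
}

# Algorithms treated as legacy for this example (MD5/SHA-1 MACs and kex, CBC ciphers).
LEGACY_ALGORITHMS = {
    "hmac-md5", "hmac-sha1", "des-cbc", "3des-cbc", "aes128-cbc", "aes256-cbc",
    "diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1",
}


def parse_display_output(output: str) -> Dict[str, str]:
    """Turn 'Field : value' lines into a dict. Only the first colon separates
    field from value, so values such as '0::0' and '00:00:49' survive intact."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue  # skip rule lines such as ------ and blank lines
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def audit_server_status(output: str) -> List[str]:
    """Compare the status output with STATUS_BASELINE; one finding per field
    that is missing or differs from the expected value."""
    fields = parse_display_output(output)
    findings = []
    for name, (expected, reason) in STATUS_BASELINE.items():
        actual = fields.get(name, "<missing>")
        if actual != expected:
            findings.append(f"{name} is {actual}, expected {expected}: {reason}")
    return findings


def audit_session(output: str) -> List[str]:
    """Flag negotiated cipher, MAC and key-exchange algorithms on the legacy
    list; the relevant field names end in 'Cipher' or 'Hmac', or are 'Kex'."""
    fields = parse_display_output(output)
    findings = []
    for name, value in fields.items():
        if name.split()[-1] in ("Cipher", "Hmac", "Kex") and value in LEGACY_ALGORITHMS:
            findings.append(f"{name}: {value} is a legacy algorithm")
    return findings


if __name__ == "__main__":
    for finding in audit_server_status(STATUS_SAMPLE) + audit_session(SESSION_SAMPLE):
        print(finding)
```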

Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 service-type stelnet
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Client001 configuration file
#
sysname client001
#
interface GigabitEthernet0/0/0
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

l Client002 configuration file
#
sysname client002
#
interface GigabitEthernet0/0/0
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.12.5 Example for Using TFTP to Access Other Devices

You can run the TFTP software on the TFTP server and set the directory of source files on the
server to upload and download files.

Networking Requirements
In the TCP/IP protocol suite, FTP is most commonly used to transfer files. However, FTP
involves complex interactions between terminals and servers, which are hard to implement on
terminals that do not run advanced operating systems. TFTP is designed for file transfer that
does not require complex interactions between terminals and servers. It is simple and has low
overhead. TFTP supports only simple file transfer and provides no authentication.

As shown in Figure 8-16, you can log in to the TFTP client from a PC and upload files to or
download files from the TFTP server.

Figure 8-16 Using TFTP to access another device

(Topology: PC, TFTP client, TFTP server; the address shown in the figure is 10.111.16.160/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the directory of source files on the
server.
2. Use TFTP commands on the TFTP client to download files.
3. Use TFTP commands on the TFTP client to upload files.

Data Preparation
To complete the configuration, you need the following data:
l TFTP software to be installed on the TFTP server
l Name of the file to be downloaded and path of the file on the TFTP server
l Name of the file to be uploaded and path of the file on the TFTP client

Procedure
Step 1 Enable the TFTP server function.
In the Current Directory column, set the directory in which the file to be downloaded resides
on the TFTP server, as shown in Figure 8-17.

Figure 8-17 Setting the current directory on the TFTP server

NOTE

The displayed window may vary with the TFTP software.

In the tftpservermt directory, run the following command to start the TFTP server:
/home/tftpservermt # ./tftpserver -v -i tftpserver.ini
TFTP Server MultiThreaded Version 1.61 Unix Built 1611
starting TFTP...
username: root
alias / is mapped to /home/
permitted clients: all
server port range: all
max blksize: 65464
default blksize: 512
default timeout: 3
file read allowed: Yes
file create allowed: Yes
file overwrite allowed: Yes
thread pool size: 1
listening on: 0.0.0.0:69
Accepting requests..

Step 2 Log in to the TFTP client from the HyperTerminal to download a file.
<HUAWEI> tftp 10.18.26.141 get a.txt cfcard:/b.txt
Warning: cfcard:/b.txt exists, overwrite? Please select
[Y/N]:y
Transfer file in binary mode.
Please wait for a while...
/
3338 bytes transferred
File transfer completed

Step 3 Verify the configuration.
Run the dir command on the TFTP client to view the directory in which the downloaded file
is saved.
<HUAWEI> dir

Directory of 0/17#cfcard:/

Idx Attr Size(Byte) Date Time(LMT) FileName
0 -rw- 3,338 Jan 25 2011 09:27:41 b.txt
1 -rw- 103,265,123 Jan 25 2011 06:49:07 V800R010C10B020D0123.cc
2 -rw- 92,766,274 Jan 25 2011 06:49:10 V800R010C10SPC007B008D1012.cc

109,867,396 KB total (102,926,652 KB free)

Step 4 Log in to the TFTP client from the HyperTerminal to upload a file.
<HUAWEI> tftp 10.111.16.160 put sample.txt
Info: Transfer file in binary mode.
Please wait for a while...
\ 100% [***********]
File transfer completed

----End

Configuration Files
None

8.12.6 Example for Using FTP to Access Other Devices

You can log in to the FTP server from the FTP client to download system software and
configuration files from the FTP server to the client.

Networking Requirements
To transfer files with a remote FTP server or manage directories of the server, configure a
device as an FTP client and use FTP to access the FTP server.

As shown in Figure 8-18, the FTP client and server are routable. To download system
software and configuration files from the FTP server to the FTP client, log in to the FTP
server from the FTP client.

Figure 8-18 Using FTP to access another device

NOTE

In this example, the interface is GE1/0/1.

(Topology: FTP client, Interface1 2.1.1.1/24; network; FTP server, Interface1 1.1.1.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the user name and password for an FTP user to log in to the FTP server and
the directory that the user will access.
2. Enable the FTP server function.
3. Run login commands to log in to the FTP server.
4. Configure the file transfer mode and working directory to allow the client to download
files from the server.

Data Preparation
To complete the configuration, you need the following data:
l User name: huawei; password: Hello-huawei123
l IP address of the FTP server: 1.1.1.1
l Name of the file to be downloaded and directory of the file

Procedure
Step 1 Configure an FTP user on the FTP server.
<HUAWEI> system-view
[~HUAWEI] aaa
[*HUAWEI-aaa] local-user huawei password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation marks
are used around a password, spaces are allowed in the password.
l Double quotation marks cannot contain double quotation marks if spaces are used in a password.
l Double quotation marks can contain double quotation marks if no space is used in a password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*HUAWEI-aaa] local-user huawei service-type ftp
[*HUAWEI-aaa] local-user huawei ftp-directory cfcard:/
[*HUAWEI-aaa] local-user huawei level 3
[*HUAWEI-aaa] commit
[*HUAWEI-aaa] quit

Step 2 Enable the FTP server function.
[*HUAWEI] ftp server enable
[*HUAWEI] commit
[~HUAWEI] quit

Step 3 Log in to the FTP server from the FTP client.
<HUAWEI> ftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1.
220 FTP service ready.
User(1.1.1.1:(none)):huawei
331 Password required for huawei.
Enter password:
230 User logged in.
[ftp]

Step 4 Set the file transfer mode to binary and the working directory to new_dir:/ on the FTP client.
[ftp] binary
200 Type set to I.
[ftp] lcd new_dir:/
The current local directory is new_dir:.
[ftp] commit

Step 5 Download the latest system software from the FTP server to the FTP client.
[ftp] get V800R010C10B020D0123.cc
200 Port command okay.
150 Opening BINARY mode data connection for V800R010C10B020D0123.cc.
226 Transfer complete.
FTP: 1127 byte(s) received in 0.156 second(s) 7.22Kbyte(s)/sec.
[ftp] quit

Run the dir command to check whether the required file has been downloaded to the client.

----End

Configuration Files
l FTP server configuration file
#
aaa
local-user huawei password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user huawei ftp-directory cfcard:/
local-user huawei level 3
local-user huawei service-type ftp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 1.1.1.1 255.255.255.0
#
ftp server enable
#
return

l FTP client configuration file
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 2.1.1.1 255.255.255.0
#
return

8.12.7 Example for Using SFTP to Access Other Devices (RSA Authentication Mode)
To allow the SFTP client to connect to the SSH server, configure the client and server to
generate local key pairs, configure the client to generate an RSA public key, and bind the
public key to the client.

Networking Requirements
Based on SSH, SFTP ensures that users log in to a remote device securely to manage and
transfer files, enhancing secure file transfer. Because the device can function as an SFTP
client, you can log in to a remote SSH server from the device to transfer files securely.

As shown in Figure 8-19, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in password, ECC, password-ECC, DSA, RSA,
password-RSA, SM2, password-SM2, or all authentication mode.

Figure 8-19 Using SFTP to access another device

NOTE

In this example, the interface is GE0/0/0.

(Topology: SSH server, Interface1 10.1.1.1/16; Client 001, Interface1 10.1.2.2/16; Client 002, Interface1 10.1.3.3/16)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Generate local key pairs on client002 and the SSH server, and bind the RSA public key
generated on client002 to the user client002 on the SSH server, so that the server can
authenticate the client when it attempts to log in.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
l Client001: password authentication (password: Hello-huawei123)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.

Step 2 Create SSH users on the server.

NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, ECC,
password-ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.
[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

l Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– Double quotation marks cannot contain double quotation marks if spaces are used in a
password.
– Double quotation marks can contain double quotation marks if no space is used in a
password.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

l Create an SSH user named client002.

# Create an SSH user named client002 and configure RSA authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure an RSA public key for the server.

# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
[*client002] commit

# Check the RSA public key generated on the client.
[~client002] display rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:

308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001

Host Public Key for PEM format Code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw98
25XYSkri89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn
+8J1LffkxRmHF4uMNk1X3QqiSqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIX
GJb7H/w4zQ==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri
89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi
SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key

Host Public key for SSH1 format code:
1024 65537 125048203250833642388841080101906750228075076456213955541037945628567
57310398880086451511608221218821171562865637463140847157102422109476944363593619
24637760514734544191988044752471924402237145321162849626052751701862381759745461
33321165741031171160914926309797395278974490949461701171569544048167828558985421

======================Server Key========================
Time of Key pair created : 13:22:1 2010/10/25
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:

3067
0260
BDCEC48F 1EDA55AF 80C71881 CF22D6A4 02682F2F
E50035C8 E1539F1F 9EB3FCAC 2BFEF147 EEF59F23
7270C3DD 22135C16 AAC236DE EFBF9865 E50D8D26
B7651BCB 6D87BC2B 96559C38 04FC034B 54CFE7B3
2B1BBA18 A96FFC29 EF70069D DD1EE053
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-public-key-rsa-key-code] 308188
[*SSH Server-rsa-public-key-rsa-key-code] 028180
[*SSH Server-rsa-public-key-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*SSH Server-rsa-public-key-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*SSH Server-rsa-public-key-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*SSH Server-rsa-public-key-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*SSH Server-rsa-public-key-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*SSH Server-rsa-public-key-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*SSH Server-rsa-public-key-rsa-key-code] 171896FB 1FFC38CD
[*SSH Server-rsa-public-key-rsa-key-code] 0203
[*SSH Server-rsa-public-key-rsa-key-code] 010001
[*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit
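Before the key is bound to the user in Step 4, it is worth confirming that the hex pasted into the key-code view really is the key the client displayed, and that it meets the 2048-bit minimum from the chapter note. The following Python script is an added example, not part of this guide or the router software: it decodes the page's RSA key code (PKCS#1 DER) and the client's OpenSSH ssh-rsa line, checks that both carry the same modulus and exponent, and reports the key size; the ECC key code uses a different layout and is out of scope here.

```python
"""Cross-check the hex typed into the 'public-key-code begin' view against the
'ssh-rsa' line the client displays, before the key is bound to an SSH user.
Added example, not part of the configuration guide or the router software; the
two samples are copied from the page's Step 3 output and encode the same key.
ECC key codes use a different (non-DER) layout and are not handled here."""
import base64
import struct
from typing import Tuple

# As typed into "public-key-code begin" on the SSH server (copied from the page).
HUAWEI_RSA_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""
# The client's "Public key code for pasting into OpenSSH authorized_keys file" line.
OPENSSH_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCyExXdhZrX5KbQ2bgSHyPwAGuxu6RDEw9825XYSkri"
    "89lKc9c2/f1fQRuLczzdSUojbzWrm7/hmnM2FQtAo13mLGqC11xfLDZn+8J1LffkxRmHF4uMNk1X3Qqi"
    "SqDC+H9HTHkxqffo/uDVobUJL3ESZgvRU3+31bIXGJb7H/w4zQ== rsa-key"
)
MIN_RSA_BITS = 2048  # the chapter's note: do not use RSA keys shorter than 2048 bits


def _der_read(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    """Read one DER TLV with the expected tag; return (value, offset after it)."""
    if buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}, got 0x{buf[pos]:02x}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low seven bits give the number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return buf[pos:pos + length], pos + length


def parse_huawei_rsa_key_code(text: str) -> Tuple[int, int]:
    """Decode the hex groups of an RSA public-key-code block into (n, e).
    The bytes form a PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }."""
    der = bytes.fromhex("".join(text.split()))
    body, end = _der_read(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the RSAPublicKey SEQUENCE")
    n_bytes, pos = _der_read(body, 0, 0x02)
    e_bytes, pos = _der_read(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected extra field inside RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(blob: bytes, pos: int) -> Tuple[bytes, int]:
    """Read one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    (length,) = struct.unpack_from(">I", blob, pos)
    pos += 4
    if pos + length > len(blob):
        raise ValueError("ssh string runs past the end of the blob")
    return blob[pos:pos + length], pos + length


def parse_openssh_rsa_line(line: str) -> Tuple[int, int]:
    """Decode an 'ssh-rsa <base64> [comment]' line into (n, e).
    The blob holds string "ssh-rsa", mpint e, mpint n (RFC 4253 section 6.6)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    algo, pos = _ssh_string(blob, 0)
    if algo != b"ssh-rsa":
        raise ValueError("blob does not carry an ssh-rsa key")
    e_bytes, pos = _ssh_string(blob, pos)
    n_bytes, pos = _ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes in the ssh-rsa blob")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def check_key_code(key_code: str, openssh_line: str) -> dict:
    """Report whether both encodings describe one key and whether it meets MIN_RSA_BITS."""
    n_dev, e_dev = parse_huawei_rsa_key_code(key_code)
    n_ref, e_ref = parse_openssh_rsa_line(openssh_line)
    return {
        "match": (n_dev, e_dev) == (n_ref, e_ref),
        "bits": n_dev.bit_length(),
        "exponent": e_dev,
        "too_short": n_dev.bit_length() < MIN_RSA_BITS,
    }


if __name__ == "__main__":
    print(check_key_code(HUAWEI_RSA_KEY_CODE, OPENSSH_LINE))
```

On the page's own key the two encodings match, but the modulus is 1024 bits, so too_short is reported as True against the chapter's 2048-bit minimum.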

Step 4 Bind the RSA public key to client002.
[~SSH Server] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.

# Enable the SFTP server function.
[~SSH Server] sftp server enable
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in RSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect SFTP clients to the SSH server.

# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.
[*client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server in password authentication mode.
[~client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.1.1.1. Please wait
Enter password:

# Connect client002 to the SSH server in RSA authentication mode.
[~client002] sftp 10.1.1.1
Please input the username: client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.

Step 8 Verify the configuration.
After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the SFTP server
function has been enabled and that the SFTP client has logged in to the server.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.
[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : rsa
User-public-key-name : rsakey001
Sftp-directory : -
Service-type : sftp
----------------------------------------------------

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server

#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

- Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.12.8 Example for Using SFTP to Access Other Devices (DSA Authentication Mode)
To allow the SFTP client to connect to the SSH server, configure the client and server to
generate local key pairs, configure the client to generate a DSA public key, send the public
key to the server, and bind the public key to the client.

Networking Requirements
SFTP is based on SSH. It lets users log in to a remote device securely to manage and
transfer files. As the device can function as an SFTP client, you can log in to a remote SSH
server from the device to transfer files securely.

As shown in Figure 8-20, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in the password, ECC, password-ECC, DSA,
password-DSA, RSA, password-RSA, SM2, password-SM2, or all authentication mode.

Figure 8-20 Networking diagram for accessing another device by using SFTP
(SSH server: Interface1 10.1.1.1/16; Client 001: Interface1 10.1.2.2/16; Client 002: Interface1 10.1.3.3/16)
NOTE

In this example, the interface is GE0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, configure the DSA
public key generated on client002 on the SSH server, and bind it to client002 so that the
server can authenticate the client when it attempts to log in.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Client001 and client002 log in to the SSH server in SFTP mode to obtain files on the
server.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: Hello-huawei123)
- Client002: DSA authentication (public key: dsakey001)
- IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] dsa local-key-pair create
Info: The key name will be: SSH SERVER_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

Step 2 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, DSA,
password-DSA, ECC, password-ECC, and all.
- If the authentication mode is password, password-RSA, password-DSA, or password-ECC,
configure a local user with the same user name on the server.
- If the authentication mode is RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, or
all, save the RSA, DSA, or ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit

- Create an SSH user named client001.

# Create an SSH user named client001 and configure password authentication for the user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– A password enclosed in double quotation marks cannot itself contain double quotation marks if it
contains spaces.
– A password enclosed in double quotation marks can contain double quotation marks if it contains
no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.

# Create an SSH user named client002 and configure DSA authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type dsa
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure the DSA public key on the server.


# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:1024
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[*client002] commit

# Check the DSA public key generated on the client.


[~client002] display dsa local-key-pair public
========================================================
Time of Key pair created : 2013-05-21 17:18:17
Key name : client002_Host_DSA
Key modulus : 1024
Key type : DSA Encryption Key
========================================================
Key code:

3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B

Host public Key for PEM format Code:



Public key code for pasting into OpenSSH authorized_keys file:



# Copy the DSA public key generated on the client to the server.
[~SSH Server] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[*SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return last view with "public-key-code end".
[*SSH Server-dsa-public-key-dsa-key-code] 3082019F
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
[*SSH Server-dsa-public-key-dsa-key-code] 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
[*SSH Server-dsa-public-key-dsa-key-code] 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
[*SSH Server-dsa-public-key-dsa-key-code] 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
[*SSH Server-dsa-public-key-dsa-key-code] 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
[*SSH Server-dsa-public-key-dsa-key-code] 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
[*SSH Server-dsa-public-key-dsa-key-code] 0B752AC7 817E877F
[*SSH Server-dsa-public-key-dsa-key-code] 0214
[*SSH Server-dsa-public-key-dsa-key-code] CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
[*SSH Server-dsa-public-key-dsa-key-code] C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
[*SSH Server-dsa-public-key-dsa-key-code] AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
[*SSH Server-dsa-public-key-dsa-key-code] C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
[*SSH Server-dsa-public-key-dsa-key-code] 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
[*SSH Server-dsa-public-key-dsa-key-code] C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
[*SSH Server-dsa-public-key-dsa-key-code] F459F826 B9A5CF6D
[*SSH Server-dsa-public-key-dsa-key-code] 028180
[*SSH Server-dsa-public-key-dsa-key-code] 409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
[*SSH Server-dsa-public-key-dsa-key-code] B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
[*SSH Server-dsa-public-key-dsa-key-code] 57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
[*SSH Server-dsa-public-key-dsa-key-code] 593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
[*SSH Server-dsa-public-key-dsa-key-code] 6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
[*SSH Server-dsa-public-key-dsa-key-code] E054EE39 20207689 433B07A1 1219B9F3 945E88F0
[*SSH Server-dsa-public-key-dsa-key-code] 3A8FC0FB 9883905B
[*SSH Server-dsa-public-key-dsa-key-code] public-key-code end
[*SSH Server-dsa-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the DSA public key to client002.


[~SSH Server] ssh user client002 assign dsa-key dsakey001
[*SSH Server] commit
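The key code that Step 3 displays on client002 and pastes into the server, and that Step 4 binds to the user, is a DER SEQUENCE of INTEGERs (p, q, g, y for DSA; n, e for the RSA key code in the preceding example). The following added example, which is not the guide's or the device's own code, parses that format and reports the modulus size so that a key below the 2048-bit size the guide's security note calls for is caught before it is bound to a user; it assumes the device writes each INTEGER as an unsigned magnitude without the 0x00 pad byte strict DER would require.

```python
"""Parse the hex key code a NetEngine device displays for a public key and
report the modulus size before the key is bound to an SSH user.
Added example; not the guide's or the device's own code."""

# Key codes copied from the guide's own output (wrapped lines joined).
DSA_KEY_CODE = """
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0
3A8FC0FB 9883905B
"""

RSA_KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
"""

MIN_MODULUS_BITS = 2048  # lower bound given by the guide's security note


def _read_length(data, pos):
    """Decode a DER length at data[pos]; return (length, offset after it)."""
    first = data[pos]
    pos += 1
    if first < 0x80:                       # short form: one byte
        return first, pos
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(data[pos:pos + n], "big"), pos + n


def parse_key_code(text):
    """Return the INTEGER values of a key code encoded as SEQUENCE { INTEGER ... }.

    Assumption: the device omits the 0x00 pad byte strict DER needs when the
    top bit is set, so every INTEGER is read as an unsigned magnitude.
    """
    data = bytes.fromhex("".join(text.split()))
    if not data or data[0] != 0x30:
        raise ValueError("key code does not start with a SEQUENCE tag")
    seq_len, pos = _read_length(data, 1)
    if pos + seq_len != len(data):
        raise ValueError("SEQUENCE length does not match the key code length")
    values = []
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("expected an INTEGER tag at offset %d" % pos)
        n, pos = _read_length(data, pos + 1)
        values.append(int.from_bytes(data[pos:pos + n], "big"))
        pos += n
    return values


def summarize_key_code(text):
    """Classify a key code (DSA: p, q, g, y; RSA: n, e) and list findings."""
    values = parse_key_code(text)
    findings = []
    if len(values) == 4:
        p, q, g, y = values
        summary = {"type": "dsa", "modulus_bits": p.bit_length(), "q_bits": q.bit_length()}
        if q.bit_length() not in (160, 224, 256):
            findings.append("unexpected DSA subgroup size q")
        if not (1 < g < p and 1 < y < p):
            findings.append("g or y outside the range (1, p)")
    elif len(values) == 2:
        n, e = values
        summary = {"type": "rsa", "modulus_bits": n.bit_length(), "e": e}
        if e < 3 or e % 2 == 0:
            findings.append("invalid RSA public exponent")
    else:
        raise ValueError("expected 2 (RSA) or 4 (DSA) INTEGERs, got %d" % len(values))
    if summary["modulus_bits"] < MIN_MODULUS_BITS:
        findings.append("modulus is %d bits; the guide recommends at least %d"
                        % (summary["modulus_bits"], MIN_MODULUS_BITS))
    summary["findings"] = findings
    return summary
```

Running summarize_key_code on the guide's 1024-bit client002 key reports the undersized modulus, which is exactly the case the guide's own key-generation prompt (default 2048) steers away from.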

Step 5 Enable the SFTP server function on the SSH server.


# Enable the SFTP server function.
[~SSH Server] sftp server enable
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in DSA authentication mode.
[~SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect the SFTP client to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[~client002] ssh client first-time enable
[*client002] commit

# Client001 logs in to the SSH server in password authentication mode.


[~client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort

The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] : y
The server's public key will be saved with the name 10.1.1.1. Please wait
Enter password:

# Client002 logs in to the SSH server in DSA authentication mode.


[~client002] sftp 10.1.1.1
Please input the username: client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. You can find that the SFTP server function has been
enabled, and the SFTP client has logged in to the server.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------
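As an added example that is not part of the guide, the following script parses the Step 8 outputs (the same fields appear in the RSA and ECC examples) and flags the settings a reviewer would question: SSH 1.x compatibility, CBC ciphers, MD5 MACs, SHA-1 key exchange, and the empty ACL fields that leave the server reachable from any address. The excerpts it runs on are copied from the guide's output; the finding texts are the example's own.

```python
"""Audit 'display ssh server status' and 'display ssh server session' output.
Added example; not part of the guide."""

# Excerpts of the guide's verification output, used here as constructed input.
STATUS_OUTPUT = """\
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH version 1.x compatibility : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
"""

SESSION_OUTPUT = """\
[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
Username : user1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Idle Time : 00:00:49
--------------------------------------------------------------------------------
"""


def parse_display(text):
    """Turn the 'Key : Value' lines of a display command into a dict.

    Splitting on the first colon keeps values such as '0::0' and '00:00:49'
    intact; prompt echoes and separator rules are skipped.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line or line.startswith("-") or line.startswith("["):
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_server_status(fields):
    """Findings from the parsed 'display ssh server status' output."""
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH 1.x compatibility is enabled; protocol version 1 is obsolete")
    if fields.get("SSH server DES") == "Enable":
        findings.append("DES cipher is enabled on the server")
    acl_keys = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")
    if not any(fields.get(k) for k in acl_keys):
        findings.append("no ACL restricts which addresses may reach the SSH server")
    if fields.get("SSH server ip-block") != "Enable":
        findings.append("ip-block is disabled, so repeated failed logins are not blocked")
    return findings


def audit_session(fields):
    """Findings from one parsed 'display ssh server session' record."""
    findings = []
    for direction in ("CTOS", "STOC"):
        cipher = fields.get(f"{direction} Cipher", "").lower()
        if any(weak in cipher for weak in ("-cbc", "des", "arcfour")):
            findings.append(f"{direction} cipher {cipher} is a legacy mode; prefer CTR or GCM")
        mac = fields.get(f"{direction} Hmac", "").lower()
        if "md5" in mac or mac.endswith("-96"):
            findings.append(f"{direction} MAC {mac} is weak; prefer hmac-sha2-256 or stronger")
    kex = fields.get("Kex", "").lower()
    if kex.endswith("sha1") or "group1-" in kex:
        findings.append(f"key exchange {kex} depends on SHA-1 or a 1024-bit group")
    return findings


def audit(status_text, session_text):
    """Run both audits over raw command output and return all findings."""
    return (audit_server_status(parse_display(status_text))
            + audit_session(parse_display(session_text)))


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print("FINDING:", finding)
```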

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : cfcard:
Service-type : sftp

User Name : client002
Authentication-Type : dsa
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : sftp
----------------------------------------------------

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001
public-key-code begin
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
409C0AE7 1DDDDA8C F3924608 DC32728C D6FA51FB
B4933D03 E30780E1 676AA9EE E3A9B677 97DB1D3A
57AF479C 3BDC4096 291B4548 43D88851 DCFEB04D
593F1459 9145FB0B 071CEEE5 5F951E64 CA6C4C16
6192B926 9AD8764E E9F8661C 8EC08D08 BD83BCE3
E054EE39 20207689 433B07A1 1219B9F3 945E88F0

3A8FC0FB 9883905B
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign dsa-key dsakey001
ssh user client002 authentication-type dsa
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

- Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.12.9 Example for Using SFTP to Access Other Devices (ECC Authentication Mode)
To allow the SFTP client to connect to the SSH server, configure the client and server to
generate local key pairs, configure the client to generate an ECC public key, and bind the
public key to the client.

Networking Requirements
Based on SSH, SFTP lets users log in to a remote device securely to manage and transfer
files. Because the device can function as an SFTP client, you can log in to a remote SSH
server from the device to transfer files securely.
As shown in Figure 8-21, after the SFTP server function is enabled on the SSH server, the
SFTP client can log in to the SSH server in the password, ECC, password-ECC, DSA,
password-DSA, RSA, password-RSA, SM2, password-SM2, or all authentication mode.

Figure 8-21 Using SFTP to access another device
(SSH server: Interface1 10.1.1.1/16; Client 001: Interface1 10.1.2.2/16; Client 002: Interface1 10.1.3.3/16)

NOTE

In this example, the interface is GE0/0/0.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, configure the ECC
public key generated on client002 on the SSH server, and bind it to client002 so that the
server can authenticate the client when it attempts to log in.
3. Enable the SFTP server function on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Use SFTP on client001 and client002 to log in to the SSH server.

Data Preparation
To complete the configuration, you need the following data:
- Client001: password authentication (password: Hello-huawei123)
- Client002: ECC authentication (public key: ecckey001)
- IP address of the SSH server: 10.1.1.1

Procedure
Step 1 Configure the server to generate a local key pair.

<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] ecc local-key-pair create
Info: The key name will be: SSH Server_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

Step 2 Create SSH users on the server.


NOTE

- If the authentication mode is password, password-RSA, or password-ECC, configure a local user
with the same user name on the server.
- If the authentication mode is RSA, password-RSA, ECC, password-ECC, or all, save the RSA or
ECC public key generated on the SSH client to the server.

- Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the
user.
[*SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit

# Set the password of client001 to Hello-huawei123.


[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
Special characters do not include question marks (?) or spaces. However, when double quotation
marks are used around a password, spaces are allowed in the password.
– A password enclosed in double quotation marks cannot itself contain double quotation marks if it
contains spaces.
– A password enclosed in double quotation marks can contain double quotation marks if it contains
no spaces.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] local-user client001 level 3
[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

- Create an SSH user named client002.

# Create an SSH user named client002 and configure ECC authentication for the user.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type ecc
[*SSH Server] ssh authorization-type default root
[*SSH Server] commit

Step 3 Configure an ECC public key for the server.


# Configure client002 to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit

[~client002] ecc local-key-pair create
Info: The key name will be: client002_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
[*client002] commit

# Check the ECC public key generated on the client.


[~client002] display ecc local-key-pair public
======================Host Key==========================
Time of Key pair created : 2013-01-22 10:33:06
Key Name : client002_Host_ECC
Key Type : ECC Encryption Key
========================================================
Key Code:

04D7635B C047B02E 20C1E6CB E04B5E5C 7DCADD88
F676AB0E C91ACB3C B0394B18 FA29E5C2 0426F924
DAD9AA02 C531E5ED C6783FFA 41235A16 8D7723E0
7E63D68D E7

Host Public Key for PEM format Code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAxOTIAAABBBL+PCqbAEJKKKUpCYdSfyiyY5Iq3
DM9ZB3mjx62wShmmNMiZJAV+02aMJ6CsHBuWCbVLO/Zg8Ng3kGXC4ltmLXM=
---- END SSH2 PUBLIC KEY ----

# Copy the ECC public key generated on the client to the server.
[~SSH Server] ecc peer-public-key ecckey001
Enter "ECC public key" view, return system view with "peer-public-key end".
[*SSH Server-ecc-public-key] public-key-code begin
Enter "ECC key code" view, return last view with "public-key-code end".
[*SSH Server-ecc-public-key-ecc-key-code] 04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
[*SSH Server-ecc-public-key-ecc-key-code] B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
[*SSH Server-ecc-public-key-ecc-key-code] 668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
[*SSH Server-ecc-public-key-ecc-key-code] E25B662D 73
[*SSH Server-ecc-public-key-ecc-key-code] public-key-code end
[*SSH Server-ecc-public-key] peer-public-key end
[*SSH Server] commit

Step 4 Bind the ECC public key to client002.


[~SSH Server] ssh user client002 assign ecc-key ecckey001
[*SSH Server] commit

Step 5 Enable the SFTP server function on the SSH server.


# Enable the SFTP server function.
[~SSH Server] sftp server enable
[*SSH Server] commit

Step 6 Configure the service type and authorized directory for the SSH users.
Two SSH users are configured on the SSH server: client001 in password authentication mode
and client002 in ECC authentication mode.

[*SSH Server] ssh user client001 service-type sftp
[*SSH Server] ssh user client001 sftp-directory cfcard:
[*SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:

Step 7 Connect SFTP clients to the SSH server.


# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server in password authentication mode.


[~client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:

# Connect client002 to the SSH server in ECC authentication mode.


[~client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait.
Please input the username: client002
Please select public key type for user authentication [R for RSA/E for ECC]
Please select [R/E]:e

Step 8 Verify the configuration.


After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The command outputs show that the SFTP server
function has been enabled and that the SFTP client has logged in to the server.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

# Check information about SSH users.


[~SSH Server] display ssh user-information
----------------------------------------------------
Username : client001
Authentication-type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory : cfcard:
Service-type : sftp

Username : client002
Authentication-type : ecc
User-public-key-name : ecckey001
User-public-key-type : ECC
Sftp-directory : cfcard:
Service-type : sftp
----------------------------------------------------
Total 2, 2 printed

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server

#
ecc peer-public-key ecckey001
public-key-code begin
04BF8F0A A6C01092 8A294A42 61D49FCA 2C98E48A
B70CCF59 0779A3C7 ADB04A19 A634C899 24057ED3
668C27A0 AC1C1B96 09B54B3B F660F0D8 379065C2
E25B662D 73
public-key-code end
peer-public-key end
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 sftp-directory cfcard:
ssh user client001 service-type sftp
ssh user client002
ssh user client002 assign ecc-key ecckey001
ssh user client002 authentication-type ecc
ssh authorization-type default root
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 level 3
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

l Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 10.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return

8.12.10 Example for Using a Non-default Listening Port Number to Access the SSH Server
A non-default listening port number can be configured for the SSH server to allow only
authorized users to establish SSH connections with the server.


Networking Requirements
The default listening port number is 22. If attackers continuously access this port, bandwidth
resources are consumed and the performance of the server deteriorates. As a result, authorized
users cannot access the server.

If the listening port number of the SSH server is changed to a non-default one, attackers who
are unaware of the change continue to send socket connection requests to port 22. The SSH
server denies these connection requests because it no longer listens on that port.

Authorized users set up socket connections with the SSH server on the new listening port
number and then proceed through the normal SSH exchange: negotiate the SSH protocol version,
negotiate the algorithms, generate the session key, authenticate, send the session request, and
conduct the session.

Figure 8-22 Using a non-default listening port number to access the SSH server
NOTE

In this example, the interface is GE0/0/0.

(Figure: SSH server with Interface1 10.1.1.1/16; Client 001 with Interface1 10.1.2.2/16; Client 002
with Interface1 10.1.3.3/16.)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure users client001 and client002 on the SSH server to use different authentication
modes to log in to the SSH server.
2. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
3. Enable the STelnet and SFTP server functions on the SSH server.
4. Configure the service type and authorized directory for the SSH users.
5. Configure a non-default listening port number of the SSH server to allow only
authorized users to access the server.
6. Use STelnet and SFTP respectively on client001 and client002 to log in to the SSH
server.

Data Preparation
To complete the configuration, you need the following data:


l Client001: password authentication (password: Hello-huawei123) and STelnet service type
l Client002: RSA authentication (public key: RsaKey001) and SFTP service type
l IP address of the SSH server: 1.1.1.1
l Listening port number of the SSH server: 1025

Procedure
Step 1 Configure the server to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
[*SSH Server] commit

Step 2 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
<HUAWEI> system-view
[~HUAWEI] sysname client002
[*HUAWEI] commit
[~client002] rsa local-key-pair create
[*client002] commit

# Check the RSA public key generated on the client.


[~client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 16:38:51 2007/5/25
Key name: client002_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001

# Copy the RSA public key generated on the client to the server.
[~SSH Server] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*SSH Server-rsa-key-code] 3047
[*SSH Server-rsa-key-code] 0240
[*SSH Server-rsa-key-code] BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
[*SSH Server-rsa-key-code] 203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
[*SSH Server-rsa-key-code] EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
[*SSH Server-rsa-key-code] 1D7E3E1B
[*SSH Server-rsa-key-code] 0203
[*SSH Server-rsa-key-code] 010001
[*SSH Server-rsa-key-code] public-key-code end
[*SSH Server-rsa-public-key] peer-public-key end
[*SSH Server] commit

Step 3 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-
ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.


[~SSH Server] user-interface vty 0 4
[~SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] commit
[~SSH Server-ui-vty0-4] quit
l Create an SSH user named client001.
# Create an SSH user named client001 and configure password authentication for the
user.
[~SSH Server] ssh user client001
[*SSH Server] ssh user client001 authentication-type password
[*SSH Server] commit
# Set the password of client001 to Hello-huawei123.
[~SSH Server] aaa
[*SSH Server-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
A password cannot contain question marks (?) or spaces. However, if the password is enclosed in
double quotation marks, spaces are allowed inside it.
– If the quoted password contains spaces, it cannot also contain double quotation marks.
– If the quoted password contains no spaces, it may contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.


[*SSH Server-aaa] local-user client001 service-type ssh


[*SSH Server-aaa] commit
[~SSH Server-aaa] quit

# Set the service type of client001 to STelnet.


[~SSH Server] ssh user client001 service-type stelnet

l Create an SSH user named client002.


# Create an SSH user named client002, configure RSA authentication for the user, and
bind the RSA public key to client002.
[~SSH Server] ssh user client002
[*SSH Server] ssh user client002 authentication-type rsa
[*SSH Server] ssh user client002 assign rsa-key RsaKey001
[*SSH Server] commit

# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[~SSH Server] ssh user client002 service-type sftp
[*SSH Server] ssh user client002 sftp-directory cfcard:
[*SSH Server] commit

Step 4 Enable the STelnet and SFTP server functions on the SSH server.
[~SSH Server] stelnet server enable
[*SSH Server] sftp server enable
[*SSH Server] commit

Step 5 Configure a new listening port number on the SSH server.


[*SSH Server] ssh server port 1025

Step 6 Connect the SSH client and the SSH server.


# If the client logs in to the server for the first time, enable first authentication on the client.
Enable first authentication on client001.
<HUAWEI> system-view
[~HUAWEI] sysname client001
[*HUAWEI] commit
[~client001] ssh client first-time enable
[*client001] commit

Enable first authentication on client002.


[*client002] ssh client first-time enable
[*client002] commit

# Connect client001 to the SSH server using the new listening port number.
[~client001] stelnet 1.1.1.1 1025
Please input the username:client001
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Enter password:

Enter the password Hello-huawei123. The information indicating a successful login is
displayed as follows:
Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
<SSH Server>

# Connect client002 to the SSH server using the new listening port number.


[~client002] sftp 1.1.1.1 1025
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
The server's public key will be saved with the name 1.1.1.1. Please wait...
sftp-client>

Step 7 Verify the configuration.


Attackers fail to log in to the SSH server using the default listening port number 22.
[~client002] sftp 1.1.1.1
Please input the username:client002
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the server.

After the configuration is complete, run the display ssh server status and display ssh server
session commands on the SSH server. The current listening port number of the SSH server
can be displayed in the command output. The command output also shows that the STelnet or
SFTP client has logged in to the server successfully.
# Check the status of the SSH server.
[~SSH Server] display ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Enable
SSH server keepalive : Disable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Disable
STELNET IPv6 server : Disable
SNETCONF IPv4 server : Enable
SNETCONF IPv6 server : Enable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Enable
SCP IPv6 server : Enable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 10.1.1.1
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable

# Check the connection to the SSH server.


[~SSH Server] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

----End

Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
ssh server port 1025
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.1.1 255.255.0.0
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l Client001 configuration file


#
sysname client001
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.2.2 255.255.0.0
#
ssh client first-time enable
#
return

l Client002 configuration file


#
sysname client002
#
interface GigabitEthernet0/0/0
undo shutdown
ip address 1.1.3.3 255.255.0.0
#
ssh client first-time enable
#
return
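The following script is an added example and is not part of the Huawei guide. It audits the SSH-related lines of configuration files in the format shown above: the server file of this example (which sets the non-default listening port), a constructed weaker variant that keeps the default port, leaves the VTY lines open to every inbound protocol and gives the SFTP user no authorized directory, and the client file, whose ssh client first-time enable line accepts an unverified server host key on the first connection (the "The server is not authenticated" prompt above). The parser, the finding codes and the weak variant are this example's own assumptions, not part of the device software.

```python
import re

DEFAULT_SSH_PORT = 22

# SSH-related lines of the SSH server configuration file in this example (8.12.10).
SERVER_CONFIG = """\
ssh server port 1025
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

# Constructed weaker variant (not from the page): no 'ssh server port', VTY lines
# open to every inbound protocol, SFTP user without an authorized directory.
WEAK_SERVER_CONFIG = """\
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 service-type sftp
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""

# The line every client configuration file in this example carries.
CLIENT_CONFIG = "ssh client first-time enable\n"


def parse_ssh_config(text):
    """Collect the SSH-relevant settings of a Huawei-style configuration file."""
    state = {"port": DEFAULT_SSH_PORT, "users": {}, "vty_protocol": None,
             "first_time": False}
    in_vty = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                          # '#' closes the current view block
            in_vty = False
            continue
        m = re.fullmatch(r"ssh server port (\d+)", line)
        if m:
            state["port"] = int(m.group(1))
            continue
        m = re.fullmatch(r"ssh user (\S+)(?: (\S+)(?: (.*))?)?", line)
        if m:                                    # e.g. 'ssh user client002 sftp-directory cfcard:'
            user = state["users"].setdefault(m.group(1), {})
            if m.group(2):
                user[m.group(2)] = m.group(3) or ""
            continue
        if line.startswith("user-interface vty"):
            in_vty = True
        elif in_vty and line.startswith("protocol inbound "):
            state["vty_protocol"] = line.split()[-1]
        elif line == "ssh client first-time enable":
            state["first_time"] = True
    return state


def audit_ssh_config(text):
    """Return (code, message) findings for one configuration file."""
    s = parse_ssh_config(text)
    findings = []
    if s["users"]:                               # server-side file
        if s["port"] == DEFAULT_SSH_PORT:
            findings.append(("default-port", "SSH server listens on the default port 22"))
        if s["vty_protocol"] != "ssh":
            findings.append(("vty-protocol", "VTY lines are not restricted to inbound ssh"))
    for name, attrs in s["users"].items():
        if attrs.get("authentication-type") == "password":
            findings.append(("password-auth", "user %s authenticates by password; prefer a key" % name))
        if attrs.get("service-type") == "sftp" and "sftp-directory" not in attrs:
            findings.append(("sftp-no-directory", "SFTP user %s has no authorized directory" % name))
    if s["first_time"]:
        findings.append(("first-time-enable",
                         "client accepts an unverified server host key on first connection"))
    return findings


def finding_codes(text):
    """Just the finding codes, for quick comparison between configurations."""
    return {code for code, _ in audit_ssh_config(text)}
```

Run audit_ssh_config() over the text of each configuration file; the server file of this example yields only the password-authentication note for client001, the weak variant yields all four server findings, and the client file yields the first-time finding. The checks are deliberately limited to settings that appear in this chapter.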

8.12.11 Example for Configuring SSH Clients on the Public Network to Access an SSH Server on a Private Network
This example shows how to configure an SSH client on the public network to access an SSH
server on a private network. You can configure SSH-related attributes for public users to
allow them to access devices on private networks in STelnet or SFTP mode.

Networking Requirements
As shown in Figure 8-23, PE1 is an SSH client located on the MPLS backbone network, and
CE1 functions as an SSH server located on the private network with the AS number of 65410.
Public network users need to securely access and manage CE1 after logging in to PE1.

Figure 8-23 Configuring an SSH client on the public network to access an SSH server on a
private network
NOTE

In this example, Interface1, Interface2 and Interface3 are GE1/0/1, GE2/0/1 and GE1/0/2, respectively.

(Figure: MPLS backbone, AS 100. PE1 (SSH client): Loopback1 1.1.1.9/32, Interface1 10.2.1.1/30,
Interface2 10.1.1.2/24. P: Loopback1 2.2.2.9/32, Interface1 10.2.1.2/30, Interface3 10.3.1.1/30.
PE2: Loopback1 3.3.3.9/32, Interface1 10.3.1.2/30, Interface2 10.1.2.2/24. CE1 (SSH server) in a
VPN site: Interface1 10.1.1.1/24. CE2 in a VPN site: Interface1 10.1.2.1/24.)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPN instance on PE1 to allow CE1 to access PE1.
2. Set up EBGP peer relationships between PEs and CEs and import VPN routes.
3. Configure client002 and the SSH server to generate local key pairs, and bind client002 to
the RSA public key of the SSH server to authenticate the client when the client attempts
to log in to the server.
4. Enable the STelnet and SFTP server functions on the SSH server.
5. Connect client001 and client002 to CE1 using STelnet and SFTP, respectively.

Data Preparation
To complete the configuration, you need the following data:
l Name of the VPN instance on the PEs: vpn1
l VPN target on the PEs: 111:1
l IP address of PE1: 10.1.1.2; IP address of PE2: 10.1.2.2
l Client001: password authentication (password: Hello-huawei123)
l Client002: RSA authentication (public key: RsaKey001)
l IP address of CE1: 10.1.1.1

Procedure
Step 1 Configure the MPLS backbone network.


Configure an IGP to allow PEs and the P on the MPLS backbone network to communicate
with each other. Configure basic MPLS functions, enable MPLS LDP, and establish LDP
LSPs on the MPLS backbone network.
For configuration details, see Configuration Files in this section.
Step 2 Configure VPN instances on PEs and connect CEs to PEs.
# Configure PE1.
[*PE1] ip vpn-instance vpn1
[*PE1-vpn-instance-vpn1] route-distinguisher 100:1
[*PE1-vpn-instance-vpn1] vpn-target 111:1 both
[*PE1-vpn-instance-vpn1] quit
[*PE1] interface gigabitethernet 2/0/1
[*PE1-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE1-GigabitEthernet2/0/1] undo shutdown
[*PE1-GigabitEthernet2/0/1] ip address 10.1.1.2 24
[*PE1-GigabitEthernet2/0/1] quit
[*PE1] commit

# Configure PE2.
[*PE2] ip vpn-instance vpn1
[*PE2-vpn-instance-vpn1] route-distinguisher 200:1
[*PE2-vpn-instance-vpn1] vpn-target 111:1 both
[*PE2-vpn-instance-vpn1] quit
[*PE2] interface gigabitethernet 2/0/1
[*PE2-GigabitEthernet2/0/1] ip binding vpn-instance vpn1
[*PE2-GigabitEthernet2/0/1] undo shutdown
[*PE2-GigabitEthernet2/0/1] ip address 10.1.2.2 24
[*PE2-GigabitEthernet2/0/1] quit
[*PE2] commit

# Configure IP addresses for interfaces on CEs according to Figure 8-23. For configuration
details, see Configuration Files in this section.
After the configuration is complete, run the display ip vpn-instance verbose command on
PEs. You can view the configurations of VPN instances. Each PE can successfully ping its
connected CE.

NOTE

When there are multiple interfaces on a PE bound to the same VPN instance, specify the source address
in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping the
CE connected to the peer PE. Otherwise, the ping may fail.
[~PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=260 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=70 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=60 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=90 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/108/260 ms

Step 3 Establish EBGP peer relationships between the PEs and the CEs to import VPN routes.
# Configure CE1.
[*CE1] bgp 65410
[*CE1-bgp] peer 10.1.1.2 as-number 100
[*CE1-bgp] import-route direct
[*CE1-bgp] quit
[*CE1] commit

# Configure PE1.
[*PE1] bgp 100
[*PE1-bgp] ipv4-family vpn-instance vpn1
[*PE1-bgp-vpn1] peer 10.1.1.1 as-number 65410
[*PE1-bgp-vpn1] import-route direct
[*PE1-bgp-vpn1] quit
[*PE1-bgp] quit
[*PE1] commit

# Configure CE2.
[*CE2] bgp 65420
[*CE2-bgp] peer 10.1.2.2 as-number 100
[*CE2-bgp] import-route direct
[*CE2-bgp] quit
[*CE2] commit

# Configure PE2.
[*PE2] bgp 100
[*PE2-bgp] ipv4-family vpn-instance vpn1
[*PE2-bgp-vpn1] peer 10.1.2.1 as-number 65420
[*PE2-bgp-vpn1] import-route direct
[*PE2-bgp-vpn1] quit
[*PE2-bgp] quit
[*PE2] commit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer command
on PEs. The command output shows that the EBGP peer relationships between PEs and the
CEs are in the Established state.
The following example uses the command output on PE1.
[~PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 3 3 0 00:00:37 Established 1

# Set up an MP-IBGP peer relationship between PEs.
For configuration details, see Configuration Files in this section.
Step 4 Configure the server to generate a local key pair.
[*CE1] rsa local-key-pair create
The key name will be:CE1_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
Generating keys...
[*CE1] commit

Step 5 Configure the RSA public key on the server.


# Configure the client to generate a local key pair.
[*PE1] rsa local-key-pair create
The key name will be:PE1_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.
Generating keys...
[*PE1] commit

# Check the RSA public key generated on the client.


[~PE1] display rsa local-key-pair public
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg7
2x/w0h8F2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F
2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key
=====================================================
Time of Key pair created: 12:02:09 2007/6/8
Key name: PE1_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F
23AC8DE2 BDB58E1E D46856B5 419CAEDF 3A33DD40
278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437
D720D3D8 9A3F9DE5 4FE062DF F2DC443E 9092A0F4
970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001

# Copy the RSA public key generated on the client to the server.
[*CE1] rsa peer-public-key RsaKey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[*CE1-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[*CE1-rsa-key-code] 3047
[*CE1-rsa-key-code] 0240
[*CE1-rsa-key-code] BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
[*CE1-rsa-key-code] 87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
[*CE1-rsa-key-code] 8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
[*CE1-rsa-key-code] E2EE8EB5
[*CE1-rsa-key-code] 0203
[*CE1-rsa-key-code] 010001
[*CE1-rsa-key-code] public-key-code end
[*CE1-rsa-public-key] peer-public-key end
[*CE1] commit
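As an added example (not from the Huawei guide), the following Python code shows what the display rsa local-key-pair public output in Step 5 here and in Step 2 of 8.12.10 actually contains: the hex "Key code" is a DER-style RSAPublicKey (a SEQUENCE holding the modulus and the public exponent), and the "ssh-rsa AAAA..." line and the "Host public key for PEM format code" block are the same key in SSH wire format, base64-encoded. The code parses the key codes of client002_Host and PE1_Host as printed on the page, rebuilds both OpenSSH forms, derives the SHA256 fingerprint of the key (what an operator compares out-of-band before answering y to "The server is not authenticated"), and checks the modulus length against the 2048-bit minimum stated at the start of this chapter. All function names and the minimum-length check are this example's own.

```python
import base64
import hashlib

MIN_RSA_BITS = 2048  # minimum stated in the NOTE at the start of this chapter

# Key codes and OpenSSH lines exactly as printed by 'display rsa local-key-pair public'
# on the page: client002_Host (8.12.10 Step 2) and PE1_Host (8.12.11 Step 5).
CLIENT002_KEY_CODE = """
3047
0240
BFF35E4B C61BD786 F907B5DE 7D6770C3 E5FD17AB
203C8FCB BBC8FDF2 F7CB674E 519E8419 0F6B97A8
EA91FC4B B9E18836 5E74BFD5 4C687767 A89C6B43
1D7E3E1B
0203
010001
"""
CLIENT002_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7"
    "yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key"
)
PE1_KEY_CODE = """
3047
0240
BC011055 8BCCB887 384E5A14 1EF982A8 CA44A376
87787138 3BDB1FF0 D21F05D8 41BECF56 B2FA0695
8F76F1B2 5D3E2F35 A8051CE1 E0234274 9D8BB20D
E2EE8EB5
0203
010001
"""
PE1_OPENSSH = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC8ARBVi8y4hzhOWhQe+YKoykSjdod4cTg72x/w0h8F"
    "2EG+z1ay+gaVj3bxsl0+LzWoBRzh4CNCdJ2Lsg3i7o61 rsa-key"
)


def _der_tlv(buf, pos):
    """Read one tag-length-value element at pos (short and long-form lengths)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_rsa_key_code(key_code):
    """Return (modulus, exponent) from the hex 'Key code' block."""
    # The device prints SEQUENCE { INTEGER n, INTEGER e } but omits the leading
    # 0x00 sign byte of the modulus, so both integers are read as unsigned.
    der = bytes.fromhex("".join(key_code.split()))
    tag, body, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("key code does not start with a SEQUENCE")
    tag_n, n_bytes, pos = _der_tlv(body, 0)
    tag_e, e_bytes, _ = _der_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs (modulus, exponent)")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def _ssh_mpint(x):
    """RFC 4251 mpint: big-endian magnitude, zero-padded if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def ssh_rsa_blob(n, e):
    """Public key in SSH wire format: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def openssh_line(n, e, comment="rsa-key"):
    """One-line authorized_keys form, as the device prints it."""
    return "ssh-rsa " + base64.b64encode(ssh_rsa_blob(n, e)).decode() + " " + comment

def rfc4716_block(n, e):
    """The 'Host public key for PEM format code' form: same blob, 64-column lines."""
    b64 = base64.b64encode(ssh_rsa_blob(n, e)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----"] + lines
                     + ["---- END SSH2 PUBLIC KEY ----"])

def fingerprint_sha256(n, e):
    """OpenSSH-style SHA256 fingerprint of the blob, for out-of-band comparison."""
    digest = hashlib.sha256(ssh_rsa_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def meets_minimum(n, minimum=MIN_RSA_BITS):
    """True if the modulus length meets the minimum key length (assumed check)."""
    return n.bit_length() >= minimum
```

Both keys printed on the page decode to a 512-bit modulus with exponent 65537, so meets_minimum() reports them as below the 2048-bit minimum; the key pair actually generated by rsa local-key-pair create on current software is 2048 bits, as the "(2048 ~ 2048)" message in the procedure shows. The fingerprint is what to record when a server's key is first accepted, so that later "not authenticated" prompts can be checked against it.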

Step 6 Create SSH users on the server.


NOTE

There are several authentication modes for SSH users: password, RSA, password-RSA, ECC, password-
ECC, and All.
l If the authentication mode is password, password-ECC, or password-RSA, configure a local user on
the server with the same user name.
l If the authentication mode is RSA, password-RSA, ECC, password-ECC, or All, save the RSA or
ECC public key generated on the SSH client to the server.

# Configure VTY user interfaces.
[~CE1] user-interface vty 0 4
[~CE1-ui-vty0-4] authentication-mode aaa
[*CE1-ui-vty0-4] protocol inbound ssh
[*CE1-ui-vty0-4] commit
[~CE1-ui-vty0-4] quit

l Create an SSH user named client001.


# Create an SSH user named client001 and configure password authentication for the
user.
[~CE1] ssh user client001
[*CE1] ssh user client001 authentication-type password

# Set the password of client001 to Hello-huawei123.


[*CE1] aaa
[*CE1-aaa] local-user client001 password
Please configure the password (8-128)
Enter Password:
Confirm Password:

NOTE

A password is entered in man-machine interaction mode. The system does not display the entered
password.
A password cannot contain question marks (?) or spaces. However, if the password is enclosed in
double quotation marks, spaces are allowed inside it.
– If the quoted password contains spaces, it cannot also contain double quotation marks.
– If the quoted password contains no spaces, it may contain double quotation marks.
For example, the password "Aa123"45"" is valid, but the password "Aa 123"45"" is invalid.
[*CE1-aaa] local-user client001 service-type ssh
[*CE1-aaa] quit

# Set the service type of client001 to STelnet.


[*CE1] ssh user client001 service-type stelnet

l Create an SSH user named client002.
# Create an SSH user named client002, configure RSA authentication for the user, and
bind the RSA public key to client002.
[*CE1] ssh user client002
[*CE1] ssh user client002 authentication-type rsa
[*CE1] ssh user client002 assign rsa-key RsaKey001

# Set the service type of client002 to SFTP and configure the authorized directory for the
user.
[*CE1] ssh user client002 service-type sftp
[*CE1] ssh user client002 sftp-directory cfcard:
[*CE1] commit

Step 7 Enable the STelnet and SFTP server functions on the SSH server.
[~CE1] stelnet server enable
[*CE1] sftp server enable
[*CE1] commit

Step 8 Configure PE1 (the SSH client) to log in to CE1 (the SSH server).
# If the client logs in to the server for the first time, enable first authentication on the client.
[~PE1] ssh client first-time enable
[*PE1] commit

# Use STelnet to log in to the SSH server.


[~PE1] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...
Enter password:

Enter the password Hello-huawei123. The information indicating a successful login is
displayed as follows:
Info: The max number of VTY users is 10, and the current number
of VTY users on line is 1.
<CE1>

# Use SFTP to log in to the SSH server.


[~PE1] sftp 10.1.1.1 -vpn-instance vpn1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
The server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):y
The server's public key will be saved with the name:10.1.1.1. Please wait...

After the login succeeds, the following information is displayed.
<sftp-client>

Step 9 Verify the configuration.

After the configuration is complete, run the display this command in the interface view on
PE1. The command output shows the VPN instance has been successfully configured. Run
the display ssh server session command on CE1. The command output shows the STelnet or
SFTP client has been successfully connected to the SSH server.

# Check the connection to the SSH server.


[~PE1] display ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : SFTP 0
Version : 2.0
State : Started
Username : user1
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-md5
STOC Hmac : hmac-md5
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group-exchange-sha1
Public Key : ecc
Service Type : SFTP
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:00:49
Total Packet Number : 90
Packet Number after Rekey : 0
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------

----End


Configuration Files
l CE1 configuration file
#
sysname CE1
#
rsa peer-public-key rsakey001
public-key-code begin
3067
0260
9E6EDDE7 AEFF3F9F 5090ECA5 11DE117E 6660707F 23AC8DE2 BDB58E1E D46856B5
419CAEDF 3A33DD40 278C6403 24ADC2E6 B110A8ED B6CC644F 055C5437 D720D3D8
9A3F9DE5 4FE062DF F2DC443E 9092A0F4 970B8CC9 C8684678 CF0682F3 6301F5F3
0203
010001
public-key-code end
peer-public-key end
#
stelnet server enable
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 assign rsa-key rsakey001
ssh user client002 authentication-type rsa
ssh user client002 sftp-directory cfcard:
ssh user client002 service-type sftp
#
aaa
local-user client001 password cipher @%@%UyQs4,KTtSwJo(4QmW#K,LC:@%@%
local-user client001 service-type ssh
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

l PE1 configuration file


#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ssh client first-time enable
#
return

- P configuration file
#
sysname P
#
mpls lsr-id 2.2.2.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/2
undo shutdown
ip address 200.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 100.1.1.0 0.0.0.255
network 200.1.1.0 0.0.0.255
#
return

- PE2 configuration file
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
#
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 200.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/1
undo shutdown
ip binding vpn-instance vpn1
ip address 10.1.2.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.2.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 200.1.1.0 0.0.0.255
#
return

- CE2 configuration file
#
sysname CE2
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.1.2.1 255.255.255.0
#
bgp 65420
peer 10.1.2.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.2.2 enable

#
return

8.12.12 Example for Using SCP to Access Files on Other Devices

This section provides an example for allowing an SCP client to access an SSH server and download files from it.

Networking Requirements
Unlike SFTP, SCP allows file upload or download without user authentication or public key
allocation. SCP also supports file upload or download in batches.

As shown in Figure 8-24, the device functioning as the SCP client has a reachable route to
the SSH server and can download files from the SSH server.

Figure 8-24 Using SCP to access another device (SCP client, source address 1.1.1.1/32, reaching the SCP server at 172.16.104.110/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a local RSA key pair on the SSH server.
2. Create an SSH user on the SSH server.
3. Enable the SCP service function on the SSH server.
4. Enable first authentication on the SSH client.
5. Specify the IP address of the source interface on the SCP client.
6. Download files from the SSH server to the SCP client.

Data Preparation
To complete the configuration, you need the following data:

- SSH user name, authentication mode, and authentication password
- IP address of the source interface on the SCP client
- Names and paths of the source and destination files

Procedure
Step 1 Configure the SSH server to generate a local RSA key pair.
<HUAWEI> system-view
[~HUAWEI] sysname SSH Server
[*HUAWEI] commit
[~SSH Server] rsa local-key-pair create
The key name will be:SSH Server_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.

Step 2 Create an SSH user on the SSH server.
# Configure VTY user interfaces.
[*SSH Server] user-interface vty 0 4
[*SSH Server-ui-vty0-4] authentication-mode aaa
[*SSH Server-ui-vty0-4] protocol inbound ssh
[*SSH Server-ui-vty0-4] quit

# Create an SSH user named client001 and configure password authentication for the user.
[*SSH Server] ssh user client001
Info: Succeeded in adding a new SSH user.
[*SSH Server] ssh user client001 authentication-type password

# Set the password of the SSH user to %TGB6yhn7ujm.
[*SSH Server] aaa
[*SSH Server-aaa] local-user client001 password irreversible-cipher %TGB6yhn7ujm
Info: A new user is added.
[*SSH Server-aaa] local-user client001 service-type ssh
[*SSH Server-aaa] quit

# Set the service type of the SSH user to all.
[*SSH Server] ssh user client001 service-type all

Step 3 Enable the SCP service function on the SSH server.
[*SSH Server] scp server enable
Info: Succeeded in starting the SCP server.
[*SSH Server] commit

Step 4 Download files from the SSH server to the SCP client.
# For the first login, enable first authentication on the SSH client.
<HUAWEI> system-view
[~HUAWEI] sysname SCP Client
[*SCP Client] ssh client first-time enable

# Set the source IP address of the SCP client to 1.1.1.1 (the IP address of a loopback
interface).
[*SCP Client] scp client-source -a 1.1.1.1
Info: Succeeded in setting the source address of the SCP client to 1.1.1.1.

# Use the AES128 algorithm to encrypt the transfer, and download the file license.txt from the remote SSH server at 172.16.104.110 to the local working directory.
[*SCP Client] scp -a 1.1.1.1 -cipher aes128 client001@172.16.104.110:license.txt license.txt
[*SCP Client] commit

Step 5 Verify the configuration.
Run the display scp-client command on the SCP client. The command output is as follows:

<HUAWEI> display scp-client
The source address of SCP client is 1.1.1.1.

----End

Configuration Files
- SSH server configuration file
#
sysname SSH Server
#
aaa
local-user client001 password irreversible-cipher @%@%1-w$!gvBa#6W,ZUm2EN*BYqNWwI3BV\uV`%_oauS;RQB&Y%>>~GV#QzO~k/8;U6;@%@%
local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
#
return

- SCP client configuration file
#
sysname SCP Client
#
ssh client first-time enable
scp client-source 1.1.1.1
#
return
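After the first login succeeds, the saved configuration files above are what remains on both devices. The following script is an added example, not part of this guide, that audits such files for the settings this chapter either treats as first-login conveniences or advises against: first-time authentication left enabled on the client, an SSH user with service-type all, and des/3des cipher names (the chapter's note). The sample configurations are the two files shown above, reproduced inline and abridged; the password cipher text is a placeholder.

```python
import re
from typing import List

# Constructed sample input: the SCP client and SSH server configuration files
# from the example above, reproduced inline and abridged (the password cipher
# text is a placeholder, not the page's value).
SCP_CLIENT_CFG = """\
#
sysname SCP Client
#
ssh client first-time enable
scp client-source 1.1.1.1
#
return
"""

SSH_SERVER_CFG = """\
#
sysname SSH Server
#
aaa
 local-user client001 password irreversible-cipher @%@%PLACEHOLDER@%@%
 local-user client001 service-type ssh
#
scp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
#
return
"""

def audit_ssh_config(cfg: str) -> List[str]:
    """Advisory findings for settings that ease the first login but deserve review."""
    findings: List[str] = []
    lines = [line.strip() for line in cfg.splitlines()]
    # With first-time authentication on, the client accepts whatever host key the
    # server presents on first contact instead of checking a stored public key.
    if "ssh client first-time enable" in lines:
        findings.append("client: first-time authentication left enabled")
    for line in lines:
        m = re.match(r"ssh user (\S+) service-type all$", line)
        if m:
            findings.append(f"server: user {m.group(1)} has service-type all")
        # The chapter's note says not to use des/3des; skip password lines so a
        # stored password's cipher text is not mistaken for a cipher name.
        if "password" not in line and re.search(r"\bcipher\b.*\b(3?des)\b", line):
            findings.append(f"weak cipher configured: {line}")
    return findings
```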

8.12.13 Example for Configuring HTTP for Device Login

This section provides an example for configuring HTTP for device login, so that you can log in to an HTTP server from an HTTP client to download the desired certificate.

Networking Requirements
To enable an HTTP client to download a certificate from an HTTP server, use HTTP. On the
network shown in Figure 8-25, the route between the device functioning as an HTTP client
and the HTTP server is reachable. You can log in to the HTTP server from the HTTP client to
download a certificate from the server.
The server supports SSL policies. To improve data transmission security, configure an SSL
policy on the HTTP client.

Figure 8-25 Device login using HTTP (HTTP client connected to the HTTP server over the network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an SSL policy on the HTTP client.
2. Configure the HTTP client.

Data Preparation
To complete the configuration, you need the following data:
- SSL policy name policy1 to be configured on the HTTP client

Procedure
Step 1 Configure an SSL policy on the HTTP client.
<HUAWEI> system-view
[~HUAWEI] ssl-policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa key-file a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] trusted-ca load pem-ca a_rootcertchain2_pem_dsa.pem
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit

Step 2 Configure the HTTP client.
[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1
[*HUAWEI-http] client ssl-verify peer
[*HUAWEI-http] commit
[~HUAWEI-http] quit

Step 3 Check whether the HTTP client is successfully configured.
[~HUAWEI] display ssl policy
SSL Policy Name: policy1
Policy Applicants: HTTP-CLIENT
Key-pair Type: DSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: a_servercertchain2_pem_dsa.pem
Key-file Filename: a_serverkeychain2_pem_dsa.pem
Auth-code: ******
MAC:
Issuer name: HUAWEI
Validity Not Before: 2008-07-04 06:30:11Z
Validity Not After: 2018-07-02 06:30:11Z
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = a_rootcertchain2_pem_dsa.pem
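The display ssl policy output above reports the certificate's validity window and the trusted CA loaded for the policy. As an added example that is not part of this guide, the following script parses that output and flags a certificate outside its validity window or a policy with no trusted CA (without one, client ssl-verify peer has nothing to validate the server against); the sample output is the one shown above, reproduced inline, and the check date is passed in as a YYYY-MM-DD string.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample input: the display ssl policy output from Step 3 above,
# reproduced inline.
DISPLAY_SSL_POLICY = """\
SSL Policy Name: policy1
Policy Applicants: HTTP-CLIENT
Key-pair Type: DSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: a_servercertchain2_pem_dsa.pem
Key-file Filename: a_serverkeychain2_pem_dsa.pem
Auth-code: ******
MAC:
Issuer name: HUAWEI
Validity Not Before: 2008-07-04 06:30:11Z
Validity Not After: 2018-07-02 06:30:11Z
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = PEM, Filename = a_rootcertchain2_pem_dsa.pem
"""

def parse_ssl_policy(output: str) -> Dict[str, str]:
    """Split each 'Key: value' line at its first colon; empty values stay empty."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_ssl_policy(output: str, today: str) -> List[str]:
    """Advisory findings for the policy as of 'today' (YYYY-MM-DD, UTC)."""
    p = parse_ssl_policy(output)
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    stamp = "%Y-%m-%d %H:%M:%SZ"  # timestamp layout used in the display output
    not_before = datetime.strptime(p["Validity Not Before"], stamp).replace(tzinfo=timezone.utc)
    not_after = datetime.strptime(p["Validity Not After"], stamp).replace(tzinfo=timezone.utc)
    findings: List[str] = []
    if now < not_before:
        findings.append(f"certificate not valid before {p['Validity Not Before']}")
    if now > not_after:
        findings.append(f"certificate expired on {p['Validity Not After']}")
    # 'client ssl-verify peer' can only validate the server if a CA is loaded.
    if not any(k.startswith("Trusted-CA File ") and v for k, v in p.items()):
        findings.append("no trusted CA loaded for peer verification")
    return findings
```

Checked against this guide's issue date (2018-12-05), the sample certificate is already past its Validity Not After of 2018-07-02.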

----End

Configuration Files
- HTTP client configuration file
#
ssl policy policy1
certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa key-file a_serverkeychain2_pem_dsa.pem auth-code cipher %^%#<`c/:cbTs/'sK\S+ct)8ia_d!Ukn|&7pOM!5|dT6%^%#
trusted-ca load pem-ca a_rootcertchain2_pem_dsa.pem
#
http
client ssl-policy policy1
client ssl-verify peer
#
return
