CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.
Configuration Examples

This section gives examples of logging in to the device through a console port, Telnet, and STelnet, and of configuring the device to log in to another device.

Example for Logging In to the Device Through a Console Port

Networking Requirements

When you cannot log in to the device remotely, you can log in locally through a console port. By default, the console user interface requires only a password. To improve security, use AAA authentication on the console user interface so that a user name and a password are both required.

Figure 1-13 Networking diagram of user login through a console port

Configuration Roadmap

The configuration roadmap is as follows:

  1. Use the terminal simulation software to log in to the device through a console port.
  2. Configure the authentication mode of the console user interface.

Procedure

  1. Use the terminal simulation software to log in to the device through a console port.

    NOTE:

    The terminal communication parameters must match the physical attribute parameters configured on the console port user interface. If an authentication mode is set on the console port user interface, you can log in to the device only after you are authenticated.

    1. Insert the DB9 connector of the console cable delivered with the product to the 9-pin serial port on the PC, and insert the RJ45 connector to the console port of the device.
    2. Start the terminal simulation software on the PC. Establish a connection, and set the connected interface and communication parameters.

      NOTE:

      A PC may have several serial interfaces; select the one the console cable is connected to. Generally, this is COM1.

      If the serial port communication parameters of the device are modified, modify the communication parameters on the PC accordingly (ensure that the parameter values are the same) and re-establish the connection.

    3. Press Enter until the following prompt appears, then enter and confirm the password. (The output below is for reference only.)

      An initial password is required for the first login via the console. 
      Continue to set it? [Y/N]: y   
      Set a password and keep it safe! Otherwise you will not be able to login via the console.                                           
                                                           
      Please configure the login password (8-16) 
      Enter Password:  
      Confirm Password: 
      NOTE:
      • If no authentication password is configured, users can log in to the device without entering a password. This is a security risk; configure the authentication password.

      • The password is a string of 8 to 16 case-sensitive characters. The password must contain at least two of the following character types: upper-case and lower-case letters, digits, and special characters except the question mark (?) and space.

      • The password entered in interactive mode is not displayed on the screen.

      • When you log in to the system again in password authentication mode, enter the password that is set during the initial login.

      You can run commands to configure the device. Enter a question mark (?) whenever you need help.

  2. Configure the authentication mode of the console user interface.

    <HUAWEI> system-view
    [~HUAWEI] user-interface console 0
    [~HUAWEI-ui-console0] authentication-mode aaa
    [~HUAWEI-ui-console0] user privilege level 15
    [~HUAWEI-ui-console0] commit
    [~HUAWEI-ui-console0] quit
    [~HUAWEI] aaa
    [~HUAWEI-aaa] local-user huawei password irreversible-cipher huawei2012
    [~HUAWEI-aaa] local-user huawei level 3
    [~HUAWEI-aaa] local-user huawei service-type terminal
    [~HUAWEI-aaa] commit

    After the preceding operations, you can log in to the device again through the console user interface only by entering the user name huawei and the password huawei2012.
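    The note in step 1 sets out the password rules the device enforces: 8 to 16 characters, at least two of the four character classes, and neither a question mark nor a space. The following Python function is an added example, not the device's own check and not code from this guide; it applies exactly those documented rules so that candidate passwords can be screened before they are typed at the console, and it classes the two passwords used in this section's examples (huawei2012 and Helloworld@6789) as acceptable. Passing the check is only the floor the device enforces; a password that passes can still be weak, as huawei2012 is.

```python
"""Check a candidate login password against the policy stated on this page:
8 to 16 characters, at least two of {upper, lower, digit, special}, and
neither '?' nor a space. Added example mirroring the documented rule; it is
not the device's own check and may differ from it in edge cases."""
import string

# The policy counts "special characters except the question mark and space".
# Printable ASCII punctuation minus '?' is the assumed set of specials.
SPECIAL_CHARS = set(string.punctuation) - {"?"}
FORBIDDEN = {"?", " "}


def character_classes(pw):
    """Return the subset of {upper, lower, digit, special} that pw uses."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIAL_CHARS:
            classes.add("special")
    return classes


def check_password(pw):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8 to 16 characters (got %d)" % len(pw))
    bad = sorted(FORBIDDEN & set(pw))
    if bad:
        problems.append("forbidden characters: " + ", ".join(repr(c) for c in bad))
    if len(character_classes(pw)) < 2:
        problems.append("must use at least two character classes "
                        "(upper, lower, digit, special)")
    return problems


if __name__ == "__main__":
    for candidate in ["huawei2012", "Helloworld@6789", "password", "Huawei?123", "Ab1"]:
        print(repr(candidate), check_password(candidate) or "OK")
```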

Configuration Files
#
aaa
 local-user huawei password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
 local-user huawei service-type terminal
 local-user huawei level 3
#
user-interface con 0
 authentication-mode aaa
#
return

Example for Logging In to the Device Through Telnet

Networking Requirements

As shown in Figure 1-14, users need to manage the device remotely with a simple configuration. Configure AAA authentication for Telnet users on the server, and configure a security policy so that only PC1 can be used to log in to the device.

Figure 1-14 Networking diagram of logging in to the device through Telnet

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet login mode to implement remote network device maintenance.

  2. Configure the administrator's user name and password and the AAA authentication mode to ensure that only the administrator can log in to the device.

  3. Configure a security policy to ensure that only PC1 can be used to log in to the device.

Procedure

  1. Set the server listening port number and enable the server function.

    <HUAWEI> system-view
    [~HUAWEI] sysname Telnet Server
    [*HUAWEI] commit
    [~Telnet Server] undo telnet server disable
    [*Telnet Server] telnet server port 1025

  2. Set the VTY user interface parameters.

    # Set the maximum number of VTY user interfaces.

    [*Telnet Server] user-interface maximum-vty 8
    [*Telnet Server] commit

    # Restrict the source IP addresses from which users may log in. Because the goal is that only PC1 can log in, also test from a host that matches neither rule to confirm how your software version treats addresses that match no rule in the ACL.

    [*Telnet Server] acl 2001
    [*Telnet Server-acl4-basic-2001] rule permit source 10.137.217.10 32
    [*Telnet Server-acl4-basic-2001] rule deny source 10.137.217.20 32
    [*Telnet Server-acl4-basic-2001] quit
    [*Telnet Server] user-interface vty 0 7
    [*Telnet Server-ui-vty0-7] acl 2001 inbound

    # Configure the terminal attributes of the VTY user interface.

    [*Telnet Server-ui-vty0-7] shell
    [*Telnet Server-ui-vty0-7] idle-timeout 20
    [*Telnet Server-ui-vty0-7] screen-length 30
    [*Telnet Server-ui-vty0-7] history-command max-size 20

    # Configure the user authentication mode of the VTY user interface.

    [*Telnet Server-ui-vty0-7] authentication-mode aaa
    [*Telnet Server-ui-vty0-7] quit

  3. Configure the login user information.

    # Configure the login authentication mode.

    [*Telnet Server] aaa
    [*Telnet Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [*Telnet Server-aaa] local-user admin1234 service-type telnet
    [*Telnet Server-aaa] local-user admin1234 level 3
    [*Telnet Server-aaa] commit
    [~Telnet Server-aaa] quit

  4. Configure the client login.

    Enter commands at the command line prompt to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

    Press Enter, and enter the user name and password at the prompt. If authentication succeeds, the command line prompt of the user view is displayed.

    Username:admin1234
    Password:
    Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
          The current login time is 2012-08-04 19:49:11.
          First login successfully.
    <Telnet Server>

Configuration Files

Telnet server configuration file

#
sysname Telnet Server
#
telnet server port 1025
#
acl number 2001
 rule 5 permit source 10.137.217.10 0
 rule 10 deny source 10.137.217.20 0 
#
aaa
 local-user admin1234 password irreversible-cipher $1a$W%5UO7^fqT$f5Kr+,t$(ETvQk%bVeb,fR.aQsT:&0[W+0B6;=S3$
 local-user admin1234 service-type telnet
 local-user admin1234 level 3
#
user-interface maximum-vty 8
#
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

Example for Logging In to the Device Through STelnet

Networking Requirements

As shown in Figure 1-15, users require secure login. Telnet sends credentials and session data in clear text, so it cannot provide secure authentication; STelnet (Telnet over SSH) can be configured instead to secure remote login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address of the management interface on the SSH server. Two login users, client001 and client002, need to be configured on the SSH server. PC1 uses the client001 account to log in to the SSH server through password authentication; PC2 uses the client002 account to log in to the SSH server through RSA authentication. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.

Figure 1-15 Networking diagram of logging in to the device through STelnet

Configuration Roadmap

The configuration roadmap is as follows:

  1. Install the SSH client software on PC1. Install the key pair generation software, public key conversion software, and SSH client software on PC2.

  2. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  3. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  4. Enable the STelnet service on the SSH server.

  5. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.
  6. Configure the STelnet service type for the SSH users client001 and client002 on the SSH server.

  7. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server. Accept the 2048-bit default: although the command accepts a modulus as small as 512 bits, RSA keys that short can be factored and must not be used for a host key.

    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be: SSH Server_Host
    The range of public key size is (512 ~ 2048).
    NOTE: Key pair generation will take a short while.
    Input the bits in the modulus [default = 2048] : 2048

  2. Create an SSH user on the server.

    NOTE:

    There are eight authentication modes for an SSH user: password, RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, and all.

    # Configure the VTY user interface.

    [*SSH Server] user-interface vty 0 4
    [*SSH Server-ui-vty0-4] authentication-mode aaa
    [*SSH Server-ui-vty0-4] protocol inbound ssh
    [*SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [*SSH Server] aaa
      [*SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [*SSH Server-aaa] local-user client001 level 3
      [*SSH Server-aaa] local-user client001 service-type ssh
      [*SSH Server-aaa] quit
      [*SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [*SSH Server] ssh user client002 authentication-type rsa
      [*SSH Server] commit

      # Generate a local key pair of the client on PC2.

      1. Run puttygen.exe on the client. It is used to generate the public and private key files.

        Select SSH2 RSA and click Generate. By moving the cursor in the blank area, you can find that the key is being generated.

        Figure 1-16 PuTTY Key Generate page (1)

        After the key is generated, click Save public key to save the key in the key.pub file.

        Figure 1-17 PuTTY Key Generate page (2)

        Click Save private key. The PuTTYgen Warning dialog box is displayed. Click Yes. The private key is saved in the private.ppk file.

        Figure 1-18 PuTTY Key Generate page (3)

      2. Run sshkey.exe on the client. Convert the generated public key to the character string required for the device.

        Open the key.pub file generated in the previous step.

        Figure 1-19 ssh key converter page (1)

        Click Convert(C). You can see the public keys before and after conversion.

        Figure 1-20 ssh key converter page (2)

      # Enter the RSA public key generated on PC2 on the SSH server.
      [~SSH Server] rsa peer-public-key rsakey001
      [*SSH Server-rsa-public-key] public-key-code begin
      [*SSH Server-rsa-public-key-rsa-key-code] 30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7
      [*SSH Server-rsa-public-key-rsa-key-code] 048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118
      [*SSH Server-rsa-public-key-rsa-key-code] 4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
      [*SSH Server-rsa-public-key-rsa-key-code] 62E3F2A5 8C04C443 CF51CF51 136B5B9E 812AB1B7 1250EB24
      [*SSH Server-rsa-public-key-rsa-key-code] A4AE5083 A1DB18EC E2395C9B B806E8F0 0BE24FB5 16958784
      [*SSH Server-rsa-public-key-rsa-key-code] 403B617F 8AAAB1F8 C6DE8C3C F09E4D23 7D1C17BF 4AAF09C4
      [*SSH Server-rsa-public-key-rsa-key-code] 74C083AF 17CD3075 3396B322 32C57FF0 B1991971 02F1033B
      [*SSH Server-rsa-public-key-rsa-key-code] 81AA6D47 44520F23 685FAF72 04BA4B6E 615EF224 14E64E2A
      [*SSH Server-rsa-public-key-rsa-key-code] 331EEB7F 188D9805 96DBFD30 0C947A5A BA879DC4 F848B769
      [*SSH Server-rsa-public-key-rsa-key-code] 513C35CD B52B2917 02B77693 F79910EE 5287F252 977F985E
      [*SSH Server-rsa-public-key-rsa-key-code] 5F186C94 93F26780 4E7F5F9D 5287350A 0A4F4988 1BF6AB7C
      [*SSH Server-rsa-public-key-rsa-key-code] 1B020125
      [*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
      [*SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [*SSH Server] ssh user client002 assign rsa-key rsakey001

  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [*SSH Server] stelnet server enable

  4. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.

    [*SSH Server] acl 2001
    [*SSH Server-acl4-basic-2001] rule permit source 10.137.217.10 32
    [*SSH Server-acl4-basic-2001] rule permit source 10.137.217.20 32
    [*SSH Server-acl4-basic-2001] rule deny source 10.137.217.30 32
    [*SSH Server-acl4-basic-2001] quit
    [*SSH Server] ssh server acl 2001

  5. Configure the STelnet service type for the client001 and client002 users.

    [*SSH Server] ssh user client001 service-type stelnet
    [*SSH Server] ssh user client002 service-type stelnet
    [*SSH Server] commit

  6. Verify the configuration.

    • Log in to the SSH server as the client001 user from PC1 using the password authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.
      Figure 1-21 PuTTY Configuration page - password authentication mode

      # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the SSH server.

      login as: client001
      Sent username "client001"
      client001@10.137.217.203's password:
       Warning: The initial password poses security risks. The password needs to be changed. Change now? [Y/N]:n
      Info: The max number of VTY users is 21, the number of current VTY users online is 2, and total number of terminal users online is 2.
            The current login time is 2012-08-04 20:09:11+00:00.
            First login successfully.
      <SSH Server>
    • Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

      Figure 1-22 PuTTY Configuration page - RSA authentication mode (1)

      # Choose Connection > SSH in the navigation tree. The page shown in Figure 1-23 is displayed. Select 2 for Preferred SSH protocol version.

      Figure 1-23 PuTTY Configuration page - RSA authentication mode (2)

      # Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure 1-24 is displayed. Select the private.ppk file corresponding to the public key configured on the server.

      Figure 1-24 PuTTY Configuration page - RSA authentication mode (3)

      # Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the SSH server.
      login as: client002
      Authenticating with public key "rsa-key"
      
      Info: The max number of VTY users is 21, the number of current VTY users online is 2, and total number of terminal users online is 2.
            The current login time is 2012-08-06 04:30:23+00:00.
            First login successfully.
      <SSH Server>

Configuration Files

SSH server configuration file

#
sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 30820108
  02820101
    00DD8904 1A5E30AA 976F384B 5DB366A7 048C0E79 06EC6B08 8BB9567D 75914B5B
    4EA7B2E5 1938D118 4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
    62E3F2A5 8C04C443 CF51CF51 136B5B9E 812AB1B7 1250EB24 A4AE5083 A1DB18EC
    E2395C9B B806E8F0 0BE24FB5 16958784 403B617F 8AAAB1F8 C6DE8C3C F09E4D23
    7D1C17BF 4AAF09C4 74C083AF 17CD3075 3396B322 32C57FF0 B1991971 02F1033B
    81AA6D47 44520F23 685FAF72 04BA4B6E 615EF224 14E64E2A 331EEB7F 188D9805
    96DBFD30 0C947A5A BA879DC4 F848B769 513C35CD B52B2917 02B77693 F79910EE
    5287F252 977F985E 5F186C94 93F26780 4E7F5F9D 5287350A 0A4F4988 1BF6AB7C
    1B
  0201
    25
 public-key-code end
 peer-public-key end
#
acl number 2001 
 rule 5 permit source 10.137.217.10 0 
 rule 10 permit source 10.137.217.20 0  
 rule 15 deny source 10.137.217.30 0
#
aaa
 local-user client001 password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
 local-user client001 service-type ssh
 local-user client001 level 3
#
stelnet server enable
ssh server acl 2001
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return

Example for Configuring the Device as the Telnet Client to Log In to Another Device

Networking Requirements

As shown in Figure 1-25, the PC and Switch Module1 have reachable routes to each other; Switch Module1 and Switch Module2 have reachable routes to each other. The user needs to manage and maintain Switch Module2 remotely. However, the PC cannot directly log in to Switch Module2 through Telnet because it has no reachable route to Switch Module2. The user can log in to Switch Module1 through Telnet, and then log in to Switch Module2 from Switch Module1. To prevent unauthorized devices from logging in to Switch Module2 through Telnet, an ACL needs to be configured to allow only the Telnet connection from Switch Module1 to Switch Module2.

Figure 1-25 Networking diagram of configuring the device as the Telnet client to log in to another device

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet authentication mode and password on Switch Module2.
  2. Configure an ACL on Switch Module2 that allows Telnet access only from Switch Module1.
  3. Log in to Switch Module2 from Switch Module1 through Telnet.

Procedure

  1. Configure the Telnet authentication mode and password on Switch Module2.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module2
    [*HUAWEI] commit
    [~Switch Module2] user-interface vty 0 4
    [*Switch Module2-ui-vty0-4] user privilege level 15
    [*Switch Module2-ui-vty0-4] authentication-mode aaa
    [*Switch Module2-ui-vty0-4] quit

  2. Configure the login user information.

    [*Switch Module2] aaa
    [*Switch Module2-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [*Switch Module2-aaa] local-user admin1234 service-type telnet
    [*Switch Module2-aaa] local-user admin1234 level 3
    [*Switch Module2-aaa] commit
    [~Switch Module2-aaa] quit

  3. Configure an ACL on Switch Module2 that allows Telnet access only from Switch Module1.

    [*Switch Module2] acl 2000
    [*Switch Module2-acl4-basic-2000] rule permit source 10.1.1.1 0
    [*Switch Module2-acl4-basic-2000] quit
    [*Switch Module2] user-interface vty 0 4
    [*Switch Module2-ui-vty0-4] acl 2000 inbound
    [*Switch Module2-ui-vty0-4] commit
    [~Switch Module2-ui-vty0-4] quit
    NOTE:

    It is optional to configure an ACL for Telnet services.

  4. Verify the configuration.

    # After the preceding configuration, you can log in to Switch Module2 from Switch Module1 through Telnet. You cannot log in to Switch Module2 from other devices.

    <HUAWEI> system-view
    [~HUAWEI] sysname Switch Module1
    [*HUAWEI] commit
    [~Switch Module1] quit
    <Switch Module1> telnet 10.2.1.1
    Username:admin1234
    Password:
    Info: The max number of VTY users is 8, the number of current VTY users online is 1, and total number of terminal users online is 1.
          The current login time is 2012-08-04 19:49:11.
          First login successfully.
    <Switch Module2>
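    The ACLs on this page (2001 in the Telnet and STelnet examples, 2000 here) permit specific hosts and, at most, deny one other specific host. A login attempt from any address that matches no rule falls through to the platform's default action for unmatched packets, which the examples do not state, yet the text claims that no other device can log in. The Python below is an added example, not VRP code: it evaluates rules the way a first-match ACL does, accepts the page's three wildcard spellings (0 in the configuration files, a prefix length such as 32 in the CLI, and dotted wildcards), and reports which probe sources the ACL leaves undecided. HARDENED_ACL_2001 is an assumed variant that appends a catch-all deny (rule deny source any on the device) so that the intent "only PC1" no longer depends on the default.

```python
"""Evaluate a VRP-style basic ACL as the VTY `acl ... inbound` check does:
rules are tried in order and the first match wins. Added example, not device
code; it shows which login sources fall through to the platform's default
action for packets that match no rule."""
import ipaddress

# A rule is (action, source address or None for "any", wildcard/mask field).
# ACL 2001 from the Telnet and STelnet examples on this page.
TELNET_ACL_2001 = [
    ("permit", "10.137.217.10", "32"),
    ("deny", "10.137.217.20", "32"),
]
# ACL 2000 from the Telnet-client example on this page.
SWITCH2_ACL_2000 = [
    ("permit", "10.1.1.1", "0"),
]
# Assumed hardened variant: the same permit, then an explicit catch-all deny
# (`rule deny source any`), so the outcome never depends on the default action.
HARDENED_ACL_2001 = [
    ("permit", "10.137.217.10", "32"),
    ("deny", None, "255.255.255.255"),
]


def wildcard_bits(field):
    """32-bit wildcard (1 = don't care) for the rule's mask field."""
    if "." in field:                      # dotted wildcard, e.g. 0.0.0.255
        return int(ipaddress.IPv4Address(field))
    value = int(field)
    if value == 0:                        # VRP shorthand for 0.0.0.0 (exact host)
        return 0
    if 1 <= value <= 32:                  # prefix length written in the CLI
        return (1 << (32 - value)) - 1
    raise ValueError("bad wildcard/mask field: %r" % field)


def rule_matches(rule, src):
    """True if src matches the rule's source under its wildcard."""
    _, source, field = rule
    if source is None:
        return True
    care = 0xFFFFFFFF ^ wildcard_bits(field)
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(source)) & care)


def evaluate(acl, src, default_action="permit"):
    """Return (action, index of the matching rule) or (default_action, None).

    The action for unmatched packets is platform- and version-specific, so it
    is a parameter here; closing that gap is what a catch-all deny is for."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, src):
            return rule[0], idx
    return default_action, None


def sources_left_to_default(acl, probes):
    """Probe addresses whose fate the ACL does not decide explicitly."""
    return [p for p in probes if evaluate(acl, p)[1] is None]


if __name__ == "__main__":
    probes = ["10.137.217.10", "10.137.217.20", "10.137.217.30", "192.0.2.99"]
    for name, acl in [("page ACL 2001", TELNET_ACL_2001),
                      ("hardened ACL 2001", HARDENED_ACL_2001)]:
        for p in probes:
            print(name, p, evaluate(acl, p, default_action="<platform default>"))
        print(name, "undecided:", sources_left_to_default(acl, probes))
```

    Run against the probes in the main block, the page's ACL 2001 leaves 10.137.217.30 and 192.0.2.99 undecided, while the hardened list denies both at rule index 1. The same reasoning applies to ACL 2000 here: only 10.1.1.1 is decided explicitly.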

Configuration Files

Switch Module2 configuration file

#
sysname Switch Module2
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher $1a$W%5UO7^fqT$f5Kr+,t$(ETvQk%bVeb,fR.aQsT:&0[W+0B6;=S3$
 local-user admin1234 level 3
 local-user admin1234 service-type telnet
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
#
return

Example for Configuring the Device as the STelnet Client to Log In to Another Device

Networking Requirements

The enterprise requires that secure data exchange should be performed between the server and client. As shown in Figure 1-26, two login users client001 and client002 are configured and they use the password and RSA authentication modes respectively to log in to the SSH server. A new port number is configured and the default port number is not used.

Figure 1-26 Networking diagram of logging in to another device through STelnet

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  2. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  3. Enable the STelnet service on the SSH server.

  4. Configure the STelnet service type for the SSH users client001 and client002 on the SSH server.

  5. Set a non-default SSH server listening port on the SSH server. This reduces exposure to automated scans of the standard port, but it is not a security control by itself; authentication and the ACL remain the actual protection.

  6. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.

    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] rsa local-key-pair create
    The key name will be: SSH Server_Host
    The range of public key size is (512 ~ 2048).
    NOTE: Key pair generation will take a short while.
    Input the bits in the modulus [default = 2048] :
    

  2. Create an SSH user on the server.

    NOTE:

    There are eight authentication modes for an SSH user: password, RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, and all.

    # Configure the VTY user interface.

    [*SSH Server] user-interface vty 0 4
    [*SSH Server-ui-vty0-4] authentication-mode aaa
    [*SSH Server-ui-vty0-4] protocol inbound ssh
    [*SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [*SSH Server] aaa
      [*SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [*SSH Server-aaa] local-user client001 level 3
      [*SSH Server-aaa] local-user client001 service-type ssh
      [*SSH Server-aaa] quit
      [*SSH Server] ssh user client001
      [*SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [*SSH Server] ssh user client002
      [*SSH Server] ssh user client002 authentication-type rsa
      [*SSH Server] commit

      # Generate a local key pair for Client002.

      <HUAWEI> system-view
      [~HUAWEI] sysname client002
      [*HUAWEI] commit
      [~client002] rsa local-key-pair create
      The key name will be: client002_Host
      The range of public key size is (512 ~ 2048).
      NOTE: Key pair generation will take a short while. 
      Input the bits in the modulus [default = 2048] : 
      
      [*client002] commit
      # Check the public key in the RSA key pair generated on the client.
      [~client002] display rsa local-key-pair public
      ======================Host key==========================
      Time of key pair created : 2014-03-03 08:56:38
      Key name                 : client002_Host
      Key type                 : RSA encryption key
      ========================================================
      Key code:
      
      3082010A
        02820101
          00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
          E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
          3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
          BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
          13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
          8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
          DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
          FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
          4345131D 431419D2 DD5E4003 6A7D3295 145F3175
          22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
          F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
          9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
          4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D
        0203
          010001
      
      Host public key for PEM format code:
      ---- BEGIN SSH2 PUBLIC KEY ----
      AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G
      ++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5
      Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW
      W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e
      QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP
      zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N
      ---- END SSH2 PUBLIC KEY ----
      
      Public key code for pasting into OpenSSH authorized_keys file:
      ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyWW6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1eQANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741APzhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N rsa-key
      
      Host public key for SSH1 format code:
      2048 65537 20795157856672359848547361269858029949242843585831182669194523227368193104900346497515640628387799944148117565743190560372839866518650826334570789434967748421758059819009372933406081783806078095544912659974962619265553249834353410753332354430547806044311868210891515536106321547674857755678562420627679242838953538641596303196319735544945586785624824422470182431294302701416123117839753539711135324233355004409377261990948860154217079946282631363906997434029648498179488817443035430749115657263252509381070628794959223309539977269992957151749764061913059943557804219705266011480071185559202342216149175188942626811469
      
      ======================Server key========================
      Time of key pair created : 2014-03-03 08:56:39
      Key name                 : client002_Server
      Key type                 : RSA encryption key
      ========================================================
      Key code:       
      
      3081B9
        0281B1
          00B9AE42 B8419F19 35C49A7B A55DBB6F 67D931F3
          9C19ECF9 9E17961B D01ED5DD 3AE68CFA 38C57113
          C93663F2 86768B19 AD0F603E 98F2C6AB A71A6C26
          8813411D 4AA56BC4 6505EC15 94647621 AB7D03BB
          79DA9B24 09BB1FD2 3927E2F9 00F79116 466411CD
          AC3D8FF6 A051FA5A 9BCE84CE 20842134 D2D27B4A
          219CB801 9F5A90E0 518DEEFC F48F5ED4 49215B1F
          11E1AC81 5E168A97 3AA5320D 7B158556 AF5CC95C
          9B508BBC 6EEFEEF9 0E23AA13 59E1F746 D5
        0203
          010001
      # Configure the RSA public key on the SSH server. The Host key "Key code" block of the display command output, from the leading 3082010A through the trailing 010001, is the RSA public key; copy it to the server.
      [~SSH Server] rsa peer-public-key rsakey001
      [*SSH Server-rsa-public-key] public-key-code begin
      [*SSH Server-rsa-public-key-rsa-key-code] 3082010A
      [*SSH Server-rsa-public-key-rsa-key-code] 2820101
      [*SSH Server-rsa-public-key-rsa-key-code] 00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
      [*SSH Server-rsa-public-key-rsa-key-code] E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
      [*SSH Server-rsa-public-key-rsa-key-code] 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
      [*SSH Server-rsa-public-key-rsa-key-code] BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
      [*SSH Server-rsa-public-key-rsa-key-code] 13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
      [*SSH Server-rsa-public-key-rsa-key-code] 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
      [*SSH Server-rsa-public-key-rsa-key-code] DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
      [*SSH Server-rsa-public-key-rsa-key-code] FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
      [*SSH Server-rsa-public-key-rsa-key-code] 4345131D 431419D2 DD5E4003 6A7D3295 145F3175
      [*SSH Server-rsa-public-key-rsa-key-code] 22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
      [*SSH Server-rsa-public-key-rsa-key-code] F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
      [*SSH Server-rsa-public-key-rsa-key-code] 9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
      [*SSH Server-rsa-public-key-rsa-key-code] 4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D
      [*SSH Server-rsa-public-key-rsa-key-code] 203
      [*SSH Server-rsa-public-key-rsa-key-code] 10001
      [*SSH Server-rsa-public-key-rsa-key-code] public-key-code end
      [*SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [*SSH Server] ssh user client002 assign rsa-key rsakey001
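      The step above pastes the hex from the display command output, and the PC-based STelnet example earlier on this page relies on sshkey.exe to convert a PuTTYgen key into the same format. The following Python script is an added example, not Huawei's converter and not code from this guide: it parses an OpenSSH "ssh-rsa" line (RFC 4253 wire format, exponent before modulus), re-encodes the two integers as a PKCS#1 RSAPublicKey DER structure, and prints them in the 8-character hex groups that public-key-code begin accepts. Its sample input is the client002 host key shown above in the "Public key code for pasting into OpenSSH authorized_keys file" line, so its first output line reproduces the 3082010A 02820101 00A4BAB8 ... sequence of the Key code block. Leading zero bytes (02820101, 0203) are kept, as in the display output. The SHA256 fingerprint function is there for comparing a key out of band before it is trusted.

```python
"""Convert an OpenSSH "ssh-rsa" public key line into the DER hex that the
VRP `public-key-code begin` block accepts. Added example, not Huawei's
sshkey.exe and not code from this guide; it re-encodes the key as a
PKCS#1 RSAPublicKey (SEQUENCE { modulus INTEGER, publicExponent INTEGER })."""
import base64
import hashlib
import struct

# Sample input: the client002 host key from the `display rsa local-key-pair
# public` output on this page, joined from the PEM lines shown there.
SAMPLE_OPENSSH_KEY = "ssh-rsa " + "".join([
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G",
    "++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5",
    "Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW",
    "W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e",
    "QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP",
    "zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N",
]) + " rsa-key"


def _read_string(buf, pos):
    """Read one RFC 4251 'string': uint32 big-endian length, then the bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated SSH key blob")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated SSH key blob")
    return buf[pos:pos + length], pos + length


def parse_openssh_rsa(line):
    """Return (blob, e, n) from an 'ssh-rsa <base64> [comment]' line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match ssh-rsa" % key_type)
    e_bytes, pos = _read_string(blob, pos)   # RFC 4253: exponent first
    n_bytes, pos = _read_string(blob, pos)   # then the modulus
    if pos != len(blob):
        raise ValueError("trailing data after modulus")
    return blob, int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _der_length(n):
    """DER definite length: one byte below 128, else 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER: minimal big-endian, with a 0x00 pad if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def rsa_public_key_der(e, n):
    """PKCS#1 RSAPublicKey: SEQUENCE { n INTEGER, e INTEGER } (n before e)."""
    inner = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(inner)) + inner


def to_vrp_key_code(line, groups_per_line=8):
    """Upper-case hex in 8-character groups, ready to paste into the CLI."""
    _, e, n = parse_openssh_rsa(line)
    hexstr = rsa_public_key_der(e, n).hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return "\n".join(" ".join(groups[i:i + groups_per_line])
                     for i in range(0, len(groups), groups_per_line))


def sha256_fingerprint(line):
    """OpenSSH-style 'SHA256:<base64>' fingerprint of the raw key blob."""
    blob, _, _ = parse_openssh_rsa(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    print(to_vrp_key_code(SAMPLE_OPENSSH_KEY))
    print(sha256_fingerprint(SAMPLE_OPENSSH_KEY))
```

      Paste the printed lines between public-key-code begin and public-key-code end; the rsa peer-public-key name and the ssh user ... assign rsa-key binding are unchanged. Because the output is derived from the public key alone, it can be checked against the display command output on the client before it is trusted on the server.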

  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [*SSH Server] stelnet server enable

  4. Configure the STelnet service type for the client001 and client002 users.

    [*SSH Server] ssh user client001 service-type stelnet
    [*SSH Server] ssh user client002 service-type stelnet

  5. Change the listening port of the SSH server from the default 22 to 1025.

    [*SSH Server] ssh server port 1025
    [*SSH Server] commit

  6. Connect the STelnet client to the SSH server.

    # Enable first-time authentication on the STelnet clients.

    With first-time authentication enabled, a client that has no cached host key for the server accepts the key the server presents on the first connection (trust on first use) and caches it for later logins. The prompts in the output below ask whether to continue when the server is not authenticated or its key differs from the cached one; answer y only after confirming the server's host key fingerprint out of band, because a key that unexpectedly differs from the cached one is exactly what a man-in-the-middle looks like. Enable first-time authentication for Client001.

    <HUAWEI> system-view
    [~HUAWEI] sysname client001
    [*HUAWEI] commit
    [~client001] ssh client first-time enable
    [*client001] commit
    [~client001] quit

    Enable the first authentication function for Client002.

    [~client002] ssh client first-time enable
    [*client002] commit
    [~client002] quit

    # Log in to the SSH server from Client001 in password authentication mode by entering the user name and password.

    <client001> stelnet 10.1.1.1 1025
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server's public key does not match the one cached before. 
    The server is not authenticated. Continue to access it?[Y/N]:y
    The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
    
    Please input the username: client001    
    Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r 
    Enter password:

    Enter the password. The following information indicates that you have logged in successfully:

    Warning: The initial password poses security risks.                             
    The password needs to be changed. Change now? [Y/N]:n
    
    Info: The max number of VTY users is 21, the number of current VTY users online 
    is 4, and total number of terminal users online is 4.                           
          The current login time is 2013-12-31 11:22:06.                            
          The last login time is 2013-12-31 10:24:13 from 10.1.2.2 through SSH.
    <SSH Server>

    # Log in to the SSH server from Client002 in RSA authentication mode.

    <client002> stelnet 10.1.1.1 1025
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server's public key does not match the one cached before.  
    The server is not authenticated. Continue to access it?[Y/N]:y
    The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
    
    Please input the username: client002
    Please select public key type for user authentication [R for RSA/D for DSA/E for ECC] Please select [R/D/E]:r
    
    Info: The max number of VTY users is 21, the number of current VTY users online 
    is 4, and total number of terminal users online is 4.                           
          The current login time is 2013-12-31 11:36:06. 
    
    <SSH Server>

    If the user view is displayed, you have logged in successfully. If the message "Session is disconnected" is displayed, the login fails.

  7. Verify the configuration.

    A connection to the default listening port 22 now fails, because the server accepts SSH only on port 1025. Moving the port only keeps the service out of casual scans; it is not an access control, so also bind an ACL to the SSH server (the ACL fields in the status output below show that none is bound in this example).

    <client002> stelnet 10.1.1.1
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.

    Run the display ssh server status command to confirm that the STelnet service is enabled and that the server listens on port 1025, and the display ssh user-information command to list the configured SSH users and their authentication types.

    # Check the status of the SSH server.

    [~SSH Server] display ssh server status
    SSH Version                                : 2.0
    SSH authentication timeout (Seconds)       : 60
    SSH authentication retries (Times)         : 3
    SSH server key generating interval (Hours) : 0
    SSH version 1.x compatibility              : Disable
    SSH server keepalive                       : Enable
    SFTP server                                : Enable
    STelnet server                             : Enable
    SNETCONF server                            : Disable
    SNETCONF server port(830)                  : Enable
    SCP server                                 : Disable
    SSH server DES                             : Disable
    SSH server port                            : 1025
    ACL name                                   : --
    ACL number                                 : --
    ACL6 name                                  : --
    ACL6 number                                : --
    SSH server source address                  : 0.0.0.0  

    # Check information about SSH users.

    [~SSH Server] display ssh user-information
    --------------------------------------------------------------------------------
    User Name             : client001
    Authentication type   : password
    User public key name  : --
    User public key type  : --
    Sftp directory        : flash:
    Service type          : stelnet
    
    User Name             : client002
    Authentication type   : rsa
    User public key name  : --
    User public key type  : --
    Sftp directory        : flash:
    Service type          : stelnet
    --------------------------------------------------------------------------------
    Total 2, 2 printed                                                              
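The key code pasted after public-key-code begin in step 2 is the client's RSA public key as a DER-encoded PKCS#1 RSAPublicKey (a SEQUENCE holding the modulus and the public exponent as INTEGERs), written in hexadecimal. The following Python script is an added example and is not part of this guide or of the switch software: it decodes the rsakey001 key code shown above, checks the key size and exponent, and converts between that hex form and the OpenSSH one-line ssh-rsa format, which is the conversion needed when a client's id_rsa.pub must be entered on the server. The ssh-rsa line and the comment client002 that it builds are constructed from the page's own key for the round trip, the 8-digit grouping of the output merely mirrors the layout of the configuration file, and the SHA256 fingerprint is computed the way OpenSSH prints it so the pasted key can be compared with the client's copy.

```python
import base64
import hashlib
import re

# rsakey001 key code, copied from the SSH server configuration file on this page
PAGE_KEY_CODE = """
3082010A
02820101
00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2
2303108D BDC24B80 A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896
29F8CA98 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8 DC965BA0 1771D9C0
A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78
75704359 0C70FD60 1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE
4D
0203
010001
"""

def key_code_to_der(text):
    """Drop whitespace from a key code and return the raw DER bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def _read_tlv(buf, pos):
    """Read one DER tag, length (short or long form) and value starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_to_rsa(der):
    """Decode PKCS#1 RSAPublicKey ::= SEQUENCE { INTEGER n, INTEGER e }."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, pos = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE does not hold exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _unsigned_be(v):
    """Big-endian bytes of v, 0x00-prefixed when the top bit is set (DER and SSH mpint rule)."""
    b = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    return b"\x00" + b if b[0] & 0x80 else b

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def rsa_to_der(n, e):
    """Encode (n, e) as PKCS#1 RSAPublicKey DER, the form the switch expects."""
    body = b"".join(b"\x02" + _der_len(len(x)) + x for x in (_unsigned_be(n), _unsigned_be(e)))
    return b"\x30" + _der_len(len(body)) + body

def der_to_key_code(der):
    """Lay the DER out as 8-digit hex groups, eight per line, ready for pasting."""
    groups = re.findall(r".{1,8}", der.hex().upper())
    return "\n".join(" ".join(groups[i:i + 8]) for i in range(0, len(groups), 8))

def _ssh_string(b):
    return len(b).to_bytes(4, "big") + b

def rsa_to_openssh(n, e, comment):
    """Build an OpenSSH public-key line; blob = string 'ssh-rsa', mpint e, mpint n."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_unsigned_be(e)) + _ssh_string(_unsigned_be(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def openssh_to_rsa(line):
    """Parse an 'ssh-rsa <base64> [comment]' line back into (n, e)."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob, pos, fields = base64.b64decode(parts[1]), 0, []
    while pos < len(blob):
        ln = int.from_bytes(blob[pos:pos + 4], "big")
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def openssh_to_key_code(line):
    """The text to enter after 'public-key-code begin' for a client's id_rsa.pub."""
    return der_to_key_code(rsa_to_der(*openssh_to_rsa(line)))

def fingerprint(line):
    """OpenSSH-style SHA256 fingerprint of the key blob, for comparison with the client's copy."""
    digest = hashlib.sha256(base64.b64decode(line.split()[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

Running der_to_rsa on the page's key code gives a 2048-bit modulus and the exponent 65537; feeding the rebuilt ssh-rsa line through openssh_to_key_code reproduces the same DER bytes as the configuration file, which is the check to make before pasting a key from a workstation into the server.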

Configuration Files
  • SSH server configuration file

    #
    sysname SSH Server
    #
    rsa peer-public-key rsakey001
     public-key-code begin
     3082010A
      02820101
        00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
        F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2
        2303108D BDC24B80 A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896
        29F8CA98 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8 DC965BA0 1771D9C0
        A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
        4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
        A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78
        75704359 0C70FD60 1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE
        4D
      0203
        010001
     public-key-code end
     peer-public-key end
    #
    aaa
     local-user client001 password irreversible-cipher $1a$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
     local-user client001 service-type ssh
     local-user client001 level 3
    #
    ssh server port 1025
    stelnet server enable
    ssh user client001
    ssh user client001 authentication-type password
    ssh user client001 service-type stelnet
    ssh user client002
    ssh user client002 authentication-type rsa
    ssh user client002 assign rsa-key rsakey001
    ssh user client002 service-type stelnet
    #
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh
    #
    return
  • Client001 configuration file

    #
    sysname client001
    #
    ssh client first-time enable
    #
    return
  • Client002 configuration file

    #
    sysname client002
    #
    ssh client first-time enable
    #
    return
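Step 7 verifies the server by reading display ssh server status and display ssh user-information by eye. The following Python script is an added example, not part of this guide or of the switch software: it parses the two outputs shown above (copied here as constructed sample text) into dictionaries and applies the checks a reviewer would want on an STelnet server: STelnet enabled, a non-default port, SSH 1.x compatibility and DES off, an ACL bound to the service, a bound source address, and which users still authenticate by password rather than by public key. The thresholds and the wording of the findings are this example's own policy.

```python
# Constructed sample: the two command outputs shown in the verification step above
SERVER_STATUS = """
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server keepalive                       : Enable
SFTP server                                : Enable
STelnet server                             : Enable
SNETCONF server                            : Disable
SNETCONF server port(830)                  : Enable
SCP server                                 : Disable
SSH server DES                             : Disable
SSH server port                            : 1025
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
SSH server source address                  : 0.0.0.0
"""

USER_INFO = """
--------------------------------------------------------------------------------
User Name             : client001
Authentication type   : password
User public key name  : --
User public key type  : --
Sftp directory        : flash:
Service type          : stelnet

User Name             : client002
Authentication type   : rsa
User public key name  : --
User public key type  : --
Sftp directory        : flash:
Service type          : stelnet
--------------------------------------------------------------------------------
Total 2, 2 printed
"""

ACL_FIELDS = ("ACL name", "ACL number", "ACL6 name", "ACL6 number")

def _fields(text):
    """Yield (key, value) for every 'Key : value' line, splitting on the first colon."""
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            yield key.strip(), value.strip()

def parse_status(text):
    """display ssh server status -> dict; the value '--' marks an unset field."""
    return dict(_fields(text))

def parse_users(text):
    """display ssh user-information -> one dict per 'User Name' record."""
    users = []
    for key, value in _fields(text):
        if key == "User Name":
            users.append({})
        if users:
            users[-1][key] = value
    return users

def audit(status, users):
    """Return the findings to raise against this STelnet server (policy is this example's)."""
    findings = []
    if status.get("STelnet server") != "Enable":
        findings.append("STelnet service is not enabled")
    if status.get("SSH server port", "22") == "22":
        findings.append("SSH server listens on the default port 22")
    if status.get("SSH version 1.x compatibility") != "Disable":
        findings.append("SSH 1.x compatibility is enabled")
    if status.get("SSH server DES") != "Disable":
        findings.append("single DES is enabled on the SSH server")
    if int(status.get("SSH authentication retries (Times)", "0")) > 3:
        findings.append("more than 3 authentication retries are allowed")
    if all(status.get(k, "--") == "--" for k in ACL_FIELDS):
        findings.append("no ACL bound to the SSH server: a non-default port is not access control")
    if status.get("SSH server source address") == "0.0.0.0":
        findings.append("SSH server source address is unset (0.0.0.0): connections are accepted on any address")
    for user in users:
        if user.get("Authentication type") == "password":
            findings.append("user %s authenticates by password; prefer public-key authentication"
                            % user.get("User Name"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_status(SERVER_STATUS), parse_users(USER_INFO)):
        print("FINDING:", finding)
```

On the outputs from this example the audit returns three findings: no ACL is bound, the source address is unset, and client001 still uses password authentication; the port change and the disabled SSH 1.x and DES settings pass.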
Updated: 2019-08-09

Document ID: EDOC1000041694