File Management Modes
Users can log in to a device or use the FTP, TFTP, SFTP, or SCP mode to manage files.
The device can function as a server or client to manage files.
- When the device functions as a server, you can access the device on a terminal to manage files on the device and transfer files between the device and the terminal.
- When the device functions as a client, you can use the device to manage files on other devices and transfer files between the device and other devices.
In TFTP mode, the device can function only as a client. In FTP, SFTP, or SCP mode, the device can function both as a server and a client.
Table 1-51 describes file management modes and their advantages and disadvantages.
Mode | Usage Scenario | Advantage | Disadvantage |
---|---|---|---|
Login to the device | When managing directories and files, log in to the device through the console port, Telnet, or STelnet. This login mode is mandatory for storage device management. | You can log in to the device directly to manage directories and files. | Only files on the local device can be managed. File transfer is not supported. |
FTP (File Transfer Protocol) | The FTP mode is applicable to file transfer scenarios with low network security requirements. It is widely used for version upgrades. | | In FTP mode, data is transmitted in plain text, causing security risks. |
TFTP (Trivial File Transfer Protocol) | On a lab LAN, the TFTP mode can be used to load or upgrade versions online. It is applicable to environments without complicated interactions between a client and a server. | Memory usage in TFTP mode is lower than in FTP mode. | |
SFTP (Secure File Transfer Protocol) | The SFTP mode is applicable to scenarios with high network security requirements. It is widely used for log download and file backup. | | Configurations are complicated. |
SCP (Secure Copy Protocol) | The SCP mode is applicable to efficient file upload and download scenarios with high network security requirements. | | Configurations are complicated (similar to SFTP configurations), and interactive operation is not supported. |
The first three file management modes are simple to learn and configure. The following describes the SFTP and SCP modes.
SFTP Mode
As part of SSH, the SFTP protocol allows remote users to securely log in to the device and perform file management and transfer over the secure channel provided by SSH, which improves data transmission security. In addition, the device can function as an SSH client and connect to a remote SSH server for secure file transfer.
SSH security features:
- Encrypted transmission: When an SSH connection is set up, two devices negotiate an encryption algorithm and a session key to ensure secure communications between them.
- Public key-based authentication: The device supports the RSA, DSA, or ECC authentication mode.
- Server authentication: The SSH protocol authenticates the server based on its public key to defend against bogus servers.
- Interaction data check: The SSH protocol uses a CRC (SSH1.5) or an MD5-based MAC algorithm (SSH2.0) to check the integrity and authenticity of transmitted data. This mechanism protects the system from man-in-the-middle attacks.
Establishment of an SSH connection:
- Negotiate the SSH version.
The client and the server negotiate an SSH version by exchanging character strings that specify the SSH version.
- Negotiate the algorithm.
The server and the client negotiate the key exchange algorithm, encryption algorithm, and MAC algorithm for subsequent communications.
- Exchange keys.
Based on the key exchange algorithm, the server and the client obtain the same session key and session ID after calculation.
- Authenticate users.
The client sends an authentication request containing the user identity information to the server. If the authentication fails or expires, the client is disconnected from the server.
The public key-based and password-based authentication modes are supported.
- In public key-based (RSA, DSA, or ECC) authentication mode, the client must generate an RSA, DSA, or ECC key pair and send the public key to the server. When a user initiates an authentication request, the client program randomly generates a text, encrypts it with the private key, and sends it to the server. The server decrypts the text using the public key. If decryption succeeds, the server considers the user trusted and grants the user access rights. If decryption fails, the client is disconnected from the server.
- Password-based authentication is implemented by Authentication, Authorization and Accounting (AAA). Similar to Telnet and FTP, SSH supports local database authentication and remote RADIUS server authentication. The SSH server compares the user name and password of an SSH client with the preset ones. If both match, authentication succeeds.
- Request a session.
After user authentication is complete, the client sends a session request to the server. After receiving the request, the server processes it.
- Enter the interactive session.
After the session request is accepted, the SSH connection enters the interactive session mode. In this mode, data is transmitted bidirectionally.
Before an SSH connection is set up, the local key pair (RSA, DSA, or ECC) must be generated on the server. The key pair is used to generate the session key and session ID and to authenticate the server. This step is essential to SSH server configuration.
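The "Exchange keys" and "Interaction data check" steps above, as an added example that is not part of the original documentation: a simplified Python model of the SSH key exchange in which both sides derive the same session key and session ID from the Diffie-Hellman result, then use a derived MAC key (HMAC-MD5, as the text states for SSH2.0) to detect a modified or replayed packet. The exchange hash is simplified (it omits the version strings, KEXINIT payloads, and host key that real SSH hashes), the group is the 1024-bit MODP group of RFC 2409, and the class, function names, and packet contents are constructed for illustration.

```python
import hashlib
import hmac
import secrets
# 1024-bit MODP prime of RFC 2409 group 2 (SSH's diffie-hellman-group1), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def mpint(n: int) -> bytes:
    """SSH-style big-integer encoding: 4-byte length + big-endian magnitude."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra zero byte keeps sign positive
    return len(body).to_bytes(4, "big") + body

class Party:
    """One side of the exchange (constructed); only the public value ever leaves this object."""
    def __init__(self) -> None:
        self.x = secrets.randbelow(P - 2) + 1      # private exponent, kept secret
        self.public = pow(G, self.x, P)            # e (client) or f (server), sent in clear
        self.session_id = self.mac_key = b""

    def derive(self, peer_public: int, e: int, f: int) -> int:
        k = pow(peer_public, self.x, P)            # shared secret K, identical on both sides
        h = hashlib.sha256(mpint(e) + mpint(f) + mpint(k)).digest()  # simplified exchange hash
        self.session_id = h                        # first exchange hash is the session ID
        # Client-to-server MAC key, derived as HASH(K || H || "E" || session_id) like SSH does.
        self.mac_key = hashlib.sha256(mpint(k) + h + b"E" + self.session_id).digest()
        return k

def mac_packet(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """SSH2 integrity tag: keyed MAC over sequence number + packet (HMAC-MD5 here)."""
    return hmac.new(mac_key, seq.to_bytes(4, "big") + payload, hashlib.md5).digest()

def verify_packet(mac_key: bytes, seq: int, payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_packet(mac_key, seq, payload), tag)

def demo() -> tuple:
    client, server = Party(), Party()
    e, f = client.public, server.public          # the two values actually exchanged
    client.derive(f, e, f)
    server.derive(e, e, f)
    seq, payload = 3, b"get flash:/device.cfg"   # constructed interactive-session request
    tag = mac_packet(client.mac_key, seq, payload)
    intact = verify_packet(server.mac_key, seq, payload, tag)                # True
    modified = verify_packet(server.mac_key, seq, b"get flash:/x.cfg", tag)  # False
    replayed = verify_packet(server.mac_key, seq + 1, payload, tag)          # False: seq differs
    return intact, modified, replayed
```

Because the sequence number is inside the MAC input, a captured packet fails verification when presented again at a later position in the stream, which is the replay protection the text attributes to the SSH data check.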
SCP Mode
SCP, which is based on the SSH remote file copy function, is used to copy, upload, and download files. The SCP commands are easy to use, improving network maintenance efficiency.