Configuring the Device as the Client to Log In to Another Device
A user can log in to another device on the network through Telnet or STelnet from the current device to manage and maintain the remote device.
Configuring the Device as the Telnet Client to Log In to Another Device
Pre-configuration Tasks
Before configuring the device as the Telnet client to log in to another device, complete the following tasks:
- Logging in to the device from a terminal
- Configuring a route between the device and Telnet server
- Enabling the Telnet service on the Telnet server
- Obtaining the Telnet user name, password, and port number configured on the Telnet server
Configuration Process
The Telnet protocol poses a security risk, and therefore the STelnet protocol is recommended.
Table 1-40 describes the tasks in the process of configuring the device as the Telnet client to log in to another device.
| No. | Task | Description | Remarks |
|---|---|---|---|
| 1 | Configure the Telnet client source address. | The source address can be set to a source IP address or source interface information, ensuring communication security. | - |
| 2 | Use the Telnet command to log in to the device from a terminal. | | |

Procedure
- (Optional) Configure the source address of the Telnet client.
Table 1-41 Configure the source address of the Telnet client.

| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Configure the Telnet client source address. | telnet client source { -a source-ip-address \| -i interface-type interface-number } | The Telnet client source address on the server must be the same as the address configured by running this command. |
| Commit the configuration. | commit | - |
| Return to user view. | quit | - |

- Log in to another device through Telnet.
Table 1-42 Actions for logging in to another device through Telnet

| Action | Command | Description |
|---|---|---|
| Use the IPv4 address to log in to the server through Telnet. | telnet [ [ vpn-instance vpn-instance-name ] -a source-ip-address \| -i interface-type interface-number ] host-ip [ port-number ] | Perform either of the following steps by determining whether the network protocol is based on IPv4 or IPv6. The Telnet client can log in successfully with no port specified only when the server is listening on port 23. If the server is listening on another port, the port number must be specified upon login. |
| Use the IPv6 address to log in to the server through Telnet. | telnet ipv6 host-ipv6 [ -oi interface-type interface-number ] [ port-number ] | |

Configuring the Device as the STelnet Client to Log In to Another Device
Pre-configuration Tasks
Before configuring the device as the STelnet client to log in to another device, complete the following tasks:
- Logging in to the device from a terminal
- Configuring a route between the device and STelnet server
- Enabling the STelnet service on the STelnet server
- Obtaining the SSH user information and port number configured on the STelnet server
Configuration Process
The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.
Table 1-43 describes the tasks in the process of configuring the device as the STelnet client to log in to another device.
| No. | Task | Description | Remarks |
|---|---|---|---|
| 1 | Generate a local key pair and configure the public key on the SSH server. | Perform this step only when the device logs in to the SSH server in RSA, DSA, or ECC authentication mode, not the password authentication mode. | Tasks 1, 2, and 3 can be performed in any sequence. |
| 2 | Configuring the mode for connecting the device to the SSH server for the first time | You can enable the first authentication function of the SSH client or configure the SSH client to assign a public key to the SSH server. | |
| 3 | Set the interval for sending keepalive packets on the SSH client and the maximum number of keepalive packets sent by the SSH client. | | |
| 4 | Use the STelnet command to log in to the device from a terminal. | | - |

Default Configuration
| Parameter | Default Setting |
|---|---|
| First authentication on the SSH client | Disabled |
| Whether the SSH client assigns the RSA, DSA, or ECC public key to the SSH server | No |

Procedure
- Generating a local key pair
NOTE:
Perform this step only when the device logs in to the SSH server in RSA, DSA, or ECC authentication mode, not the password authentication mode.
Table 1-45 Actions for generating a local key pair

| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Generate a local key pair. | rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create | Perform one of the operations based on the key type. Run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local RSA, DSA, or ECC key pair. Configure the public key on the SSH server. |
| Commit the configuration. | commit | - |

- Configuring the mode for connecting the device to the SSH server for the first time
If the public key of the SSH server has not been saved on the client, the system cannot check SSH server validity when the device that works as the client connects to the SSH server for the first time, and the connection fails. Perform one of the following operations:
- Enabling the first authentication mode on the SSH client: The system does not check the public key of the SSH server, which ensures that the first connection is successful. The system then assigns and saves the public key for subsequent authentication. For details, see Table 1-46. This configuration method is simple.
- Configuring the SSH client to assign a public key to the SSH server: The public key generated on the server is saved on the client, which ensures that the SSH server validity check is successful for the first connection. For details, see Table 1-47. This configuration method is complex but provides high security.
Select either of the preceding configuration methods as required.
Table 1-46 Actions for enabling first authentication for the SSH client

| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Enable first authentication for the SSH client. | ssh client first-time enable | By default, first authentication is disabled on the SSH client. |
| Commit the configuration. | commit | - |

Table 1-47 Actions for configuring the SSH client to assign the RSA, DSA, or ECC public key to the SSH server

| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Enter the RSA, DSA, or ECC public key view. | rsa peer-public-key key-name [ encoding-type { der \| openssh \| pem } ] or dsa peer-public-key key-name encoding-type { der \| openssh \| pem } or ecc peer-public-key key-name | Perform one of the operations based on the key type. |
| Enter the public key editing view. | public-key-code begin | - |
| Edit the public key. | hex-data | The public key must be a hexadecimal character string in the public key encoding format, and generated by the SSH server. After entering the public key editing view, you must enter the RSA, DSA, or ECC public key that is generated on the server to the client. |
| Quit the public key editing view. | public-key-code end | If no public key code hex-data is entered, the public key cannot be generated after you run this command. If the specified key key-name has been deleted, the system displays a message indicating that the key does not exist and returns to the system view directly when you run this command. |
| Return to the system view. | peer-public-key end | - |
| Bind the RSA, DSA, or ECC public key to the SSH server. | ssh client server-ip-address assign { rsa-key \| dsa-key \| ecc-key } key-name | If the SSH server public key saved in the SSH client does not take effect, run the undo ssh client server-ip-address assign { rsa-key \| dsa-key \| ecc-key } command to cancel the binding between the SSH server and RSA, DSA, or ECC public key, and run this command to assign a new RSA, DSA, or ECC public key to the SSH server. |
| Commit the configuration. | commit | - |

- Setting the SSH client parameters
If the SSH client does not receive any data packet from the server within a period, the client sends the maximum number of keepalive packets to the server. If the client does not receive any keepalive response packet from the server, the client disconnects from the server.
Table 1-48 Actions for setting the SSH client parameters

| Action | Command | Description |
|---|---|---|
| Enter the system view. | system-view | - |
| Set the interval for sending keepalive packets on the SSH client. | ssh client keepalive-interval seconds | If the client does not send any keepalive packet (the interval is 0), the maximum number of keepalive packets does not take effect. |
| Set the maximum number of keepalive packets sent by the SSH client. | ssh client keepalive-maxcount count | |
| Commit the configuration. | commit | - |

- Logging in to another device through STelnet

Table 1-49 Actions for logging in to another device through STelnet

| Action | Command | Description |
|---|---|---|
| Use the IPv4 address to log in to the SSH server through STelnet. | stelnet [ -a source-address \| -i interface-type interface-number ] host-ip [ port-number ] [ -vpn-instance vpn-instance-name \| prefer_kex kex-type \| prefer_ctos_cipher cipher-type \| prefer_stoc_cipher cipher-type \| prefer_ctos_hmac hmac-type \| prefer_stoc_hmac hmac-type \| prefer_ctos_compress zlib \| prefer_stoc_compress zlib \| -ki aliveinterval \| -kc alivecountmax \| identity-key { rsa \| dsa \| ecc } ] * | Run either of the commands based on the network address type. The STelnet client can log in successfully with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login. When logging in to the SSH server, the STelnet client can carry the source IP address and VPN instance name and select a key exchange algorithm, an encryption algorithm, compression algorithm, and an HMAC algorithm, and configure the keepalive function. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported. |
| Use the IPv6 address to log in to the SSH server through STelnet. | stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ prefer_kex kex-type \| prefer_ctos_cipher cipher-type \| prefer_stoc_cipher cipher-type \| prefer_ctos_hmac hmac-type \| prefer_stoc_hmac hmac-type \| prefer_ctos_compress zlib \| prefer_stoc_compress zlib \| -ki aliveinterval \| -kc alivecountmax \| identity-key { rsa \| dsa \| ecc } ] * | |
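
The two ways of handling the first connection to an SSH server (first authentication, or assigning the server's public key on the client) can be told apart in a saved configuration. The following Python check is an added example, not part of the original document or of the device software; it assumes the configuration lists the commands from Tables 1-46 and 1-47 one per line as entered, and the function name `audit_ssh_client`, the address 192.0.2.10 and the key name `core-sw-key` are hypothetical.

```python
import re

# Command forms come from the tables above. Assumption: the saved
# configuration lists each command on its own line, as it was entered.
FIRST_AUTH = "ssh client first-time enable"
PEER_KEY = re.compile(r"^(rsa|dsa|ecc) peer-public-key (\S+)")
ASSIGN = re.compile(r"^ssh client (\S+) assign (rsa|dsa|ecc)-key (\S+)$")


def audit_ssh_client(config_text, servers):
    """Report how the SSH client would validate each address in `servers`."""
    first_auth = False
    peer_keys = set()  # (key type, key name) pairs defined on the client
    bindings = {}      # server address -> (key type, key name)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == FIRST_AUTH:
            first_auth = True
        elif m := PEER_KEY.match(line):
            peer_keys.add((m.group(1), m.group(2)))
        elif m := ASSIGN.match(line):
            bindings[m.group(1)] = (m.group(2), m.group(3))

    findings = []
    if first_auth:
        findings.append("first authentication enabled: server key is not checked on first connection")
    for server in servers:
        if server not in bindings:
            findings.append(f"{server}: no public key assigned")
        elif bindings[server] not in peer_keys:
            kind, name = bindings[server]
            findings.append(f"{server}: assigned {kind} key '{name}' is not defined")
    return findings


# Constructed sample configurations: documentation address, made-up key name,
# and a placeholder where the server's hex-data would be.
FIRST_AUTH_CONFIG = "ssh client first-time enable\n"
PINNED_CONFIG = """\
rsa peer-public-key core-sw-key
 public-key-code begin
  <hex-data generated on the SSH server>
 public-key-code end
 peer-public-key end
ssh client 192.0.2.10 assign rsa-key core-sw-key
"""

if __name__ == "__main__":
    for name, cfg in (("first-auth", FIRST_AUTH_CONFIG), ("pinned", PINNED_CONFIG)):
        print(name, audit_ssh_client(cfg, ["192.0.2.10"]))
```

An empty result for a server means its key is assigned and defined on the client, so the validity check applies from the first connection onward.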