Typical File Management Configuration
Example for Logging In to the Switch to Manage Files
Overview
You can log in to the switch through the console port, Telnet, or STelnet to manage storage, directories, and local files. Only logged-in users can manage the storage. To transfer files, use FTP, TFTP, SFTP, Secure Copy Protocol (SCP), or FTPS.
Configuration Notes
- Before logging in to the switch to manage files, complete the following task:
- Log in to the switch from a terminal.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
A user logs in to the Switch using the console port, Telnet, or STelnet from the PC, and needs to perform the following operations on the files on the Switch:
- View the files and subdirectories in the current directory.
- Create the directory test. Copy the file vrpcfg.zip to test and rename the file as backup.zip.
- View files in test.
Procedure
- View the files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-            889  Mar 01 2012 14:41:56   private-data.txt
    1  -rw-          6,311  Feb 17 2012 14:05:04   backup.cfg
    2  -rw-          2,393  Mar 06 2012 17:20:10   vrpcfg.zip
    3  -rw-            812  Dec 12 2011 15:43:10   hostkey
    4  drw-              -  Mar 01 2012 14:41:46   compatible
    5  -rw-            540  Dec 12 2011 15:43:12   serverkey
...

509,256 KB total (52,752 KB free)
- Create the directory test. Copy the file vrpcfg.zip to test and rename the file as backup.zip.
# Create the directory test.
<Switch> mkdir test
Info: Create directory flash:/test......Done.
# Copy the file vrpcfg.zip to test and rename the file as backup.zip.
<Switch> copy vrpcfg.zip flash:/test/backup.zip   //Set the target file name to backup.zip. If not specified, the target file name is the same as the source file name.
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100%  complete/
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
- View files in test.
# Access test.
<Switch> cd test
# View the current directory.
<Switch> pwd
flash:/test
# View files in test.
<Switch> dir
Directory of flash:/test/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-          2,399  Mar 12 2012 11:16:44   backup.zip

509,256 KB total (52,748 KB free)
Example for Managing Files Using FTP
Overview
After a switch is configured as an FTP server, users can access the switch using the FTP client software on the local terminals. Users can then manage files between the switch and local terminals. The configuration for managing files using FTP is simple, and FTP supports file transfer and file directory management.
FTP provides the authorization and authentication functions for managing files. However, data is transferred in plaintext, which brings security risks.
FTP is applicable to file management when high network security is not required, and is often used in version upgrades.
Configuration Notes
- Before managing files using FTP, complete the following tasks:
- Ensure that routes are reachable between the terminal and the switch.
- Ensure that FTP client software is installed on the terminal.
- FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or FTPS is recommended.
- If the number of FTP users on the switch reaches the maximum value (5), new authorized users cannot log in. To ensure that new FTP users successfully log in to the switch, FTP users who have completed file operations need to get offline.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
As shown in Figure 3-17, the PC connects to the switch, and the IP address of the management network interface on the switch is 10.136.23.5. The switch needs to be upgraded. The switch is required to function as the FTP server so that you can upload the system software from the PC to the switch and back up the configuration file to the PC.
Configuration Roadmap
The configuration roadmap is as follows:
- Configure the FTP function for the switch and information about an FTP user, including the user name and password, user level, service type, and authorized directory.
- Save the current configuration file on the switch.
- Establish an FTP connection between the PC and the switch.
- Upload the system software to the switch and back up the configuration file of the switch to the PC.
Procedure
- Configure the FTP function for the switch and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server enable   //Enable the FTP server function.
[FTP_Server] ftp server-source -i Vlanif 10   //Configure the source interface of the server as the interface corresponding to 10.136.23.5. Assume that the interface is Vlanif 10.
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789   //Set the login password to Helloworld@6789.
[FTP_Server-aaa] local-user admin1234 privilege level 15   //Set the user level to 15.
[FTP_Server-aaa] local-user admin1234 service-type ftp   //Set the user service type to FTP.
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/   //Set the FTP service authorized directory to flash:/.
[FTP_Server-aaa] quit
[FTP_Server] quit
- Save the current configuration file on the switch.
<FTP_Server> save
- Establish an FTP connection between the PC and the switch. Enter the user name admin1234 and password Helloworld@6789 and set the file transfer mode to binary.
The following example assumes that the PC runs the Windows XP operating system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary   //Set the file transfer mode to binary. The default mode is ASCII.
200 Type set to I.
ftp>
The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs including the system software (with the file name extension of .cc, .bin, or .pat), images, voices, videos, compressed packages, and database files.
- Upload the system software to the switch and back up the configuration file of the switch to the PC.
# Upload the system software to the switch.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05Seconds 560.79Kbytes/sec.
# Back up the configuration file of the switch to the PC.
ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.
Before uploading and downloading files to the FTP server, determine the FTP working directory on the FTP client. For example, the default FTP working directory on the Windows XP operating system is the login user working directory (such as C:\Documents and Settings\Administrator). This directory also stores the system software to be uploaded and backup configuration file.
- Verify the configuration.
# Run the dir command on the switch to check whether the system software is uploaded to the switch.
<FTP_Server> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
    1  drw-              -  Mar 11 2012 00:58:54   logfile
    2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
    3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
    4  -rw-          1,257  Mar 12 2012 21:15:54   vrpcfg.zip
    5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
    6  -rw-    106,616,955  Mar 13 2012 14:24:24   devicesoft.cc
    7  drw-              -  Oct 31 2011 10:20:28   sysdrv
    8  drw-              -  Feb 21 2012 17:16:36   compatible
    9  drw-              -  Feb 09 2012 14:20:10   selftest
   10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
   11  -rw-         23,496  Dec 15 2011 20:59:36   20111215.zip
   12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
   13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
   14  drw-              -  Nov 04 2011 13:58:36   security
...

509,256 KB total (52,752 KB free)
# Check whether the file vrpcfg.zip is stored in the FTP working directory on the PC.
Configuration Files
FTP_Server configuration file
#
 sysname FTP_Server
#
 FTP server enable
#
aaa
 local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 ftp-directory flash:/
 local-user admin1234 service-type ftp
#
return
Example for Managing Files Using SFTP
Overview
After a switch is configured as an SFTP server, users can communicate with the switch using SFTP. SFTP runs over SSH, which secures the connection: data is encrypted and its integrity is protected, giving a high level of security. Both SFTP and FTP can be configured on the switch.
SFTP is applicable to file management when high network security is required, and is often used for downloading logs and backing up the configuration file.
Configuration Notes
- Before managing files using SFTP, complete the following tasks:
- Ensure that routes are reachable between the terminal and the switch.
- Ensure that SSH client software is installed on the terminal.
- SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
As shown in Figure 3-18, the PC connects to the switch, and the IP address of the management network interface on the switch is 10.136.23.4. Files need to be securely transferred between the PC and switch to prevent man-in-the-middle attacks and some network attacks (such as DNS spoofing and IP spoofing). Configure the switch as the SSH server to provide the SFTP service so that the SSH server can authenticate the client and encrypt data in bidirectional mode to ensure secure file transfer.
Configuration Roadmap
The configuration roadmap is as follows:
- Generate a local key pair on the SSH server and enable the SFTP server function to implement secure data exchange between the server and client.
- Configure VTY user interfaces on the SSH server.
- Configure an SSH user, including the authentication mode, service type, SFTP authorized directory, user name, and password.
- Use the third-party software OpenSSH to access the SSH server.
Procedure
- Generate a local key pair on the SSH server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create   //Generate a local DSA key pair.
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:   //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] sftp server enable   //Enable the SFTP server function.
[SSH_Server] ssh server-source -i Vlanif 10   //Configure the source interface of the server as the interface corresponding to 10.136.23.4. Assume that the interface is Vlanif 10.
- Configure VTY user interfaces on the SSH server.
[SSH_Server] user-interface vty 0 14   //Enter the user interface views of VTY 0 to VTY 14.
[SSH_Server-ui-vty0-14] authentication-mode aaa   //Set the authentication mode of users in VTY 0 to VTY 14 to AAA.
[SSH_Server-ui-vty0-14] protocol inbound ssh   //Configure the user interface views of VTY 0 to VTY 14 to support SSH.
[SSH_Server-ui-vty0-14] quit
- Configure an SSH user, including the authentication mode, service type, SFTP authorized directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password   //Set the authentication mode to password authentication.
[SSH_Server] ssh user client001 service-type sftp   //Set the user service type to SFTP.
[SSH_Server] ssh user client001 sftp-directory flash:   //Set the SFTP service authorized directory to flash:.
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789   //Set the login password to Helloworld@6789.
[SSH_Server-aaa] local-user client001 privilege level 15   //Set the user level to 15.
[SSH_Server-aaa] local-user client001 service-type ssh   //Set the user service type to SSH.
[SSH_Server-aaa] quit
- Access the SFTP server using OpenSSH.
OpenSSH commands can be used in the Windows Command Prompt window only after the OpenSSH software is installed.
Ensure that the OpenSSH version matches the operating system of the PC. Otherwise, you may fail to access the switch using SFTP. Note also that OpenSSH 7.0 and later disable ssh-dss host keys and user keys by default, so a switch that has only the DSA host key generated above is rejected by such a client unless the client explicitly allows ssh-dss for this host (HostKeyAlgorithms) or the switch is also given an RSA host key with the rsa local-key-pair create command.
Figure 3-19 Windows Command Prompt window
After the PC connects to the switch using the third-party software, enter the SFTP view to perform file operations.
Configuration Files
SSH_Server configuration file
#
 sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
 sftp server enable
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type sftp
 ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
#
return
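The FTP_Server and SSH_Server configuration files above are the artifacts a reviewer checks before a switch goes into production. The following Python script is an added example by this editor, not Huawei code: it parses only the statements that appear in those files (service enable lines, local-user attributes, ssh user sftp-directory, VTY protocol inbound) and reports the settings the Configuration Notes warn about: FTP enabled, FTP-only accounts, an authorized directory that is the root of flash:, and VTYs still accepting Telnet. The third, hardened configuration and its flash:/sftp subdirectory are constructed for contrast and are this example's assumptions, not something the page shows.

```python
"""Audit Huawei VRP configuration text for weak file-transfer settings."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class LocalUser:
    name: str
    service_types: Set[str] = field(default_factory=set)
    privilege_level: Optional[int] = None
    directory: Optional[str] = None      # ftp-directory or sftp-directory


def parse_config(text: str) -> Tuple[Set[str], Dict[str, LocalUser], Set[str]]:
    """Return (enabled services, local users, VTY inbound protocols).

    Only the statement forms that appear on this page are understood; every
    other line is ignored.
    """
    services: Set[str] = set()
    users: Dict[str, LocalUser] = {}
    vty_protocols: Set[str] = set()
    in_vty = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            in_vty = False                       # "#" closes the current view
            continue
        low = line.lower()
        # The switch writes "FTP server enable" capitalised, so match case-insensitively.
        m = re.fullmatch(r"(ftp|sftp|stelnet|telnet) server enable", low)
        if m:
            services.add(m.group(1))
            continue
        m = re.match(r"local-user (\S+) (\S+)(.*)", line, re.IGNORECASE)
        if m:
            user = users.setdefault(m.group(1), LocalUser(m.group(1)))
            keyword, tail = m.group(2).lower(), m.group(3).split()
            if keyword == "service-type":
                user.service_types.update(t.lower() for t in tail)
            elif keyword == "privilege" and tail[:1] == ["level"]:
                user.privilege_level = int(tail[1])
            elif keyword == "ftp-directory" and tail:
                user.directory = tail[0]
            continue
        m = re.match(r"ssh user (\S+) sftp-directory (\S+)", line, re.IGNORECASE)
        if m:
            users.setdefault(m.group(1), LocalUser(m.group(1))).directory = m.group(2)
            continue
        if low.startswith("user-interface vty"):
            in_vty = True
        elif in_vty and low.startswith("protocol inbound"):
            vty_protocols.update(low.split()[2:])
    return services, users, vty_protocols


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    services, users, vty_protocols = parse_config(text)
    findings: List[str] = []
    if "ftp" in services:
        findings.append("FTP server enabled: logins and file contents cross the network in plaintext")
    if "telnet" in services:
        findings.append("Telnet server enabled: use STelnet instead")
    for u in users.values():
        if "ftp" in u.service_types:
            findings.append(f"user {u.name}: service-type ftp sends the password in plaintext")
            if u.privilege_level is not None and u.privilege_level >= 15:
                findings.append(f"user {u.name}: file-transfer account holds privilege level 15; confirm it needs the highest level")
        if u.directory and u.directory.rstrip("/").lower() == "flash:":
            findings.append(f"user {u.name}: authorized directory is the flash root, so vrpcfg.zip and key files are reachable")
    if vty_protocols & {"all", "telnet"}:
        findings.append("VTY user interfaces accept Telnet: set 'protocol inbound ssh'")
    return findings


# The two configuration files printed on this page.
FTP_SERVER_CONFIG = r"""
#
 sysname FTP_Server
#
 FTP server enable
#
aaa
 local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 ftp-directory flash:/
 local-user admin1234 service-type ftp
#
return
"""

SSH_SERVER_CONFIG = r"""
#
 sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
 sftp server enable
 ssh user client001
 ssh user client001 authentication-type password
 ssh user client001 service-type sftp
 ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""

# Constructed for contrast (assumption: a dedicated subdirectory is used as the SFTP root).
HARDENED_CONFIG = r"""
#
aaa
 local-user backup password irreversible-cipher <hash omitted>
 local-user backup privilege level 3
 local-user backup service-type ssh
#
 sftp server enable
 ssh user backup
 ssh user backup authentication-type password
 ssh user backup service-type sftp
 ssh user backup sftp-directory flash:/sftp
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

if __name__ == "__main__":
    for label, cfg in (("FTP_Server", FTP_SERVER_CONFIG), ("SSH_Server", SSH_SERVER_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

The FTP_Server file yields four findings, the SSH_Server file one (the SFTP root is the whole of flash:, which holds the configuration archive and the host key files), and the constructed hardened file none.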
Example for Accessing Files on Other Devices Using TFTP
Overview
After a switch is configured as a TFTP client, it can access the remote TFTP server to upload and download files on the TFTP server. When you access other devices using TFTP, you do not need to enter the user name or password, simplifying information exchange. TFTP has no authorization or authentication mechanism and transfers data in plaintext, which brings security risks and is vulnerable to network viruses and attacks. Exercise caution when using TFTP.
On a high-performance LAN in a lab environment, TFTP can be used for loading and upgrading the system software.
Configuration Notes
- Before accessing files on the TFTP server, ensure that routes are reachable between the switch and TFTP server.
- The switch can only function as a TFTP client.
- The TFTP mode supports only file transfer, but does not support interaction.
- TFTP has no authorization or authentication mechanism and transfers data in plaintext, which brings security risks and is vulnerable to network viruses and attacks.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
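The notes above, like the FTP overview earlier, state that FTP and TFTP carry logins and file contents in plaintext. The following Python detector is an added example by this editor, not part of the Huawei documentation; it shows what that means on the wire by pulling USER/PASS and STOR/RETR commands out of an FTP control stream and decoding TFTP read/write requests (RFC 1350: two-byte opcode, file name, NUL, mode, NUL). The packet records and their payloads are constructed to mirror the sessions on this page, not taken from a real capture, and the record layout (proto, dport, payload) is this example's own convention.

```python
"""Spot plaintext FTP/TFTP file-transfer traffic in captured packets."""
import struct
from typing import Dict, List, Optional

FTP_CREDENTIAL_CMDS = {b"USER", b"PASS"}
FTP_FILE_CMDS = {b"STOR", b"RETR"}


def parse_ftp_control(stream: bytes) -> List[Dict[str, str]]:
    """Pull logins and file names out of a reassembled FTP control stream (TCP/21).

    The password is replaced by its length so the detector's own log does not
    become a second copy of the secret.
    """
    events: List[Dict[str, str]] = []
    for line in stream.split(b"\r\n"):
        parts = line.split(b" ", 1)
        cmd = parts[0].upper()
        if len(parts) != 2 or cmd not in FTP_CREDENTIAL_CMDS | FTP_FILE_CMDS:
            continue
        value = parts[1].decode("utf-8", errors="replace")
        if cmd == b"PASS":
            value = f"<redacted {len(value)} chars>"
        events.append({"protocol": "ftp", "command": cmd.decode(), "value": value})
    return events


def parse_tftp_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Decode a TFTP read/write request: opcode(2) | filename | NUL | mode | NUL."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):               # 1 = RRQ, 2 = WRQ; DATA/ACK/ERROR are not requests
        return None
    fields = payload[2:].split(b"\0")
    if len(fields) < 3 or not fields[0]:   # filename, mode, and the remainder after the final NUL
        return None
    return {"protocol": "tftp",
            "command": "RRQ" if opcode == 1 else "WRQ",
            "value": fields[0].decode("utf-8", errors="replace"),
            "mode": fields[1].decode("ascii", errors="replace").lower()}


def detect_plaintext_transfers(packets) -> List[Dict[str, str]]:
    """packets: iterable of dicts with 'proto' ('tcp'/'udp'), 'dport' and 'payload'."""
    events: List[Dict[str, str]] = []
    for pkt in packets:
        if pkt["proto"] == "tcp" and pkt["dport"] == 21:
            events.extend(parse_ftp_control(pkt["payload"]))
        elif pkt["proto"] == "udp" and pkt["dport"] == 69:
            req = parse_tftp_request(pkt["payload"])
            if req:
                events.append(req)
    return events


# Constructed sample traffic mirroring the sessions on this page (not a real capture).
SAMPLE_PACKETS = [
    {"proto": "tcp", "dport": 21,
     "payload": b"USER admin1234\r\nPASS Helloworld@6789\r\nTYPE I\r\nSTOR devicesoft.cc\r\nQUIT\r\n"},
    {"proto": "udp", "dport": 69, "payload": b"\x00\x02vrpcfg.zip\x00octet\x00"},      # WRQ: config leaves the switch
    {"proto": "udp", "dport": 69, "payload": b"\x00\x01devicesoft.cc\x00octet\x00"},   # RRQ: software comes in unauthenticated
    {"proto": "udp", "dport": 69, "payload": b"\x00\x03\x00\x01" + b"A" * 512},        # DATA block, not a request
    {"proto": "tcp", "dport": 22, "payload": b"SSH-2.0-OpenSSH\r\n"},                 # encrypted channel: nothing to report
]

if __name__ == "__main__":
    for event in detect_plaintext_transfers(SAMPLE_PACKETS):
        print(event)
```

The TFTP branch is the one to keep in mind when reading the notes: a write request names the file and needs no credentials at all, so anyone on the path can request devicesoft.cc or deposit a replacement, and the only thing the detector can do is tell you it happened.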
Networking Requirements
As shown in Figure 3-20, the remote server at IP address 10.1.1.1/24 functions as the TFTP server. The switch at IP address 10.2.1.1/24 functions as the TFTP client and has reachable routes to the TFTP server.
The switch needs to be upgraded. You need to download the system software from the TFTP server to the switch and back up the current configuration file of the switch to the TFTP server.
Configuration Roadmap
The configuration roadmap is as follows:
- Run the TFTP software on the TFTP server and set the TFTP working directory.
- Upload and download files on the switch using TFTP commands.
Procedure
- Run the TFTP software on the TFTP server and set the TFTP working directory. For the detailed operations, see the help document of the third-party TFTP software.
- Upload and download files on the switch using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc   //Download devicesoft.cc.
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...|
TFTP: Downloading the file successfully.
106616955 byte(s) received in 722 second(s).
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip   //Upload vrpcfg.zip.
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
100%
TFTP: Uploading the file successfully.
7717 byte(s) sent in 1 second(s).
- Verify the configuration.
# Run the dir command on the switch to check whether the system software is downloaded to the switch.
<HUAWEI> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
    1  drw-              -  Mar 11 2012 00:58:54   logfile
    2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
    3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
    4  -rw-          7,717  Mar 12 2012 21:15:54   vrpcfg.zip
    5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
    6  -rw-    106,616,955  Mar 13 2012 14:24:24   devicesoft.cc
    7  drw-              -  Oct 31 2011 10:20:28   sysdrv
    8  drw-              -  Feb 21 2012 17:16:36   compatible
    9  drw-              -  Feb 09 2012 14:20:10   selftest
   10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
   11  -rw-         43,496  Dec 15 2011 20:59:36   20111215.zip
   12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
   13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
   14  drw-              -  Nov 04 2011 13:58:36   security
...

509,256 KB total (52,752 KB free)
# Check whether the file vrpcfg.zip is stored in the working directory on the TFTP server.
Example for Accessing Files on Other Devices Using FTP
Overview
After a switch is configured as an FTP client, it can log in to the FTP server for transferring files and managing files and directories on the FTP server. The configuration for accessing other devices using FTP is simple, and FTP supports file transfer and file directory management. FTP provides the authorization and authentication functions for managing files. However, data is transferred in plaintext, which brings security risks.
FTP is applicable to file transfer when high network security is not required, and is often used for downloading the system software from the FTP server and backing up the configuration file.
Configuration Notes
- Before accessing files on the FTP server, ensure that routes are reachable between the switch and FTP server.
- FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or FTPS is recommended.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
As shown in Figure 3-21, the remote server at IP address 10.1.1.1/24 functions as the FTP server. The switch at IP address 10.2.1.1/24 functions as the FTP client and has reachable routes to the FTP server.
The switch needs to be upgraded. You need to download the system software from the FTP server to the switch and back up the current configuration file of the switch to the FTP server.
Configuration Roadmap
The configuration roadmap is as follows:
- Run the FTP software on the FTP server and configure an FTP user.
- Establish an FTP connection between the switch and the FTP server.
- Upload and download files on the switch using FTP commands.
Procedure
- Run the FTP software on the FTP server and configure an FTP user. For the detailed operations, see the help document of the third-party FTP software.
- Establish an FTP connection between the switch and the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
- Upload and download files on the switch using FTP commands.
[ftp] binary   //Set the file transfer mode to binary. The default mode is ASCII.
[ftp] get devicesoft.cc   //Download the system software on the FTP server to the switch.
[ftp] put vrpcfg.zip   //Upload the backup configuration file on the switch to the FTP server.
[ftp] quit
The ASCII mode is used to transfer text files, and the binary mode is used to transfer programs including the system software (with the file name extension of .cc, .bin, or .pat), images, voices, videos, compressed packages, and database files.
- Verify the configuration.
# Run the dir command on the switch to check whether the system software is downloaded to the switch.
<HUAWEI> dir
Directory of flash:/

  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-             14  Mar 13 2012 14:13:38   back_time_a
    1  drw-              -  Mar 11 2012 00:58:54   logfile
    2  -rw-              4  Nov 17 2011 09:33:58   snmpnotilog.txt
    3  -rw-         11,238  Mar 12 2012 21:15:56   private-data.txt
    4  -rw-          7,717  Mar 12 2012 21:15:54   vrpcfg.zip
    5  -rw-             14  Mar 13 2012 14:13:38   back_time_b
    6  -rw-    106,616,955  Mar 13 2012 14:24:24   devicesoft.cc
    7  drw-              -  Oct 31 2011 10:20:28   sysdrv
    8  drw-              -  Feb 21 2012 17:16:36   compatible
    9  drw-              -  Feb 09 2012 14:20:10   selftest
   10  -rw-         19,174  Feb 20 2012 18:55:32   backup.cfg
   11  -rw-         43,496  Dec 15 2011 20:59:36   20111215.zip
   12  -rw-            588  Nov 04 2011 13:54:04   servercert.der
   13  -rw-            320  Nov 04 2011 13:54:26   serverkey.der
   14  drw-              -  Nov 04 2011 13:58:36   security
...

509,256 KB total (52,752 KB free)
# Check whether the file vrpcfg.zip is stored in the working directory on the FTP server.
Example for Accessing Files on Other Devices Using SFTP
Overview
SFTP is an SSH-based secure file transfer protocol, which uses secure connections for data transmission. After a switch is configured as an SFTP client, the remote SFTP server can authenticate the client and encrypt data in bidirectional mode to ensure secure file transfer and directory management.
SFTP is applicable to accessing files on other devices when high network security is required, and is used for uploading and downloading logs.
Configuration Notes
- Before accessing files on the SSH server using SFTP, ensure that routes are reachable between the switch and SSH server.
- SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
- This example applies to all versions of all S series switches.
The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an example.
Networking Requirements
As shown in Figure 3-22, the routes between the SSH server and clients client001 and client002 are reachable. A Huawei switch is used as the SSH server in this example.
The clients client001 and client002 are required to connect to the SSH server in password and DSA authentication modes respectively to ensure secure access to files on the SSH server.
Configuration Roadmap
The configuration roadmap is as follows:
- Generate a local key pair on the SSH server and enable the SFTP server function to implement secure data exchange between the server and client.
- Configure the clients client001 and client002 on the SSH server to log in to the SSH server in password and DSA authentication modes, respectively.
- Generate a local key pair on client002 and configure the generated DSA public key on the SSH server, which implements authentication for the client when a user logs in to the server from the client.
- On the SSH server, enable client001 and client002 to log in to the SSH server using SFTP and access the files.
Procedure
- On the SSH server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create   //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:   //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable   //Enable the SFTP server function.
Info: Succeeded in starting the SFTP server.
In V200R020 and later versions, you must run the ssh server-source command to set the source interface of the server to the interface using the IP address 10.1.1.1 so that the client can connect to the server through 10.1.1.1.
[SSH Server] ssh server-source -i Vlanif 10   //Configure the source interface of the server as the interface corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
- Create SSH users on the SSH server.
# Configure VTY user interfaces on the SSH server.
[SSH Server] user-interface vty 0 4   //Enter the user interface views of VTY 0 to VTY 4.
[SSH Server-ui-vty0-4] authentication-mode aaa   //Set the authentication mode of users in VTY 0 to VTY 4 to AAA.
[SSH Server-ui-vty0-4] protocol inbound ssh   //Configure the user interface views of VTY 0 to VTY 4 to support SSH.
[SSH Server-ui-vty0-4] user privilege level 3   //Set the user level to 3.
[SSH Server-ui-vty0-4] quit
# Create an SSH user named client001 and configure the password authentication mode for the user.
[SSH Server] ssh user client001   //Create an SSH user.
[SSH Server] ssh user client001 authentication-type password   //Set the authentication mode to password authentication.
[SSH Server] ssh user client001 service-type sftp   //Set the user service type to SFTP.
[SSH Server] ssh user client001 sftp-directory flash:   //Set the SFTP service authorized directory to flash:.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789   //Set the login password to Helloworld@6789.
[SSH Server-aaa] local-user client001 service-type ssh   //Set the user service type to SSH.
[SSH Server-aaa] local-user client001 privilege level 3   //Set the user level to 3.
[SSH Server-aaa] quit
# Create an SSH user named client002 and configure the DSA authentication mode for the user.
[SSH Server] ssh user client002   //Create an SSH user.
[SSH Server] ssh user client002 authentication-type dsa   //Set the authentication mode to DSA authentication.
[SSH Server] ssh user client002 service-type sftp   //Set the user service type to SFTP.
[SSH Server] ssh user client002 sftp-directory flash:   //Set the SFTP service authorized directory to flash:.
- Generate a local key pair on client002 and configure the generated DSA public key on the SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create   //Generate a local DSA key pair.
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:   //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Check the DSA public key generated on client002.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created:2014-08-27 06:35:16+08:00
Key name : client002_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
Key fingerprint: b7:68:86:90:d8:19:f3:e6:4a:f2:e9:fd:e4:24:ef:a5
=====================================================
Key code:
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678
A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ
IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW
qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5
iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U4
2SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNt
AEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMf
LZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCo
otdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/
AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN
+A==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQIZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhWqZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6JbeccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQWsrXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0wK5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYgXG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfEByn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrkyeCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDAkjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U42SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNtAEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMfLZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCootdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN+A== dsa-key
# Configure the generated DSA public key on the SSH server. The Key code part of the display command output (from 30820322 through 4B224FEE) is the generated DSA public key. Copy it to the SSH server.
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code]30820322
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
[SSH Server-dsa-key-code]8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
[SSH Server-dsa-key-code]EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
[SSH Server-dsa-key-code]60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
[SSH Server-dsa-key-code]A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
[SSH Server-dsa-key-code]AAB59973 9AB02185 856A881F 9197368B 92DBF684
[SSH Server-dsa-key-code]9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
[SSH Server-dsa-key-code]5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
[SSH Server-dsa-key-code]9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
[SSH Server-dsa-key-code]326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
[SSH Server-dsa-key-code]BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
[SSH Server-dsa-key-code]8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
[SSH Server-dsa-key-code]4EA0EE50 1FC6695D 03D68D51 9324E493
[SSH Server-dsa-key-code]0214
[SSH Server-dsa-key-code]C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
[SSH Server-dsa-key-code]96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
[SSH Server-dsa-key-code]21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
[SSH Server-dsa-key-code]5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
[SSH Server-dsa-key-code]2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
[SSH Server-dsa-key-code]4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
[SSH Server-dsa-key-code]9A56E32E C15A0659 3D17C407 29F587C7 74959017
[SSH Server-dsa-key-code]62B08070 24564B2E E79C6E1D 86793548 76CC662A
[SSH Server-dsa-key-code]1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
[SSH Server-dsa-key-code]26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
[SSH Server-dsa-key-code]4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
[SSH Server-dsa-key-code]A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
[SSH Server-dsa-key-code]C15B6DBA 65C9EFAB 247DB13D 4942E2FF
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
[SSH Server-dsa-key-code]98559075 98039259 0C54818C 650A95C7 0A5250EB
[SSH Server-dsa-key-code]12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
[SSH Server-dsa-key-code]6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
[SSH Server-dsa-key-code]4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
[SSH Server-dsa-key-code]3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
[SSH Server-dsa-key-code]B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
[SSH Server-dsa-key-code]0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
[SSH Server-dsa-key-code]14552C1F 76A401AE E06E482D 6582052E 5B11A678
[SSH Server-dsa-key-code]A467B38A B77C1C55 D367E253 FFA44841 FC38A462
[SSH Server-dsa-key-code]B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
[SSH Server-dsa-key-code]634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
[SSH Server-dsa-key-code]C02FF228 A90D7593 AE46C5D0 4B224FEE
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end
# On the SSH server, bind the DSA public key to client002.
[SSH Server] ssh user client002 assign dsa-key dsakey001
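The hex pasted into the public-key-code view is a DER SEQUENCE of four INTEGERs (p, q, g, y). Before binding a pasted key to a user it is worth checking that the blob still parses and that the four values satisfy the relations every DSA public key must satisfy; a copy-and-paste slip silently produces a key nobody holds. The following script is an added example, not part of the original page or of the switch software: it parses the dsakey001 blob exactly as shown above and reports the sizes and algebraic checks. The size thresholds and the function names are this example's own assumptions.

```python
"""Sanity-check a DSA public key in Huawei 'encoding-type der' hex form.

Added example, not from the original page: parses the dsakey001 blob shown
in the peer-public-key view into (p, q, g, y) and evaluates the relations a
genuine DSA public key must satisfy. Size thresholds are assumptions.
"""
import re

# dsakey001 exactly as shown in the peer-public-key view above (key bytes only).
DSAKEY001_HEX = """
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE 8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E 60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750 5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6 326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB 8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214 C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6 5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62 A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD 98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F 6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5 3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48 0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678 A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0 634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE
"""


def parse_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the size of the length field
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def parse_dsa_public_key(hex_text):
    """Return {'p', 'q', 'g', 'y'} from the Huawei DER hex dump.

    The switch writes INTEGER contents without the 0x00 pad byte that strict
    DER requires when the top bit is set (p starts with 0xDE), so each
    INTEGER is read as an unsigned big-endian value.
    """
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    tag, body, end = parse_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if end != len(raw):
        raise ValueError("trailing bytes after the SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        if tag != 0x02:
            raise ValueError(f"expected INTEGER (0x02), got 0x{tag:02x}")
        ints.append(int.from_bytes(val, "big"))
    if len(ints) != 4:
        raise ValueError(f"expected 4 INTEGERs (p, q, g, y), found {len(ints)}")
    return dict(zip("pqgy", ints))


def check_dsa_key(key, min_p_bits=2048, min_q_bits=160):
    """Return a list of findings; an empty list means every check passed."""
    p, q, g, y = key["p"], key["q"], key["g"], key["y"]
    findings = []
    if p.bit_length() < min_p_bits:
        findings.append(f"p is only {p.bit_length()} bits")
    if q.bit_length() < min_q_bits:
        findings.append(f"q is only {q.bit_length()} bits")
    if p % 2 == 0 or q % 2 == 0:
        findings.append("p or q is even and cannot be prime")
    if (p - 1) % q != 0:
        findings.append("q does not divide p-1")
    if not 1 < g < p or pow(g, q, p) != 1:
        findings.append("g does not generate an order-q subgroup")
    if not 1 < y < p or pow(y, q, p) != 1:
        findings.append("y is not in the subgroup generated by g")
    return findings


if __name__ == "__main__":
    key = parse_dsa_public_key(DSAKEY001_HEX)
    print({name: key[name].bit_length() for name in "pqgy"})
    print(check_dsa_key(key) or "key structure and subgroup checks passed")
```

The parser deliberately treats every INTEGER as unsigned because the switch's DER omits the sign-padding byte; a strict ASN.1 library would decode p above as a negative number. Feed the script the text you intend to paste, not the text already on the server, so that it catches the transcription error before the key is bound.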
- Connect SFTP clients to the SSH server.
# Enable first-time authentication on the SSH clients. With this function enabled, a client accepts and saves the server's host public key on the first connection without verifying it, so that first connection is only as trustworthy as the network path to 10.1.1.1. In production, pre-load the server's public key on the client instead (for example with the ssh client assign command) or compare the key the client saves with the key displayed on the server before continuing.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable //Enable first-time authentication on client001.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] ssh client first-time enable //Enable first-time authentication on client002.
# Log in to the SSH server from client001 in password authentication mode. No public key is bound to client001 on the server, so press Enter at the public key type prompt to skip public-key authentication and then enter the password.
[client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:
Enter password:
sftp-client>
# Log in to the SSH server from client002 in DSA authentication mode. Select D at the prompt; the server verifies the client's signature against dsakey001 and asks for no password.
[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
sftp-client>
- Verify the configuration.
Run the display ssh server status command on the SSH server to check whether the SFTP service is enabled. Run the display ssh user-information command to check information about SSH users on the server. Beyond confirming SFTP server :Enable, review the items a security reviewer would question in this output: SSH version :1.99 means the server advertises compatibility with SSH 1.x clients as well as SSH 2.0 (RFC 4253); ACL4 number :0 and ACL6 number :0 mean no ACL restricts where SSH connections may originate; and Sftp-directory : flash: gives both users the whole storage device, including the configuration file and the key files, as their SFTP root.
# Check the status of the SSH server.
[SSH Server] display ssh server status
 SSH version                        :1.99
 SSH connection timeout             :60 seconds
 SSH server key generating interval :0 hours
 SSH authentication retries         :3 times
 SFTP server                        :Enable
 Stelnet server                     :Disable
 Scp server                         :Disable
 SSH server source                  :0.0.0.0
 ACL4 number                        :0
 ACL6 number                        :0
# Check information about SSH users.
[SSH Server] display ssh user-information
 User 1:
  User Name             : client001
  Authentication-type   : password
  User-public-key-name  : -
  User-public-key-type  : -
  Sftp-directory        : flash:
  Service-type          : sftp
  Authorization-cmd     : No
 User 2:
  User Name             : client002
  Authentication-type   : dsa
  User-public-key-name  : dsakey001
  User-public-key-type  : dsa
  Sftp-directory        : flash:
  Service-type          : sftp
  Authorization-cmd     : No
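The two display outputs are easy to read by eye once, but on a fleet of switches the verification step is usually scripted against captured command output. The following script is an added example, not part of the original page or of the switch software: it parses the two outputs exactly as shown above (embedded as constants) and raises the findings discussed in the verification step. The policy it applies and its function names are this example's own assumptions.

```python
"""Audit 'display ssh server status' and 'display ssh user-information' output.

Added example, not from the original page: the two outputs below are copied
from the verification step; the findings policy is this example's own.
"""
import re

SERVER_STATUS = """\
SSH version                        :1.99
SSH connection timeout             :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries         :3 times
SFTP server                        :Enable
Stelnet server                     :Disable
Scp server                         :Disable
SSH server source                  :0.0.0.0
ACL4 number                        :0
ACL6 number                        :0
"""

USER_INFO = """\
User 1:
  User Name             : client001
  Authentication-type   : password
  User-public-key-name  : -
  User-public-key-type  : -
  Sftp-directory        : flash:
  Service-type          : sftp
  Authorization-cmd     : No
User 2:
  User Name             : client002
  Authentication-type   : dsa
  User-public-key-name  : dsakey001
  User-public-key-type  : dsa
  Sftp-directory        : flash:
  Service-type          : sftp
  Authorization-cmd     : No
"""


def parse_kv(text):
    """Turn 'Key : value' lines into a dict. Split on the first colon only,
    so a value such as 'flash:' keeps its trailing colon."""
    out = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            out[key.strip()] = value.strip()
    return out


def parse_users(text):
    """Split 'display ssh user-information' output into one dict per user."""
    chunks = re.split(r"^User \d+:[ \t]*$", text, flags=re.M)
    return [parse_kv(chunk) for chunk in chunks if chunk.strip()]


def audit(status_text, users_text):
    """Return the findings a reviewer would raise against these two outputs."""
    findings = []
    status = parse_kv(status_text)
    # RFC 4253 section 5.1: a server identifying as 1.99 also accepts SSH 1.x.
    if status.get("SSH version") == "1.99":
        findings.append("server: version 1.99 advertises SSH 1.x compatibility")
    if status.get("ACL4 number") == "0" and status.get("ACL6 number") == "0":
        findings.append("server: no ACL limits which sources may reach SSH")
    for user in parse_users(users_text):
        name = user.get("User Name", "?")
        if user.get("Authentication-type") == "password":
            findings.append(f"user {name}: password authentication only")
        # A bare device name such as 'flash:' makes the whole storage the SFTP root.
        if re.fullmatch(r"[A-Za-z0-9]+:/?", user.get("Sftp-directory", "")):
            findings.append(f"user {name}: SFTP root is the whole storage device")
    return findings


if __name__ == "__main__":
    for finding in audit(SERVER_STATUS, USER_INFO):
        print(finding)
```

Against the outputs on this page the script reports five findings: the SSH 1.x compatibility, the missing ACL, password-only authentication for client001, and the storage-root SFTP directory for both users. client002 draws no authentication finding because it uses the bound DSA key.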
Configuration Files
SSH server configuration file
#
 sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
 public-key-code begin
 30820322
 02820100
 DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
 8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
 EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
 60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
 A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
 AAB59973 9AB02185 856A881F 9197368B 92DBF684
 9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
 5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
 9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
 326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
 BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
 8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
 4EA0EE50 1FC6695D 03D68D51 9324E493
 0214
 C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
 02820100
 3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
 96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
 5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
 2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
 9A56E32E C15A0659 3D17C407 29F587C7 74959017
 62B08070 24564B2E E79C6E1D 86793548 76CC662A
 1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
 26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
 A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
 C15B6DBA 65C9EFAB 247DB13D 4942E2FF
 02820100
 D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
 98559075 98039259 0C54818C 650A95C7 0A5250EB
 12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
 6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
 4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
 3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
 B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
 0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
 14552C1F 76A401AE E06E482D 6582052E 5B11A678
 A467B38A B77C1C55 D367E253 FFA44841 FC38A462
 B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
 634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
 C02FF228 A90D7593 AE46C5D0 4B224FEE
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
#
return
client001 configuration file
#
 sysname client001
#
ssh client first-time enable
#
return
client002 configuration file
#
 sysname client002
#
ssh client first-time enable
#
return