Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
(Optional) Using STelnet to Log In to Another Device From the Local Device

Context

A device can function as both an STelnet server and an STelnet client. As an STelnet client, it can log in to other devices. When the terminal lacks SSH client software, or has no reachable route to the target device, you can log in to an intermediate device that does have a route and use STelnet from there to reach the target device. The intermediate device functions as an STelnet client.

As shown in Figure 5-6, a PC connects to a device through network 1 and the device connects to an STelnet server through network 2. The PC cannot directly communicate with the STelnet server. In this situation, you can configure the device as an STelnet client and log in to the STelnet server from the device.
Figure 5-6  Configuring a device as an STelnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as an STelnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and STelnet server.
  • Enable the STelnet server function on the STelnet server.
  • Obtain the SSH user name and password, server keys, and port number configured on the STelnet server.

Procedure

  1. Generate a local key pair for the SSH client.

When the device functions as an STelnet client, it stores at most 20 server public keys, so it can authenticate at most 20 SSH servers at the same time. Run the display ssh server-info command to check how many server public keys are stored on the device. If the limit is reached and the client needs to access another SSH server, run the undo ssh client servername assign { rsa-key | dsa-key | ecc-key } command to delete a stored public key. After a public key is deleted, new logins to the corresponding SSH server fail until a key is assigned again; established connections are unaffected.

    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create

      A local RSA, DSA, or ECC key pair is generated. The generated key pair must be of the same type as that of the server.

      You can run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view information about the public key in the generated RSA, DSA, or ECC key pair. Configure the public key on the SSH server. For details, see Configuring an SSH User.

    3. Run:

      quit

      Return to the user view.

  2. Configure the mode in which the device connects to the SSH server for the first time.

When working as an SSH client and connecting to an SSH server for the first time, the device cannot validate the SSH server because the server's public key has not yet been saved on the client. As a result, the connection fails. You can perform either of the following operations to rectify the connection failure:

    • Enable first-time authentication on the SSH client. The device then connects to the SSH server without validating the server's public key and saves the key it receives for authenticating that server on later connections. The first connection is therefore unauthenticated: whichever host answers on the path at that moment, including an attacker in the middle, is trusted from then on. Use this method only when the first login takes place on a network you control, and afterwards compare the key shown by display ssh server-info with the key displayed on the server itself.
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        ssh client first-time enable

        First-time authentication is enabled on the SSH client.

        By default, first-time authentication is disabled on an SSH client.

    • Configure the SSH client to assign a public key to the SSH server. In this method, the public key generated on the server is obtained out of band and saved on the client in advance, so the server passes the validity check on the client's first login. This is the safer method, because no unverified key is ever trusted.
      1. Run:

        system-view

        The system view is displayed.

      2. Run:

        rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ], dsa peer-public-key key-name encoding-type { der | openssh | pem }, or ecc peer-public-key key-name encoding-type { der | openssh | pem }

        The RSA, DSA, or ECC public key view is displayed.

        Select a command to execute according to the type of the key on the server. For example, if a DSA key exists on the server, run the dsa peer-public-key key-name encoding-type { der | openssh | pem } command to enter the DSA public key view.

      3. Run:

        public-key-code begin

        The public key editing view is displayed.

      4. Enter the public key of the SSH server.

        The entered public key must be a hexadecimal string complying with the public key format. The string is the public key generated on the SSH server; copy it from the server itself (for example, from the output of the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command there), not from an untrusted channel.

        After entering the public key editing view, enter the RSA, DSA, or ECC public key generated by the server.

      5. Run:

        public-key-code end

        Exit the public key editing view.

      6. Run:

        peer-public-key end

        Exit the public key view.

      7. Run:

        ssh client servername assign { rsa-key | dsa-key | ecc-key } key-name

        The RSA, DSA, or ECC public key is bound to the SSH server.

        NOTE:

        If the SSH server's public key saved on the SSH client no longer matches the server (for example, because the server regenerated its key pair), logins to that server fail. Run the undo ssh client servername assign { rsa-key | dsa-key | ecc-key } command to unbind the old RSA, DSA, or ECC public key from the SSH server and then run the command again to assign the new public key.

  3. (Optional) Run:

    ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    A key exchange algorithm list is configured for the SSH client.

    By default, an SSH client supports all key exchange algorithms.

    NOTE:

    Do not add dh_group14_sha1 or dh_group1_sha1 to the list: they provide the lowest security among the supported key exchange algorithms (dh_group1_sha1 uses a fixed 1024-bit group, dh_group14_sha1 a fixed 2048-bit group, and both rely on SHA-1). Keep only dh_group_exchange_sha1.

  4. (Optional) Run:

    ssh client cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    An encryption algorithm list is configured for the SSH client.

    By default, an SSH client supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    NOTE:

    Do not add des_cbc or 3des_cbc to the list: they provide the lowest security among the supported encryption algorithms (DES uses a 56-bit key). Prefer the CTR-mode AES algorithms aes128_ctr and aes256_ctr.

  5. (Optional) Run:

    ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    An HMAC algorithm list is configured for the SSH client.

    By default, an SSH client supports all HMAC algorithms.

    NOTE:

    Do not add md5, sha1, md5_96, sha1_96, or sha2_256_96 to the HMAC algorithm list: they provide the lowest security among the supported HMAC algorithms (MD5 and SHA-1 are deprecated, and the _96 variants truncate the authentication tag to 96 bits). Keep only sha2_256.

  6. Log in to another device.

    • IPv4 mode: run the stelnet [ -a source-address | -i interface-type interface-number ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command to log in to another device.
    • IPv6 mode: run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] * command to log in to another device.

    Run either of the preceding commands based on the network address type.

    If the STelnet server listens on the default port 22, the client can omit the port number. If the server uses another port, you must specify that port number in the stelnet command.

    When configuring an STelnet client to log in to an SSH server, you can specify the source IP address and VPN instance name, select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and enable the keepalive function on the client.
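    The following session puts steps 1 to 6 together on the client, using the peer-public-key method rather than first-time authentication and restricting the client to the strongest listed algorithms. It is an added example, not part of the original page: the host name HUAWEI, the server address 10.1.2.2, the key name server1key, the command prompts, and the use of port 22 are assumptions, and the hexadecimal key body is a placeholder that must be replaced with the key copied from the display rsa local-key-pair public output on the server.

```text
# Step 1: generate the client's own key pair (same type as the server's).
<HUAWEI> system-view
[HUAWEI] rsa local-key-pair create
# Answer the interactive prompts; choose the largest modulus the device offers.
[HUAWEI] display rsa local-key-pair public
# Configure the public key shown above on the server (see Configuring an SSH User).

# Step 2: pre-load the server's public key instead of enabling
#         "ssh client first-time enable", so the first login is authenticated.
[HUAWEI] rsa peer-public-key server1key
[HUAWEI-rsa-public-key] public-key-code begin
[HUAWEI-rsa-key-code] <hexadecimal public key copied from the server, placeholder>
[HUAWEI-rsa-key-code] public-key-code end
[HUAWEI-rsa-public-key] peer-public-key end
[HUAWEI] ssh client 10.1.2.2 assign rsa-key server1key

# Steps 3 to 5: allow only the strongest listed algorithms on the client.
[HUAWEI] ssh client key-exchange dh_group_exchange_sha1
[HUAWEI] ssh client cipher aes256_ctr aes128_ctr
[HUAWEI] ssh client hmac sha2_256
[HUAWEI] quit

# Step 6: log in, pinning the same algorithms for this session.
<HUAWEI> stelnet 10.1.2.2 22 prefer_kex dh_group_exchange_sha1 prefer_ctos_cipher aes256_ctr prefer_stoc_cipher aes256_ctr prefer_ctos_hmac sha2_256 prefer_stoc_hmac sha2_256

# Check: the key bound to 10.1.2.2 should appear in the list of SSH servers.
<HUAWEI> display ssh server-info
```

    If the login later fails because the server regenerated its key pair, do not work around it by enabling first-time authentication; unbind the old key with undo ssh client 10.1.2.2 assign rsa-key, obtain the new key from the server, and assign it again.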

Checking the Configuration

  • Run the display ssh server-info command on the SSH client to view all SSH servers and their public keys.
Updated: 2019-04-18

Document ID: EDOC1000141895