Configuration Guide - Basic Configuration

S7700 and S9700 V200R010C00

This document describes how to use the command line interface, log in to the device, perform file operations, and configure system startup.
Enabling the SSH Server Function

Context

A device serving as an SSH server must generate a key pair of the same type as the client's key; the key pair is used for data encryption and for server authentication on the client. The device also supports a range of SSH server attributes that give flexible control over SSH login.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    stelnet server enable

    The SSH server function is enabled on the device.

    By default, the SSH server function is disabled on a device.

  3. (Optional) Run:

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    A key exchange algorithm list is configured for the SSH server.

    By default, an SSH client supports all key exchange algorithms.

    NOTE:

    Do not add dh_group14_sha1 or dh_group1_sha1 to the list because they provide the lowest security among the supported key exchange algorithms.

  4. (Optional) Run:

    ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    An encryption algorithm list is configured for the SSH server.

    By default, an SSH server supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    NOTE:

    Do not add des_cbc or 3des_cbc to the list because they provide the lowest security among the supported encryption algorithms.

  5. (Optional) Run:

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    An HMAC algorithm list is configured for the SSH server.

    By default, an SSH server supports all HMAC algorithms.

    NOTE:

    Do not add md5, sha1, md5_96, sha1_96, or sha2_256_96 to the HMAC algorithm list because they provide the lowest security among the supported HMAC algorithms.

  6. (Optional) Run:

    ssh server dh-exchange min-len min-len

    The minimum key length supported during Diffie-Hellman group exchange between the SSH server and client is configured.

    A Diffie-Hellman group exchange key of 1024 bytes poses security risks. If the SSH client supports a Diffie-Hellman group exchange key of more than 1024 bytes, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bytes to improve security.

  7. (Optional) Run:

    rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create

    A local RSA, DSA, or ECC key pair is generated.

    NOTE:

    Run one of the three commands, depending on the key pair type you want. A longer key pair indicates higher security; using the maximum key pair length is recommended.

  8. (Optional) Run:

    ssh server port port-number

    The port number of the SSH server is specified.

    By default, the port number of the SSH server is 22.

    Changing the SSH server port from the default prevents attackers who probe the default port from reaching the SSH server, improving SSH server security.

  9. (Optional) Run:

    ssh server rekey-interval hours

    The interval for updating key pairs is set.

    The default interval is 0, indicating that the key pairs are never updated.

    An SSH server automatically updates key pairs at the configured intervals, which ensures security.

    This command takes effect only for SSH1.X. However, SSH1.X provides poor security and is not recommended.

  10. (Optional) Run:

    ssh server timeout seconds

    The timeout period is set for SSH authentication.

    The default timeout period is 60 seconds.

    If a user fails to log in within the timeout period for SSH authentication, the device disconnects the current connection to ensure system security.

  11. (Optional) Run:

    ssh server authentication-retries times

    The maximum number of SSH authentication retries is set.

    The default maximum number of SSH authentication retries is 3.

    You can set the maximum number of SSH authentication retries to prevent unauthorized access.

  12. (Optional) Run:

    ssh server compatible-ssh1x enable

    Compatibility with earlier SSH versions is enabled.

    By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the compatibility setting is whatever the configuration file specifies.

    NOTE:

    If the SSH server is enabled to be compatible with earlier SSH versions, the system displays a security risk prompt.

  13. (Optional) Run:

    ssh server-source -i loopback interface-number

    The source interface is specified for the SSH server.

    By default, the source interface of an SSH server is not specified.

    Configuring a source interface for an SSH server prevents exposure of the device's management IP address, which ensures device security.

    NOTE:

    Before specifying a loopback interface as the source interface for an SSH server, ensure that the loopback interface has been created and the route between the client and the loopback interface is reachable. Otherwise, the configuration cannot be correctly executed.
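As an added example (not part of the Huawei document), the following Python script audits a saved SSH server configuration against the notes in the procedure above: weak key exchange, cipher and HMAC entries, a Diffie-Hellman group exchange minimum length below 2048, and SSH1.X compatibility. It assumes the configuration appears one command per line, as the commands are shown in the steps; both sample configurations are constructed.

```python
import re

# Entries the procedure's notes say not to include in each algorithm list.
WEAK = {
    "key-exchange": {"dh_group14_sha1", "dh_group1_sha1"},
    "cipher": {"des_cbc", "3des_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
}


def audit_ssh_config(config: str) -> list[str]:
    """Return findings for an SSH server configuration, one command per line.

    An absent algorithm list is reported because the defaults allow weak
    entries (the default cipher list includes 3DES_CBC, for example)."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "stelnet server enable" not in lines:
        findings.append("SSH (STelnet) server is not enabled")
    for name, weak in WEAK.items():
        matches = [ln for ln in lines if ln.startswith(f"ssh server {name} ")]
        if not matches:
            findings.append(f"{name} list not restricted (defaults apply)")
            continue
        chosen = set(matches[-1].split()[3:])  # tokens after 'ssh server <name>'
        bad = sorted(chosen & weak)
        if bad:
            findings.append(f"{name} list includes weak entries: {', '.join(bad)}")
    m = re.search(r"^ssh server dh-exchange min-len (\d+)$", "\n".join(lines), re.M)
    if not m or int(m.group(1)) < 2048:
        findings.append("dh-exchange min-len is not set to at least 2048")
    if "ssh server compatible-ssh1x enable" in lines:
        findings.append("compatibility with SSH1.X is enabled")
    return findings


# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
stelnet server enable
ssh server cipher 3des_cbc aes128_cbc aes256_ctr
ssh server hmac sha1 sha2_256
ssh server compatible-ssh1x enable
"""
HARDENED_CONFIG = """\
stelnet server enable
ssh server key-exchange dh_group_exchange_sha1
ssh server cipher aes128_ctr aes256_ctr
ssh server hmac sha2_256
ssh server dh-exchange min-len 2048
ssh server port 2222
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_ssh_config(cfg) or ["no findings"])
```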

Updated: 2019-08-21

Document ID: EDOC1000141895