Command Reference

CloudEngine 8800, 7800, 6800, and 5800 V200R002C50

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
User Login Configuration Commands

configuration exclusive

Function

The configuration exclusive command locks the current system configuration. When the system configuration is locked, the user who locks it can query and modify the configuration while other users can only query the configuration.

The undo configuration exclusive command unlocks the system configuration.

By default, the system configuration is unlocked.

Format

configuration exclusive

undo configuration exclusive

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device allows simultaneous access and configuration by multiple users, which may cause configuration conflicts and service exceptions. To prevent service exceptions, run this command to lock and modify the configuration while allowing other users to only query the configuration.

To unlock the configuration, do either of the following:
  • Run the undo configuration exclusive command.
  • Do not modify the configuration in the configured maximum lock interval. The system then automatically unlocks the configuration. To configure the maximum lock interval, run configuration exclusive timeout.

Precautions

  • After you run the configuration exclusive command, other users cannot modify the system configuration, so confirm your action before running this command.
  • Before you run the configuration exclusive command, run the configuration exclusive timeout command to configure the maximum lock interval so that the system can automatically unlock the configuration after this interval.
  • Only one user can lock the configuration at a time. After the user logs out, the configuration is unlocked automatically.

Example

# Lock the current system configuration.
<HUAWEI> configuration exclusive
# Unlock the system configuration.
<HUAWEI> undo configuration exclusive

client ssl-policy (HTTP view)

Function

The client ssl-policy command configures an SSL policy for an HTTP client.

The undo client ssl-policy command deletes the SSL policy on an HTTP client.

By default, no SSL policy is configured on an HTTP client.

Format

client ssl-policy policy-name

undo client ssl-policy

Parameters

Parameter: policy-name
Description: Specifies the name of an SSL policy.
Value: The name of an SSL policy must already exist.

Views

HTTP view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Legacy HTTP has no security mechanism: it transmits data in plaintext and does not verify the identities of the communicating parties, so data transmitted over HTTP may be tampered with. HTTP is therefore unsuitable for applications that require high security, such as e-commerce and online banking. To enhance security, run the client ssl-policy command to configure an SSL policy for an HTTP client.

Configuration Impact

HTTP security is enhanced with the SSL security mechanisms, such as data encryption, identity verification, and message integrity check.

Prerequisites

  1. An SSL policy has been created and the SSL policy view is displayed using the ssl policy command in the system view.

  2. A digital certificate or certificate chain has been loaded using the certificate load command in the SSL policy view.

Precautions

An HTTP client can only have one SSL policy configured. If the client ssl-policy command is run more than once, the latest configuration overrides the previous one.

Example

# Configure an SSL policy named policy1 for an HTTP client.

<HUAWEI> system-view
[~HUAWEI] ssl policy policy1
[*HUAWEI-ssl-policy-policy1] certificate load pem-cert a_servercertchain2_pem_dsa.pem key-pair dsa key-file a_serverkeychain2_pem_dsa.pem auth-code cipher 123456
[*HUAWEI-ssl-policy-policy1] commit
[~HUAWEI-ssl-policy-policy1] quit
[~HUAWEI] http
[*HUAWEI-http] client ssl-policy policy1

client ssl-verify peer (HTTP view)

Function

The client ssl-verify peer command configures an HTTP client to perform SSL verification on HTTP servers.

The undo client ssl-verify command disables SSL verification of HTTP servers on an HTTP client.

By default, an HTTP client does not perform SSL verification on HTTP servers.

Format

client ssl-verify peer

undo client ssl-verify

Parameters

None

Views

HTTP view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure an HTTP client to perform SSL verification on HTTP servers, run the client ssl-verify peer command. After the HTTP client receives the SSL digital certificate presented by a server, the client can verify the validity of the server. This prevents the client from accessing invalid servers, enhancing security.

Precautions

This command takes effect only if the client ssl-policy command has also been run to configure an SSL policy for the client.

Example

# Configure an HTTP client to perform SSL verification on HTTP servers.

<HUAWEI> system-view
[~HUAWEI] http
[*HUAWEI-http] client ssl-verify peer

configuration exclusive timeout

Function

The configuration exclusive timeout command sets the timeout period before the system automatically unlocks the configuration set.

The undo configuration exclusive timeout command restores the default timeout period.

By default, the timeout period is 30 seconds.

Format

configuration exclusive timeout timeout-value

undo configuration exclusive timeout

Parameters

Parameter: timeout-value
Description: Specifies the timeout period before the system automatically unlocks the configuration set.
Value: The value is an integer ranging from 1 to 7200, in seconds. By default, the timeout period is 30 seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

The configuration exclusive timeout command sets the maximum period during which the user that locks the configuration set may deliver no commands. After the timeout period expires, the configuration set is automatically unlocked and other users can run commands normally.

Whether the configuration exclusive timeout command can be run depends on who holds the configuration lock:
  • If a user without configuration access runs this command, the system displays an error message.
  • If the configuration set is locked by another user, the command fails and the system displays an error message.
  • If the configuration set is locked by the current user, the current user can run this command.
NOTE:
When running the configuration exclusive timeout command, note the following:
  • If the timeout period is too short, the configuration set is unlocked after only a brief period during which the user that locked it runs no command.
  • If the timeout period is too long, the configuration set remains locked, and other users cannot obtain configuration access, for a long period during which the user that locked it runs no command.
  • After this command is run, no user other than the one that ran it can run configuration commands, because the configuration set is locked.

Example

# Set the timeout period before the system automatically unlocks the configuration set to 120 seconds.
<HUAWEI> system-view
[~HUAWEI] configuration exclusive timeout 120

display configuration exclusive user

Function

The display configuration exclusive user command displays information about the user that locks the configuration set.

Format

display configuration exclusive user

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display configuration exclusive user command to query the user that obtains configuration access.

Example

# Display the user that locks the configuration set.
<HUAWEI> display configuration exclusive user
User Index: 34
User Session Name: VTY 0
User Name: root
IP Address: 10.135.38.234
Locked Time: 2013-03-06 21:09:36
Last Configuration Time: 2013-03-06 21:09:36
The configuration right was locked and timeout duration is: 30 second(s)
Table 3-17  Description of the display configuration exclusive user command output
Item Description

User Index

Index of a user

User Session Name

Session name of a user, ranging from VTY0 to VTY20

User Name

Name of the logged-in user

IP Address

IP address of a user, valid for VTY users only

Locked Time

Time when the configuration set is locked

Last Configuration Time

Time when the user runs the last command

The configuration right was locked and timeout duration is

Indicates that the configuration right is locked and shows the timeout period after which it is unlocked automatically
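A runnable model of the lock semantics described for configuration exclusive, configuration exclusive timeout and display configuration exclusive user, added here as an illustration rather than Huawei's implementation. Times are plain seconds, and the second session's index, name and IP address are constructed values.

```python
"""Model of the configuration lock: one holder at a time, other users may only
query, the idle timeout runs from the holder's last command (not from the lock
time), and the lock is released on undo, on timeout or when the holder logs out.

Added illustration, not Huawei code. Times are plain seconds (constructed),
not the device clock.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """A CLI session; the fields mirror the display configuration exclusive user output."""
    index: int
    name: str                   # e.g. "VTY 0"
    user: str
    ip: str
    config_access: bool = True  # False models a user without configuration access


@dataclass
class ConfigLock:
    timeout: int = 30                   # seconds; default and 1..7200 range per the reference
    holder: Optional[Session] = None
    locked_time: float = 0.0
    last_config_time: float = 0.0

    def _expire_if_idle(self, now: float) -> None:
        """Automatic unlock once the holder has delivered no command for `timeout` seconds."""
        if self.holder is not None and now - self.last_config_time >= self.timeout:
            self.holder = None

    def lock(self, s: Session, now: float) -> str:
        """configuration exclusive: only one user can hold the lock at a time."""
        self._expire_if_idle(now)
        if self.holder is not None and self.holder.index != s.index:
            return f"Error: configuration locked by {self.holder.user} ({self.holder.name})"
        self.holder, self.locked_time, self.last_config_time = s, now, now
        return "Info: configuration locked"

    def unlock(self, s: Session) -> str:
        """undo configuration exclusive; only the holder can release the lock."""
        if self.holder is not None and self.holder.index == s.index:
            self.holder = None
            return "Info: configuration unlocked"
        return "Error: configuration not locked by this user"

    def logout(self, s: Session) -> None:
        """After the holder logs out, the configuration is unlocked automatically."""
        if self.holder is not None and self.holder.index == s.index:
            self.holder = None

    def run_config_command(self, s: Session, now: float) -> str:
        """A modifying command: refreshes the idle timer for the holder, fails for others."""
        self._expire_if_idle(now)
        if self.holder is not None and self.holder.index != s.index:
            return "Error: configuration locked by another user; query only"
        if self.holder is not None:
            self.last_config_time = now
        return "Info: command executed"

    def query(self, s: Session) -> str:
        """Display commands are always permitted, whoever holds the lock."""
        return "Info: query executed"

    def set_timeout(self, s: Session, value: int, now: float) -> str:
        """configuration exclusive timeout: needs configuration access, 1..7200 s,
        and is rejected while another user holds the lock."""
        self._expire_if_idle(now)
        if not s.config_access:
            return "Error: no configuration access"
        if not 1 <= value <= 7200:
            return "Error: timeout must be an integer from 1 to 7200 seconds"
        if self.holder is not None and self.holder.index != s.index:
            return "Error: configuration locked by another user"
        self.timeout = value
        if self.holder is not None:
            self.last_config_time = now  # the timeout command itself counts as the holder's command
        return f"Info: timeout set to {value} second(s)"

    def display(self, now: float) -> dict:
        """display configuration exclusive user: empty when nobody holds the lock."""
        self._expire_if_idle(now)
        if self.holder is None:
            return {}
        h = self.holder
        return {"User Index": h.index, "User Session Name": h.name, "User Name": h.user,
                "IP Address": h.ip, "Locked Time": self.locked_time,
                "Last Configuration Time": self.last_config_time, "Timeout": self.timeout}
```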

display dsa key-pair

Function

The display dsa key-pair command displays information about the DSA key pair with a label.

Format

display dsa key-pair [ brief | label label-name ]

Parameters

Parameter: brief
Description: Displays brief information about all DSA key pairs with labels.
Value: -

Parameter: label label-name
Description: Displays information about the DSA key pair with a specific label.
Value: Label name of the key pair.

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display dsa key-pair command to check information about the DSA key pair with a label. The information varies when you specify different parameters in the command.

  • If brief is specified, you can view brief information about all DSA key pairs with labels.

  • If label label-name is specified, you can view information about the DSA key pair with a specific label.

  • When neither label nor brief is specified, you can view information about all DSA key pairs with labels.

Example

# Display information about all DSA key pairs with labels.

<HUAWEI> display dsa key-pair
=====================================                                           
Label name: abc                                                                 
Modulus: 2048                                                                   
Time of Key pair created: 2014-01-13 07:41:46                                   
=====================================                                           
Key :                                                                           
=====================================     
Table 3-18  Description of the display dsa key-pair command output
Label name: Label of the key pair. To specify the label name, run the dsa key-pair label command.
Modulus: Modulus of the key pair. To specify the modulus of the key pair, run the dsa key-pair label command.
Time of Key pair created: Time when the key pair is generated.
Key: Code of the key pair.

display dsa local-key-pair public

Function

The display dsa local-key-pair public command displays the public key in the local DSA key pair of the device.

Format

display dsa local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays the public key in the local DSA key pair. You can copy the public key in the command output to the DSA public key of the SSH server to ensure that the public keys on the client and server are consistent and that the client can be authenticated by the server.

Example

# Display the public key in the client DSA key pair.

<HUAWEI> display dsa local-key-pair public
========================================================
Time of key pair created : 2017-08-02 16:45:00
Key name                 : HUAWEI_Host_DSA
Key modulus              : 2048
Key type                 : DSA encryption key
========================================================
Key code:

Host public key for PEM format code:

Public key code for pasting into OpenSSH authorized_keys file:
Table 3-19  Description of the display dsa local-key-pair public command output

Item

Description

Time of key pair created

Time when the public key is created.

Key name

Name of the public key.

Key modulus

Length of the key.

Key type

Type of the public key.

Key code

Content of the key.

Host public key for PEM format code

PEM code of the public key.

Public key code for pasting into OpenSSH authorized_keys file

Public key format in the OpenSSH file.

display dsa peer-public-key

Function

The display dsa peer-public-key command displays the DSA public key that has been configured.

Format

display dsa peer-public-key [ brief | name key-name ]

Parameters

Parameter: brief
Description: Displays the brief information.
Value: -

Parameter: name key-name
Description: Displays the DSA public key with the specified name.
Value: The key-name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command displays the DSA public key for you to check whether the local and peer public keys are consistent.

Precautions

You must complete the DSA public key configuration before running this command.

Example

# Display the DSA public key with the specified name.

<HUAWEI> display dsa peer-public-key name dsakey001
=====================================
    Key name      : dsakey001
    Encoding type : DER
=====================================
Key code:
Table 3-20  Description of the display dsa peer-public-key command output

Item

Description

Key name

Name of the public key.

Encoding type

Type of the public key encoding format.

Key code

Code of the public key.

display ecc key-pair

Function

The display ecc key-pair command displays information about the ECC key pair with a label.

Format

display ecc key-pair [ brief | label label-name ]

Parameters

Parameter: brief
Description: Displays brief information about all ECC key pairs with labels.
Value: -

Parameter: label label-name
Description: Displays information about the ECC key pair with a specific label.
Value: Label name of the key pair.

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display ecc key-pair command to check information about the ECC key pair with a label. The information varies when you specify different parameters in the command.

  • If brief is specified, you can view brief information about all ECC key pairs with labels.

  • If label label-name is specified, you can view information about the ECC key pair with a specific label.

  • When neither label nor brief is specified, you can view information about all ECC key pairs with labels.

Example

# Display information about all ECC key pairs with labels.

<HUAWEI> display ecc key-pair
=====================================                                           
Label name: abc123                                                              
Modulus: 521                                                                    
Time of Key pair created: 2014-01-13 08:01:02                                   
=====================================                                           
Key :                                                                           
    0400B83D B5796B8F 28060F9E 6AA444C6 17F904D5 DE1D25D1 DF86CC94              
    5B30D58B A8BEA1D6 405D7928 AADCF587 ECCCFEE0 AE4235FE 3F78485C              
    BA72121D 5C76B902 34C0BC00 6815A445 F3EE1F36 9E7F9646 8E0EDA8D              
    51EF14B3 164C4742 970A158D 0807FBE6 FC9D9277 31CFF900 75600A8C              
    BA99BE37 366FFFFB 883C73EA 0970553C F2032738 3D                             
=====================================                                
Table 3-21  Description of the display ecc key-pair command output
Label name: Label of the key pair. To specify the label name, run the ecc key-pair label command.
Modulus: Modulus of the key pair. To specify the modulus of the key pair, run the ecc key-pair label command.
Time of Key pair created: Time when the key pair is generated.
Key: Code of the key pair.

display ecc local-key-pair public

Function

The display ecc local-key-pair public command displays information about the public key in the local ECC key pair.

Format

display ecc local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display ecc local-key-pair public command to check information about the public key in the local ECC key pair on a client and then copy the public key to the server. With this public key, the server can authenticate the client user, so that only authorized users can log in.

Example

# Display information about the public key in the local ECC key pair on a client.

<HUAWEI> display ecc local-key-pair public
========================================================                        
Time of key pair created : 2013-12-30 11:11:20                                  
Key name                 : HUAWEI_Host_ECC                                
Key modulus              : 521                                                  
Key type                 : ECC encryption key                                   
========================================================                        
Key code:                                                                       
    04012998 DFDD74C4 3F58DF73 C9CED003 8BB308ED                                
    8353FD26 BAF2F836 5EFDCC2A D26E185F 6F6E2E19                                
    683FF161 9141A7C2 3EEA52E3 9801E245 D33079A2                                
    B12DAF27 1DF59401 E5068456 C54FE0E0 5DD99CEB                                
    98C527DB B3CE0707 7863DC59 34EE830C 8AACBDB3                                
    5EA697C4 9A660DD8 1049A330 7DC7ED5A 905184AC                                
    0F6D6022 07731458 4DC1CE84 D8                                               
                                                                                
Host public key for PEM format code:                                            
---- BEGIN SSH2 PUBLIC KEY ----                                                 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAACFBAEpmN/ddMQ/WN9zyc7QA4uzCO2D                
U/0muvL4Nl79zCrSbhhfb24uGWg/8WGRQafCPupS45gB4kXTMHmisS2vJx31lAHl                
BoRWxU/g4F3ZnOuYxSfbs84HB3hj3Fk07oMMiqy9s16ml8SaZg3YEEmjMH3H7VqQ                
UYSsD21gIgdzFFhNwc6E2A==                                                        
---- END SSH2 PUBLIC KEY ----           
Table 3-22  Description of the display ecc local-key-pair public command output

Item

Description

Time of key pair created

Time when the public key in the local ECC key pair is generated, in the format of YYYY-MM-DD HH:MM:SS.

Key name

Name of the public key in the local ECC key pair.

Key modulus

Length of the public key in the local ECC key pair.

Key type

Type of the public key in the local ECC key pair.

Key code

Code of the public key in the local ECC key pair configured using the ecc local-key-pair command.

Host public key for PEM format code

PEM code of the public key in the local ECC key pair.


display ecc peer-public-key

Function

The display ecc peer-public-key command displays information about the ECC public key configured on the remote end.

Format

display ecc peer-public-key [ brief | name key-name ]

Parameters

Parameter: brief
Description: Displays brief information about the ECC public key configured on the remote end.
Value: -

Parameter: name key-name
Description: Displays the ECC public key with the specified name.
Value: The key-name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to check detailed information about the ECC public key and whether the local and peer public keys are the same.

Precautions

You must complete the ECC public key configuration before running this command.

Example

# Display brief information about all the ECC public keys.

<HUAWEI> display ecc peer-public-key brief
------------------------------------------                                      
      Bits Name                                                                 
------------------------------------------                                      
       521 sat                                                                  
------------------------------------------   

# Display detailed information about the ECC public key named sat.

<HUAWEI> display ecc peer-public-key name sat
=====================================
    Key name: sat
=====================================
Key code:
    040020D4 5436AC31 BB1501EE 54CB84B6 AD9D5DB5 1B65EA59 9B5409A9 045D12A5
    9133AF2C A7E9E80E 344E95DA D166E270 77B67702 72F9B94F FB78E487 1C2928C9
    5437CE00 93AD2608 0D940547 8D6B84AB DDD30FE1 75B2C790 884B4F91 5DEE668F
    08EE50CE 1CAE6D54 1A1DC28C 1936C451 ECBB7AB0 B7F2F09B 8F699940 CF81C7C7
    906A40F4 7D
Table 3-23  Description of the display ecc peer-public-key command output

Item

Description

Bits

Length of the ECC public key configured on the remote end.

Name

Name of the ECC public key configured on the remote end.

Key name

Name of the ECC public key configured on the remote end.

Key code

Code of the ECC public key configured on the remote end.


display rsa key-pair

Function

The display rsa key-pair command displays information about the RSA key pair with a label.

Format

display rsa key-pair [ brief | label label-name ]

Parameters

Parameter: brief
Description: Displays brief information about all RSA key pairs with labels.
Value: -

Parameter: label label-name
Description: Displays information about the RSA key pair with a specific label.
Value: Label name of the key pair.

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run the display rsa key-pair command to check information about the RSA key pair with a label. The information varies when you specify different parameters in the command.

  • If brief is specified, you can view brief information about all RSA key pairs with labels.

  • If label label-name is specified, you can view information about the RSA key pair with a specific label.

  • When neither label nor brief is specified, you can view information about all RSA key pairs with labels.

Example

# Display information about all RSA key pairs with labels.

<HUAWEI> display rsa key-pair
=====================================                                           
Label name               : a01                                                  
Modulus                  : 2048                                                 
Time of key pair created : 2013-12-31 01:47:14                                  
=====================================                                           
Key :                                                                           
    3082010A 02820101 00E788C5 7BE23271 71E4ACFE 2AC67BD1 5B6F2B1B 98B9B530     
    8C3A5635 2CA667E9 685537FB 7CFC6F7E B6834F92 3EB55305 AC37A137 A797318B     
    164873EE 9E156132 9CE6B060 E737C8EC C6B7B4B8 D79885EB B3710E69 D6420B5A     
    554573B6 B381E159 162601B7 2CA4DFD0 16899329 79EC1DE4 A23B0232 496E3373     
    3408DC0F D4C84A71 7FC821B8 21AD254B 928C1003 FF549929 889FAFA1 AE8AC22E     
    F5BDAD25 ECA8D7C0 EE711AC7 CAB34583 325D1D58 4DBCDE86 BF3DA0C0 BA9D872E     
    6F745D72 0FD66EE0 56F35FB4 5F347405 3E7BDCAF 2F0EFE7E 990AD206 D9DA400E     
    2C380055 8462D6E0 B93B0C73 EB394D01 D83A6B6F 37B64FAF F7DFBAA4 F7073AE1     
    CC1B0C5E 8F735904 19020301 0001                                             
=====================================    
Table 3-24  Description of the display rsa key-pair command output
Item Description
Label name Label name. To specify the label name, run the rsa key-pair label command.
Modulus Modulus of the RSA key pair. To specify the modulus of the RSA key pair, run the rsa key-pair label command.
Time of key pair created Time when the key pair is generated.
Key DER-encoded public key of the key pair (an RSAPublicKey SEQUENCE of modulus and public exponent).
display rsa local-key-pair public

Function

The display rsa local-key-pair public command displays the public key in the local key pair.

Format

display rsa local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Run this command on the SSH client to obtain the client's public key, then configure that key on the SSH server as the peer public key bound to the SSH user. The server can then verify the client's identity during public-key authentication, and the two sides can exchange data securely. The output prints the same key in four forms: the DER key code, the SSH2 PEM block, a one-line entry for an OpenSSH authorized_keys file, and the SSH1 format. Whichever form you copy, compare the key configured on the server with the one displayed here; a key that does not match is rejected during authentication.

Example

# Display the public key in the local key pair.

<HUAWEI> display rsa local-key-pair public
======================Host key==========================                        
Time of key pair created : 2013-12-30 08:55:13                                  
Key name                 : HUAWEI_Host                                    
Key type                 : RSA encryption key                                   
========================================================                        
Key code:                                                                       
                                                                                
3082010A                                                                        
  02820101                                                                      
    00C4D569 631EC1E2 833E315D 5DED65F3 498F2ED0                                
    9B04F901 DEC806AA 0941AC43 3BB7422B B1D6E754                                
    26B36B48 9F40A1CE AAF31314 5B729DFB 931BDBD8                                
    81EBF078 54D8570D B4BFDCF8 90091546 76CDED0A                                
    5FAAA330 9F4D6186 DE41AFBE A2FA67D7 EB3FC5E9                                
    FD80859D 4E7B1C12 21198FFA 231B8048 A6E6F0D3                                
    205557D6 B0580D81 ADFD2B6D 3256FBAE 9E81ABA6                                
    0E8FA794 5DB0AA13 FB4ACA36 E3D75918 C40E68C6                                
    9F6CA0C8 7FAD471C AF7F0BD5 4469C4A7 CF8BC85B                                
    EA735E02 5FAC972C 7BCD818C 3C8E3EAB DB830026                                
    D6CDBA62 F00C8928 4A04A67C A597207E 23D91EF3                                
    183E2466 F8D06754 CEE5EB2B 937E8516 AA1485D7                                
    79B7CB6B 5AB299AB FFB1E1BF A0353DD3 97                                      
  0203                                                                          
    010001                                                                      
                                                                                
Host public key for PEM format code:                                            
---- BEGIN SSH2 PUBLIC KEY ----                                                 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7I                
BqoJQaxDO7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJ                
FUZ2ze0KX6qjMJ9NYYbeQa++ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBV                
V9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso249dZGMQOaMafbKDIf61HHK9/                
C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8pZcgfiPZ                
HvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX                            
---- END SSH2 PUBLIC KEY ----                                                   
                                                                                
Public key code for pasting into OpenSSH authorized_keys file:                  
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDE1WljHsHigz4xXV3tZfNJjy7QmwT5Ad7IBqoJQaxD
O7dCK7HW51Qms2tIn0ChzqrzExRbcp37kxvb2IHr8HhU2FcNtL/c+JAJFUZ2ze0KX6qjMJ9NYYbeQa++
ovpn1+s/xen9gIWdTnscEiEZj/ojG4BIpubw0yBVV9awWA2Brf0rbTJW+66egaumDo+nlF2wqhP7Sso2
49dZGMQOaMafbKDIf61HHK9/C9VEacSnz4vIW+pzXgJfrJcse82BjDyOPqvbgwAm1s26YvAMiShKBKZ8
pZcgfiPZHvMYPiRm+NBnVM7l6yuTfoUWqhSF13m3y2taspmr/7Hhv6A1PdOX rsa-key            
                                                                                
Host public key for SSH1 format code:                                           
2048 65537 248479449894298928294307779358726016363453127732399382240868603696328
38092602580810460413033525882290576141938684323785867753090434139378610895900966
99069400366338221105253327868286329658226300153628555662751480887246101263431835
00691736600459588199818030880967385624775381317439545767556794593852794045844003
34335076114347973757304101202989966991960922618440645983410857662297120846209864
22771028604935279415615054836817431585686417436260033974542999889336079286514057
18228159988733198430380627228312138479579994102250624429597554309014943522876720
35453712256315056983907073654304186669580624268424033646475701244823            
                                                                                
======================Server key========================                        
Time of key pair created : 2013-12-30 08:55:14                                  
Key name                 : HUAWEI_Server                                  
Key type                 : RSA encryption key                                   
========================================================                        
Key code:                                                                       
                                                                                
3081B9                                                                          
  0281B1                                                                        
    00EA73D0 8787CAC7 01F5B1C3 BB526E42 18B4E740                                
    C26250C8 E6453106 A22CC86D 9D702D5A A7192FFA                                
    19ECBEAF C7AD3C56 89900E35 30D11766 4683E827                                
    960AB080 6D1D5403 BB9553FC 57046006 D2A12AEA                                
    086D0066 C7D81278 CC2720A9 7FF3F006 85EB945F                                
    8306A451 D2795842 8FDAC528 0EAE9D23 8E7D0B28                                
    BE4AA3BF 16F8282A 4C087B9E 87FBDF5D 7F2EB809                                
    BC0F278C E5A1D14E C664FD67 C6C48430 ED371D0E                                
    CD97BE6A 0BF06704 53817E6E 1690CEE3 45                                      
  0203                                                                          
    010001                                              
Table 3-25  Description of the display rsa local-key-pair public command output
Item Description
Time of key pair created Time and date when the key pair was created.
Key name Name of the key: the host public key or the server public key. The server public key is saved only when the key type is RSA.
Key type Type of the public key.
Key code DER-encoded code of the public key. The host key is additionally printed in SSH2 PEM, OpenSSH authorized_keys, and SSH1 formats for pasting into the corresponding client or server configuration.
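The DER key code printed above encodes the same key as the SSH2 PEM and OpenSSH lines, just in a different container. The following Python script is an added example, not part of this Huawei document or of the device software: it decodes the PKCS#1 RSAPublicKey DER from the display rsa local-key-pair public output (the Host key section) and from the rsakey001 entry of the display rsa peer-public-key name output further down this page, both copied into the script as constructed inputs; rebuilds the OpenSSH authorized_keys entry so it can be compared with the one the switch prints; computes the SHA256 fingerprint in the form ssh-keygen -l prints; and applies a minimum-size policy check a practitioner would run before trusting a peer key. The function names and the policy thresholds are the example's own choices.

```python
import base64
import hashlib
import re

# Constructed inputs copied from the example outputs on this page: the "Host key"
# section of display rsa local-key-pair public, and the rsakey001 entry of
# display rsa peer-public-key name. Both are DER-encoded PKCS#1 RSAPublicKey values.
HOST_KEY_CODE = """
3082010A
  02820101
    00C4D569 631EC1E2 833E315D 5DED65F3 498F2ED0
    9B04F901 DEC806AA 0941AC43 3BB7422B B1D6E754
    26B36B48 9F40A1CE AAF31314 5B729DFB 931BDBD8
    81EBF078 54D8570D B4BFDCF8 90091546 76CDED0A
    5FAAA330 9F4D6186 DE41AFBE A2FA67D7 EB3FC5E9
    FD80859D 4E7B1C12 21198FFA 231B8048 A6E6F0D3
    205557D6 B0580D81 ADFD2B6D 3256FBAE 9E81ABA6
    0E8FA794 5DB0AA13 FB4ACA36 E3D75918 C40E68C6
    9F6CA0C8 7FAD471C AF7F0BD5 4469C4A7 CF8BC85B
    EA735E02 5FAC972C 7BCD818C 3C8E3EAB DB830026
    D6CDBA62 F00C8928 4A04A67C A597207E 23D91EF3
    183E2466 F8D06754 CEE5EB2B 937E8516 AA1485D7
    79B7CB6B 5AB299AB FFB1E1BF A0353DD3 97
  0203
    010001
"""
PEER_KEY_CODE = """
308188
  028180
    739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
    7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
    61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
    44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
  0203
    010001
"""


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(key_code):
    """Decode RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    Returns (n, e) as Python ints and rejects anything that is not exactly that structure."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_code))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected a SEQUENCE of exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    return len(data).to_bytes(4, "big") + data


def _ssh_mpint(value):
    data = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if data and data[0] & 0x80:             # RFC 4251 mpint: prepend 0x00 to keep the value positive
        data = b"\x00" + data
    return _ssh_string(data)


def openssh_blob(n, e):
    """RFC 4253 'ssh-rsa' public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_authorized_keys_line(n, e, comment="rsa-key"):
    return "ssh-rsa " + base64.b64encode(openssh_blob(n, e)).decode("ascii") + " " + comment


def sha256_fingerprint(n, e):
    """Same form as 'ssh-keygen -l -E sha256': unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(openssh_blob(n, e)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_policy(n, e, min_bits=2048):
    """Findings a reviewer wants before trusting a peer key. Thresholds are this example's choice."""
    findings = []
    if n.bit_length() < min_bits:
        findings.append(f"modulus is {n.bit_length()} bits, below the {min_bits}-bit minimum")
    if e < 65537:
        findings.append(f"public exponent {e} is smaller than the customary 65537")
    return findings


if __name__ == "__main__":
    for label, code in (("host key", HOST_KEY_CODE), ("peer key rsakey001", PEER_KEY_CODE)):
        n, e = parse_rsa_public_key(code)
        print(f"{label}: {n.bit_length()} bits, e={e}, {sha256_fingerprint(n, e)}")
        print("  " + to_authorized_keys_line(n, e)[:60] + "...")
        for finding in check_policy(n, e):
            print("  WARNING:", finding)
```

For the host key the rebuilt authorized_keys line is identical to the one the switch prints, which is the check to make when pasting a key into a server: parse what you copied and compare, rather than trusting that nothing was truncated or altered in transit. The peer key on this page decodes to a modulus whose top byte is 0x73, so its exact length is 1023 bits even though the brief listing reports the nominal 1024; the policy check flags it either way, which is the right outcome for a key below 2048 bits.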

display rsa peer-public-key

Function

The display rsa peer-public-key command displays the peer public key saved on the local host. If no parameter is specified, the command displays detailed information about all peer public keys.

Format

display rsa peer-public-key [ brief | name key-name ]

Parameters

Parameter Description Value
brief Displays the brief information about all peer public keys. -
name key-name Specifies the key name. The key-name must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to view the RSA public key of a peer as saved on the local device and to confirm that it matches the public key the peer actually presents. A mismatch means that the saved key was entered incorrectly or that the peer's key has changed, and authentication with that peer will fail.

Precautions

Before running the display rsa peer-public-key command, run the rsa peer-public-key command to configure the peer public key on the local device.

Example

# Display the brief information about all RSA public keys.

<HUAWEI> display rsa peer-public-key brief
------------------------------------------
        Bits   Name
------------------------------------------
        1024   rsakey001
------------------------------------------
Table 3-26  Description of the display rsa peer-public-key brief command output
Item Description
Bits Length of the public key, in bits.
Name Name of the public key.

# Display the detailed information about the RSA public key named rsakey001.

<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
    Key name      : rsakey001
    Encoding type : DER
=====================================
Key code:
308188
  028180
    739A291A BDA704F5 D93DC8FD F84C4274 631991C1 64B0DF17 8C55FA83 3591C7D4
    7D5381D0 9CE82913 D7EDF9C0 8511D83C A4ED2B30 B809808E B0D1F52D 045DE408
    61B74A0E 135523CC D74CAC61 F8E58C45 2B2F3F2D A0DCC48E 3306367F E187BDD9
    44018B3B 69F3CBB0 A573202C 16BB2FC1 ACF3EC8F 828D55A3 6F1CDDC4 BB45504F
  0203
    010001
Table 3-27  Description of the display rsa peer-public-key name command output
Item Description
Key name Name of the public key.
Encoding type Encoding type of the public key.
Key code Code of the public key.

display ssh server

Function

The display ssh server command displays the SSH server information.

Format

display ssh server { status | session }

Parameters

Parameter Description Value
status Displays the global configuration on the SSH server. -
session Displays the current session connection information on the SSH server. -

Views

All views

Default Level

3: Management level

Usage Guidelines

After configuring the SSH attributes, you can run this command to view the configuration or session connection information on the SSH server to verify that the SSH connection has been established.

Example

# Display the global configuration on the SSH server.

<HUAWEI> display ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server keepalive                       : Enable
SFTP IPv4 server                           : Enable
SFTP IPv6 server                           : Enable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Disable
SNETCONF IPv6 server                       : Disable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH server DES                             : Enable
SSH IPv4 server port                       : 22
SSH IPv6 server port                       : 22
SSH server source address                  : 0.0.0.0
SSH ipv6 server source address             : 0::0
SSH ipv6 server source vpnName             :
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
SSH server ip-block                        : Enable
Table 3-28  Description of the display ssh server status command output
Item Description
SSH Version Protocol version used for SSH session connections.
SSH authentication timeout (Seconds) Timeout interval of SSH server authentication, in seconds. Run the ssh server timeout command to set this item.
SSH authentication retries (Times) Maximum number of authentication attempts allowed for one SSH connection. Run the ssh server authentication-retries command to set this item.
SSH server key generating interval (Hours) Interval at which the SSH server key pair is regenerated, in hours. The value 0 indicates that the server key is not regenerated periodically. Run the ssh server rekey-interval command to set this item.
SSH version 1.x compatibility Whether the server accepts SSH 1.x clients. The value can be Enable or Disable. SSH 1.x has known protocol weaknesses, so keep this item set to Disable unless a legacy client requires it. Run the ssh server compatible-ssh1x enable command to set this item.
SSH server keepalive Keepalive state of the SSH server. The value can be Enable or Disable. Run the ssh server keepalive disable command to set this item.
SFTP IPv4 server/SFTP IPv6 server Status of the SFTP server. The value can be Enable or Disable. Run the sftp server enable command to set this item.
STELNET IPv4 server/STELNET IPv6 server Status of the STelnet server. The value can be Enable or Disable. Run the stelnet server enable command to set this item.
SNETCONF IPv4 server/SNETCONF IPv6 server Status of the SNETCONF server. The value can be Enable or Disable. Run the snetconf server enable command to set this item.
SNETCONF IPv4 server port(830)/SNETCONF IPv6 server port(830) Whether the SNETCONF server listens on port 830. The value can be Enable or Disable. Run the protocol inbound ssh port 830 command to set this item.
SCP IPv4 server/SCP IPv6 server Status of the SCP server. The value can be Enable or Disable. Run the scp server enable command to set this item.
SSH server DES Whether the DES cipher is enabled on the SSH server. The value can be Enable or Disable. DES uses a 56-bit key and is no longer considered secure, so disable it unless a legacy client requires it. Run the ssh server cipher command to set this item.
SSH IPv4 server port/SSH IPv6 server port Listening port of the SSH server. Run the ssh server port command to set this item.
SSH server source address/SSH ipv6 server source address Source IP address of the SSH server. 0.0.0.0 or 0::0 indicates that no dedicated source address is configured. Run the ssh server-source -i interface-type interface-number command to set this item.
SSH ipv6 server source vpnName VPN instance name of the SSH IPv6 server source address.
ACL name Name of the ACL bound to the SSH server. -- indicates that no ACL is bound, in which case any host that can reach the SSH port may attempt to authenticate. Run the ssh server acl acl-name command to set this item.
ACL number Number of the ACL bound to the SSH server. Run the ssh server acl acl-number command to set this item.
ACL6 name Name of the ACL6 bound to the SSH server. Run the ssh ipv6 server acl acl-name command to set this item.
ACL6 number Number of the ACL6 bound to the SSH server. Run the ssh ipv6 server acl acl-number command to set this item.
SSH server ip-block Whether the SSH server locks out client IP addresses that repeatedly fail authentication. The value can be Enable or Disable.

# Display the current session connection information on the SSH server.

<HUAWEI> display ssh server session
--------------------------------------------------------------------------------
Session                       : 1                                               
Connect type                  : VTY 20                                          
Version                       : 2.0                                             
State                         : Started                                         
Username                      : client001                                       
Retry                         : 1                                               
Client to Server cipher       : aes256-cbc                                      
Server to Client cipher       : aes256-cbc                                      
Client to Server HMAC         : hmac-sha2-256                                   
Server to Client HMAC         : hmac-sha2-256                                   
Client to Server compression  : none                                            
Server to Client compression  : none                                            
Key exchange algorithm        : diffie-hellman-group1-sha1                      
Public key                    : RSA 
Service type                  : stelnet                                         
Authentication type           : password                                        
Connection port number        : 22                                              
Idle time                     : 00:00:14                                        
--------------------------------------------------------------------------------
Table 3-29  Description of the display ssh server session command output
Item Description
Session SSH session ID.
Connect type Connection used by the SSH session. The options are as follows:
  • VTY: connection used by an STelnet user
  • NCA: connection used by an SNetconf user
  • SFTP: connection used by an SFTP user
Version Protocol version used for the SSH session connection.
State Status of the SSH session connection.
Username User name of the SSH session. Run the ssh user command to set this item.
Retry Number of authentication attempts made in this session. The upper limit is set by the ssh server authentication-retries command.
Client to Server cipher Encryption algorithm negotiated for traffic from the client to the server.
Server to Client cipher Encryption algorithm negotiated for traffic from the server to the client.
Client to Server HMAC HMAC algorithm negotiated for traffic from the client to the server.
Server to Client HMAC HMAC algorithm negotiated for traffic from the server to the client.
Client to Server compression Compression algorithm negotiated for traffic from the client to the server.
Server to Client compression Compression algorithm negotiated for traffic from the server to the client.
Key exchange algorithm Key exchange algorithm negotiated for the session. The value in the example, diffie-hellman-group1-sha1, uses a 1024-bit Diffie-Hellman group and SHA-1 and is no longer considered secure; this item is where you confirm that a stronger algorithm was actually negotiated when the client supports one.
Public key Public key algorithm used for server authentication, which can be RSA, DSA, or ECC.
NOTE: You are advised to use the more secure ECC algorithm.
Service type Service type of the SSH user. The options are as follows:
  • sftp
  • stelnet
  • snetconf
Run the ssh user service-type command to set this item.
Authentication type Authentication mode of the SSH user. The options are as follows:
  • password
  • rsa
  • dsa
  • ecc
  • password-rsa (password and RSA)
  • password-dsa (password and DSA)
  • password-ecc (password and ECC)
  • all (password, DSA, ECC, or RSA)
Run the ssh user authentication-type command to set this item.
Connection port number Port number of the SSH server. Run the ssh server port command to set this item.
Idle time Idle time of the SSH session.
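Reading the status and session outputs by eye makes it easy to miss a weak setting. The following Python script is an added example, not part of this Huawei document: it parses the "Item : value" layout shared by the display ssh server status and display ssh server session outputs (excerpts of the two examples above, embedded as constructed inputs) and reports what a security review would flag, such as DES enabled, no ACL bound, a server key that is never regenerated, a SHA-1 key exchange or CBC ciphers on a live session, and password-only authentication. The rule set and function names are the example's own; the commands named in the findings are the ones listed in the tables above.

```python
# Constructed inputs: excerpts of the display ssh server status and display ssh server
# session example outputs above, trimmed to the items the rules below inspect.
STATUS_OUTPUT = """\
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server DES                             : Enable
SSH IPv4 server port                       : 22
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
SSH server ip-block                        : Enable
"""

SESSION_OUTPUT = """\
Session                       : 1
Connect type                  : VTY 20
Version                       : 2.0
Username                      : client001
Client to Server cipher       : aes256-cbc
Server to Client cipher       : aes256-cbc
Client to Server HMAC         : hmac-sha2-256
Server to Client HMAC         : hmac-sha2-256
Key exchange algorithm        : diffie-hellman-group1-sha1
Public key                    : RSA
Authentication type           : password
"""

OBSOLETE_CIPHER_PREFIXES = ("des", "3des", "arcfour", "blowfish")
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}


def parse_display(text):
    """Turn 'Item : value' lines into a dict; blank values and '--' become None."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        item, _, value = line.partition(":")   # split at the first colon only, so 0::0 survives
        value = value.strip()
        fields[item.strip()] = None if value in ("", "--") else value
    return fields


def audit_status(fields):
    """Rules over display ssh server status; the command in parentheses is the one that sets the item."""
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH 1.x compatibility enabled; SSH-1 is insecure (ssh server compatible-ssh1x)")
    if fields.get("SSH server DES") == "Enable":
        findings.append("DES cipher enabled; 56-bit DES is broken (ssh server cipher)")
    if fields.get("SSH server key generating interval (Hours)") == "0":
        findings.append("server key is never regenerated (ssh server rekey-interval)")
    if fields.get("ACL name") is None and fields.get("ACL number") is None:
        findings.append("no IPv4 ACL bound; any source may reach the SSH port (ssh server acl)")
    if fields.get("ACL6 name") is None and fields.get("ACL6 number") is None:
        findings.append("no IPv6 ACL bound; any source may reach the SSH port (ssh ipv6 server acl)")
    if fields.get("SSH server ip-block") != "Enable":
        findings.append("ip-block disabled; repeated failed logins are not locked out")
    retries = fields.get("SSH authentication retries (Times)")
    if retries is not None and int(retries) > 3:
        findings.append(f"authentication retries set to {retries} (ssh server authentication-retries)")
    return findings


def audit_session(fields):
    """Rules over one display ssh server session block: what was actually negotiated."""
    findings = []
    kex = fields.get("Key exchange algorithm") or ""
    if kex.endswith("-sha1"):
        group = " and a 1024-bit DH group" if kex == "diffie-hellman-group1-sha1" else ""
        findings.append(f"key exchange {kex} relies on SHA-1{group}")
    for direction in ("Client to Server", "Server to Client"):
        cipher = fields.get(f"{direction} cipher") or ""
        if cipher.startswith(OBSOLETE_CIPHER_PREFIXES):
            findings.append(f"{direction} cipher {cipher} is obsolete")
        elif cipher.endswith("-cbc"):
            findings.append(f"{direction} cipher {cipher} uses CBC mode; prefer CTR or GCM")
        mac = fields.get(f"{direction} HMAC") or ""
        if mac in WEAK_MACS:
            findings.append(f"{direction} HMAC {mac} uses MD5 or SHA-1")
    if fields.get("Authentication type") == "password":
        findings.append("session authenticated by password only; prefer public-key or password plus key")
    return findings


def audit(status_text, session_text):
    """Findings for both outputs, prefixed with the output they came from."""
    return ([f"status: {f}" for f in audit_status(parse_display(status_text))]
            + [f"session: {f}" for f in audit_session(parse_display(session_text))])


if __name__ == "__main__":
    for finding in audit(STATUS_OUTPUT, SESSION_OUTPUT):
        print(finding)
```

Against the page's own examples the script reports four status findings (DES enabled, no rekey interval, no IPv4 ACL, no IPv6 ACL) and four session findings (SHA-1 key exchange with a 1024-bit group, CBC in both directions, password-only authentication). The status rules describe what the server offers; the session rules describe what a real client negotiated, which is the better evidence that a hardening change took effect.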

display ssh server-info

Function

The display ssh server-info command displays the binding between the SSH server and RSA, DSA, or ECC public key when the current device works as the SSH client.

Format

display ssh server-info

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

When the SSH client needs to authenticate the server, it compares the public key presented by the server with the server public key saved on the local host. If the authentication fails, run the display ssh server-info command to verify that the saved server public key is correct.

Example

# Display all bindings between the SSH server and public keys on the SSH client.

<HUAWEI> display ssh server-info
-----------------------------------------------------------------------------------------------------------------                   
Server Name(IP)                                 Server public key name          Server public key type State                        
-----------------------------------------------------------------------------------------------------------------                   
192.168.1.120                                   192.168.1.120                   RSA                    CONFIGURE                    
192.168.1.110                                   192.168.1.110                   RSA                    CONFIGURE                    
----------------------------------------------------------------------------------------------------------------- 
Table 3-30  Description of the display ssh server-info command output
Item Description
Server Name(IP) Host name or IP address of the SSH server.
Server public key name Name of the public key bound to the SSH server.
Server public key type Type of the public key bound to the SSH server (RSA, DSA, or ECC).
State State of the server public key:
  • CONFIGURE: the server public key is saved in the database.
  • DYNAMIC: the server public key is not saved in the database.
Only a CONFIGURE binding gives the client a persistent record of the server's identity. Before relying on a DYNAMIC binding, compare its key with the one the server administrator publishes; a key accepted without that comparison is only as trustworthy as the first connection that presented it.

display ssh user-information

Function

The display ssh user-information command displays the configuration of all SSH users.

Format

display ssh user-information [ username ]

Parameters

Parameter Description Value
username Specifies the name of the SSH user whose configuration is displayed. The SSH user must already exist.

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays the SSH user name, bound RSA, DSA, or ECC public key name, and service type.

Example

# Display the configuration of all SSH users.

<HUAWEI> display ssh user-information
--------------------------------------------------------------------------------
User Name             : client001                                               
Authentication type   : password                                                
User public key name  : --                                                      
User public key type  : --                                                      
Sftp directory        : flash:                                                  
Service type          : sftp                                                    
                                                                                
User Name             : client002                                               
Authentication type   : rsa                                                     
User public key name  : --                                                      
User public key type  : --                                                      
Sftp directory        : flash:                                                  
Service type          : sftp  
--------------------------------------------------------------------------------
Total 2, 2 printed 
Table 3-31  Description of the display ssh user-information command output
Item Description
User Name SSH user name. Run the ssh user command to set this item.
Authentication type Authentication mode of the SSH user. The options are as follows:
  • password
  • rsa
  • dsa
  • ecc
  • password-rsa (password and RSA)
  • password-dsa (password and DSA)
  • password-ecc (password and ECC)
  • all (password, DSA, ECC, or RSA)
Run the ssh user authentication-type command to set this item.
User public key name Name of the peer RSA, DSA, or ECC public key assigned to the SSH user. A user whose authentication type requires a key but whose key name is -- (client002 in the example) cannot complete key-based authentication until a key is assigned. Run the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command to set this item.
User public key type Type of the public key assigned to the SSH user:
  • RSA: the type is RSA.
  • DSA: the type is DSA.
  • ECC: the type is ECC.
  • --: no public key is assigned.
Sftp directory SFTP service directory of the SSH user. Run the ssh user sftp-directory command to set this item.
Service type Service type of the SSH user. The options are as follows:
  • sftp: the service type is SFTP.
  • stelnet: the service type is STelnet.
  • snetconf: the service type is SNetConf.
  • --: no service type is specified.
Run the ssh user service-type command to set this item.

display telnet server

Function

The display telnet server command displays the configuration of the current Telnet server.

Format

display telnet server

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

When you fail to log in to a server using Telnet, run the display telnet server command to check the configuration of the Telnet server. The command output can help you find the cause of the login failure.

Example

# Display the basic configuration of the Telnet server.

<HUAWEI> display telnet server
Telnet server                     : Enable
Telnet server port                : 23
Telnet IPv6 server                : Disable
Telnet IPv6 server port           : 23
Telnet server source address      : 0.0.0.0
TELNET ipv6 server source address : 0::0
TELNET ipv6 server source vpnName :
ACL name                          : --
ACL number                        : --
ACL6 name                         : --
ACL6 number                       : --
Table 3-32  Description of the display telnet server command output
Item Description
Telnet server Status of the Telnet server. The value can be Enable or Disable. Telnet carries credentials and commands in cleartext, so keep the Telnet server disabled wherever STelnet can be used instead. Run the telnet server disable command to set this item.
Telnet server port Telnet server port number. Run the telnet server port command to set this item.
Telnet IPv6 server Status of the Telnet IPv6 server. The value can be Enable or Disable. Run the telnet ipv6 server disable command to set this item.
Telnet IPv6 server port Port number of the Telnet IPv6 server. Run the telnet server port command to set this item.
Telnet server source address Source IP address of the Telnet server. Run the telnet server-source command to set this item.
TELNET ipv6 server source address Source IP address of the Telnet IPv6 server.
TELNET ipv6 server source vpnName Source VPN instance name of the Telnet IPv6 server.
ACL name Name of the ACL bound to the Telnet server. Run the telnet server acl acl-name command to set this item.
ACL number Number of the ACL bound to the Telnet server. Run the telnet server acl acl-number command to set this item.
ACL6 name Name of the ACL6 bound to the Telnet server. Run the telnet ipv6 server acl acl-name command to set this item.
ACL6 number Number of the ACL6 bound to the Telnet server. Run the telnet ipv6 server acl acl-number command to set this item.

display telnet server status

Function

The display telnet server status command displays the connection of the Telnet server.

Format

display telnet server status

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can run this command to check the source IP address of the Telnet server and the source address carried in a connection request.

If the Telnet connection does not exist, no information is displayed after you run this command.

Example

# Display the status of the Telnet server.
<HUAWEI> display telnet server status
Session 1:                
Source ip address : 192.168.1.3            
VTY Index         : 0               
Session 2:                           
Source ip address : 192.168.1.4             
VTY Index         : 1                    
Session 3:                           
Source ip address : 192.168.1.5           
VTY Index         : 2                         
Session 4:                               
Source ip address : 192.168.1.6        
VTY Index         : 3                      
Current number of sessions : 4
Table 3-33  Description of the display telnet server status command output
Item Description
Session Index of the current connection.
Source ip address Source IP address of the Telnet connection.
VTY Index Relative number of the user interface.
Current number of sessions Number of current connections.

display telnet client

Function

The display telnet client command displays the number of current telnet connections.

Format

display telnet client

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

An administrator can use the display telnet client command to check how many users have logged in to a server through Telnet.

Example

# Display the number of current connections.

<HUAWEI> display telnet client
---------------------------------------
Current user count  : 2
Source IPv4 address : 10.1.1.2    
---------------------------------------
Table 3-34  Description of the display telnet client command output
Item Description
Current user count Number of currently connected users.
Source IPv4 address Source IPv4 address used for the Telnet connections.

dsa key-pair label

Function

The dsa key-pair label command generates a DSA key pair with a label.

The undo dsa key-pair label command deletes a DSA key pair with a label.

By default, no DSA key pair with a label is generated.

Format

dsa key-pair label label-name [ modulus modulus-bits ]

dsa key-pair label load private private-key public public-key

undo dsa key-pair label label-name

Parameters

Parameter Description Value
label-name Specifies the label name of a DSA key pair. The value is a string of 1 to 35 case-insensitive characters. The string can contain only letters, digits, and underscores (_).
modulus modulus-bits Specifies the modulus of the DSA key pair. The value is 2048, in bits. The default value is 2048. A larger modulus indicates higher security, but a larger key pair takes longer to generate and use.
load private private-key Specifies the private key in the key pair. The private-key must already exist.
public public-key Specifies the public key in the key pair. The public-key must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to generate a DSA key pair for user authentication. The DSA key pair improves authentication security. You can run the dsa key-pair label command to generate multiple DSA key pairs, and the key pairs are identified by different labels.

Precautions

You can run the dsa key-pair label command to generate multiple DSA key pairs with labels. The maximum number of DSA key pairs is specified by the dsa key-pair maximum command. By default, the device can generate a maximum of 20 DSA key pairs with labels.

Example

# Generate the DSA key pair with the label name ssh_host.

<HUAWEI> system-view
[~HUAWEI] dsa key-pair label ssh_host

dsa key-pair maximum

Function

The dsa key-pair maximum command configures the maximum number of DSA key pairs with labels that can be generated.

The undo dsa key-pair maximum command restores the maximum number of DSA key pairs with labels to the default value.

By default, the device can generate a maximum of 20 DSA key pairs with labels.

Format

dsa key-pair maximum max-keys

undo dsa key-pair maximum

Parameters

Parameter Description Value
max-keys Specifies the maximum number of DSA key pairs with labels. The value is an integer that ranges from 1 to 20.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Saving DSA key pairs consumes system memory and file resources. Therefore, you can adjust the maximum number of DSA key pairs as required to ensure that they do not occupy too many system resources.

Configuration Impact

The device fails to generate DSA key pairs with labels when the number of DSA key pairs reaches the upper limit specified by this command.

Example

# Set the maximum number of DSA key pairs with labels to 15.

<HUAWEI> system-view
[~HUAWEI] dsa key-pair maximum 15
dsa local-key-pair create

Function

The dsa local-key-pair create command generates a local DSA key pair.

By default, a local DSA key pair is not configured.

Format

dsa local-key-pair create

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Compared with RSA, the Digital Signature Algorithm (DSA) has a wider application range in the SSH protocol. As an asymmetric algorithm, DSA uses a generated public/private key pair to implement secure key exchange, which secures the session.

The prerequisite for a user to successfully log in to the SSH server using DSA authentication is to generate a local DSA key pair. A local DSA key pair can be generated in the following two methods:
  • Configuration: You can run the dsa local-key-pair create command to generate a local DSA key pair.

  • Automatic generation: If an SSH client logs in to a device and the SSH server has no DSA key pair, the system automatically generates a DSA key pair.

Key pairs generated in the two methods are the same in terms of function, security, query, and deletion. It is recommended that you run the dsa local-key-pair create command to generate a local DSA key pair.

When you run this command and a DSA key already exists, the system prompts you to confirm whether to replace it. The key in the new key pair is named <device name>_Host_DSA, for example, HUAWEI_Host_DSA.

After you enter the command, the device prompts you to enter the number of bits in the host key. The host key length is 2048 bits.

After a successful login, run the save command to save the configuration. The generated key pair is then saved on the device and is not lost after the device restarts.

Precautions

This command is not saved in the configuration file and takes effect immediately after being executed. After the device restarts, you do not need to run the command again.

Example

# Generate a local DSA key pair on the device.

<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

dsa local-key-pair destroy

Function

The dsa local-key-pair destroy command deletes local DSA host key pairs.

Format

dsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

DSA applies to SSH authentication. As an asymmetric algorithm, it uses a generated public/private key pair to implement secure key exchange, which secures the session. You can run the dsa local-key-pair create command to generate local DSA keys. When the local DSA keys are no longer needed, run the dsa local-key-pair destroy command to delete them.

Prerequisite

Local DSA keys exist on the device.

Precautions

This command takes effect immediately and is not saved in the configuration file.

Example

# Delete local DSA keys.

<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_DSA.
Warning: These keys will be destroyed. Continue? Please select [Y/N]:y
Info: Succeeded in destroying the DSA host keys.

dsa local-key-pair load

Function

The dsa local-key-pair load command loads the local DSA and server key pairs from a specified file.

By default, the local DSA and server key pairs are not configured.

Format

dsa local-key-pair load hostkey file-name

Parameters

Parameter: hostkey
Description: Loads the local DSA key pair.
Value: -

Parameter: file-name
Description: Specifies the name of the file from which key pairs are loaded.
Value: The file must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the system is upgraded from an earlier version to a later version and you want to keep using the DSA key configuration of the earlier version, run the dsa local-key-pair load command to load the local DSA and server key pairs from the specified file.

Prerequisites

The file that contains the DSA key pair already exists.

Example

# Load the local DSA key pair.

<HUAWEI> system-view
[~HUAWEI] dsa local-key-pair load hostkey flash:/hostkey_dsa

dsa peer-public-key

Function

The dsa peer-public-key command configures an encoding format for a DSA public key and displays the DSA public key view.

The undo dsa peer-public-key command deletes a DSA public key.

By default, no encoding format is configured for a DSA public key.

Format

dsa peer-public-key key-name encoding-type { der | openssh | pem }

undo dsa peer-public-key key-name

Parameters

Parameter: key-name
Description: Specifies the public key name.
Value: The value is a string of 1 to 30 case-sensitive characters without spaces. NOTE: When double quotation marks are used around the string, spaces are allowed in the string.

Parameter: encoding-type
Description: Specifies an encoding format for a DSA public key.
Value: -

Parameter: der
Description: Specifies the Distinguished Encoding Rules (DER) format for a DSA public key. DER encodes data in hexadecimal format.
Value: -

Parameter: openssh
Description: Specifies the OpenSSH format for a DSA public key. OpenSSH encodes data in base-64 format. OpenSSH is an encoding format based on PEM.
Value: -

Parameter: pem
Description: Specifies the Privacy Enhanced Mail (PEM) format for a DSA public key. PEM encodes data in base-64 format.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you use a DSA public key for authentication, you must specify the public key of the corresponding client for an SSH user on the server. When the client logs in to the server, the server uses the specified public key to authenticate the client. You can also save the public key generated on the server to the client. Then the client can be successfully authenticated by the server when it logs in to the server for the first time.

Huawei data communications devices support the DER, OpenSSH, and PEM formats for DSA keys. If you have a DSA key in another format, use a third-party tool to convert it into DER, OpenSSH, or PEM format.

Because no such conversion tool is shipped with Huawei system software, requiring conversion would make DSA hard to use. DSA keys therefore support the OpenSSH format in addition to DER and PEM.

Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can generate DSA keys in different formats:
  • SecureCRT and PuTTY generate DSA keys in PEM format.
  • OpenSSH generates DSA keys in OpenSSH format.
  • OpenSSL generates DSA keys in DER format.

OpenSSL is open source software. Its documentation is available at http://www.openssl.org/.

After you configure an encoding format for a DSA public key, the device creates a DSA public key in that encoding format and enters the DSA public key view. You can then run the public-key-code begin command and manually copy the DSA public key generated on the peer device to the local device.

Follow-up Procedure

After you copy the DSA public key generated on the peer device to the local device, perform the following operations to exit the DSA public key view:
  1. Run the public-key-code end command to return to the DSA public key view.
  2. Run the peer-public-key end command to exit the DSA public key view and return to the system view.

Precautions

If a DSA public key has been assigned to an SSH client, release the binding between the public key and the SSH client first. Otherwise, the undo dsa peer-public-key command fails to delete the DSA public key.

If a DSA public key has been assigned to an SSH user, run the undo ssh user user-name assign dsa-key command to delete the mapping between the DSA public key and the SSH user first. Otherwise, the undo dsa peer-public-key command cannot delete the DSA public key.

Example

# Configure an encoding format for a DSA public key and enter the DSA public key view.

<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key 23 encoding-type der
[*HUAWEI-dsa-public-key]

ecc key-pair label

Function

The ecc key-pair label command generates an ECC key pair with a label.

The undo ecc key-pair label command deletes an ECC key pair with a label.

By default, no ECC key pair with a label is generated.

Format

ecc key-pair label label-name [ modulus modulus-bits ]

undo ecc key-pair label label-name

Parameters

Parameter: label-name
Description: Specifies the label name of an ECC key pair.
Value: The value is a string of 1 to 35 case-insensitive characters. It can contain digits, letters, and underscores (_) only.

Parameter: modulus modulus-bits
Description: Specifies the modulus of the ECC key pair.
Value: The value can be 256, 384, or 521, in bits. The default value is 521. A larger modulus indicates higher security but takes longer to generate and use.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to generate an ECC key pair for user authentication. The ECC key pair improves authentication security. You can run the ecc key-pair label command to generate multiple ECC key pairs, and the key pairs are identified by different labels.

Precautions

You can run the ecc key-pair label command to generate multiple ECC key pairs with labels. The maximum number of ECC key pairs is specified by the ecc key-pair maximum command. By default, the device can generate a maximum of 20 ECC key pairs with labels.

Example

# Generate an ECC key pair with a label named ecc_key_pair.

<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecc_key_pair

ecc key-pair maximum

Function

The ecc key-pair maximum command configures the maximum number of ECC key pairs with labels that can be generated.

The undo ecc key-pair maximum command restores the maximum number of ECC key pairs with labels to the default value.

By default, the device can generate a maximum of 20 ECC key pairs with labels.

Format

ecc key-pair maximum max-keys

undo ecc key-pair maximum

Parameters

Parameter: max-keys
Description: Specifies the maximum number of ECC key pairs with labels.
Value: The value is an integer that ranges from 1 to 20.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Saving ECC key pairs consumes system memory and file resources. Therefore, you can adjust the maximum number of ECC key pairs as required to ensure that they do not occupy too many system resources.

Configuration Impact

The device fails to generate ECC key pairs with labels when the number of ECC key pairs reaches the upper limit specified by this command.

Example

# Set the maximum number of ECC key pairs with labels to 15.

<HUAWEI> system-view
[~HUAWEI] ecc key-pair maximum 15

ecc local-key-pair

Function

The ecc local-key-pair create command generates a local ECC key pair.

The ecc local-key-pair destroy command deletes the local ECC key.

By default, no local ECC key pair exists in the system.

Format

ecc local-key-pair create

ecc local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A local key pair is a prerequisite for a successful SSH login. Compared with the RSA algorithm used by the rsa local-key-pair create command, ECC uses shorter keys, encrypts faster, and provides higher security. The length of the server key pair can be 256, 384, or 521 bits. By default, the key pair length is 521 bits.

If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command to delete them.

The prerequisite for a user to successfully log in to the SSH server using ECC authentication is to generate a local ECC key pair. A local ECC key pair can be generated in the following two methods:
  • Configuration: You can run the ecc local-key-pair create command to generate a local ECC key pair.

  • Automatic generation: If an SSH client logs in to a device and the SSH server has no ECC key pair, the system automatically generates an ECC key pair.

Key pairs generated in the two methods are the same in terms of function, security, query, and deletion. It is recommended that you run the ecc local-key-pair create command to generate a local ECC key pair.

After a successful login, run the save command to save the configuration. The generated key pair is then saved on the device and is not lost after the device restarts.

Precautions

  • The generated ECC host key pair is named in the format of switch name_Host_ECC, such as HUAWEI_Host_ECC.

  • The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the switch restarts.

  • Do not delete the ECC key file from the switch.

Example

# Generate a local ECC key pair.

<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:

# Delete the local ECC key pair.

<HUAWEI> system-view
[~HUAWEI] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_ECC.
Warning: These keys will be destroyed. Continue? Please select [Y/N]: Y
Info: Succeeded in destroying the ECC host keys.

ecc peer-public-key

Function

The ecc peer-public-key command generates an ECC public key and enters the ECC public key view.

The undo ecc peer-public-key command deletes the ECC public key.

By default, no ECC public key is generated.

Format

ecc peer-public-key key-name [ encoding-type der ]

undo ecc peer-public-key key-name

Parameters

Parameter: key-name
Description: Specifies the ECC public key name.
Value: The value is a string of 1 to 30 case-sensitive characters without spaces. NOTE: When quotation marks are used around the string, spaces are allowed in the string.

Parameter: encoding-type der
Description: Sets the encoding format of the ECC public key to Distinguished Encoding Rules (DER). In the DER format, data is encoded in hexadecimal format.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you use an ECC public key for authentication, specify the client's public key for the SSH user on the server. When the client logs in to the server, the server uses the specified public key to authenticate the client.

After you enter the ECC public key view, run the public-key-code begin command, and copy the ECC public key to the server.

NOTE:
A maximum of 20 ECC public keys can be configured.

Follow-up Procedure

After you copy the ECC public key generated on the client to the server, perform the following operations to exit the ECC public key view:
  1. Run the public-key-code end command to return to the ECC public key view.
  2. Run the peer-public-key end command to exit the ECC public key view and return to the system view.

Precautions

The public key on the client is randomly generated by the client software.

If an ECC public key has been assigned to an SSH user, run the undo ssh user user-name assign ecc-key command to delete the mapping between the ECC public key and the SSH user. If you do not delete the mapping, the undo ecc peer-public-key command cannot delete the ECC public key.

Example

# Create an ECC public key and enter the ECC public key view.

<HUAWEI> system-view
[~HUAWEI] ecc peer-public-key ecckey001
[*HUAWEI-ecc-public-key]

ftp server login-failed threshold-alarm

Function

The ftp server login-failed threshold-alarm command configures the alarm generation and clearance thresholds for FTP server login failures within a specified period.

The undo ftp server login-failed threshold-alarm command restores the default alarm generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.

Format

ftp server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

undo ftp server login-failed threshold-alarm [ upper-limit report-times lower-limit resume-times period period-time ]

Parameters

Parameter: upper-limit report-times
Description: Specifies the number of login failures at which an authentication failure alarm is reported. If the value is 0, no authentication failure alarm is reported. The default value is 30.
Value: The value is an integer ranging from 0 to 100.

Parameter: lower-limit resume-times
Description: Specifies the number of login failures below which the authentication failure clear alarm is reported. The default value is 20.
Value: The value is an integer ranging from 0 to 45.

Parameter: period period-time
Description: Specifies the period in which failure alarms are counted. The default value is 5, in minutes.
Value: The value is an integer ranging from 1 to 120.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If an FTP management user frequently fails to log in within a short period, the device generates a management security alarm and reports it to administrators for their intervention. To configure alarm reporting and clearance thresholds within a specified period, run the ftp server login-failed threshold-alarm command.

Example

# Configure 40 as the alarm reporting threshold and 25 as the alarm clearance threshold within 10 minutes.

<HUAWEI> system-view
[*HUAWEI] ftp server login-failed threshold-alarm upper-limit 40 lower-limit 25 period 10
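
The upper-limit / lower-limit pair described above behaves as a hysteresis: the alarm is raised when failures in the period reach the upper limit and is cleared only when they fall below the lower limit. The following Python model is an added example, not part of this page or of the device software. It replays constructed log lines (the line format is invented for the example and is not the device's real log format), raises on the upper limit, clears on the lower limit, and treats upper-limit 0 as "no alarm". Evaluating a sliding window on every event is an assumption; the page does not state how the device counts failures.

```python
from datetime import datetime, timedelta


class LoginFailureAlarm:
    """Threshold alarm with hysteresis, modelled on ftp server login-failed
    threshold-alarm: raise when the failures seen in the last `period_minutes`
    reach `upper`, clear once they fall below `lower`. Evaluating a sliding
    window on every event is an assumption; the page does not say how the
    device counts."""

    def __init__(self, upper=30, lower=20, period_minutes=5):
        # Ranges documented in the parameter table above.
        if not (0 <= upper <= 100 and 0 <= lower <= 45 and 1 <= period_minutes <= 120):
            raise ValueError("threshold outside the documented range")
        self.upper, self.lower = upper, lower
        self.period = timedelta(minutes=period_minutes)
        self.failures = []      # timestamps of failures still inside the window
        self.alarmed = False

    def record_failure(self, when):
        self.failures.append(when)
        return self.evaluate(when)

    def evaluate(self, now):
        """Drop aged-out failures and return 'ALARM', 'CLEAR' or None."""
        cutoff = now - self.period
        self.failures = [t for t in self.failures if t > cutoff]
        count = len(self.failures)
        if self.upper == 0:                 # upper-limit 0 disables reporting
            return None
        if not self.alarmed and count >= self.upper:
            self.alarmed = True
            return "ALARM"
        if self.alarmed and count < self.lower:
            self.alarmed = False
            return "CLEAR"
        return None


# Constructed log lines for the example; the format is invented here, it is
# not the device's real log format. Thirty failures in thirty seconds, then
# one successful login two minutes later.
SAMPLE_LOG = [
    "2024-05-01T10:00:%02d FTP login failed user=admin from=192.0.2.%d" % (i, 10 + i % 3)
    for i in range(30)
] + ["2024-05-01T10:02:00 FTP login ok user=admin from=192.0.2.10"]


def parse_line(line):
    """Return (timestamp, is_failure) for one constructed log line."""
    stamp, _, rest = line.partition(" ")
    return datetime.fromisoformat(stamp), rest.startswith("FTP login failed")


def replay(lines, upper=30, lower=20, period_minutes=5, checkpoints=()):
    """Feed log lines through the alarm in time order. `checkpoints` are extra
    ISO timestamps at which the state is evaluated without any new event, so a
    clear caused purely by failures ageing out of the window is observed.
    Returns [(iso_time, 'ALARM'|'CLEAR', failures_in_window), ...]."""
    alarm = LoginFailureAlarm(upper, lower, period_minutes)
    moments = [parse_line(line) for line in lines]
    moments += [(datetime.fromisoformat(c), None) for c in checkpoints]
    moments.sort(key=lambda m: m[0])
    events = []
    for when, failed in moments:
        result = alarm.record_failure(when) if failed else alarm.evaluate(when)
        if result:
            events.append((when.isoformat(), result, len(alarm.failures)))
    return events
```

With the defaults (30, 20, 5 minutes) the sample raises the alarm on the 30th failure and clears it only once enough failures have aged out of the window that fewer than 20 remain; a successful login in between does not clear it. Evaluating at checkpoints matters because the clear condition is reached by the passage of time, not by a new event.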

http

Function

The http command displays the HTTP view.

The undo http command deletes the HTTP view and all configurations in this view.

By default, the HTTP view is not displayed.

Format

http

undo http

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

HTTP is an application-layer protocol that transports hypertext from WWW servers to local browsers. HTTP uses the client/server model in which requests and replies are exchanged.

Before configuring HTTP, run the http command to enter the HTTP view.

Example

# Display the HTTP view.

<HUAWEI> system-view
[~HUAWEI] http

lock

Function

The lock command locks the current user interface to prevent unauthorized users from operating the interface.

By default, the system does not automatically lock the current user interface.

Format

lock

Parameters

None

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

Run this command to lock the current user interface so that other users cannot operate it. User interfaces include console ports and virtual type terminals (VTYs).

After you run the lock command, you are prompted to enter a password twice. If the two entries match, the user interface is locked.

Precautions

  • The password must meet the following requirements:

    • When password complexity check is enabled, the requirements are as follows:

      • The password is a string of 8 to 128 case-sensitive characters.

      • The password must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.

        Any special character except the question mark (?) and the space is allowed.

    • If you run the undo local-user policy security-enhance command in the AAA view to disable the local account security policy and then run the lock command, the password does not need to meet the complexity requirement. In this case, the requirements are as follows:

      • The password is a string of 1 to 128 case-sensitive characters.

        The string cannot contain the question mark (?) or the space.

  • A password entered in interactive mode is not displayed on the screen.

  • When you run the lock command to lock the user interface and set a locking password, you can press CTRL_C to cancel the operation.

  • To unlock the user interface, press Enter, and then enter the correct password as prompted by the system.
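
The password rules above, written out as an added Python check (not part of this page or of the device software) that can be run against a candidate password before it is used with lock. The strict mode mirrors the complexity rules; the relaxed mode mirrors the rules that apply after undo local-user policy security-enhance. Treating any non-alphanumeric character as a "special character" is an assumption; the page does not enumerate them.

```python
FORBIDDEN_CHARS = {"?", " "}   # rejected in both modes


def check_lock_password(password, security_enhance=True):
    """Validate a lock password against the rules in this section.

    security_enhance=True  : local account security policy in force (default):
                             8 to 128 characters, at least two character types.
    security_enhance=False : after undo local-user policy security-enhance:
                             1 to 128 characters, no type requirement.
    Returns (ok, reason)."""
    forbidden = sorted(set(password) & FORBIDDEN_CHARS)
    if forbidden:
        return False, "contains forbidden character(s): %r" % forbidden
    minimum = 8 if security_enhance else 1
    if not minimum <= len(password) <= 128:
        return False, "length %d outside %d-128" % (len(password), minimum)
    if security_enhance:
        # Assumption: "special character" means any non-alphanumeric character
        # (question mark and space were already rejected above).
        types_present = [name for name, test in (
            ("upper-case", str.isupper),
            ("lower-case", str.islower),
            ("digit", str.isdigit),
            ("special", lambda c: not c.isalnum()),
        ) if any(test(c) for c in password)]
        if len(types_present) < 2:
            return False, "only %s present; at least two character types required" % (
                ", ".join(types_present) or "no character type")
    return True, "ok"
```

The check is deliberately applied before the interactive prompt, where the password is not echoed; a rejected password then fails locally with a stated reason instead of being discovered only when the device refuses it.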

Example

# Lock the current user interface after logging in through the console port.

<HUAWEI> lock
Enter Password:
Confirm Password:
Info: The terminal is locked.

# To log in to the system after the system is locked, you must press Enter. The following information is displayed:

Enter Password:

# Enter the correct password and return to the user view.

<HUAWEI>

peer-public-key end

Function

The peer-public-key end command returns to the system view from the public key view and saves the configured public keys.

Format

peer-public-key end

Parameters

None

Views

Public key view

Default Level

3: Management level

Usage Guidelines

You must save the public key generated on the remote host to the local host, which ensures that the validity check on the remote end is successful. After editing a public key in the public key view, you can run this command to return to the system view.

Example

# Return to the system view from the public key view.

<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]

public-key-code begin

Function

The public-key-code begin command displays the public key editing view.

Format

public-key-code begin

Parameters

None

Views

Public key view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You must save the public key generated on the remote host to the local host so that the validity check on the remote end succeeds. Run the public-key-code begin command to display the public key editing view, and enter the key data. The key data may contain spaces, and you can press Enter to continue the data on a new line.

Prerequisite

A key name has been specified by running the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command.

For security purposes, using RSA public keys is not recommended.

Precautions

  • The content of a key cannot contain Chinese characters.
  • The public key must be a hexadecimal character string in the public key encoding format, generated by a client or server that supports SSH.
  • The public keys displayed by running the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command can be used as the key data to enter.
  • The public key of either a server key pair or a client key pair can be entered and edited successfully. In SSH applications, however, only the public key of the client key pair is valid as key data: if you enter the public key of the server key pair, authentication fails during SSH login.

Example

# Display the public key editing view and enter the key data.

<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]

public-key-code end

Function

The public-key-code end command returns to the public key view from the public key editing view and saves the configured public keys.

Format

public-key-code end

Parameters

None

Views

Public key editing view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After this command is run, the process of editing the public key ends. Before saving the public key, the system will check the validity of the key.
  • If the public key character string entered by the user contains illegal characters, the system displays an error message, the previously entered public key is discarded, and the configuration fails.
  • If the public key configured is valid, it is saved in the public key chain table of the client.

Precautions

  • In the public key editing view, you can exit only by running the public-key-code end command; the quit command cannot be used.
  • If valid key code has not been entered, the key is not generated when the public-key-code end command is run, and the system reports that key generation failed.
  • If the key has been deleted in another window, the system reports that the key does not exist and returns directly to the system view after you run the public-key-code end command.

Example

# Exit from the RSA public key editing view and save the RSA key configuration.

<HUAWEI> system-view
[~HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[*HUAWEI-dsa-public-key] public-key-code begin
[*HUAWEI-dsa-public-key-dsa-key-code] 308188
[*HUAWEI-dsa-public-key-dsa-key-code] 028180
[*HUAWEI-dsa-public-key-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[*HUAWEI-dsa-public-key-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[*HUAWEI-dsa-public-key-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[*HUAWEI-dsa-public-key-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[*HUAWEI-dsa-public-key-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[*HUAWEI-dsa-public-key-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[*HUAWEI-dsa-public-key-dsa-key-code] 171896FB 1FFC38CD
[*HUAWEI-dsa-public-key-dsa-key-code] 0203
[*HUAWEI-dsa-public-key-dsa-key-code] 010001
[*HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[*HUAWEI-dsa-public-key] peer-public-key end
[*HUAWEI]
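
The following Python script is an added example, not part of this page or of Huawei's software. It does offline what the public-key-code end command is described as doing: it joins the hex lines typed in the key editing view, rejects illegal characters, and parses the DER structure, checking that every length field is consistent with the data. It also covers the encoding-format point from the dsa peer-public-key section: a key a client tool produced in PEM format is unwrapped to DER bytes and re-emitted as the hex words the editing view accepts. The sample key code is the blob from this page's own example. It decodes as a SEQUENCE of two INTEGERs, the second equal to 65537, which is the PKCS#1 RSAPublicKey layout and agrees with the example heading that calls it an RSA key. The device's actual validation rules are not given on the page, so the checks here are an assumption, and the PEM sample is constructed from the same bytes.

```python
import base64

# Constructed input: the DER hex lines from this page's public-key-code
# example, exactly as typed into the key editing view.
SAMPLE_KEY_CODE_LINES = [
    "308188",
    "028180",
    "B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB",
    "A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F",
    "411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B",
    "40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5",
    "1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931",
    "A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2",
    "171896FB 1FFC38CD",
    "0203",
    "010001",
]
HEX_DIGITS = set("0123456789abcdefABCDEF")


def key_code_to_der(lines):
    """Join the lines typed in the key editing view into DER bytes. Spaces and
    line breaks are allowed; any other non-hex character or an odd digit count
    is rejected, as the device rejects 'illegal characters'."""
    text = "".join(lines).replace(" ", "")
    bad = sorted(set(text) - HEX_DIGITS)
    if bad:
        raise ValueError("illegal character(s) in key code: %r" % bad)
    if not text or len(text) % 2:
        raise ValueError("empty key code or odd number of hex digits")
    return bytes.fromhex(text)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated element at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short form: one length byte
        length = first
    else:                                 # long form: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length encoding (BER, not DER)")
    if pos + length > len(buf):
        raise ValueError("length %d exceeds remaining data" % length)
    return tag, buf[pos:pos + length], pos + length


def _decode(tag, value):
    if tag == 0x30:                       # SEQUENCE: decode the children
        children, pos = [], 0
        while pos < len(value):
            t, v, pos = _read_tlv(value, pos)
            children.append(_decode(t, v))
        return ("SEQUENCE", children)
    if tag == 0x02:                       # INTEGER: unsigned value and byte length
        if not value:
            raise ValueError("empty INTEGER")
        return ("INTEGER", int.from_bytes(value, "big"), len(value))
    return ("TAG 0x%02X" % tag, value)    # anything else is left raw


def parse_der(der):
    """Parse one complete DER element; trailing bytes are an error."""
    tag, value, end = _read_tlv(der, 0)
    if end != len(der):
        raise ValueError("%d trailing byte(s) after the top-level element" % (len(der) - end))
    return _decode(tag, value)


def check_public_key_code(lines):
    """Offline stand-in for the validity check run on public-key-code end."""
    try:
        tree = parse_der(key_code_to_der(lines))
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    if tree[0] != "SEQUENCE":
        return {"ok": False, "error": "top-level element is not a SEQUENCE"}
    return {"ok": True, "tree": tree}


def pem_to_der(pem_text):
    """Strip PEM armour (any BEGIN/END label) and base64-decode the body."""
    body, inside = [], False
    for line in pem_text.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN "):
            inside = True
        elif line.startswith("-----END "):
            break
        elif inside and line:
            body.append(line)
    if not body:
        raise ValueError("no PEM body found")
    return base64.b64decode("".join(body), validate=True)


def der_to_key_code_lines(der, words_per_line=5):
    """Render DER bytes as the 8-hex-digit words the key editing view accepts."""
    words = [der[i:i + 4].hex().upper() for i in range(0, len(der), 4)]
    return [" ".join(words[i:i + words_per_line]) for i in range(0, len(words), words_per_line)]


# Constructed PEM wrapping of the same bytes, 64 base64 characters per line.
_B64 = base64.b64encode(key_code_to_der(SAMPLE_KEY_CODE_LINES)).decode()
SAMPLE_PEM = ("-----BEGIN RSA PUBLIC KEY-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END RSA PUBLIC KEY-----\n")
```

Running check_public_key_code on the sample returns ok with a SEQUENCE of a 128-byte INTEGER and the INTEGER 65537; dropping the last line or appending a stray byte fails the length check, and a non-hex character fails before parsing starts. The INTEGERs are decoded as unsigned on purpose: the sample modulus starts with 0xB2, so a strict signed DER reading would call it negative, and the point here is the length bookkeeping, not the number's sign.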

rsa key-pair label

Function

The rsa key-pair label command generates an RSA key pair with a label.

The undo rsa key-pair label command deletes an RSA key pair with a label.

By default, no RSA key pair with a label is generated.

Format

rsa key-pair label label-name [ modulus modulus-bits ]

rsa key-pair label load private private-key public public-key

undo rsa key-pair label label-name

Parameters

Parameter: label-name
Description: Specifies the label name of an RSA key pair.
Value: The value is a string of 1 to 35 case-insensitive characters. It can contain letters, digits, and underscores (_) only.

Parameter: modulus modulus-bits
Description: Specifies the modulus of the RSA key pair.
Value: The value is 2048, in bits. The default value is 2048.

Parameter: load private private-key
Description: Specifies the private key in the key pair.
Value: The private key must already exist.

Parameter: public public-key
Description: Specifies the public key in the key pair.
Value: The public key must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

RSA is an algorithm used for user authentication in SSH and secures the authentication process. You can run the rsa key-pair label command to generate multiple RSA key pairs, identified by different labels.

Precautions

You can run the rsa key-pair label command to generate multiple RSA key pairs with labels. The maximum number of RSA key pairs is specified by the rsa key-pair maximum command. By default, the device can generate a maximum of 20 RSA key pairs with labels.
NOTE:
To ensure high security, do not use an RSA key pair shorter than 2048 bits.

Example

# Generate an RSA key pair with a label named as ssh_host.

<HUAWEI> system-view
[~HUAWEI] rsa key-pair label ssh_host

rsa key-pair maximum

Function

The rsa key-pair maximum command configures the maximum number of RSA key pairs with labels that can be generated.

The undo rsa key-pair maximum command restores the maximum number of RSA key pairs with labels to the default value.

By default, the device can generate a maximum of 20 RSA key pairs with labels.

Format

rsa key-pair maximum max-keys

undo rsa key-pair maximum

Parameters

Parameter: max-keys
Description: Specifies the maximum number of RSA key pairs with labels.
Value: The value is an integer that ranges from 1 to 20.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Saving RSA key pairs consumes system memory and file resources. Therefore, you can adjust the maximum number of RSA key pairs as required to ensure that they do not occupy too many system resources.

Configuration Impact

The device fails to generate RSA key pairs with labels when the number of RSA key pairs reaches the upper limit specified by this command.

Example

# Set the maximum number of RSA key pairs with labels to 15.

<HUAWEI> system-view
[~HUAWEI] rsa key-pair maximum 15

rsa local-key-pair create

Function

The rsa local-key-pair create command generates a local RSA key pair.

By default, a local RSA key pair is not configured.

Format

rsa local-key-pair create

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To implement secure data exchange between the server and client, run this command to generate a local key pair.

The prerequisite for a user to successfully log in to the SSH server using RSA authentication is to generate a local RSA key pair. A local RSA key pair can be generated in the following two methods:
  • Configuration: You can run the rsa local-key-pair create command to generate a local RSA key pair.

  • Automatic generation: If an SSH client logs in to a device and the SSH server has no RSA key pair, the system automatically generates an RSA key pair.

Key pairs generated in the two methods are the same in terms of function, security, query, and deletion. It is recommended that you run the rsa local-key-pair create command to generate a local RSA key pair.

After a successful login, run the save command to save the configuration. The generated key pair is then saved on the device and is not lost after the device restarts.

Precautions

If an RSA key pair already exists, the system prompts you to confirm whether to replace it. The keys in the new key pair are named <device name>_server and <device name>_host, for example, HUAWEI_host and HUAWEI_server.

After you enter this command, you are prompted to enter the number of bits in the host key. The length of the server key pair and the host key pair is 2048 bits. If a key pair already exists, you must confirm whether to replace it.

NOTE:
An RSA key pair shorter than 2048 bits is insecure and therefore not recommended.

This command is not saved in a configuration file.

Example

# Generate a local RSA key pair.

<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTE: Key pair generation will take a short while.

rsa local-key-pair destroy

Function

The rsa local-key-pair destroy command deletes all local RSA host and server key pairs.

Format

rsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete the local key pairs, run the rsa local-key-pair destroy command. After the host key pair and server key pair of an SSH server are deleted, run the rsa local-key-pair create command to create a new host key pair and server key pair for the SSH server.

After you run this command, verify that all local RSA keys are deleted. This command is not saved in a configuration file.

Prerequisite

The local RSA keys that can be deleted exist.

Example

# Delete all RSA server keys.

<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair destroy
% The name for the keys which will be destroyed is HUAWEI_Host.
% Confirm to destroy these keys? Please select [Y/N]: y

rsa local-key-pair load

Function

The rsa local-key-pair load command loads the local RSA host key pair or server key pair from a specified file.

By default, the local RSA and server key pairs are not configured.

Format

rsa local-key-pair load { hostkey | serverkey } file-name

Parameters

Parameter Description Value
hostkey Loads the local RSA host key pair. -
serverkey Loads the local RSA server key pair. -
file-name Specifies the name of the file from which the key pair is loaded. The file must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the device is upgraded from an earlier version to a later version and the RSA key configuration of the earlier version is to be reused, run the rsa local-key-pair load command to load the local RSA host key pair or server key pair from a specified file.

Prerequisites

The file that contains the RSA key pair already exists.

Example

# Load the local RSA key pair.

<HUAWEI> system-view
[~HUAWEI] rsa local-key-pair load hostkey flash:/rsahostkey.dat

rsa peer-public-key

Function

The rsa peer-public-key command configures an encoding format for RSA public key and enters the RSA public key view.

The undo rsa peer-public-key command deletes a public key.

By default, no public key is configured.

Format

rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

undo rsa peer-public-key key-name

Parameters

Parameter Description Value
key-name Specifies the public key name. The value is a string of 1 to 30 case-insensitive characters without spaces.
NOTE:

When double quotation marks are used around the string, spaces are allowed in the string.

encoding-type Specifies the encoding format of the RSA public key. The default format is DER. -
der Specifies the DER format for the RSA public key. DER encodes data in hexadecimal format. -
openssh Specifies the OpenSSH format for the RSA public key. OpenSSH encodes data in base-64 format and is an encoding format based on PEM. -
pem Specifies the PEM format for the RSA public key. PEM encodes data in base-64 format. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command to enter the RSA public key view and save the public key of the remote host on the local host. The saved key is used to check the validity of the remote device when a connection is set up.

After you specify an encoding format for the RSA public key, the device creates an RSA public key entry in that encoding format and enters the RSA public key view. You can then run the public-key-code begin command and manually copy the RSA public key generated on the peer device to the local device.

NOTE:

A maximum of 20 RSA public keys can be configured. To ensure high security, do not use an RSA key pair shorter than 2048 bits.

Prerequisite

The public key in hexadecimal notation on the remote host has been obtained and recorded.

Follow-up Procedure

After you copy the RSA public key generated on the peer device to the local device, perform the following operations to exit the RSA public key view:
  1. Run the public-key-code end command to return to the RSA public key view.
  2. Run the peer-public-key end command to exit the RSA public key view and return to the system view.

Precautions

If an RSA public key has been assigned to an SSH user, run the undo ssh user user-name assign rsa-key command to delete the mapping between the RSA public key and the SSH user. If you do not delete the mapping, the undo rsa peer-public-key command cannot delete the RSA public key.

Example

# Display the public key view.
<HUAWEI> system-view
[~HUAWEI] rsa peer-public-key rsakey001
[*HUAWEI-rsa-public-key]
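The three encoding formats accepted by rsa peer-public-key differ only in how the same modulus and exponent are wrapped. The following example, added here and not part of the Huawei documentation or product code, builds the DER, PEM and OpenSSH encodings of one RSA public key from scratch and parses the OpenSSH line back, so the relationship between the formats (and the 2048-bit minimum from the note above) can be checked offline. The modulus TOY_N is a constructed 512-bit number used only so that the length check has something to reject; it is not a real key.

```python
import base64
import struct

# Constructed toy key values for demonstration only (NOT a real key).
# A real RSA modulus is at least 2048 bits; this one is 512 bits so the
# length check below can show a rejection.
TOY_N = (1 << 511) | 0x10001  # odd 512-bit number standing in for a modulus
TOY_E = 65537


def _der_length(length):
    """DER length octets: short form below 128, long form otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _unsigned_big_endian(value):
    """Minimal big-endian encoding with a leading 0x00 when the top bit is set,
    so the value is read back as positive (same rule for DER INTEGER and SSH mpint)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    def integer(v):
        body = _unsigned_big_endian(v)
        return b"\x02" + _der_length(len(body)) + body
    body = integer(n) + integer(e)
    return b"\x30" + _der_length(len(body)) + body


def rsa_public_key_pem(n, e):
    """PEM is the DER bytes, base64-encoded in 64-character lines, between a header and footer."""
    b64 = base64.b64encode(rsa_public_key_der(n, e)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END RSA PUBLIC KEY-----\n"


def _ssh_string(data):
    """RFC 4253 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def rsa_public_key_openssh(n, e, comment="constructed-example"):
    """OpenSSH one-line format: 'ssh-rsa <base64 blob> comment', where the blob is
    string "ssh-rsa", mpint e, mpint n."""
    blob = (_ssh_string(b"ssh-rsa")
            + _ssh_string(_unsigned_big_endian(e))
            + _ssh_string(_unsigned_big_endian(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def parse_openssh_rsa(line):
    """Decode an OpenSSH 'ssh-rsa ...' line back to (n, e). Raises ValueError on
    any other key type, truncated data or trailing bytes instead of guessing."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)

    def read_string(offset):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string")
        return blob[offset:offset + length], offset + length

    key_type, offset = read_string(0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob key type does not match the line prefix")
    e_bytes, offset = read_string(offset)
    n_bytes, offset = read_string(offset)
    if offset != len(blob):
        raise ValueError("trailing data after modulus")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def rsa_key_is_long_enough(n, minimum_bits=2048):
    """The note above: keys shorter than 2048 bits should not be used."""
    return n.bit_length() >= minimum_bits
```

Before pasting a peer key into the public key view, a practitioner can run the OpenSSH line from the peer through parse_openssh_rsa and rsa_key_is_long_enough to confirm the key type, that the blob is well formed, and that the modulus meets the 2048-bit minimum.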

run

Function

The run command executes a user view command in the system view.

By default, a user view command cannot be executed in the system view.

Format

run command-line

Parameters

Parameter Description Value
command-line Specifies the command to be executed. -

Views

System view

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

Commands that can be run only in the user view normally require you to return to the user view from the system view. With the run command, you can run such commands in the system view without returning to the user view.

Precautions

  • The command specified in the run command must be one that can be run in the user view.
  • When you use the run command, the associated command-line help function is unavailable.
  • When you check the command history on the device using the display history-command command, only the commands that you entered are recorded, in the format run command-line.
  • When you check the CLI/5/CMDRECORD log, only the commands that were actually executed are recorded, in the format run command-line.

Example

# View .cfg files in the system view.

<HUAWEI> system-view
[~HUAWEI] run dir *.cfg
Directory of flash:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-         11,970  Mar 14 2012 19:11:22   31.cfg
    1  -rw-         12,033  Apr 22 2012 17:10:30   31_new.cfg
509,256 KB total (118,784 KB free)

ssh authentication-type default password

Function

The ssh authentication-type default password command configures password authentication as the default authentication mode for users who request to log in to a device using SSH.

The undo ssh authentication-type default password command cancels the configuration.

By default, the default SSH authentication mode is not configured.

Format

ssh authentication-type default password

undo ssh authentication-type default password

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When there are multiple SSH users in the system, the default password authentication mode is used to simplify the configuration.

When users request to log in to a device using SSH, if no SSH user is created using the ssh user, ssh user authentication-type, and ssh user service-type commands, successful user login depends on whether the ssh authentication-type default password command is run.
  • If the ssh authentication-type default password command is run, users log in through AAA authentication.
  • If the ssh authentication-type default password command is not run, users cannot log in.

If an SSH user has been created using the ssh user, ssh user authentication-type, and ssh user service-type commands, authentication of the SSH user depends on whether the ssh user authentication-type command is run. If the ssh user authentication-type command is run, the user is authenticated using the authentication mode specified in this command. If the ssh user authentication-type command is not run, the user cannot log in to the device.

Precautions

No default authentication mode is set for SSH users. When configuring an SSH user, you must configure an authentication mode.

You can run the ssh user user-name authentication-type password command to configure the password authentication mode for an SSH user. If the ssh user and ssh authentication-type default password commands are configured simultaneously, the ssh user command takes effect.

This command takes effect for both IPv4 and IPv6 users.

Example

# Configure the password authentication mode for an SSH user.

<HUAWEI> system-view
[~HUAWEI] ssh authentication-type default password

ssh authorization-type default

Function

The ssh authorization-type default command sets the authorization method for an SSH connection to AAA or Root.

The undo ssh authorization-type default command restores the authorization method.

By default, the authorization method for an SSH connection is AAA.

Format

ssh authorization-type default { aaa | root }

undo ssh authorization-type default

Parameters

Parameter Description Value
aaa Sets the authorization method for an SSH session to AAA. -
root Sets the authorization method for an SSH session to Root. -

Views

System view

Default Level

3: Management level

Usage Guidelines

If the authorization type for an SSH connection is AAA, the privilege level of SSH user is that configured in the AAA view.

If the authorization type for an SSH connection is root, the privilege level of SSH user is different from that configured in the AAA view. In this situation, the privilege level is the maximum value, 15 or 3.

Example

# Set the authorization method for SSH session as AAA.

<HUAWEI> system-view
[~HUAWEI] ssh authorization-type default aaa

ssh client assign

Function

The ssh client assign command specifies the host public key of the SSH server to connect on the SSH client.

The undo ssh client assign command cancels the specified host public key of the SSH server to connect on the SSH client.

By default, the host public key of the server to connect is not specified on the client.

Format

ssh client server-ip-address assign { rsa-key | dsa-key | ecc-key } key-name

undo ssh client server-ip-address assign { rsa-key | dsa-key | ecc-key }

Parameters

Parameter Description Value
server-ip-address Specifies the host name or IP address of the SSH server. The SSH server must already exist.
rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the SSH server public key name that has been configured on the SSH client. The SSH server public key name must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client connects to the SSH server for the first time and the first authentication is not enabled on the SSH client using the ssh client first-time enable command, the SSH client rejects the access from unauthorized SSH servers. You need to specify the host public key of the SSH server and the mapping between the key and SSH server on the SSH client. After that, the client will determine whether the server is reliable using the correct public key based on the mapping.

For security purposes, it is not recommended that you use RSA as the public key.

Precautions

The RSA, DSA, or ECC public key to be assigned to the SSH server must have been configured on the SSH client using the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command. If the key has not been configured, the verification for the RSA, DSA, or ECC public key of the SSH server on the SSH client fails.

Example

# Assign the DSA public key to the SSH server.
<HUAWEI> system-view
[~HUAWEI] ssh client 10.164.39.120 assign dsa-key sshdsakey01
# Delete the DSA public key of the SSH server.
<HUAWEI> system-view
[~HUAWEI] undo ssh client 10.164.39.120 assign dsa-key

ssh client cipher

Function

The ssh client cipher command configures an encryption algorithm list for an SSH client.

The undo ssh client cipher command restores the default encryption algorithm list of an SSH client.

By default, an SSH client supports encryption algorithms including 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, AES192_CTR, AES128_GCM, AES256_GCM, AES256_CTR, Arcfour128, and Arcfour256.

Format

ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm } *

undo ssh client cipher

Parameters

Parameter Description Value
des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -
arcfour128 Specifies the Arcfour128 encryption algorithm. -
arcfour256 Specifies the Arcfour256 encryption algorithm. -
aes192_cbc Specifies the AES192 encryption algorithm in CBC mode. -
aes192_ctr Specifies the AES192 encryption algorithm in CTR mode. -
aes128_gcm Specifies the AES128 encryption algorithm in GCM mode. -
aes256_gcm Specifies the AES256 encryption algorithm in GCM mode. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client cipher command to configure an encryption algorithm list for the SSH client. After the list is configured, the server matches the encryption algorithm list of a client against the local list after receiving a packet from the client and selects the first encryption algorithm that matches the local list. If no encryption algorithms in the list of the client match the local list, the negotiation fails.

Precautions

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 provide weak security. Therefore, do not add them to the encryption algorithm list. aes128_ctr, aes192_ctr, aes256_ctr, aes128_gcm, and aes256_gcm are recommended because they provide higher security.

This command takes effect for both ipv4 and ipv6 SSH servers.

Example

# Configure CTR encryption algorithms for an SSH client.

<HUAWEI> system-view
[~HUAWEI] ssh client cipher aes128_ctr aes256_ctr

ssh client first-time enable

Function

The ssh client first-time enable command enables the first authentication on the SSH client.

The undo ssh client first-time enable command disables the first authentication on the SSH client.

By default, first authentication is disabled on the SSH client.

Format

ssh client first-time enable

undo ssh client first-time enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the SSH client accesses the SSH server for the first time and the public key of the SSH server is not configured on the SSH client, you can enable the first authentication for the SSH client to access the SSH server and save the public key on the SSH client. When the SSH client accesses the SSH server next time, the saved public key is used to authenticate the SSH server.

Precautions

You can run the ssh client assign command to pre-assign a public key to the SSH server. In this manner, you can log in to the SSH server successfully at the first time.

This command takes effect for both ipv4 and ipv6 SSH clients.

Example

# Enable the first authentication on the SSH client.

<HUAWEI> system-view
[~HUAWEI] ssh client first-time enable
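The ssh client assign and ssh client first-time enable commands together define how a client decides whether to trust a server's host key. The following example, added here and not taken from the Huawei documentation or product code, models that decision as a small client-side host-key store: with first-time authentication disabled only pre-assigned servers connect, with it enabled an unknown server is accepted once and its key saved, and a server whose key later differs from the saved one is rejected in both modes. The key blobs and the address 10.164.39.120 (from the ssh client assign example) are constructed sample values, and the SHA256 fingerprint format is borrowed from OpenSSH for readability.

```python
import base64
import hashlib

# Constructed sample host-key blobs (stand-ins for the SSH wire encoding of a
# server's public key); real blobs arrive from the server during key exchange.
SERVER_KEY_V1 = b"ssh-rsa-blob-of-server-A-constructed-v1"
SERVER_KEY_V2 = b"ssh-rsa-blob-of-server-A-constructed-v2"  # the same server with a changed key


def fingerprint(key_blob):
    """OpenSSH-style SHA256 fingerprint: base64 of the SHA-256 digest, '=' padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


class HostKeyStore:
    """Client-side record of which host key each server is expected to present.

    first_time_enabled mirrors 'ssh client first-time enable': when True, a
    server not yet in the store is accepted once and its key is saved; when
    False, only servers with a pre-assigned key ('ssh client ... assign') connect.
    """

    def __init__(self, first_time_enabled=False):
        self.first_time_enabled = first_time_enabled
        self._known = {}   # server address -> fingerprint
        self.events = []   # audit trail a defender would forward to logging

    def assign(self, server, key_blob):
        """Equivalent of pre-assigning the server's public key on the client."""
        self._known[server] = fingerprint(key_blob)
        self.events.append(("assigned", server, self._known[server]))

    def verify(self, server, presented_blob):
        """Return 'accepted', 'accepted-first-time' or 'rejected' for a connection attempt."""
        fp = fingerprint(presented_blob)
        expected = self._known.get(server)
        if expected is not None:
            if fp == expected:
                self.events.append(("match", server, fp))
                return "accepted"
            # A changed key is never silently replaced: it means either a
            # legitimate re-keying the operator must confirm, or an interposed host.
            self.events.append(("MISMATCH", server, fp))
            return "rejected"
        if self.first_time_enabled:
            self._known[server] = fp
            self.events.append(("saved-first-time", server, fp))
            return "accepted-first-time"
        self.events.append(("unknown-host", server, fp))
        return "rejected"


def demo():
    """Walk through both client modes and return the five verification outcomes."""
    strict = HostKeyStore(first_time_enabled=False)
    unknown = strict.verify("10.164.39.120", SERVER_KEY_V1)     # no key assigned yet
    strict.assign("10.164.39.120", SERVER_KEY_V1)
    assigned = strict.verify("10.164.39.120", SERVER_KEY_V1)

    tofu = HostKeyStore(first_time_enabled=True)
    first = tofu.verify("10.164.39.120", SERVER_KEY_V1)         # saved on first contact
    again = tofu.verify("10.164.39.120", SERVER_KEY_V1)
    changed = tofu.verify("10.164.39.120", SERVER_KEY_V2)       # key changed later
    return unknown, assigned, first, again, changed


if __name__ == "__main__":
    print(demo())
```

The events list is the part worth keeping in a real deployment: a MISMATCH entry for a server that was previously accepted is the signal to investigate before re-assigning the key, which is why the store never overwrites a saved key on its own.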

ssh client hmac

Function

The ssh client hmac command configures an HMAC authentication algorithm list for an SSH client.

The undo ssh client hmac command restores the default HMAC authentication algorithm list of an SSH client.

By default, an SSH client supports HMAC authentication algorithms including MD5, MD5_96, SHA1, SHA1_96, SHA2_256, SHA2_512, and SHA2_256_96.

Format

ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *

undo ssh client hmac

Parameters

Parameter Description Value
md5 Specifies the MD5 HMAC authentication algorithm. -
md5_96 Specifies the MD5_96 HMAC authentication algorithm. -
sha1 Specifies the SHA1 HMAC authentication algorithm. -
sha1_96 Specifies the SHA1_96 HMAC authentication algorithm. -
sha2_256 Specifies the SHA2_256 HMAC authentication algorithm. -
sha2_256_96 Specifies the SHA2_256_96 HMAC authentication algorithm. -
sha2_512 Specifies the SHA2_512 HMAC authentication algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an HMAC authentication algorithm for the packets exchanged between them. You can run the ssh client hmac command to configure an HMAC authentication algorithm list for the SSH client. After the list is configured, the server matches the list of a client against the local list after receiving a packet from the client and selects the first HMAC authentication algorithm that matches the local list. If no HMAC authentication algorithms in the list of the client match the local list, the negotiation fails.

Precautions

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC authentication algorithm list.

This command takes effect for both ipv4 and ipv6 SSH clients.

Example

# Configure the SHA2_256 HMAC authentication algorithm for an SSH client.

<HUAWEI> system-view
[~HUAWEI] ssh client hmac sha2_256

ssh client keepalive-interval

Function

The ssh client keepalive-interval command sets the interval for sending keepalive packets on the SSH client.

The undo ssh client keepalive-interval command restores the default interval for sending keepalive packets on the SSH client.

The default interval for sending keepalive packets on the SSH client is 0.

Format

ssh client keepalive-interval seconds

undo ssh client keepalive-interval

Parameters

Parameter Description Value
seconds Specifies the interval for sending keepalive packets. The value is an integer ranging from 0 to 3600, in seconds. The value 0 indicates that keepalive packets are not sent.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client does not receive any data packet from the SSH server within a period, the client sends keepalive packets to the server. If the client does not receive any keepalive response packet from the server, the client disconnects from the server.

Precautions

If the interval is restored to 0, the client does not send any keepalive packet to the server.

This command takes effect for both ipv4 and ipv6 SSH clients.

Example

# Set the interval for sending keepalive packets on the SSH client to 30 seconds.

<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-interval 30

ssh client keepalive-maxcount

Function

The ssh client keepalive-maxcount command sets the maximum number of keepalive packets sent by the SSH client.

The undo ssh client keepalive-maxcount command restores the default maximum number of keepalive packets sent by the SSH client.

The default maximum number of keepalive packets is 3, indicating that the client sends three keepalive packets to the server before disconnecting from the server.

Format

ssh client keepalive-maxcount count

undo ssh client keepalive-maxcount

Parameters

Parameter Description Value
count Specifies the maximum number of keepalive packets. The value is an integer that ranges from 1 to 30.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client does not receive any data packet from the server within a period, the client sends the maximum number of keepalive packets to the server. If the client does not receive any keepalive response packet from the server, the client disconnects from the server.

Precautions

The interval for sending keepalive packets on the client must be greater than the interval that is set using the ssh client keepalive-interval command. If the client does not send any keepalive packet (the interval is 0), the maximum number of keepalive packets does not take effect.

This command takes effect for both ipv4 and ipv6 SSH clients.

Example

# Set the maximum number of keepalive packets on the SSH client to 5.

<HUAWEI> system-view
[~HUAWEI] ssh client keepalive-maxcount 5

ssh client key-exchange

Function

The ssh client key-exchange command configures a key exchange algorithm list on an SSH client.

The undo ssh client key-exchange command restores the default configuration.

By default, an SSH client supports the following key exchange algorithms: dh_group14_sha1, dh_group_exchange_sha1, dh_group_exchange_sha256, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep.

Format

ssh client key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *

undo ssh client key-exchange

Parameters

Parameter Description Value
dh_group14_sha1 Adds the diffie-hellman-group14-sha1 algorithm to the key exchange algorithm list on the SSH client. -
dh_group1_sha1 Adds the diffie-hellman-group1-sha1 algorithm to the key exchange algorithm list on the SSH client. -
dh_group_exchange_sha1 Adds the diffie-hellman-group-exchange-sha1 algorithm to the key exchange algorithm list on the SSH client. -
dh_group_exchange_sha256 Adds the diffie-hellman-group-exchange-sha256 algorithm to the key exchange algorithm list on the SSH client. -
ecdh_sha2_nistp256 Adds the elliptic-curve ecdh-sha2-nistp256 algorithm to the key exchange algorithm list on the SSH client. -
ecdh_sha2_nistp384 Adds the elliptic-curve ecdh-sha2-nistp384 algorithm to the key exchange algorithm list on the SSH client. -
ecdh_sha2_nistp521 Adds the elliptic-curve ecdh-sha2-nistp521 algorithm to the key exchange algorithm list on the SSH client. -
sm2_kep Adds the SM2 key exchange protocol algorithm to the key exchange algorithm list on the SSH client. -

Views

System view

Default Level

3: Management level

Usage Guidelines

The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

NOTE:

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.

Example

# Configure key exchange algorithm dh_group_exchange_sha256 on the SSH client.

<HUAWEI> system-view
[~HUAWEI] ssh client key-exchange dh_group_exchange_sha256
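The ssh client cipher, ssh client hmac and ssh client key-exchange sections above all describe the same negotiation rule: the server walks the client's list in order and takes the first algorithm it also supports. The following example, added here and not part of the Huawei documentation or product code, implements that rule, applies it to the default lists quoted on this page, and strips the entries the page flags as weak so the effect of a hardened list can be seen before it is configured. The WEAK sets are taken from the Precautions of the three commands; dh_group_exchange_sha1 is added to the kex set on my own account because RFC 9142 deprecates it, which goes beyond what this page states.

```python
# Default lists as given on this page (order matters: it is the client's preference order).
CLIENT_DEFAULT_CIPHERS = ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes192_ctr",
                          "aes128_gcm", "aes256_gcm", "aes256_ctr", "arcfour128", "arcfour256"]
SERVER_DEFAULT_CIPHERS_NO_CONFIG = ["aes256_ctr", "aes128_ctr"]   # server started without a config file
CLIENT_DEFAULT_HMACS = ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_512", "sha2_256_96"]
CLIENT_DEFAULT_KEX = ["dh_group14_sha1", "dh_group_exchange_sha1", "dh_group_exchange_sha256",
                      "ecdh_sha2_nistp256", "ecdh_sha2_nistp384", "ecdh_sha2_nistp521", "sm2_kep"]

# Algorithms this page flags as weak. For kex the page names dh_group1_sha1;
# dh_group_exchange_sha1 is added here because RFC 9142 deprecates it (assumption beyond the page).
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc", "arcfour128", "arcfour256"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "kex": {"dh_group1_sha1", "dh_group_exchange_sha1"},
}


def negotiate(client_list, server_list):
    """Pick the first algorithm in the client's list that the server also supports
    (the rule described on this page and in RFC 4253); None means negotiation fails."""
    server_set = set(server_list)
    for name in client_list:
        if name in server_set:
            return name
    return None


def audit_lists(kind, client_list, server_list):
    """Negotiate and report whether the outcome is acceptable from a hardening standpoint."""
    chosen = negotiate(client_list, server_list)
    offered_weak = sorted(n for n in client_list if n in WEAK[kind])
    return {
        "kind": kind,
        "chosen": chosen,
        "chosen_is_weak": chosen in WEAK[kind] if chosen else False,
        "client_offers_weak": offered_weak,   # weak entries a legacy server could steer the client to
    }


def harden(kind, algorithm_list):
    """Return the list with the weak entries removed, preserving preference order.
    The result is what you would pass to the corresponding 'ssh client ...' command."""
    return [n for n in algorithm_list if n not in WEAK[kind]]


if __name__ == "__main__":
    print(audit_lists("cipher", CLIENT_DEFAULT_CIPHERS, SERVER_DEFAULT_CIPHERS_NO_CONFIG))
    print(audit_lists("cipher", CLIENT_DEFAULT_CIPHERS, ["3des_cbc", "aes128_ctr"]))
    for kind, lst in (("cipher", CLIENT_DEFAULT_CIPHERS), ("hmac", CLIENT_DEFAULT_HMACS), ("kex", CLIENT_DEFAULT_KEX)):
        print(kind, harden(kind, lst))
```

The second audit call is the case the Precautions warn about: because the default client list puts 3des_cbc first, a server that still offers it wins negotiation with a weak cipher even though both sides support aes128_ctr. Removing the weak entries on the client (the harden output) is what makes the negotiation fail closed instead.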

ssh server acl

Function

The ssh server acl command configures the ACL that the SSH server uses to control the access permission of the SSH client.

The undo ssh server acl command cancels the configured ACL of the SSH server.

By default, no ACL is configured for SSH server.

Format

ssh [ ipv6 ] server acl { acl-number | acl-name }

undo ssh [ ipv6 ] server acl

Parameters

Parameter Description Value
acl-number Specifies the ACL number. The value is an integer that ranges from 2000 to 3999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Configure the ACL for the following servers for access control:
  • STelnet server: controls which clients can log in to this server through STelnet.
  • SFTP server: controls which clients can log in to this server through SFTP.
  • SNetconf server: controls which clients can log in to this server through SNetconf.

Prerequisites

Before running this command, run the acl command in the system view and the rule command in the ACL view to configure an ACL.

Precautions

A basic ACL is configured to restrict source addresses and an advanced ACL is configured to restrict source and destination addresses.

The ssh server acl { acl-number | acl-name } command takes effect only for IPv4 clients; use ssh ipv6 server acl for IPv6 clients.

Example

# Configure the ACL numbered 2000 on the SSH server.

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.10.10.10 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] ssh server acl 2000
# Configure the ACL named huawei on the SSH server.
<HUAWEI> system-view
[~HUAWEI] acl name huawei
[*HUAWEI-acl4-advance-huawei] rule permit tcp
[*HUAWEI-acl4-advance-huawei] quit
[*HUAWEI] ssh server acl huawei
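The basic ACL in the first example permits a single source address with the wildcard 0. The following example, added here and not part of the Huawei documentation or product code, parses basic-ACL rule lines of that shape (rule [id] permit|deny [source ip wildcard]) and evaluates which clients the SSH server would admit, so a rule set can be tested against candidate addresses before it is applied. Two assumptions go beyond this page: rules are evaluated in the order written, and a source that matches no rule gets default_action, which is set to deny here because the page does not state how the device treats unmatched sources. The rule lines other than the page's own are constructed.

```python
import ipaddress
import re

# Basic ACL rule syntax handled here: "rule [id] permit|deny [source A.B.C.D WILDCARD]".
# Huawei wildcards: a 0 bit means the corresponding address bit must match; "0" is shorthand for 0.0.0.0.
RULE_RE = re.compile(
    r"^rule\s+(?:(?P<id>\d+)\s+)?(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<ip>\S+)\s+(?P<wc>\S+))?\s*$")


def parse_rule(line):
    """Turn one rule line into {'id', 'action', 'net', 'wc'} with integer address and wildcard."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    if m.group("ip") is None:                 # no source clause: matches any source
        net, wc = 0, 0xFFFFFFFF
    else:
        net = int(ipaddress.IPv4Address(m.group("ip")))
        wc_text = m.group("wc")
        wc = 0 if wc_text == "0" else int(ipaddress.IPv4Address(wc_text))
    return {"id": m.group("id"), "action": m.group("action"), "net": net, "wc": wc}


def parse_acl(lines):
    return [parse_rule(ln) for ln in lines if ln.strip()]


def matches(rule, source_int):
    """Wildcard match: bits where the wildcard is 0 must be identical."""
    care = ~rule["wc"] & 0xFFFFFFFF
    return (source_int ^ rule["net"]) & care == 0


def acl_decision(rules, source_ip, default_action="deny"):
    """First matching rule wins (assumed config order); default_action is an
    assumption for sources matching no rule, not a statement about the device."""
    src = int(ipaddress.IPv4Address(source_ip))
    for rule in rules:
        if matches(rule, src):
            return rule["action"]
    return default_action


# Constructed rule set: the page's own rule plus two added ones.
SAMPLE_ACL_2000 = [
    "rule permit source 10.10.10.10 0",           # from the page's example
    "rule 10 deny source 10.10.10.0 0.0.0.255",   # constructed: rest of that /24
    "rule 15 permit source 10.10.0.0 0.0.255.255",  # constructed: the wider management range
]


def which_clients_may_connect(candidates, acl_lines=SAMPLE_ACL_2000):
    """Map candidate client addresses to permit/deny for review before applying the ACL."""
    rules = parse_acl(acl_lines)
    return {ip: acl_decision(rules, ip) for ip in candidates}


if __name__ == "__main__":
    print(which_clients_may_connect(["10.10.10.10", "10.10.10.77", "10.10.20.5", "192.0.2.1"]))
```

Because rule order decides the outcome, keep the most specific permit rules first and check the result for an address inside each wider range, as the 10.10.10.77 case does here.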

ssh server assign

Function

The ssh server assign command assigns the generated RSA host key, DSA host key, or ECC host key to the SSH server.

The undo ssh server assign command cancels the configuration.

By default, the device does not assign a key to the SSH server.

Format

ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key } label-name

undo ssh server assign { rsa-server-key | rsa-host-key | dsa-host-key | ecc-host-key }

Parameters

Parameter Description Value
rsa-server-key Specifies an RSA server key. -
rsa-host-key Sets the key type to RSA host key. -
dsa-host-key Sets the key type to DSA host key. -
ecc-host-key Sets the key type to ECC host key. -
label-name Specifies the label name of the RSA host key, RSA server key, DSA host key, or ECC host key. The label name must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to reference the generated RSA, DSA, or ECC key pair with a label to ensure security of the SSH server.
NOTE:
For security purposes, it is not recommended that you use RSA as the public key.

Table 3-35 describes the usage scenarios for different authentication modes.

Table 3-35  Usage scenarios for authentication modes

Authentication Mode

Usage Scenario

RSA

RSA is a public key encryption architecture and an asymmetric encryption algorithm. Based on the difficulty of factoring large numbers, RSA is mainly used to transmit the keys of a symmetric encryption algorithm, which improves encryption efficiency and simplifies key management. The server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server.

DSA

DSA authentication is implemented in the same way as RSA authentication. The server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server.

Compared with RSA authentication, DSA authentication uses the digital signature algorithm for encryption and has a wider application scope.
  • Many SSH tools only support DSA authentication for servers and clients.
  • Based on the latest RFC recommendation for SSH, DSA authentication takes precedence over RSA authentication.

ECC

As in RSA authentication, the server first checks the validity of the SSH user and then whether the public key and the digital signature are valid. If all three are consistent with the configuration on the server, user authentication succeeds. If any of the three fails the check, user access is denied. Compared with the RSA algorithm, ECC authentication has the following advantages:
  • Provides the same security with shorter key length.
  • Features a shorter computing process and higher processing speed.
  • Requires less storage space.
  • Requires lower bandwidth.

Prerequisites

RSA, DSA, or ECC key pair with a label has been generated using the rsa key-pair label, dsa key-pair label, or ecc key-pair label command before you run this command.

Configuration Impact

The RSA, DSA, or ECC key pair with a label assigned to the SSH server has a higher priority than the key pair generated using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command. If this command is not configured, the SSH server uses the key pair generated using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command for encryption.

Precautions

  • After you delete the RSA, DSA, or ECC key pair with a label, the key pair assigned to the SSH server is deleted simultaneously.

  • This command takes effect for both ipv4 and ipv6 SSH server.

Example

# Assign the ECC host key named ecckey to the SSH server.

<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecckey
[*HUAWEI] ssh server assign ecc-host-key ecckey

ssh server authentication-retries

Function

The ssh server authentication-retries command sets the maximum number of authentication retries for an SSH connection.

The undo ssh server authentication-retries command restores the default maximum number of authentication retries for an SSH connection.

The default maximum number of authentication retries for an SSH connection is 3.

Format

ssh server authentication-retries times

undo ssh server authentication-retries

Parameters

Parameter Description Value
times Specifies the maximum number of authentication retries for an SSH connection. The value is an integer that ranges from 1 to 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to configure the maximum number of authentication retries for an SSH connection, which prevents server overload due to malicious access. When the number of authentication retries exceeds the maximum number, the device instructs the remote host to tear down the connection.

Precautions

The configured number of retries takes effect upon the next login.

The total number of RSA, DSA, ECC, and password authentication retries on the SSH client cannot exceed the maximum number that is set using this command.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the maximum number of times for retrying login authentication to 4.

<HUAWEI> system-view
[~HUAWEI] ssh server authentication-retries 4

ssh server compatible-ssh1x enable

Function

The ssh server compatible-ssh1x enable command enables the earlier version-compatible function on the SSH server.

The undo ssh server compatible-ssh1x enable command disables the earlier version-compatible function on the SSH server.

By default, the earlier version-compatible function is disabled on the SSH server.

Format

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Scenario

The earlier version-compatible function of the SSH server is applicable to the protocol version negotiation between the client and server. The client negotiates the protocol version, by comparing its own protocol version with the received packet. After a TCP connection is set up between the client and the server, the SSH client starts to negotiate with the server on the protocol version by running which they can work normally.

By comparing the protocol versions, the server determines whether to work with the client:

  • If the client runs a protocol version that is earlier than 1.3 or later than 2.0, version negotiation fails and the server terminates the TCP connection with the client.
  • If the client runs a protocol version between 1.3 and 1.99, the SSH1.5 server module is established when the SSH "compatibility configuration option" is SSH1.x-compatible, and the system proceeds with the SSH1.x process. When the option is SSH1.x-incompatible, the server terminates the TCP connection with the client.
  • If the client runs protocol version 1.99 or 2.0, the SSH2.0 server module is established and the system proceeds with the SSH2.0 process.

Precaution

If compatibility with SSH 1.3 and 1.5 is disabled, all connections from SSH 1.x clients are dropped.

If the SSH server is enabled to be compatible with earlier SSH versions, the system displays a security risk warning.

Example

# Enable the compatibility with SSH 1.x version.

<HUAWEI> system-view
[~HUAWEI] ssh server compatible-ssh1x enable
Warning: SSHv1 is not a secure protocol, it is recommended to use SSHv2.

ssh server cipher

Function

The ssh server cipher command configures an encryption algorithm list for an SSH server.

The undo ssh server cipher command restores the default encryption algorithm list of an SSH server.

The default situation is as follows:
  • If a device starts without any configuration file, the encryption algorithms supported by the SSH server are AES256_CTR and AES128_CTR.

  • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no encryption algorithm list is configured for the SSH server in the configuration file using the ssh server cipher command, the encryption algorithms supported by the SSH server are 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, AES192_CTR, AES128_GCM, AES256_GCM, AES256_CTR, Arcfour128, and Arcfour256.

Format

ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm | blowfish_cbc } *

undo ssh server cipher

Parameters

Parameter Description Value
des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -
arcfour128 Specifies the Arcfour128 encryption algorithm. -
arcfour256 Specifies the Arcfour256 encryption algorithm. -
aes192_cbc Specifies the CBC AES192 encryption algorithm. -
aes192_ctr Specifies the CTR AES192 encryption algorithm. -
aes128_gcm Specifies the GCM AES128 encryption algorithm. -
aes256_gcm Specifies the GCM AES256 encryption algorithm. -
blowfish_cbc Specifies the CBC Blowfish encryption algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. After the list is configured, the server matches the encryption algorithm list of a client against the local list after receiving a packet from the client and selects the first encryption algorithm that matches the local list. If no encryption algorithms in the list of the client match the local list, the negotiation fails.

Precautions

des_cbc, 3des_cbc, aes128_cbc, aes192_cbc, aes256_cbc, arcfour128, and arcfour256 provide weak security. Therefore, do not add them to the encryption algorithm list. Using aes128_ctr, aes192_ctr, aes128_gcm, aes256_gcm, or aes256_ctr is recommended because these algorithms provide higher security.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example

# Configure CTR encryption algorithms for an SSH server.

<HUAWEI> system-view
[~HUAWEI] ssh server cipher aes256_ctr aes128_ctr

ssh server dh-exchange min-len

Function

The ssh server dh-exchange min-len command configures the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

The undo ssh server dh-exchange min-len command restores the default minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

By default, the minimum key length supported is 1024 bits.

Format

ssh server dh-exchange min-len min-len

undo ssh server dh-exchange min-len

Parameters

Parameter Description Value
min-len Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. The value can be either 1024 or 2048, in bits.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client supports a Diffie-hellman-group-exchange key longer than 1024 bits, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bits to improve security.

Precautions

Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than 2048 bits. You are advised to set the minimum key length to 2048 bits.

Example

# Set the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client to 2048 bits.

<HUAWEI> system-view
[~HUAWEI] ssh server dh-exchange min-len 2048

ssh server hmac

Function

The ssh server hmac command configures an HMAC authentication algorithm list for an SSH server.

The undo ssh server hmac command restores the default HMAC authentication algorithm list of an SSH server.

The default situation is as follows:
  • If a device starts without any configuration file, the HMAC authentication algorithms supported by the SSH server are SHA2_256_96, SHA2_256, and SHA1_96.

  • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no HMAC authentication algorithm list is configured for the SSH server in the configuration file using the ssh server hmac command, the HMAC authentication algorithms supported by the SSH server are MD5, MD5_96, SHA1, SHA1_96, SHA2_256, SHA2_512, and SHA2_256_96.

Format

ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *

undo ssh server hmac

Parameters

Parameter Description Value
md5 Specifies the MD5 HMAC authentication algorithm. -
md5_96 Specifies the MD5_96 HMAC authentication algorithm. -
sha1 Specifies the SHA1 HMAC authentication algorithm. -
sha1_96 Specifies the SHA1_96 HMAC authentication algorithm. -
sha2_256 Specifies the SHA2_256 HMAC authentication algorithm. -
sha2_256_96 Specifies the SHA2_256_96 HMAC authentication algorithm. -
sha2_512 Specifies the SHA2_512 HMAC authentication algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an HMAC authentication algorithm for the packets exchanged between them. You can run the ssh server hmac command to configure an HMAC authentication algorithm list for the SSH server. After the list is configured, the server matches the list of a client against the local list after receiving a packet from the client and selects the first HMAC authentication algorithm that matches the local list. If no HMAC authentication algorithms in the list of the client match the local list, the negotiation fails.

Precautions

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC authentication algorithm list.

This command takes effect for both IPv4 and IPv6 SSH servers.

Example

# Configure the SHA2_256 HMAC authentication algorithm for an SSH server.

<HUAWEI> system-view
[~HUAWEI] ssh server hmac sha2_256

ssh server keepalive disable

Function

The ssh server keepalive disable command disables the keepalive function on the SSH server.

The undo ssh server keepalive disable command enables the keepalive function on the SSH server.

By default, the keepalive function is enabled on the SSH server.

Format

ssh server keepalive disable

undo ssh server keepalive disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

When the keepalive function is enabled on the SSH server, the server responds to the keepalive packets it receives from the SSH client. If the function is disabled, the SSH server discards the received keepalive packets; when the SSH client receives no keepalive response, it disconnects from the server. Such disconnections during periods with no data exchange waste server resources, because the client has to reconnect.

Example

# Enable the keepalive function on the SSH server.

<HUAWEI> system-view
[~HUAWEI] undo ssh server keepalive disable

ssh server key-exchange

Function

The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.

The undo ssh server key-exchange command restores the default configuration.

The default situation is as follows:
  • If a device starts without any configuration file, the key exchange algorithms supported by the SSH server are dh_group_exchange_sha1, dh_group_exchange_sha256, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep.

  • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no key exchange algorithm list is configured on the SSH server using the ssh server key-exchange command, the SSH server supports all key exchange algorithms.

Format

ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *

undo ssh server key-exchange

Parameters

Parameter Description Value
dh_group14_sha1 Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
dh_group1_sha1 Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
dh_group_exchange_sha1 Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
dh_group_exchange_sha256 Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
ecdh_sha2_nistp256 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
ecdh_sha2_nistp384 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
ecdh_sha2_nistp521 Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH server. -
sm2_kep Specifies that the SM2 key exchange protocol (SM2 KEP) algorithm is contained in the key exchange algorithm list configured on the SSH server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the list is configured, the server matches the key exchange algorithm list of a client against the local list after receiving a packet from the client and selects the first key exchange algorithm that matches the local list. If no key exchange algorithms in the list of the client match the local list, the negotiation fails.

NOTE:

For security purposes, do not use insecure key exchange algorithms such as dh_group1_sha1.
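The list matching described for ssh server cipher, ssh server hmac and ssh server key-exchange, together with the two default situations each command documents, modelled in Python as an added example (not device code). It assumes that the client's list is walked in the client's order and the first name the server also allows wins, that a device booted from a configuration file uses the second set of defaults for any list the file leaves unset, and that "all key exchange algorithms" means every keyword the command accepts; the configuration fragment is constructed.

```python
"""Algorithm-list negotiation and defaults for the ssh server cipher,
ssh server hmac and ssh server key-exchange commands.

Added example, not device code. Assumptions: the client's list is walked
in its own order and the first name the server also allows wins (as the
page states; this also matches RFC 4253 section 7.1); a device booted from
a configuration file uses the second set of defaults for every list the
file leaves unconfigured; "all key exchange algorithms" means every
keyword the command accepts.
"""
from typing import Optional, Sequence

# Defaults quoted from the page. "no-config": booted without a configuration
# file. "config-file": booted from a file (e.g. via ZTP) that leaves the list unset.
DEFAULTS = {
    "cipher": {
        "no-config": ["aes256_ctr", "aes128_ctr"],
        "config-file": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr",
                        "aes192_ctr", "aes128_gcm", "aes256_gcm", "aes256_ctr",
                        "arcfour128", "arcfour256"],
    },
    "hmac": {
        "no-config": ["sha2_256_96", "sha2_256", "sha1_96"],
        "config-file": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256",
                        "sha2_512", "sha2_256_96"],
    },
    "key-exchange": {
        "no-config": ["dh_group_exchange_sha1", "dh_group_exchange_sha256",
                      "ecdh_sha2_nistp256", "ecdh_sha2_nistp384",
                      "ecdh_sha2_nistp521", "sm2_kep"],
        # assumption: "all key exchange algorithms" = every keyword of the command
        "config-file": ["dh_group14_sha1", "dh_group1_sha1",
                        "dh_group_exchange_sha1", "dh_group_exchange_sha256",
                        "ecdh_sha2_nistp256", "ecdh_sha2_nistp384",
                        "ecdh_sha2_nistp521", "sm2_kep"],
    },
}

# Entries the page's Precautions and NOTE text flags as weak.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": {"dh_group1_sha1"},
}


def negotiate(client: Sequence[str], server: Sequence[str]) -> Optional[str]:
    """First client-preferred algorithm the server also allows; None = negotiation fails."""
    allowed = set(server)
    for name in client:
        if name in allowed:
            return name
    return None


def effective_lists(config_text: Optional[str]) -> dict:
    """Lists the server will offer: explicit 'ssh server <kind> ...' lines win,
    otherwise the default for the way the device booted (None = no config file)."""
    case = "no-config" if config_text is None else "config-file"
    lists = {kind: list(v[case]) for kind, v in DEFAULTS.items()}
    for line in (config_text or "").splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[:2] == ["ssh", "server"] and parts[2] in DEFAULTS:
            lists[parts[2]] = parts[3:]
    return lists


def audit(lists: dict) -> dict:
    """Weak entries per list, in configured order (empty dict = nothing to fix)."""
    findings = {kind: [a for a in algs if a in WEAK[kind]] for kind, algs in lists.items()}
    return {kind: bad for kind, bad in findings.items() if bad}


# Constructed configuration fragment: cipher and hmac hardened, key-exchange left unset.
SAMPLE_CONFIG = """\
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
"""

if __name__ == "__main__":
    lists = effective_lists(SAMPLE_CONFIG)
    print(audit(lists))  # key-exchange still offers dh_group1_sha1
    print(negotiate(["aes128_cbc", "aes128_ctr"], lists["cipher"]))  # aes128_ctr
```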

Example

# Configure a key exchange algorithm list containing dh_group_exchange_sha1 and dh_group_exchange_sha256 on the SSH server.

<HUAWEI> system-view
[~HUAWEI] ssh server key-exchange dh_group_exchange_sha1 dh_group_exchange_sha256

ssh server login-failed threshold-alarm

Function

The ssh server login-failed threshold-alarm command configures alarm generation and clearance thresholds for SSH server login failures within a specified period.

The undo ssh server login-failed threshold-alarm command restores the default alarm generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.

Format

ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

undo ssh server login-failed threshold-alarm [ upper-limit report-times lower-limit resume-times period period-time ]

Parameters

Parameter Description Value
upper-limit report-times Specifies an alarm generation threshold. The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon SSH server login failures.
lower-limit resume-times Specifies an alarm clearance threshold. The value is an integer ranging from 0 to report-times, so its range varies with report-times. The default value is 20, and the maximum value is 45. If resume-times is 0, it functions the same as when the value is set to 1, which means that a clear alarm is generated if no login failures occur.
period period-time Specifies a statistics collection period. The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To manage frequent SSH server login failures within a specified period, run the ssh server login-failed threshold-alarm command to configure alarm generation and clearance thresholds for the login failures. This configuration enables the device to generate alarms for administrators to promptly handle associated events. The alarm SSH_1.3.6.1.4.1.2011.5.25.207.2.8 hwSSHLoginFailed is generated when the number of login failures reaches report-times within period-time, and the fault clearance alarm SSH_1.3.6.1.4.1.2011.5.25.207.2.10 hwSSHLoginFailedClear is generated when the number of login failures falls below resume-times within the same period.

Precautions

The alarm generation threshold specified using report-times must be greater than or equal to the alarm clearance threshold specified using resume-times.
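A reference model of the generation and clearance thresholds described above, as an added example that is not device code. It assumes a fixed (non-sliding) statistics period starting at the first observed failure, an alarm raised as soon as a period's failure count reaches report-times, and the clearance check made when a period ends; the failure timestamps are constructed.

```python
"""Model of ssh server login-failed threshold-alarm (added example, not device code).

Assumptions not stated on the page: the statistics period is a fixed,
non-sliding window starting at the first observed failure; the alarm is
raised the moment a period's count reaches report-times; the clearance
check runs when a period ends. Timestamps are epoch seconds.
"""
from dataclasses import dataclass, field
from typing import Optional

HW_SSH_LOGIN_FAILED = "hwSSHLoginFailed"             # SSH_1.3.6.1.4.1.2011.5.25.207.2.8
HW_SSH_LOGIN_FAILED_CLEAR = "hwSSHLoginFailedClear"  # SSH_1.3.6.1.4.1.2011.5.25.207.2.10


@dataclass
class LoginFailureAlarm:
    report_times: int = 30      # upper-limit: 0..100, 0 means never alarm
    resume_times: int = 20      # lower-limit: 0..report-times, 0 behaves as 1
    period_minutes: int = 5     # period: 1..120 minutes
    alarmed: bool = False
    count: int = 0                        # failures seen in the current period
    period_start: Optional[float] = None  # set by the first failure
    raised: list = field(default_factory=list)  # (timestamp, alarm name)

    def __post_init__(self) -> None:
        if not 0 <= self.report_times <= 100:
            raise ValueError("upper-limit must be 0..100")
        if not 1 <= self.period_minutes <= 120:
            raise ValueError("period must be 1..120 minutes")
        # Precautions: report-times must be >= resume-times
        if self.resume_times > self.report_times:
            raise ValueError("lower-limit must not exceed upper-limit")
        if self.resume_times == 0:
            self.resume_times = 1  # page: 0 functions the same as 1

    @property
    def _period_seconds(self) -> int:
        return self.period_minutes * 60

    def _close_period(self, end_ts: float) -> None:
        """End-of-period check: clear the alarm when failures fell below resume-times."""
        if self.alarmed and self.count < self.resume_times:
            self.alarmed = False
            self.raised.append((end_ts, HW_SSH_LOGIN_FAILED_CLEAR))
        self.count = 0

    def advance(self, ts: float) -> None:
        """Roll over every period that ended at or before ts (no failure needed)."""
        if self.period_start is None:
            return
        while ts >= self.period_start + self._period_seconds:
            self.period_start += self._period_seconds
            self._close_period(self.period_start)

    def failure(self, ts: float) -> None:
        """Record one failed SSH login at time ts."""
        if self.report_times == 0:
            return  # alarms disabled; period-time has no effect
        if self.period_start is None:
            self.period_start = ts
        self.advance(ts)
        self.count += 1
        if not self.alarmed and self.count >= self.report_times:
            self.alarmed = True
            self.raised.append((ts, HW_SSH_LOGIN_FAILED))


def replay(failures, report_times, resume_times, period_minutes, until=None):
    """Feed failure timestamps in time order; return the alarm names emitted.
    'until' lets quiet periods after the last failure be evaluated as well."""
    alarm = LoginFailureAlarm(report_times, resume_times, period_minutes)
    for ts in sorted(failures):
        alarm.failure(ts)
    if until is not None:
        alarm.advance(until)
    return [name for _, name in alarm.raised]


# Constructed sample matching the page's example (upper 20, lower 10, period 3):
# 20 failures in the first minute, 5 more in the second period, then quiet.
SAMPLE_FAILURES = [float(i * 3) for i in range(20)] + [180.0 + 10 * i for i in range(5)]

if __name__ == "__main__":
    print(replay(SAMPLE_FAILURES, 20, 10, 3, until=600.0))
```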

Example

# Configure the device to generate an alarm when the number of SSH server login failures within 3 minutes reaches 20 and clear the alarm when the number of SSH server login failures within 3 minutes is less than 10.

<HUAWEI> system-view
[~HUAWEI] ssh server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3

ssh server port

Function

The ssh server port command changes the listening port number of the SSH server.

The undo ssh server port command restores the default listening port number of the SSH server.

The default listening port number of the SSH server is 22.

Format

ssh [ ipv4 | ipv6 ] server port port-number

undo ssh [ ipv4 | ipv6 ] server port

Parameters

Parameter Description Value
ipv4 Specifies the IPv4 server port. -
ipv6 Specifies the IPv6 server port. -
port-number Specifies the listening port number of the SSH server. The value is 22 or an integer ranging from 1025 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Configure the listening port number of the SSH server to prevent malicious access to the standard SSH service port and ensure security.

The ssh server port command applies to both the IPv4 and IPv6 SSH servers. Run the ssh ipv4 server port command to configure only the IPv4 SSH server, or the ssh ipv6 server port command to configure only the IPv6 SSH server.

Precautions

The SSH client can log in successfully with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login.

Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.

Example

# Set the listening port number of the SSH server to 1025.

<HUAWEI> system-view
[~HUAWEI] ssh server port 1025
Warning: The operation will disconnect all online users. Continue? [Y/N]: y 

ssh server rekey-interval

Function

The ssh server rekey-interval command sets the interval for updating the SSH server key pair.

The undo ssh server rekey-interval command restores the default interval for updating the SSH server key pair.

The default interval for updating the SSH server key pair is 0, indicating that the key pair is never updated.

Format

ssh server rekey-interval hours

undo ssh server rekey-interval

Parameters

Parameter Description Value
hours Specifies the interval for updating the server key pair. The value is an integer that ranges from 0 to 24, in hours.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the server key pair is not updated for a long time, the key becomes easier to compromise and the server becomes insecure. After the interval for updating the SSH server key pair is set using this command, the system automatically updates the key pair at that interval.

Precautions

If the client is connected to the server, the server public key on the client is not updated immediately. This key is updated only when the client is reconnected to the server.

Example

# Set the interval for updating the SSH server key pair to 2 hours.

<HUAWEI> system-view
[~HUAWEI] ssh server rekey-interval 2

ssh server timeout

Function

The ssh server timeout command sets the timeout interval for SSH connection authentication.

The undo ssh server timeout restores the default timeout interval for SSH connection authentication.

The default timeout interval for SSH connection authentication is 60 seconds.

Format

ssh server timeout seconds

undo ssh server timeout

Parameters

Parameter Description Value
seconds Specifies the timeout interval for SSH connection authentication. The value is an integer ranging from 1 to 120, in seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you have not logged in successfully within the timeout interval for SSH connection authentication, the current connection is terminated to ensure security. You can run the display ssh server command to query the current timeout interval.

Precautions

The setting for the timeout interval takes effect upon next login.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the SSH connection authentication timeout interval to 90 seconds.

<HUAWEI> system-view
[~HUAWEI] ssh server timeout 90

ssh server-source

Function

The ssh server-source command specifies a source interface for an SSH server.

The undo ssh server-source command restores the default setting.

By default, the source interface of an SSH server is not specified.

Format

ssh server-source -i interface-type interface-number

undo ssh server-source

ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]

undo ssh ipv6 server-source

Parameters

Parameter Description Value
-i interface-type interface-number Specifies the source interface for the SSH server. You can enter a question mark (?) and select a value from the displayed value range.
-a ipv6-address Specifies the source IPv6 address. The value is a 128-bit address written as 8 groups of 4 hexadecimal digits in the format X:X:X:X:X:X:X:X.
ipv6 Specifies the SSH IPv6 server. -
-vpn-instance vpn-instance-name Specifies the VPN instance. The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, an SSH server accepts connection requests on all interfaces, which leaves the system exposed to attacks. To enhance system security, you can specify the source interface of the SSH server. This sets a login condition so that only authorized users can log in to the SSH server.

The ssh server-source -i interface-type interface-number command takes effect for the IPv4 function.

Prerequisites

Before running this command to specify the source interface, ensure that the physical interface exists on the device or the logical interface has been created successfully; otherwise, this command cannot be run successfully.

Precautions

  • After the source interface is specified, the system only allows SSH users to log in to the SSH server through this source interface, and SSH users logging in through other interfaces are denied. Note that setting this parameter only affects SSH users who attempt to log in to the SSH server, and it does not affect SSH users who have logged in to the server.

  • After the source interface of an SSH server is specified using this command, ensure that SSH users can access the source interface at Layer 3. Otherwise, the SSH users will fail to log in to the SSH server.

  • The configuration takes effect upon the next login. The system will prompt you to determine whether to continue the operation.

  • If the specified source interface has been bound to a VPN instance, the SSH server is automatically bound to the same VPN instance.

  • If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command, vpn1 takes effect for IPv4 users, and vpn2 takes effect for IPv6 users.

  • After a bound VPN instance is deleted, the VPN configuration specified using the ssh server-source command is not cleared but no longer takes effect. In this case, the SSH server uses a public IP address. If you configure a VPN instance with the same name again, the VPN function is restored.

  • After a bound source interface is deleted, the interface configuration specified using the ssh server-source command is not cleared but no longer takes effect. If you configure a source interface with the same name again, the interface configuration specified using the ssh server-source command is updated and the function is restored.

Example

# Specify Loopback0 as the source interface of the SSH server.

<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] ssh server-source -i loopback 0

ssh user

Function

The ssh user command creates an SSH user.

The undo ssh user command deletes an SSH user.

By default, no ssh user is created.

Format

ssh user user-name

undo ssh user [ user-name ]

Parameters

Parameter Description Value
user-name Specifies the name of an SSH user. The name is a string of 1 to 253 case-insensitive characters without spaces.
NOTE:

When quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

3: Management level

Usage Guidelines

You can create a user using either of the following methods:

Example

# Create an SSH user named testuser.

<HUAWEI> system-view
[~HUAWEI] ssh user testuser

ssh user assign

Function

The ssh user assign command assigns an existing public key to a user.

The undo ssh user assign command deletes the mapping between the user and public key.

By default, no public key is assigned to a user.

Format

ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }

Parameters

Parameter Description Value
user-name Specifies the SSH user name. The SSH user must already exist.

rsa-key Specifies the RSA public key. -
dsa-key Specifies the DSA public key. -
ecc-key Specifies the ECC public key. -
key-name Specifies the client public key name. The public key name must already exist.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode, run this command to assign a public key to the client. If the client has been assigned keys, the latest assigned key takes effect.

For security purposes, it is not recommended that you use RSA as the public key.

Precautions

The newly configured public key takes effect upon next login.

If the user named user-name to whom a public key is assigned does not exist, the system automatically creates an SSH user named user-name and performs the configured authentication for the SSH user.

Example

# Assign key1 to a user named John.

<HUAWEI> system-view
[~HUAWEI] ssh user john assign rsa-key key1

ssh user authentication-type

Function

The ssh user authentication-type command configures the authentication mode for an SSH user.

The undo ssh user authentication-type command deletes the configured authentication mode.

By default, no authentication mode is configured for an SSH user.

Format

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

undo ssh user user-name authentication-type

Parameters

Parameter Description Value
user-name Specifies the SSH user name. The SSH user must already exist.
password Specifies the password authentication mode. -
rsa Specifies the RSA authentication mode. NOTE: To ensure high security, do not use an RSA key shorter than 2048 bits as the authentication type for the SSH user. You are advised to use the more secure ECC authentication algorithm. -
password-rsa Specifies the password and RSA authentication mode. -
dsa Specifies the DSA authentication mode. -
password-dsa Specifies the password and DSA authentication mode. -
ecc Specifies the ECC authentication mode. -
password-ecc Specifies the password and ECC authentication mode. -
all Specifies the password, ECC, DSA, or RSA authentication mode. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you configure the authentication mode for an SSH user, the system automatically creates an SSH user named user-name if the user-name user does not exist.

For security purposes, you are advised not to use the RSA authentication mode.

Table 3-36 describes the usage scenarios for different authentication modes.

Table 3-36  Usage scenarios for authentication modes

Authentication Mode

Usage Scenario

RSA

It is a public key encryption architecture and an asymmetric encryption algorithm. Based on the problem of factoring large numbers, RSA is mainly used to transmit the keys of the symmetric encryption algorithm, which improves encryption efficiency and simplifies key management. The server checks whether the SSH user, public key, and user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server.

DSA

Its implementation is the same as that of RSA authentication. The server checks whether the SSH user, public key, and user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server.

Compared with RSA authentication, DSA authentication uses the digital signature algorithm for encryption and has a wider application scope.
  • Many SSH tools only support DSA authentication for servers and clients.
  • Based on the latest RFC recommendation for SSH, DSA authentication takes precedence over RSA authentication.

ECC

Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three fails authentication, the user is denied access. Compared with the RSA algorithm, ECC authentication has the following advantages:
  • Provides the same security with shorter key length.
  • Features a shorter computing process and higher processing speed.
  • Requires less storage space.
  • Requires lower bandwidth.

password

On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the user name and password. If either of them fails to be authenticated, the access request of the user is denied.

The account information of users who are configured with the password authentication mode can be configured on devices or remote authentication servers (for example, RADIUS servers).

password-rsa, password-dsa, and password-ecc

The SSH server authenticates a client by checking both the public key and password. The client can be authenticated only when both the public key and password meet the requirement.

all

In this authentication mode, the SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement.

Precautions

A new SSH user cannot log in to the SSH server unless being configured with an authentication mode. The newly configured authentication mode takes effect upon next login.

Example

# Configure the password authentication mode for an SSH user John.

<HUAWEI> system-view
[~HUAWEI] ssh user john authentication-type password

# Set the authentication type to ECC for the SSH user named ssh_user1@dom1.

<HUAWEI> system-view
[~HUAWEI] ssh user ssh_user1@dom1 authentication-type ecc

ssh user service-type

Function

The ssh user service-type command configures the service type for an SSH user.

The undo ssh user service-type command restores the default service type for an SSH user.

By default, no service type is configured for an SSH user.

Format

ssh user user-name service-type { { sftp | stelnet | snetconf } * | all }

undo ssh user user-name service-type

Parameters

Parameter Description Value
user-name Specifies the SSH user name. The SSH user must already exist.

sftp Specifies the SFTP service type. -
stelnet Specifies the STelnet service type. -
snetconf Specifies the SNetconf service type. -
all Specifies the SFTP, STelnet, and SNetconf service types. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to determine the service type for connecting to devices. If the user-name user does not exist, the system creates an SSH user named user-name and uses the configured service type for the SSH user.

Precautions

If the SFTP service type is configured for an SSH user, you need to set the authorized directory for the user. By default, the SFTP service authorized directory is flash: for the SSH user. You can run the ssh user sftp-directory command to set the authorized directory.

If you run the ssh user user-name service-type sftp stelnet snetconf command, the ssh user user-name service-type all command is saved in the configuration file.

Example

# Configure the all service type for an SSH user John.

<HUAWEI> system-view
[~HUAWEI] ssh user john service-type all

stelnet

Function

The stelnet command enables you to use the STelnet protocol to log in to another device from the current device.

Format

# IPv4 address

stelnet [ -a source-ip-address | -i interface-type interface-number ] [ -force-receive-pubkey ] host-ip [ port-number ] [ -vpn-instance vpn-instance-name | prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *

# IPv6 address

stelnet ipv6 [ -a source-ip-address ] [ -force-receive-pubkey ] host-ipv6 [ -vpn-instance vpn-instance-name ] [ -oi interface-type interface-number ] [ port-number ] [ prefer_kex kex-type | prefer_ctos_cipher cipher-type | prefer_stoc_cipher cipher-type | prefer_ctos_hmac hmac-type | prefer_stoc_hmac hmac-type | prefer_ctos_compress compress-type | prefer_stoc_compress compress-type | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | ecc | rsa } | user-identity-key { dsa | ecc | rsa } ] *

Parameters

Parameter Description Value
-a source-ip-address Specifies the STelnet source IP address. -
-i interface-type interface-number Specifies the STelnet source interface. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported. -
-force-receive-pubkey Indicates that a server forcibly receives public key authentication. -
host-ip Specifies the IP address or host name of the remote IPv4 STelnet server. The IPv4 STelnet server must already exist.
host-ipv6 Specifies the IPv6 address or host name of the remote IPv6 STelnet server. The IPv6 STelnet server must already exist.
-oi interface-type interface-number Specifies the outbound interface on the local device. If the IPv6 address of the remote host is a link-local address, the outbound interface must be specified.
port-number Specifies the port number that the SSH server is listening on. The value is an integer that ranges from 1 to 65535. The default value 22 is the standard port number.
prefer_kex kex-type

Specifies the preferred key exchange algorithm.

The key exchange algorithms include:
  • dh-exchange-group-sha256
  • dh_exchange_group
  • dh_group1
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • sm2_kep
  • DH_Group14_SHA1
The default key exchange algorithm is dh_group1.
NOTE:
When the public key for the authentication on the server is ECC, the preferred key exchange algorithm must be sm2_kep.
prefer_ctos_cipher cipher-type

Specifies the preferred encryption algorithm from the client to the server.

The encryption algorithms include:
  • 3des
  • aes128
  • aes256
  • arcfour128
  • arcfour256
  • des
  • aes128_ctr
  • aes256_ctr
  • aes192
  • aes128_gcm
  • aes256_gcm
  • aes192_ctr
The default encryption algorithm is aes256.

Encryption algorithms supported depend on the ssh client cipher command configured by the user.

prefer_stoc_cipher cipher-type

Specifies the preferred encryption algorithm from the server to the client.

The encryption algorithms include:
  • 3des
  • aes128
  • aes256
  • arcfour128
  • arcfour256
  • des
  • aes128_ctr
  • aes256_ctr
  • aes192
  • aes128_gcm
  • aes256_gcm
  • aes192_ctr
The default encryption algorithm is aes256.

Encryption algorithms supported depend on the ssh client cipher command configured by the user.

prefer_ctos_hmac hmac-type

Specifies the preferred HMAC algorithm from the client to the server.

The HMAC algorithms include:
  • md5
  • md5_96
  • sha1
  • sha1_96
  • sha2_256
  • sha2_256_96
  • sha2_512
The default HMAC algorithm is sha2_256.
prefer_stoc_hmac hmac-type

Specifies the preferred HMAC algorithm from the server to the client.

The HMAC algorithms include:
  • md5
  • md5_96
  • sha1
  • sha1_96
  • sha2_256
  • sha2_256_96
  • sha2_512
The default HMAC algorithm is sha2_256.
prefer_ctos_compress compress-type Specifies the preferred compression algorithm from the client to the server. The value of this parameter can only be set to zlib in the current version.
prefer_stoc_compress compress-type Specifies the preferred compression algorithm from the server to the client. The value of this parameter can only be set to zlib in the current version.
-vpn-instance vpn-instance-name Specifies the name of the VPN instance. The VPN instance must already exist.
-ki aliveinterval Specifies the interval for sending keepalive packets when no packet is received. The value is an integer that ranges from 1 to 3600, in seconds.
-kc alivecountmax Specifies the maximum number of keepalive packets that may go unanswered before the connection is released. The value is an integer that ranges from 1 to 30. The default value is 3.
identity-key { dsa | ecc | rsa }

Specifies the public key algorithm for the authentication on the server.

The public key algorithm can be one of the following:
  • dsa
  • ecc
  • rsa
The default public key algorithm is rsa.
NOTE:

To enhance security, you are advised to use the dsa or ecc algorithm.

user-identity-key { dsa | ecc | rsa }

Specifies the public key algorithm for the user authentication.

The public key algorithm can be one of the following:
  • dsa
  • ecc
  • rsa
The default public key algorithm is rsa.
NOTE:
When the public key for the authentication on the server is ecc, the preferred key exchange algorithm must be sm2_kep.

Views

User view, System view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted over TCP in plain text. Compared with Telnet, SSH provides secure remote access over a traditionally insecure network by authenticating clients and encrypting data in both directions. The SSH protocol supports STelnet. You can run this command to use STelnet to log in to another device from the current device.

STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as the Telnet service.

When a fault occurs in the connection between the client and server, the client needs to detect the fault in real time and proactively release the connection. To do so, set the keepalive interval and the maximum number of unanswered keepalive packets on the client that logs in to the server through STelnet.

  • Interval for sending keepalive packets (-ki): If the client does not receive any packet within the specified interval, it sends a keepalive packet to the server.
  • Maximum number of unanswered keepalive packets (-kc): If the number of consecutive keepalive packets the server fails to answer exceeds the specified value, the client proactively releases the connection.
Precautions
  • Run the stelnet server enable command on the SSH server to enable the STelnet service before connecting to the server with the stelnet command.

  • The SSH client can log in to the SSH server with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login.

Example

# Set keepalive parameters when the client logs in to the server through STelnet.

<HUAWEI> stelnet 10.164.39.209 -ki 10 -kc 4

# Remotely connect to the STelnet server that uses an IPv6 address.

<HUAWEI> stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128

stelnet server enable

Function

The stelnet server enable command enables the STelnet service on the SSH server.

The undo stelnet server enable command disables the STelnet service on the SSH server.

By default, the STelnet service is disabled on the SSH server.

Format

stelnet [ ipv4 | ipv6 ] server enable

undo stelnet [ ipv4 | ipv6 ] server enable

Parameters

Parameter Description Value
ipv4 Specifies IPv4 server. -
ipv6 Specifies IPv6 server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To connect a client to the SSH server through STelnet, you must enable the STelnet service on the SSH server.

The stelnet server enable command enables both the IPv4 and IPv6 STelnet servers. Run the stelnet ipv4 server enable command to enable only the IPv4 STelnet server, or the stelnet ipv6 server enable command to enable only the IPv6 STelnet server.

Precautions

After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.

In V200R002C50, you can run the stelnet [ ipv4 | ipv6 ] server enable command to enable the STelnet function. If the device is downgraded to V200R001C00 or an earlier version, this configuration is lost and you need to run the stelnet server enable command again.

Example

# Enable the STelnet service.

<HUAWEI> system-view
[~HUAWEI] stelnet server enable

telnet

Function

The telnet command enables you to use the Telnet protocol to log in to another device from the current device.

Format

# Log in to another device through Telnet based on IPv4.

telnet [ [ vpn-instance vpn-instance-name ] -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]

# Log in to another device through Telnet based on IPv6.

telnet ipv6 [ vpn-instance vpn-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]

Parameters

Parameter Description Value
vpn-instance vpn-instance-name Specifies the name of the VPN instance through which the Telnet login to the device is made. If the VPN instance is specified using vpn-instance vpn-instance-name, the -i interface-type interface-number parameter is not supported. The VPN instance must already exist.
-a source-ip-address Specifies the source IP address used to communicate with the server, which improves network security. If no source address is specified, the system uses the IP address of the local outbound interface to initiate the Telnet connection. -
-i interface-type interface-number Specifies the source interface type and number on the local device. -
host-ip Specifies the IPv4 address or host name of the remote device. The host must already exist.
host-ipv6 Specifies the IPv6 address or host name of the remote device. The host must already exist.
-oi interface-type interface-number Specifies the outbound interface on the local device. If the IPv6 address of the remote host is a link-local address, the outbound interface must be specified.
port-number Specifies the number of the TCP port that is used by the remote device to provide the Telnet service. The value is an integer that ranges from 1 to 65535. The default value is 23.

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

If one or more devices on the network need to be configured and managed, you do not need to connect each device to your terminal for local maintenance. If you know the IP address of a device, you can run this command to log in to it from your terminal and configure it remotely. In this way, one terminal can be used to maintain multiple devices on the network.

You can press Ctrl+K to terminate an active connection between the local and remote devices.

Prerequisites

The terminal can reach the remote device by IP address, and the Telnet server is enabled on the remote device.

Precautions

  • Before you run the telnet command to connect to the Telnet server, the Telnet client and server must be able to communicate through Layer 3 and the Telnet service must be enabled on the Telnet server.

  • Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted over TCP in plain text. STelnet is recommended on networks with high security requirements.

Example

# Connect to a remote device through Telnet.

<HUAWEI> telnet 192.168.1.6

# Use an IPv6 address to connect to a remote device through Telnet.

<HUAWEI> telnet ipv6 fc00:0:0:11::158

telnet client source

Function

The telnet client source command specifies the source IP address and interface for a Telnet client.

The undo telnet client source command restores the default settings.

The default source IP address of the Telnet client is 0.0.0.0.

Format

telnet client source { -a source-ip-address | -i interface-type interface-number }

undo telnet client source

Parameters

Parameter Description Value
-a source-ip-address Specifies the IPv4 address of the local switch. -
-i interface-type interface-number Specifies the outbound interface of the local switch. -

Views

System view

Default Level

3: Management level

Usage Guidelines

If no source IP address or interface is specified in the telnet command, the default settings configured with telnet client source are used. If a source IP address or interface is specified in the telnet command, the specified settings are used. When you check the current Telnet connection on the server, the IP address displayed is the specified source IP address or the primary IP address of the specified interface.

After a bound source interface is deleted, the interface configuration specified using the ssh server-source command will not be cleared but does not take effect. If you configure the source interface with the same name again, the interface configuration specified using the ssh server-source command is updated and the function restores.

If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.

Example

# Set the source IP address of the Telnet client to 10.1.1.1.

<HUAWEI> system-view
[~HUAWEI] telnet client source -a 10.1.1.1

telnet server acl

Function

The telnet server acl command configures the ACL to control the access of clients to the Telnet server.

The undo telnet server acl command cancels the configuration of the ACL.

By default, no ACL is configured for Telnet server.

Format

telnet [ ipv6 ] server acl { acl-number | acl-name }

undo telnet [ ipv6 ] server acl

Parameters

Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
acl-number Specifies the basic ACL number. The value is an integer that ranges from 2000 to 3999.
acl-name Specifies the ACL name. The value is a string of 1 to 32 case-sensitive characters except spaces. The value must start with a letter (case-sensitive).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a device functions as the Telnet server, you can configure the ACL on the device to control the login of the clients to the device.

Prerequisites

Before running this command, run the acl (system view) command in the system view and the rule (ACL view) command in the ACL view to configure an ACL.

Precautions

  • If the ACL contains no rules, Telnet connections are not restricted after the telnet server acl command is run.

  • A basic ACL is configured to restrict source addresses and an advanced ACL is configured to restrict source and destination addresses.

  • If the access control right for a network segment is permit or deny, the access control right for the other network segments is deny. For example, if an ACL allows access from clients on a network segment, clients on the other network segments cannot log in to the device. If an ACL rejects access from clients on a network segment, clients on all the network segments cannot log in to the device by default.

  • The telnet server acl { acl-number | acl-name } command (without the ipv6 keyword) takes effect for IPv4 only.

Example

# Configure the ACL numbered 2000 on the Telnet server.

<HUAWEI> system-view
[~HUAWEI] acl 2000
[*HUAWEI-acl4-basic-2000] rule permit source 10.1.1.1 0
[*HUAWEI-acl4-basic-2000] quit
[*HUAWEI] telnet server acl 2000

# Configure the ACL named huawei on the Telnet server.

<HUAWEI> system-view
[~HUAWEI] acl name huawei
[*HUAWEI-acl4-advance-huawei] rule permit tcp
[*HUAWEI-acl4-advance-huawei] quit
[*HUAWEI] telnet server acl huawei
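The ACL precautions above (no rules means unrestricted; once any rule exists, a non-matching client is denied, so a single permit rule denies every other segment and a single deny rule denies everyone) can be checked against basic-ACL rule lines with the following added Python model. It is not Huawei code: parse_rule and telnet_acl_allows are hypothetical helpers, the rule lines are constructed for the example, and only basic (source-address) rules are modelled.

```python
import ipaddress

ANY_SOURCE = ("0.0.0.0", "255.255.255.255")  # matches every IPv4 address


def parse_rule(line):
    """Parse a basic ACL rule line, e.g. 'rule 5 permit source 10.1.1.0 0.0.0.255'.

    Returns (action, source, wildcard). A rule with no 'source' clause, or with
    'source any', matches every address. A wildcard given as bare '0' (as in the
    page's example 'rule permit source 10.1.1.1 0') means an exact host match.
    """
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError("not an ACL rule line: %r" % line)
    tokens = tokens[1:]
    if tokens and tokens[0].isdigit():      # optional rule number
        tokens = tokens[1:]
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError("rule must be permit or deny: %r" % line)
    action = tokens[0]
    if len(tokens) < 3 or tokens[1] != "source" or tokens[2] == "any":
        return (action,) + ANY_SOURCE
    wildcard = tokens[3] if len(tokens) > 3 else "0"
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return (action, tokens[2], wildcard)


def _matches(source, wildcard, client_ip):
    """Wildcard-mask match: every bit that is 0 in the wildcard must be equal."""
    src = int(ipaddress.IPv4Address(source))
    wc = int(ipaddress.IPv4Address(wildcard))
    ip = int(ipaddress.IPv4Address(client_ip))
    return ((src ^ ip) & ~wc & 0xFFFFFFFF) == 0


def telnet_acl_allows(rules, client_ip):
    """Decide whether a Telnet client is admitted under 'telnet server acl'.

    rules: list of (action, source, wildcard) tuples from parse_rule().
    - no rules configured  -> connections are not restricted (allowed)
    - first matching rule  -> its action decides
    - no matching rule     -> denied (implicit deny once any rule exists)
    """
    if not rules:
        return True
    for action, source, wildcard in rules:
        if _matches(source, wildcard, client_ip):
            return action == "permit"
    return False


if __name__ == "__main__":
    # Constructed rule lines mirroring the page's precautions.
    permit_one_host = [parse_rule("rule permit source 10.1.1.1 0")]
    deny_one_segment = [parse_rule("rule 5 deny source 10.1.1.0 0.0.0.255")]
    for rules, ip in [(permit_one_host, "10.1.1.1"), (permit_one_host, "10.1.1.2"),
                      (deny_one_segment, "10.1.1.9"), (deny_one_segment, "192.0.2.1"),
                      ([], "192.0.2.1")]:
        print(ip, "allowed" if telnet_acl_allows(rules, ip) else "denied")
```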

telnet server login-failed threshold-alarm

Function

The telnet server login-failed threshold-alarm command configures alarm generation and clearance thresholds for Telnet server login failures within a specified period.

The undo telnet server login-failed threshold-alarm command restores the default alarm generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.

Format

telnet server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

undo telnet server login-failed threshold-alarm [ upper-limit report-times lower-limit resume-times period period-time ]

Parameters

Parameter Description Value
upper-limit report-times

Specifies an alarm generation threshold.

The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon Telnet server login failures.

lower-limit resume-times

Specifies an alarm clearance threshold.

The value is an integer ranging from 0 to report-times, so its upper bound varies with report-times. The default value is 20, and the maximum value is 45. If resume-times is 0, it functions the same as 1, meaning that a clear alarm is generated only when no login failures occur within the period.

period period-time

Specifies a statistics collection period.

The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To manage frequent Telnet server login failures within a specified period, run the telnet server login-failed threshold-alarm command to configure alarm generation and clearance thresholds for the login failures. This configuration enables the device to generate alarms so that administrators can promptly handle the associated events. The alarm TELNET_1.3.6.1.4.1.2011.5.25.207.2.7 hwTelnetLoginFailed is generated when the number of login failures reaches report-times within period-time, and the clearance alarm TELNET_1.3.6.1.4.1.2011.5.25.207.2.9 hwTelnetLoginFailedClear is generated when the number of login failures falls below resume-times within the same period.

Precautions

The alarm generation threshold specified using report-times must be greater than or equal to the alarm clearance threshold specified using resume-times.

Example

# Configure the device to generate an alarm when the number of Telnet server login failures within 3 minutes reaches 20 and clear the alarm when the number of Telnet server login failures within 3 minutes is less than 10.

<HUAWEI> system-view
[~HUAWEI] telnet server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3
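The generation/clearance hysteresis described above, replayed over constructed login records with the page's example thresholds (upper-limit 20, lower-limit 10, period 3), as an added Python simulation that is not Huawei code. It assumes a sliding window of period-time minutes ending at the record being processed (the page does not say whether the device uses sliding or fixed windows), and the record format "<epoch-seconds> <client-ip> FAIL|OK" is constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

HW_TELNET_LOGIN_FAILED = "hwTelnetLoginFailed"            # 1.3.6.1.4.1.2011.5.25.207.2.7
HW_TELNET_LOGIN_FAILED_CLEAR = "hwTelnetLoginFailedClear"  # 1.3.6.1.4.1.2011.5.25.207.2.9


@dataclass
class LoginFailedThresholdAlarm:
    """Models 'telnet server login-failed threshold-alarm' (defaults 30 / 20 / 5 min)."""
    upper_limit: int = 30   # report-times: 0..100, 0 disables alarm reporting
    lower_limit: int = 20   # resume-times: 0..report-times, 0 behaves like 1
    period: int = 5         # period-time in minutes: 1..120
    active: bool = field(default=False, init=False)
    _window: deque = field(default_factory=deque, init=False, repr=False)

    def __post_init__(self):
        if not 0 <= self.upper_limit <= 100:
            raise ValueError("upper-limit must be 0..100")
        if not 0 <= self.lower_limit <= self.upper_limit:
            raise ValueError("lower-limit must not exceed upper-limit")
        if not 1 <= self.period <= 120:
            raise ValueError("period must be 1..120 minutes")
        if self.lower_limit == 0:   # resume-times 0 == 1: clear only with no failures
            self.lower_limit = 1

    def _trim(self, now):
        """Drop failures that fell out of the sliding window ending at 'now'."""
        horizon = now - self.period * 60
        while self._window and self._window[0] <= horizon:
            self._window.popleft()

    def observe(self, ts, failed):
        """Feed one login attempt (epoch seconds, failed?) and return an alarm name or None."""
        if self.upper_limit == 0:   # report-times 0: no alarms, period ignored
            return None
        if failed:
            self._window.append(ts)
        self._trim(ts)
        count = len(self._window)
        if not self.active and count >= self.upper_limit:
            self.active = True
            return HW_TELNET_LOGIN_FAILED
        if self.active and count < self.lower_limit:
            self.active = False
            return HW_TELNET_LOGIN_FAILED_CLEAR
        return None


def replay(records, **thresholds):
    """Run constructed '<epoch> <ip> FAIL|OK' records through the alarm; return (ts, alarm) list."""
    alarm = LoginFailedThresholdAlarm(**thresholds)
    emitted = []
    for line in records:
        ts, _client_ip, result = line.split()
        event = alarm.observe(int(ts), result == "FAIL")
        if event:
            emitted.append((int(ts), event))
    return emitted


if __name__ == "__main__":
    # Constructed: 20 failures in 20 seconds from one client, then a clean login 3 min later.
    records = ["%d 10.1.1.50 FAIL" % t for t in range(20)] + ["200 10.1.1.51 OK"]
    for ts, name in replay(records, upper_limit=20, lower_limit=10, period=3):
        print(ts, name)
```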

telnet server-source

Function

The telnet server-source command specifies a source interface for a Telnet server.

The undo telnet server-source command restores the default setting.

By default, the source interface of a Telnet server is not specified.

Format

telnet server-source -i loopback interface-number

undo telnet server-source

telnet ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]

undo telnet ipv6 server-source

Parameters

Parameter Description Value
-i loopback interface-number Specifies a loopback interface as the source interface of the Telnet server. The value is an integer that ranges from 0 to 1023.
-a ipv6-address Specifies the source IPv6 address. The value is a 128-bit address written as 8 groups of 4 hexadecimal digits in the format X:X:X:X:X:X:X:X.
ipv6 Specifies the Telnet IPv6 server. -
-vpn-instance vpn-instance-name Specifies the VPN. The value is a string of 1 to 31 case-sensitive characters except spaces. When double quotation marks are used to include the string, spaces are allowed in the string. The value _public_ is reserved and cannot be used as the VPN instance name.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, a Telnet server accepts connection requests on all interfaces, which exposes the system to attacks. To enhance system security, you can specify the source interface of the Telnet server. This adds a login condition so that only users who reach that interface can log in to the Telnet server.

The telnet server-source -i loopback interface-number command takes effect for IPv4 only.

Prerequisites

Before running the telnet server-source command, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, the telnet server-source command cannot be correctly executed.

The VPN instance must already be configured before it can be specified with this command.

Precautions

  • After the source interface is specified, the system only allows Telnet users to log in to the Telnet server through this source interface, and Telnet users logging in through other interfaces are denied. Note that setting this parameter only affects Telnet users who attempt to log in to the Telnet server, and it does not affect Telnet users who have logged in to the server.

  • After the source interface of a Telnet server is specified using this command, ensure that Telnet users can access the source interface at Layer 3. Otherwise, the Telnet users will fail to log in to the Telnet server.

  • If the specified source interface has been bound to a VPN instance, the server is automatically bound to the same VPN instance.

  • After a bound VPN instance is deleted, the VPN configuration specified using the telnet server-source command will not be cleared but does not take effect. In this case, the Telnet server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function restores.

  • After a bound source interface is deleted, the interface configuration specified using the ssh server-source command will not be cleared but does not take effect. If you configure the source interface with the same name again, the interface configuration specified using the ssh server-source command is updated and the function restores.

Example

# Specify Loopback0 as the source interface of the Telnet server.

<HUAWEI> system-view
[~HUAWEI] interface loopback 0
[*HUAWEI-LoopBack0] ip address 10.1.1.1 24
[*HUAWEI-LoopBack0] quit
[*HUAWEI] telnet server-source -i loopback 0

telnet server disable

Function

The telnet server disable command disables the Telnet server.

The undo telnet server disable command enables the Telnet server.

The default situation is as follows:
  • If a device starts without any configuration file, the Telnet server is disabled.

  • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration) and the configuration file contains the telnet server disable command, the Telnet server is disabled; otherwise, the Telnet server is enabled.

Format

telnet [ ipv6 ] server disable

undo telnet [ ipv6 ] server disable

Parameters

Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

You can run this command to enable and disable the Telnet server. A Telnet server can be connected only when it is enabled.

If the Telnet server is disabled using the telnet [ ipv6 ] server disable command, new Telnet connections are not allowed and existing Telnet connections are disconnected.

When a Telnet server stops, you can log in to the device only through the console port or SSH.

The Telnet protocol is insecure, and the STelnet V2 mode is recommended.

Example

# Enable a Telnet server.

<HUAWEI> system-view
[~HUAWEI] undo telnet server disable

# Disable a Telnet server.

<HUAWEI> system-view
[~HUAWEI] telnet server disable

# Enable an IPv6 Telnet server.

<HUAWEI> system-view
[~HUAWEI] undo telnet ipv6 server disable

telnet server port

Function

The telnet server port command configures the listening port number of a Telnet server.

The undo telnet server port command restores the default listening port of a Telnet server.

The default listening port of a Telnet server is 23.

Format

telnet [ ipv6 ] server port port-number

undo telnet [ ipv6 ] server port

Parameters

Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
port-number Specifies the listening port number of a Telnet server. The value is an integer that is 23 or ranges from 1025 to 65535. The default value 23 is the standard Telnet server port number.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To protect the Telnet standard port against attacks and ensure network security, configure the listening port number of the Telnet server.

The command telnet server port port-number takes effect for ipv4 Telnet servers.

Precautions

A Telnet client can log in to the server with no port specified only when the server is listening on port 23. If the server is listening on another port, the port number must be specified upon login.

Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.

Example

# Configure the listening port number to 1026.

<HUAWEI> system-view
[~HUAWEI] telnet server port 1026

# Restore the listening port number to the default value.

<HUAWEI> system-view
[~HUAWEI] undo telnet server port
Updated: 2019-03-21

Document ID: EDOC1000166501