Fat AP and Cloud AP V200R008C00 CLI-based Configuration Guide

Configuring the Device as the Client to Log In to Another Device

Configuring the Device as the Telnet Client to Log In to Another Device

Pre-configuration Tasks

Before configuring the device as the Telnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a route between the device and Telnet server.
  • Enable the Telnet service on the Telnet server.
  • Obtain the Telnet user name, password, and port number configured on the Telnet server.
Configuration Process
NOTE:

Telnet transmits user names, passwords, and all session data in plaintext, so anyone on the path can read or alter them. Use the STelnet (SSH v2) client described in the next section instead wherever the server supports it.

Table 3-28 describes the tasks in the process of configuring the device as the Telnet client to log in to another device.

Table 3-28  Tasks in the process of configuring the device as the Telnet client to log in to another device
No. Task Description Remarks

1 (Optional) Configure the Telnet client source address.

Set the source address to a specific IP address or a source interface, so that the server always sees the same, known client address and can restrict Telnet access to it.

-

2 Log in to another device through Telnet.

Run the telnet command on the device to log in to the Telnet server.

-

Procedure

  1. (Optional) Configure the source address of the Telnet client.

    Table 3-29  Configure the source address of the Telnet client.
    Action Command Description
    Enter the system view. system-view -
    Configure the Telnet client source address. telnet client-source { -a source-ip-address | -i interface-type interface-number }

    If the Telnet server restricts clients by source address (for example, with an ACL), the address it permits must be the address configured with this command.

    Return to user view. quit -

  2. Log in to another device through Telnet.

    Table 3-30  Actions for logging in to another device through Telnet
    Action Command Description

    Use the IPv4 address to log in to the server through Telnet.

    telnet [ -a source-ip-address ] host-ip [ port-number ]

    Specify port-number when the server does not listen on the default Telnet port (23). The -a source-ip-address option specifies the source address for this login.

Checking the Configuration
  • Run the display tcp status command to check all TCP connections.

Configuring the Device as the STelnet Client to Log In to Another Device

Pre-configuration Tasks

Before configuring the device as the STelnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a route between the device and STelnet server.
  • Enable the STelnet service on the STelnet server.
  • Obtain the SSH user information and port number configured on the STelnet server.
Configuration Process

Table 3-31 describes the tasks in the process of configuring the device as the STelnet client to log in to another device.

Table 3-31  Tasks in the process of configuring the device as the STelnet client to log in to another device
No. Task Description Remarks

1 Generate a local key pair.

Generate a local key pair and configure its public key on the SSH server.

Perform this task only when the device logs in to the SSH server in RSA or ECC authentication mode.

Tasks 1 and 2 can be performed in any sequence.

2 Configure the mode for connecting the device to the SSH server for the first time.

Either enable first authentication on the SSH client, or configure the SSH client to assign the server's public key to the SSH server.

-

3 Log in to another device through STelnet.

Run the stelnet command on the device to log in to the SSH server.

-
Default Configuration
Table 3-32  Default values for configuring the device as the STelnet client to log in to another device
Parameter Default Setting
First authentication on the SSH client Disabled
Whether the SSH client assigns the RSA public key to the SSH server No

Procedure

  • Generating a local key pair

    NOTE:

    Perform this step only when the device logs in to the SSH server in RSA authentication mode or ECC authentication mode, not the password authentication mode.

    Table 3-33  Actions for generating a local key pair
    Action Command Description

    Enter the system view.

    system-view

    -

    Generate a local key pair.

    rsa local-key-pair create or ecc local-key-pair create

    Run the display rsa local-key-pair public or display ecc local-key-pair public command to view the public key of the local RSA or ECC key pair, and configure that public key on the SSH server. This key pair identifies the device (the client) to the server; it is separate from the server's own host key that the client checks in the next task.

    NOTE:

    A local key pair shorter than 1024 bits is insecure. Keep the default length of 2048 bits.

  • Configuring the mode for connecting the device to the SSH server for the first time

    If the public key of the SSH server has not been saved on the client, the client cannot verify the identity of the SSH server when it connects to that server for the first time, and the connection fails. Perform one of the following operations:

    • Enable first authentication on the SSH client: the client skips the server public key check for the first connection, so that connection succeeds, and saves the public key the server presents for checking all later connections. For details, see Table 3-34. This method is simple, but the first connection itself is unauthenticated: a man-in-the-middle on that first connection can present its own key, which the client then trusts from then on. Use it only over a path you trust, and verify the saved key's fingerprint against the server afterwards.
    • Configure the SSH client to assign a public key to the SSH server: the public key generated on the server is obtained through a trusted channel and saved on the client in advance, so the server validity check succeeds on the first connection. For details, see Table 3-35. This method takes more work but provides high security.

    Select either of the preceding configuration methods as required.

    Table 3-34  Actions for enabling first authentication for the SSH client
    Action Command Description

    Enter the system view.

    system-view

    -

    Enable first authentication for the SSH client.

    ssh client first-time enable

    By default, first authentication is disabled on the SSH client.
    Table 3-35  Actions for configuring the SSH client to assign the RSA or ECC public key to the SSH server
    Action Command Description

    Enter the system view.

    system-view

    -

    Enter the RSA or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    or

    ecc peer-public-key key-name encoding-type { der | openssh | pem }

    Perform one of the operations based on the key type.

    Enter the public key editing view.

    public-key-code begin

    -

    Edit the public key.

    hex-data

    • The public key is the one generated on the SSH server, entered as a hexadecimal character string in the selected public key encoding format.
    • Obtain the key from the server's administrator through a trusted channel (not over the first, unverified SSH connection itself) and enter the RSA or ECC public key exactly as generated on the server.

    Quit the public key editing view.

    public-key-code end

    • If no public key code (hex-data) is entered, no public key is generated when you run this command.
    • If the specified key key-name has been deleted, the system displays a message indicating that the key does not exist and returns directly to the system view when you run this command.

    Return to the system view.

    peer-public-key end

    -

    Bind the RSA or ECC public key to the SSH server.

    ssh client servername assign { rsa-key | ecc-key } keyname

    If the SSH server public key saved on the SSH client does not take effect (for example, because the server's key has been regenerated), run the undo ssh client servername assign { rsa-key | ecc-key } command to cancel the binding between the SSH server and the RSA or ECC public key, and then run this command to assign the new RSA or ECC public key to the SSH server.
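The key entered in Table 3-35 is the SSH server's own public key, and the security of this method rests entirely on the client receiving the genuine key. The following added example (not part of this guide and not Huawei code; standard-library Python) decodes an OpenSSH-format ssh-rsa public key line, checks that the encoded blob is well formed, reports the modulus length against the guide's 1024-bit warning, computes the SHA256 fingerprint in the form OpenSSH prints so it can be compared with what the server's administrator reports out of band, and dumps the blob as hexadecimal. The sample key line is constructed with a 64-bit toy modulus so the script runs offline; the exact hexadecimal layout the device expects in the public key editing view depends on the encoding-type selected, so treat the hex output as illustrative.

```python
"""Inspect an SSH server's public key before saving it on the STelnet client.

Added example for this guide, not Huawei code. Parses the ssh-rsa wire blob
(RFC 4253 section 6.6) from an OpenSSH-format key line and reports what a
practitioner should check before binding the key with ssh client ... assign.
"""
import base64
import hashlib
import struct


def _read_string(buf, offset):
    """Decode one SSH 'string' (4-byte big-endian length, then bytes)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[start:end], end


def _write_string(data):
    return struct.pack(">I", len(data)) + data


def _mpint_bytes(value):
    """Body of an SSH mpint for a non-negative integer (RFC 4251 section 5)."""
    if value == 0:
        return b""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw   # keep the sign bit clear


def build_ssh_rsa_blob(e, n):
    """Wire blob of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return (_write_string(b"ssh-rsa")
            + _write_string(_mpint_bytes(e))
            + _write_string(_mpint_bytes(n)))


def parse_openssh_pubkey(line):
    """Split '<type> <base64> [comment]' and return (key_type, blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("type prefix does not match the encoded blob")
    return key_type, blob, comment


def parse_ssh_rsa(blob):
    """Return (e, n) from an ssh-rsa blob; reject anything after the modulus."""
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def is_valid_rsa_blob(blob):
    """True when the blob parses cleanly; a damaged paste must not be bound."""
    try:
        parse_ssh_rsa(blob)
        return True
    except ValueError:
        return False


def sha256_fingerprint(blob):
    """OpenSSH style: 'SHA256:' + base64 of SHA-256(blob) without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def inspect_pubkey(line, min_bits=1024):
    """Summarise a key line; 'weak' mirrors the guide's 1024-bit warning."""
    key_type, blob, comment = parse_openssh_pubkey(line)
    e, n = parse_ssh_rsa(blob)
    return {
        "type": key_type,
        "comment": comment,
        "bits": n.bit_length(),
        "exponent": e,
        "weak": n.bit_length() < min_bits,
        "fingerprint": sha256_fingerprint(blob),
        "hex": blob.hex(),   # raw blob as hex; device layout depends on encoding-type
    }


# Constructed sample: a deliberately tiny 64-bit toy modulus so the example is
# self-contained. A real server key would be 2048 bits or more.
TOY_E = 65537
TOY_N = 0xD9A1F3C5B7E2091F
SAMPLE_LINE = ("ssh-rsa "
               + base64.b64encode(build_ssh_rsa_blob(TOY_E, TOY_N)).decode("ascii")
               + " constructed-toy-key")

if __name__ == "__main__":
    for k, v in inspect_pubkey(SAMPLE_LINE).items():
        print(f"{k:12s} {v}")
```

Compare the printed fingerprint with the one the server's administrator reads off the server itself; only then paste the key into the public key editing view and bind it with ssh client servername assign. A key that fails the structural check, or one shorter than the guide's minimum, should not be bound at all.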

  • Logging in to another device through STelnet

    Table 3-36  Actions for logging in to another device through STelnet
    Action Command Description

    Enter the system view.

    system-view

    -

    (Optional) Set the encryption algorithm list for the SSH client.

    ssh client secure-algorithms cipher { 3des | aes128 | aes256_cbc | aes128_ctr | aes256_ctr } *

    By default, an SSH client supports two encryption algorithms: AES128_CTR and AES256_CTR.

    An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client secure-algorithms cipher command to configure an encryption algorithm list for an SSH client. After the list is configured, the client sends a packet carrying it to the server. Upon receipt of the packet, the server matches the list against the local list and selects the first encryption algorithm that matches the local list. If no encryption algorithms in the list of the client match the local list, the negotiation fails.

    NOTE:

    Do not add 3des to the list: it provides the lowest security among the supported encryption algorithms. Keep the default CTR-mode algorithms (aes128_ctr and aes256_ctr) unless a server requires otherwise.

    (Optional) Set the HMAC algorithm list for the SSH client.

    ssh client secure-algorithms hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH client supports the SHA2_256 HMAC algorithm.

    An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh client secure-algorithms hmac command to configure an HMAC algorithm list for an SSH client. After the list is configured, the client sends a packet carrying it to the server. Upon receipt of the packet, the server matches the list against the local list and selects the first HMAC algorithm that matches the local list. If no HMAC algorithms in the list of the client match the local list, the negotiation fails.

    NOTE:

    Do not add md5, md5_96, sha1, sha1_96, or sha2_256_96 to the HMAC algorithm list: they provide lower security than sha2_256, and the _96 variants truncate the authentication tag to 96 bits.

    (Optional) Set the key exchange algorithm list for the SSH client.

    ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    By default, an SSH client supports the diffie-hellman-group-exchange-sha1 and diffie-hellman-group14-sha1 algorithms.

    The client and server negotiate the key exchange algorithm used to derive the session keys. You can run the ssh client key-exchange command to configure the key exchange algorithm list on the SSH client. The client sends this list to the server, which compares it with its own list and selects the first algorithm in the client's list that the server also supports. If none of the algorithms in the client's list matches the server's list, the negotiation fails.

    NOTE:

    The security levels of the key exchange algorithms, from high to low, are dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended. dh_group1_sha1 uses a 1024-bit Diffie-Hellman group and should not be added to the list unless a legacy server leaves no alternative.

    Use the IPv4 address to log in to the SSH server through STelnet.

    stelnet [ -a source-address ] host-ip [ port-number ] [ [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]

    The STelnet client can log in successfully with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login.

    When logging in to the SSH server, the STelnet client can carry the source IP address and select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and configure the keepalive function.

    (Optional) Use the name or ID to log in to the RU through STelnet.

    stelnet ap { ap-name ap-name | ap-id ap-id }

    The device working as an STelnet client can log in to the RU using the name or ID through STelnet, without the need to enter the IP address of the RU.
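The three negotiation descriptions above (cipher, HMAC and key exchange) follow one rule. The added example below (not part of this guide and not Huawei code; standard-library Python) simulates that rule as RFC 4253 section 7.1 defines it: for each category, the first algorithm in the client's list that the server also supports is chosen, and the connection fails if there is none. It uses the client defaults and algorithm names stated in this section; the two server configurations are constructed scenarios. It shows why a server that offers only 3des and aes128 cannot be reached with the default client lists, that "fixing" this by adding 3des on the client silently downgrades the session to 3des, and how to audit a configuration for the names this guide discourages.

```python
"""Simulate SSH algorithm negotiation with the lists from this guide.

Added example for this guide, not Huawei code. Implements the RFC 4253
section 7.1 selection rule and a small audit against the algorithms the
guide discourages.
"""

# Algorithm names accepted by the commands in this section of the guide.
SUPPORTED = {
    "kex": ("dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"),
    "cipher": ("3des", "aes128", "aes256_cbc", "aes128_ctr", "aes256_ctr"),
    "hmac": ("md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"),
}

# Client defaults stated in the guide, in preference order.
CLIENT_DEFAULTS = {
    "kex": ["dh_group_exchange_sha1", "dh_group14_sha1"],
    "cipher": ["aes128_ctr", "aes256_ctr"],
    "hmac": ["sha2_256"],
}

# Names the guide tells you not to add, plus dh_group1_sha1, which it ranks
# lowest (1024-bit Diffie-Hellman group).
DISCOURAGED = {
    "kex": {"dh_group1_sha1"},
    "cipher": {"3des"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
}


def unknown_names(kind, names):
    """Names that are not valid for this category; the CLI would reject them."""
    return [n for n in names if n not in SUPPORTED[kind]]


def negotiate(client_list, server_list):
    """First algorithm in the client's preference order that the server offers."""
    server_set = set(server_list)
    for alg in client_list:
        if alg in server_set:
            return alg
    return None


def negotiate_all(client, server):
    """Negotiate kex, cipher and hmac.

    Returns (chosen, None) on success, or (chosen_so_far, failing_kind) when a
    category has no common algorithm: the negotiation failure the guide describes.
    """
    chosen = {}
    for kind in ("kex", "cipher", "hmac"):
        alg = negotiate(client.get(kind, []), server.get(kind, []))
        if alg is None:
            return chosen, kind
        chosen[kind] = alg
    return chosen, None


def audit(config):
    """Discouraged entries in a client or server configuration, as (kind, name)."""
    found = []
    for kind in ("kex", "cipher", "hmac"):
        for alg in config.get(kind, []):
            if alg in DISCOURAGED[kind]:
                found.append((kind, alg))
    return found


# Constructed server scenarios (not taken from any real device).
SERVER_HARDENED = {
    "kex": ["dh_group14_sha1", "dh_group_exchange_sha1"],
    "cipher": ["aes256_ctr", "aes128_ctr"],
    "hmac": ["sha2_256"],
}
SERVER_LEGACY = {
    "kex": ["dh_group1_sha1", "dh_group14_sha1"],
    "cipher": ["3des", "aes128"],          # no CTR mode offered at all
    "hmac": ["sha1", "sha2_256"],
}


def fix_for_legacy_server(client):
    """The tempting 'fix' for SERVER_LEGACY is appending 3des on the client.

    Returns the cipher the session would then actually use, which shows the
    downgrade the guide's NOTE warns about.
    """
    widened = dict(client, cipher=client["cipher"] + ["3des"])
    chosen, _ = negotiate_all(widened, SERVER_LEGACY)
    return chosen.get("cipher")


if __name__ == "__main__":
    print("hardened:", negotiate_all(CLIENT_DEFAULTS, SERVER_HARDENED))
    print("legacy:  ", negotiate_all(CLIENT_DEFAULTS, SERVER_LEGACY))
    print("after adding 3des on the client:", fix_for_legacy_server(CLIENT_DEFAULTS))
    print("discouraged on legacy server:", audit(SERVER_LEGACY))
```

Note that the client's order, not the server's, decides the outcome when both sides support several algorithms: against SERVER_HARDENED the session uses aes128_ctr because the client lists it first. The correct response to the legacy scenario is to enable a CTR cipher on the server, not to widen the client list.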

Checking the Configuration

  • Run the display ssh server-info command to check the mapping between the SSH servers and the RSA or ECC public keys saved on the SSH client.
  • Run the display ssh server { status | session } command to check the SSH server status and the active SSH sessions on the local device.

Updated: 2019-01-11

Document ID: EDOC1000176006