Configuration Guide - Basic Configuration

S1720, S2700, S5700, and S6720 V200R011C10

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.
Managing Files When the Device Functions as an SCP Server

Pre-configuration Tasks

Before connecting to the SCP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the SSH client software supporting SCP has been installed on the terminal.

Configuration Procedure

Table 8-20 describes the procedure for managing files when the device functions as an SCP server.

Table 8-20  Managing files when the device functions as an SCP server

1. Set SCP server parameters: generate a local key pair, enable the SCP server, and configure the SCP server parameters (listening port number, key pair update interval, SSH authentication timeout duration, and number of SSH authentication retries).
2. Configure the VTY user interface for SSH users to log in to the device: set the user authentication mode to AAA, permit SSH, and configure other basic attributes on the VTY user interface.
3. Configure SSH user information: create the SSH users and set their authentication mode and service type on the SCP server.
4. Manage files when the device functions as an SCP server: upload and download files from the SCP client.

Remarks: steps 1, 2, and 3 can be performed in any sequence.

Default Parameter Settings

Table 8-21  Default parameter settings

Parameter: Default setting
SCP server function: Disabled
Listening port number: 22
Time for updating the key pair of the server: 0 (the server key pair is never updated)
SSH authentication timeout duration: 60 seconds
Number of SSH authentication retries: 3
SSH user: No SSH user is created.
Type of service for SSH users: No service type is supported.

Procedure

  • Set SCP server parameters.

    Table 8-22  Setting SCP server parameters
    Operation Command Description

    Enter the system view.

    system-view

    Generate a local key pair.

    rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create.

    Perform one of the operations based on the key type.

    After the key pair is generated, you can run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to check the public key in the local key pair.
    NOTE:

    Because a longer key pair provides higher security, you are advised to use key pairs of the largest length.

    Enable the SCP server function.

    scp [ ipv4 | ipv6 ] server enable

    By default, the SCP server function is disabled.

    (Optional) Configure a key exchange algorithm list for the SSH server.

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    By default, an SSH server supports all three key exchange algorithms. dh_group1_sha1 uses a 1024-bit Diffie-Hellman group and no longer provides adequate security; restrict the list to dh_group14_sha1 and dh_group_exchange_sha1.

    (Optional) Configure an encryption algorithm list for the SSH server.

    ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    By default, an SSH server supports the following encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR. DES and 3DES use a 64-bit block and should not be enabled; prefer the AES CTR modes over the CBC modes.

    (Optional) Configure an HMAC algorithm list for the SSH server.

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH server supports the following HMAC algorithms: MD5, MD5_96, SHA1, SHA1_96, SHA2_256, and SHA2_256_96. Remove MD5 and the truncated (_96) variants; sha2_256 is the recommended choice.

    (Optional) Configure the minimum key length supported during Diffie-Hellman group exchange between the SSH server and client.

    ssh server dh-exchange min-len min-len

    By default, the minimum length is 1024 bits. Raise it to 2048 bits where the platform permits, so that a client cannot negotiate a 1024-bit group through dh_group_exchange_sha1.

    (Optional) Configure the listening port number.

    ssh [ ipv4 | ipv6 ] server port port-number

    By default, the listening port number is 22.

    If a new port number is configured, the SSH server disconnects all SSH clients and listens for connection requests on the new port. A non-default port only reduces exposure to scans that probe port 22; it is not an access control, because a port scan finds the new port. Restrict source addresses with an ACL as well.

    (Optional) Configure the interval for updating the key pair of the server.

    ssh server rekey-interval hours

    By default, the interval for updating the key pair is 0. The value 0 indicates that the key pair is never updated.

    After the interval is set, the system automatically regenerates the server key pair at that interval.

    This command takes effect only for SSH1.x. SSH1.x provides poor security and is not recommended, so this setting has no effect on SSH2 sessions.

    (Optional) Configure the SSH authentication timeout duration.

    ssh server timeout seconds

    By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the source IP address of the SSH server.

    ssh server-source -i loopback interface-number

    By default, the source interface of an SSH server is not specified.

    NOTE:

    Before specifying the source interface of the SSH server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, this command cannot be correctly executed.

    (Optional) Configure the number of SSH authentication retries.

    ssh server authentication-retries times

    By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with SSH1.x clients.

    ssh server compatible-ssh1x enable

    By default, compatibility with SSH1.x is disabled. Leave it disabled: SSH1 has known protocol weaknesses, and an SSH2-only server refuses a client's attempt to downgrade.

    When an SSH server is upgraded, the SSH1.x compatibility setting is carried over from the configuration file.

    (Optional) Configure an ACL.

    ssh [ ipv6 ] server acl acl-number

    By default, no ACL is configured for the SSH server.

    An ACL is configured to determine which clients can log in to the current device through SSH.

    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs is 2048 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 1024 or 2048 bits. The default length is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.

  • Configure the VTY user interface for SSH users to log in to the device.

    SSH users use the VTY user interface to log in to the device using SCP. Attributes of the VTY user interface must be configured.

    Table 8-23  Configuring the VTY user interface for SSH users to log in to the device
    Operation Command Description

    Enter the system view.

    system-view

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ]

    Set the authentication mode of the VTY user interface to AAA.

    authentication-mode aaa

    By default, no authentication mode is configured for the VTY user interface.

    The authentication mode of the VTY user interface must be set to AAA. Otherwise, you cannot configure the protocol inbound ssh command and users cannot log in to the device.

    Configure a VTY user interface that supports SSH.

    protocol inbound ssh

    By default, the VTY user interface supports SSH.

    If no VTY user interface supports SSH, users cannot log in to the device.

    Configure the user level.

    user privilege level level

    The user level must be set to 3 or higher to ensure successful connection establishment.

    If a local user uses password authentication, you can run the local-user user-name privilege level level command to set the level of the user to 3 or higher.

    (Optional) Configure other attributes of the VTY user interface.

    Other attributes of the VTY user interface are as follows:
    • Maximum number of VTY user interfaces
    • Restrictions on incoming calls and outgoing calls on the VTY user interface
    • Terminal attributes on the VTY user interface
    For details, see (Optional) Configuring Attributes for a VTY User Interface.

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa mode requires both password and RSA authentication.
    • The password-dsa mode requires both password and DSA authentication.
    • The password-ecc mode requires both password and ECC authentication.
    • The all mode accepts any one of ECC, DSA, password, or RSA authentication.
    Table 8-24  Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Create SSH users.

    ssh user user-name

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

    If SSH users are not created using the ssh user command, directly run the ssh authentication-type default password command to configure the default password authentication mode for users. This mode simplifies the configurations when a large number of users exist, because you need to configure only AAA users.

    NOTE:
    In the all authentication mode, the user level depends on which authentication method the client actually used.
    • If password authentication is used, the user level is the one specified for the user in the AAA module.
    • If RSA/DSA/ECC authentication is used, the user level is that of the VTY user interface through which the user logged in.

    Consequently, if all authentication is selected and an AAA user with the same name as the SSH user exists, the user can end up with different levels depending on whether password or RSA/DSA/ECC authentication was used. Set the AAA user level and the VTY user level consistently so that a key-based login cannot obtain more privilege than intended.

    Set the service type to all for SSH users.

    ssh user username service-type all

    By default, the service type of SSH users is empty.

    • The password authentication mode is implemented based on the AAA. To log in to the device in the password-ecc, password-dsa, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and client need to generate the RSA, DSA, or ECC key and configure the public key of the peer end locally.
    Perform any of the following configurations according to authentication mode:
    • To configure password authentication for the SSH user, see Table 8-25.

    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 8-26.

    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. For details, see Table 8-25 and Table 8-26.

    Table 8-25  Configuring password, password-ecc, password-dsa, or password-rsa authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view

    Enter the AAA view.

    aaa

    Configure the local user name and password.

    local-user user-name password irreversible-cipher password

    Configure the service type for the local user.

    local-user user-name service-type ssh

    Configure the level for the local user.

    local-user user-name privilege level level

    Return to the system view.

    quit
    Table 8-26  Configuring DSA, RSA, ECC, password-dsa, password-rsa, or password-ecc authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view

    Enter the RSA, DSA, or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ], dsa peer-public-key key-name encoding-type { der | openssh | pem }, or ecc peer-public-key key-name encoding-type { der | openssh | pem }

    Enter the public key editing view.

    public-key-code begin

    Edit the public key.

    hex-data
    • The public key must be a hexadecimal character string in the selected public key encoding format, generated by client software that supports SSH. For the exact procedure, see the SSH client software help.
    • The RSA, DSA, or ECC public key must be entered on the device that functions as the SSH server.

    Exit the public key editing view.

    public-key-code end
    • If no hex-data has been entered, no public key is generated when you run this command.
    • If the key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and returns directly to the system view when you run this command.

    Return to the system view from the public key view.

    peer-public-key end

    Assign an RSA, DSA, or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

  • Manage files when the device functions as an SCP server.

    SSH client software that supports SCP must be installed on the terminal so that the terminal can connect to the device over SCP to upload or download files. The following describes how to connect to the device using OpenSSH from the Windows command line.

    • For details on installing OpenSSH, see the OpenSSH installation description.

    • To connect to the device over SCP with OpenSSH, run the OpenSSH scp command. For details about OpenSSH commands, see the OpenSSH help.

    • The Windows command prompt recognizes OpenSSH commands only after OpenSSH has been installed on the terminal.

    Open the Windows command line and run the OpenSSH scp command to connect to the device and manage files. (The following output is for reference only.) On the first connection the client shows the server's host key fingerprint; confirm it against the key on the device through an out-of-band channel such as the console before answering yes, because answering yes to an unverified key trusts whichever host is answering at that address.

    C:\Documents and Settings\Administrator> scp scpuser@10.136.23.5:flash:/vrpcfg.zip vrpcfg-backup.zip
    The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
    DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.
    
    User Authentication
    Password:
    vrpcfg.zip                                    100% 1257     1.2KByte(s)/sec   00:00
    Received disconnect from 10.136.23.5: 2: The connection is closed by SSH server
    
    
    C:\Documents and Settings\Administrator>

    While connected to the SCP server, the terminal uploads files to, and downloads files from, the directory on the device that the logged-in SSH user can access.

    NOTE:

    The file system has a restriction on the number of files in the root directory. Therefore, if more than 50 files exist in the root directory, creating new files in this directory may fail.
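The fingerprint prompt in the transcript above is the only point at which the client can detect a substituted server, so it helps to know how that value is derived. The following added example (not from this Huawei page and not OpenSSH code) reproduces the two OpenSSH fingerprint formats, the legacy MD5 colon-separated form shown in the transcript and the SHA256 form printed by current OpenSSH releases, from a public key line, and checks a prompted fingerprint against a key obtained out of band. The key material and the known_hosts line are constructed for the example and are not a real device key; an ssh-ed25519 blob is used only because it is the simplest to build, and the fingerprint is derived the same way for the RSA, DSA and ECC host keys this device generates. The host address is reused from the transcript.

```python
"""Check an SSH host key fingerprint against a key obtained out of band.
Added example: reproduces the OpenSSH fingerprint derivation (hash over the
raw key blob, not over its base64 text) so a prompt can be verified."""
import base64
import hashlib
import struct


def ssh_string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


# Constructed key blob (not a real key): an ssh-ed25519 wire blob whose 32-byte
# point is a fixed pattern, giving a deterministic value to hash.
CONSTRUCTED_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
# What an administrator would copy out of band, in known_hosts form.
KNOWN_HOSTS_LINE = "10.136.23.5 ssh-ed25519 " + base64.b64encode(CONSTRUCTED_BLOB).decode()


def key_blob(known_hosts_line):
    """Return the raw key blob from a '<host> <type> <base64>' known_hosts line."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <type> <base64>'")
    blob = base64.b64decode(fields[2])
    # The blob begins with its own type string; it must agree with field 2.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != fields[1]:
        raise ValueError("key type inside the blob does not match the line")
    return blob


def fingerprint_md5(blob):
    """Legacy OpenSSH format, as in the transcript above: 16 colon-separated hex bytes."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Current OpenSSH format: 'SHA256:' plus unpadded base64 of the SHA-256 digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def prompt_matches(prompt_fingerprint, known_hosts_line):
    """True if the fingerprint shown by scp/ssh equals the one derived from the
    out-of-band key.  Accepts either format, with or without an 'MD5:' prefix."""
    blob = key_blob(known_hosts_line)
    shown = prompt_fingerprint.strip()
    if shown.startswith("SHA256:"):
        return shown == fingerprint_sha256(blob)
    if shown.upper().startswith("MD5:"):
        shown = shown[4:]
    return shown.lower() == fingerprint_md5(blob)


if __name__ == "__main__":
    blob = key_blob(KNOWN_HOSTS_LINE)
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
```

If the fingerprint in the prompt does not match, answer no and investigate before retrying; once a matching key is confirmed, adding the known_hosts line to the client's known_hosts file makes later connections fail loudly instead of prompting if the server key ever changes.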

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view global configuration of the SSH server.

  • Run the display ssh server session command to view session information of the SSH client on the SSH server.
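The display commands above show the server's state but do not judge it. As an added verification aid (not Huawei code or output), the following Python script audits a saved configuration against the requirements and caveats in the procedure above: the permissive default key exchange, cipher and HMAC lists, SSH1.x compatibility, a missing ACL, the AAA local-user and privilege-level conditions for password authentication, the empty default service type, and the key assignment for public-key authentication. Both configurations embedded in it are constructed: the first is left at the weak defaults and the second is my corrected version, and the hardened algorithm choices and the 2048-bit group-exchange minimum are my recommendations rather than values from the page. The script recognizes only the command syntax shown in the tables above, as it would appear in a saved configuration.

```python
"""Audit a Huawei VRP SSH/SCP server configuration against this page's requirements
and caveats.  Added example, not Huawei code; it recognizes only the command syntax
shown in the tables above."""
from collections import defaultdict

# Default lists stated on this page (in force when nothing is configured) and the
# members to remove: 1024-bit DH group, 64-bit block ciphers, MD5 and truncated MACs.
DEFAULT = {"key-exchange": {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"},
           "cipher": {"3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes256_ctr"},
           "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"}}
WEAK = {"key-exchange": {"dh_group1_sha1"}, "cipher": {"des_cbc", "3des_cbc"},
        "hmac": {"md5", "md5_96", "sha1_96"}}
PASSWORD_MODES = {"password", "password-rsa", "password-dsa", "password-ecc", "all"}
PUBKEY_MODES = {"rsa", "dsa", "ecc", "password-rsa", "password-dsa", "password-ecc", "all"}

# Constructed configuration (not from a real device): SCP is enabled, but the algorithm
# lists are at their defaults, SSH1.x is allowed, no ACL is applied, scpuser's AAA
# level is too low for SCP, and backup has no public key assigned.
WEAK_CONFIG = """\
 ssh server compatible-ssh1x enable
 scp server enable
aaa
 local-user scpuser password irreversible-cipher REDACTED
 local-user scpuser privilege level 2
 local-user scpuser service-type ssh
ssh user scpuser
ssh user scpuser authentication-type password
ssh user scpuser service-type all
ssh user backup
ssh user backup authentication-type rsa
ssh user backup service-type all
"""
# My corrected version of the same configuration; the 2048-bit minimum and the
# algorithm choices are my recommendations, not values from the page.
HARDENED_CONFIG = WEAK_CONFIG.replace(" ssh server compatible-ssh1x enable\n", """\
 ssh server key-exchange dh_group_exchange_sha1 dh_group14_sha1
 ssh server dh-exchange min-len 2048
 ssh server cipher aes128_ctr aes256_ctr
 ssh server hmac sha2_256
 ssh server acl 2001
""").replace("privilege level 2", "privilege level 3").replace(
    "ssh user backup service-type all",
    "ssh user backup assign rsa-key backup-key\nssh user backup service-type all")


def parse(text):
    """Pick out the commands this page cares about (ipv4/ipv6 keywords are ignored)."""
    s = {"ssh1x": False, "acl": False, "min_len": 1024,
         "lists": {"key-exchange": None, "cipher": None, "hmac": None},
         "aaa": defaultdict(lambda: {"ssh": False, "level": 0}),
         "ssh": defaultdict(lambda: {"auth": None, "service": None, "key": None})}
    for line in text.splitlines():
        t = [w for w in line.split() if w not in ("ipv4", "ipv6")]
        if t[:2] == ["ssh", "server"] and len(t) > 3:
            if t[2:4] == ["compatible-ssh1x", "enable"]:
                s["ssh1x"] = True
            elif t[2] == "acl":
                s["acl"] = True
            elif t[2:4] == ["dh-exchange", "min-len"]:
                s["min_len"] = int(t[4])
            elif t[2] in s["lists"]:
                s["lists"][t[2]] = set(t[3:])   # configured algorithm list
        elif t[:1] == ["local-user"] and len(t) > 3:
            u = s["aaa"][t[1]]
            if t[2] == "service-type" and "ssh" in t[3:]:
                u["ssh"] = True
            elif t[2:4] == ["privilege", "level"]:
                u["level"] = int(t[4])
        elif t[:2] == ["ssh", "user"] and len(t) > 2:
            u = s["ssh"][t[2]]                  # 'ssh user X' alone creates the user
            if t[3:4] == ["authentication-type"]:
                u["auth"] = t[4]
            elif t[3:4] == ["service-type"]:
                u["service"] = t[4]
            elif t[3:4] == ["assign"]:
                u["key"] = t[5]
    return s


def audit(text):
    """Return a list of findings; an empty list means the configuration passes."""
    s, out = parse(text), []
    if s["ssh1x"]:
        out.append("SSH1.x compatibility is enabled")
    if not s["acl"]:
        out.append("no ssh server acl: any reachable host may attempt SSH logins")
    for name, configured in s["lists"].items():
        allowed = DEFAULT[name] if configured is None else configured
        bad = sorted(allowed & WEAK[name])
        if bad:
            src = "default" if configured is None else "configured"
            out.append(f"{src} {name} list allows weak algorithms: {', '.join(bad)}")
    kex = s["lists"]["key-exchange"] or DEFAULT["key-exchange"]
    if "dh_group_exchange_sha1" in kex and s["min_len"] < 2048:
        out.append(f"dh-exchange min-len {s['min_len']} permits a 1024-bit group")
    for name, u in sorted(s["ssh"].items()):
        if u["service"] is None:
            out.append(f"ssh user {name}: no service-type (default is empty, so SCP is refused)")
        if u["auth"] in PASSWORD_MODES:
            a = s["aaa"].get(name)
            if a is None or not a["ssh"] or a["level"] < 3:
                out.append(f"ssh user {name}: password mode needs an AAA local-user with "
                           "service-type ssh and privilege level 3 or higher")
        if u["auth"] in PUBKEY_MODES and u["key"] is None:
            out.append(f"ssh user {name}: {u['auth']} mode but no public key assigned")
    return out
```

Run audit() on the text of display current-configuration saved from the device; the "default" prefix in a finding means the weakness comes from a list that was never configured, which is the case this page's defaults leave you in until you run the ssh server key-exchange, cipher and hmac commands.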

Updated: 2019-10-21

Document ID: EDOC1000178166
