Configuration Guide - Basic Configuration

S1720, S2700, S5700, and S6720 V200R011C10

This document describes how to use the command line interface, how to log in to the device, file operations, and system startup configuration.
Enabling the SSH Server Function

Context

A device serving as an SSH server must generate a key pair of the same type as the client's key; the key pair is used for data encryption and for server authentication by the client. The device also supports configuration of a range of SSH server attributes for flexible control over SSH login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run stelnet [ ipv4 | ipv6 ] server enable

    The SSH server function is enabled on the device.

    By default, the SSH server function is disabled.

  3. (Optional) Run ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    A key exchange algorithm list is configured for the SSH server.

    By default, an SSH server supports all key exchange algorithms.

    NOTE:

    Do not add dh_group14_sha1 or dh_group1_sha1 to the list because they provide the lowest security among the supported key exchange algorithms.

  4. (Optional) Run ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    An encryption algorithm list is configured for the SSH server.

    By default, an SSH server supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    NOTE:

    Do not add des_cbc or 3des_cbc to the list because they provide the lowest security among the supported encryption algorithms.

  5. (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    An HMAC algorithm list is configured for the SSH server.

    By default, an SSH server supports all HMAC algorithms.

    NOTE:

    Do not add md5, sha1, md5_96, sha1_96, or sha2_256_96 to the HMAC algorithm list because they provide the lowest security among the supported HMAC algorithms.

  6. (Optional) Run ssh server dh-exchange min-len min-len

    The minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client is configured.

    The Diffie-hellman-group-exchange key of 1024 bytes poses security risks. If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bytes, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bytes to improve security.

  7. (Optional) Run rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create

    A local RSA, DSA, or ECC key pair is generated.

    NOTE:

    Run one of these commands, depending on the key pair type you want. A longer key pair provides higher security. It is recommended that you use the maximum key pair length.

  8. (Optional) Run ssh [ ipv4 | ipv6 ] server port port-number

    The port number of the SSH server is specified.

    By default, the port number of the SSH server is 22.

    Configuring a non-default port number for an SSH server can prevent attackers from reaching the SSH server on the default port, improving SSH server security.

  9. (Optional) Run ssh server rekey-interval hours

    The interval for updating key pairs is set.

    The default interval is 0, indicating that the key pairs are never updated.

    An SSH server automatically updates key pairs at the configured intervals, which ensures security.

    This command takes effect only for SSH1.X. However, SSH1.X provides poor security and is not recommended.

  10. (Optional) Run ssh server timeout seconds

    The timeout period is set for SSH authentication.

    The default timeout period is 60 seconds.

    If a user fails to log in within the timeout period for SSH authentication, the device disconnects the current connection to ensure system security.

  11. (Optional) Run ssh server authentication-retries times

    The maximum number of SSH authentication retries is set.

    The default maximum number of SSH authentication retries is 3.

    You can set the maximum number of SSH authentication retries to prevent unauthorized access.

  12. (Optional) Run ssh server compatible-ssh1x enable

    Compatibility with earlier SSH versions is enabled.

    By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the configuration of the compatibility function is the same as that specified in the configuration file.

    NOTE:

    If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

  13. (Optional) Run ssh server-source -i loopback interface-number

    The source interface is specified for the SSH server.

    By default, the source interface of an SSH server is not specified.

    Configuring a source interface for an SSH server prevents exposure of the device's management IP address, which ensures device security.

    NOTE:

    Before specifying a loopback interface as the source interface for an SSH server, ensure that the loopback interface has been created and the route between the client and the loopback interface is reachable; otherwise, the configuration cannot be correctly executed.

  14. (Optional) Configure ACL-based access control.

    • Control access from other devices to the local device.

      • Method 1
        1. Run acl acl-number or acl ipv6 acl6-number

          An ACL or ACL6 is created, and the ACL or ACL6 view is displayed.

          The value of acl-number or acl6-number must be within the range from 2000 to 3999.

        2. Run rule permit source source-address 0 or rule permit source source-ipv6-address 0

          An ACL or ACL6 rule is configured to prohibit devices except the device with the address specified by source-address or source-ipv6-address from accessing the local device.

          If the value of acl-number or acl6-number is within the range from 2000 to 2999, the ACL or ACL6 rule is configured in the basic ACL view or basic ACL6 view.

          If the value of acl-number or acl6-number is within the range from 3000 to 3999, the ACL or ACL6 rule is configured in the advanced ACL view or advanced ACL6 view.

          Ensure that packets can be matched based on the source IP address or source IPv6 address specified in the ACL or ACL6 rule.

        3. Run quit

          Exit from the ACL or ACL6 view.

        4. Run ssh [ ipv6 ] server acl acl-number

          The ACL is configured to control devices that can access the local device using STelnet.

      • Method 2
        1. Run acl acl-number or acl ipv6 acl6-number

          An ACL or ACL6 is created, and the ACL or ACL6 view is displayed.

          The value of acl-number or acl6-number must be within the range from 2000 to 2999 (basic ACLs).

        2. Run rule permit source source-address 0 or rule permit source source-ipv6-address 0

          An ACL or ACL6 rule is configured to prohibit devices except the device with the address specified by source-address or source-ipv6-address from accessing the local device.

        3. Run quit

          Exit from the ACL or ACL6 view.

        4. Run user-interface vty first-ui-number [ last-ui-number ]

          The VTY user interface view is displayed.

        5. Run acl [ ipv6 ] { acl-number | acl-name } inbound

          ACL-based access control is configured for the VTY user interface.

    • Control access from the local device to other devices.
      1. Run acl acl-number or acl ipv6 acl6-number

        An ACL or ACL6 is created, and the ACL or ACL6 view is displayed.

        The value of acl-number or acl6-number must be within the range from 3000 to 3999 (advanced ACLs).

      2. Run rule deny tcp destination-port eq 22

        An ACL or ACL6 rule is configured to prohibit the local device from accessing other devices.

      3. Run quit

        Exit from the ACL or ACL6 view.

      4. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface view is displayed.

      5. Run acl [ ipv6 ] { acl-number | acl-name } outbound

        ACL-based access control is configured for the VTY user interface.
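A quick way to check a switch's running configuration against the recommendations in steps 2 to 6, 12 and 14 is to parse the relevant ssh server lines. The following audit is an added example, not Huawei code; the config excerpt is constructed, and an algorithm list that is absent is treated as the guide's stated default (every algorithm allowed).

```python
import re
# Algorithms the guide says not to keep in each SSH server list (steps 3-5).
WEAK = {
    "key-exchange": {"dh_group14_sha1", "dh_group1_sha1"},
    "cipher": {"des_cbc", "3des_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
}
# Defaults stated in the guide: no configured list means every algorithm is allowed.
DEFAULTS = {
    "key-exchange": {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"},
    "cipher": {"3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes256_ctr"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"},
}

def parse_ssh_config(text):
    # Collect the SSH server settings from a running-config excerpt.
    cfg = {"lists": {}, "min_len": None, "ssh1x": False, "acl": None}
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"ssh server (key-exchange|cipher|hmac) (.+)", line):
            cfg["lists"][m.group(1)] = set(m.group(2).split())
        elif m := re.fullmatch(r"ssh server dh-exchange min-len (\d+)", line):
            cfg["min_len"] = int(m.group(1))
        elif line == "ssh server compatible-ssh1x enable":
            cfg["ssh1x"] = True
        elif m := re.fullmatch(r"ssh( ipv6)? server acl (\d+)", line):
            cfg["acl"] = int(m.group(2))
    return cfg

def audit(text):
    # Findings, in a fixed order, against the guide's recommendations.
    cfg = parse_ssh_config(text)
    findings = []
    for name in ("key-exchange", "cipher", "hmac"):
        allowed = cfg["lists"].get(name, DEFAULTS[name])  # absent list = all allowed
        for alg in sorted(allowed & WEAK[name]):
            findings.append(f"{name}: weak algorithm {alg} allowed")
    if cfg["min_len"] is None or cfg["min_len"] < 2048:
        findings.append("dh-exchange min-len not set to 2048 or higher")
    if cfg["ssh1x"]:
        findings.append("compatible-ssh1x is enabled")
    if cfg["acl"] is None:
        findings.append("no ACL bound with ssh server acl")
    return findings

# Constructed excerpt: only the cipher list was hardened, the rest is left at defaults.
WEAK_EXCERPT = """ssh server cipher aes128_ctr aes256_ctr
ssh server dh-exchange min-len 1024
ssh server compatible-ssh1x enable
ssh server acl 2001
"""
```

Running audit(WEAK_EXCERPT) reports the two weak key-exchange algorithms and five weak HMAC algorithms that remain enabled by default, the short DH exchange length and the SSH1.X compatibility; a config with explicit hardened lists, min-len 2048 and an ACL returns no findings.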

Updated: 2019-10-21

Document ID: EDOC1000178166
