User Login Configuration Commands
- Command Support
- configuration exclusive
- configuration-occupied timeout
- display configuration-occupied user
- display dsa local-key-pair public
- display dsa peer-public-key
- display ecc local-key-pair public
- display ecc peer-public-key
- display http server
- display http user
- display rsa local-key-pair public
- display rsa peer-public-key
- display ssh server
- display ssh server-info
- display ssh user-information
- display telnet server status
- display telnet-client
- dsa local-key-pair create
- dsa local-key-pair destroy
- dsa peer-public-key
- ecc local-key-pair create
- ecc local-key-pair destroy
- ecc peer-public-key
- free http user-id
- http acl
- http secure-server enable
- http secure-server port
- http secure-server ssl-policy
- http server enable
- http server load
- http server port
- http server-source
- http timeout
- lock
- matched upper-view
- peer-public-key end
- public-key-code begin
- public-key-code end
- rsa local-key-pair create
- rsa local-key-pair destroy
- rsa peer-public-key
- run
- send
- ssh authentication-type default password
- ssh client assign
- ssh client cipher
- ssh client first-time enable
- ssh client hmac
- ssh client key-exchange
- ssh server acl
- ssh server authentication-retries
- ssh server authentication-type keyboard-interactive enable
- ssh server compatible-ssh1x enable
- ssh server cipher
- ssh server dh-exchange min-len
- ssh server hmac
- ssh server key-exchange
- ssh server port
- ssh server rekey-interval
- ssh server timeout
- ssh server-source
- ssh user
- ssh user assign
- ssh user authorization-cmd aaa
- ssh user authentication-type
- ssh user service-type
- stelnet
- stelnet server enable
- telnet
- telnet client-source
- telnet server acl
- telnet server-source
- telnet server enable
- telnet server port
configuration exclusive
Function
The configuration exclusive command locks the current system configuration. When the system configuration is locked, the user who locks it can query and modify the configuration while other users can only query the configuration.
The undo configuration exclusive command unlocks the system configuration.
By default, the system configuration is unlocked.
Usage Guidelines
Usage Scenario
The device allows simultaneous access and configuration by multiple users, which may cause configuration conflicts and service exceptions. To prevent such exceptions, run the configuration exclusive command to lock the configuration before modifying it; other users can then only query the configuration. The configuration is unlocked in either of the following ways:
- Run the undo configuration exclusive command.
- Do not modify the configuration within the configured lock interval; the system then automatically unlocks the configuration. To configure the lock interval, run the configuration-occupied timeout command.
Precautions
- After you run the configuration exclusive command, other users cannot modify the system configuration, so confirm your action before running this command.
- Before you run the configuration exclusive command, run the configuration-occupied timeout command to configure the maximum lock interval so that the system can automatically unlock the configuration after this interval.
configuration-occupied timeout
Function
The configuration-occupied timeout command sets the interval after which the system automatically unlocks the configuration.
The undo configuration-occupied timeout command restores the default automatic unlock interval.
By default, the value is 30 seconds.
Parameters
Parameter | Description | Value |
---|---|---|
timeout-value | Specifies the interval after which the system automatically unlocks the configuration if no configuration command is run. | The value is an integer that ranges from 1 to 7200, in seconds. By default, the value is 30 seconds. |
Usage Guidelines
The configuration-occupied timeout command configures the longest lock interval. If no configuration command is delivered within this interval, the system automatically unlocks the configuration so that other users can modify it. Note the following when running the command:
- If the user does not have the configuration right, the system displays an error.
- If the configuration is locked by another user, the system displays a message indicating that the modification fails.
- If the configuration is locked by the user who configures the longest lock interval, the modification is valid.
- The interval cannot be too short, because the device automatically unlocks the configuration if no configuration command is delivered by the user who configured the interval.
- The interval cannot be too long, because other users cannot modify the configuration within this period even if the user who locks the configuration delivers no configuration command during it.
- The command is valid for all users.
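The lock and timer rules described for configuration exclusive and configuration-occupied timeout, as an added Python model (this is example code, not Huawei device code): one device-wide lock whose holder may query and modify while everyone else may only query, an idle timer that the holder's configuration commands refresh, automatic unlock when the timer expires, and a timeout setting that is rejected while another user holds the lock. The FakeClock, the user names and the result messages are constructed for the simulation.

```python
import time
from collections import namedtuple

# Added example, not device code: a model of the configuration exclusive lock
# and its configuration-occupied timeout idle timer. Result messages are
# constructed for the simulation and are not the device's exact prompts.
Result = namedtuple("Result", "ok message")


class FakeClock:
    """Manual clock (constructed for the example) so idle time can be advanced without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ConfigLock:
    """One device-wide lock: the holder may query and modify, everyone else may only query."""

    def __init__(self, timeout_s=30, clock=time.monotonic):
        self._clock = clock
        self.timeout_s = self._validate(timeout_s)  # device-wide, like the command
        self._holder = self._locked_at = self._last_config_at = None

    @staticmethod
    def _validate(timeout_s):
        # Same range as timeout-value: an integer from 1 to 7200 seconds, default 30.
        if not isinstance(timeout_s, int) or not 1 <= timeout_s <= 7200:
            raise ValueError("timeout-value must be an integer from 1 to 7200 seconds")
        return timeout_s

    def _expire_if_idle(self):
        # Automatic unlock: the holder sent no configuration command within timeout_s.
        if self._holder is not None and self._clock() - self._last_config_at >= self.timeout_s:
            self._holder = self._locked_at = self._last_config_at = None

    def holder(self):
        self._expire_if_idle()
        return self._holder

    def lock(self, user):
        """configuration exclusive"""
        self._expire_if_idle()
        if self._holder not in (None, user):
            return Result(False, f"configuration is locked by {self._holder}")
        now = self._clock()
        if self._holder is None:
            self._locked_at = now
        self._holder, self._last_config_at = user, now
        return Result(True, "configuration locked")

    def unlock(self, user):
        """undo configuration exclusive"""
        self._expire_if_idle()
        if self._holder != user:
            return Result(False, "you do not hold the configuration lock")
        self._holder = self._locked_at = self._last_config_at = None
        return Result(True, "configuration unlocked")

    def configure(self, user, command):
        """Any configuration command; the holder's commands refresh the idle timer."""
        self._expire_if_idle()
        if self._holder not in (None, user):
            return Result(False, f"modification failed: configuration is locked by {self._holder}")
        if self._holder == user:
            self._last_config_at = self._clock()
        return Result(True, f"applied: {command}")

    def set_timeout(self, user, timeout_s):
        """configuration-occupied timeout: rejected while another user holds the lock."""
        timeout_s = self._validate(timeout_s)
        result = self.configure(user, f"configuration-occupied timeout {timeout_s}")
        if result.ok:
            self.timeout_s = timeout_s
        return result

    def status(self):
        """The fields display configuration-occupied user reports, or None when unlocked."""
        self._expire_if_idle()
        if self._holder is None:
            return None
        return {"user": self._holder, "locked_at": self._locked_at,
                "last_config_at": self._last_config_at, "timeout_s": self.timeout_s}


if __name__ == "__main__":
    clock = FakeClock()
    lock = ConfigLock(timeout_s=30, clock=clock)
    print(lock.lock("admin"))
    print(lock.configure("guest", "sysname R2"))   # rejected: admin holds the lock
    clock.now = 31.0                               # admin idle past the timeout
    print(lock.holder(), lock.lock("guest"))       # None, then guest acquires it
```

The model makes the trade-off in the guidelines concrete: a short timeout_s drops the holder's lock after a brief pause, a long one keeps other users out for the whole idle period, and the device-wide timeout can only be changed by whoever holds the lock (or by anyone while it is free).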
display configuration-occupied user
Function
The display configuration-occupied user command displays information about the user who locks the configuration.
Usage Guidelines
You can run the display configuration-occupied user command to query the user who has the configuration right. If no user locks the system configuration, the system displays a corresponding message.
Example
<HUAWEI> display configuration-occupied user
User Index: 34
User Session Name: VTY0
User Name:**
IP Address: 10.135.19.22
Locked Time: 2012-09-16 15:26:32+10:00 DST
Last Configuration Time: 2012-09-16 15:26:32+10:00 DST
The time out value of configuration right locked is: 30 second(s)
Item | Description |
---|---|
User Index | User index. |
User Session Name | User session name. The value is CON0 or ranges from VTY0 to VTY14. snmp-agent: session name of an NMS user. |
User Name | Name of a login user. |
IP Address | IP address of the user. |
Locked Time | Time when the configuration was locked. |
Last Configuration Time | Time when the user delivered the last configuration command. |
The time out value of configuration right locked is | Duration for locking the configuration. To configure the duration, run the configuration-occupied timeout command. |
# Display the user who locks the system configuration (when no user locks the system configuration).
<HUAWEI> display configuration-occupied user
Info: No user locked the current configuration.
display dsa local-key-pair public
Function
The display dsa local-key-pair public command displays the public key in the local DSA key pair of the device.
Usage Guidelines
This command displays the public key in the local DSA key pair. You can copy the public key in the command output to the DSA public key of the SSH server to ensure that the public keys on the client and server are consistent and that the client can be authenticated by the server.
Example
# Display the public key in the client DSA key pair.
<HUAWEI> display dsa local-key-pair public
=====================================================
Time of Key pair created:2014-08-27 06:35:16+08:00
Key name : HUAWEI_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
Key fingerprint: b5:82:31:f1:65:0f:97:81:dc:27:95:a8:f8:26:68:c4
=====================================================
Key code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
26D21FBE 18A9FCB3 C19A7430 A801D8A1 09CFC6E6 ACB104F4 B398B3B7 83A059EA
BE23AE04 5D7AD134 4279637B 51AD9ADF 80B627EA 9328C95F 3DFF00EE 84847039
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQCbSH74YqfyzwZp0MKgB
2KEJz8bmrLEE9LOYs7eDoFnqviOuBF160TRCeWN7Ua2a34C2J+qTKMlfPf8A7oSE
cDk=
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw
6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8s
kZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKf
AAAAQCbSH74YqfyzwZp0MKgB2KEJz8bmrLEE9LOYs7eDoFnqviOuBF160TRCeWN7Ua2a34C2J+qTKMlf
Pf8A7oSEcDk= dsa-key
Item | Description |
---|---|
Time of Key pair created | Time when the public key was created. |
Key name | Name of the public key. |
Key modulus | Length of the key. |
Key type | Type of the public key. |
Key fingerprint | Key fingerprint. |
Key code | Content of the key. |
Host public key for PEM format code | PEM code of the public key. |
Public key code for pasting into OpenSSH authorized_keys file | Public key format in the OpenSSH file. |
display dsa peer-public-key
Function
The display dsa peer-public-key command displays the DSA public key that has been configured.
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays the brief information. | - |
name key-name | Displays the DSA public key with the specified name. | The value is a string of 1 to 30 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
Usage Guidelines
Usage Scenario
This command displays the DSA public key for you to check whether the local and peer public keys are consistent.
Precautions
You must complete the DSA public key configuration before running this command.
Example
# Display the DSA public key with the specified name.
<HUAWEI> display dsa peer-public-key name amar
=====================================
Key name: amar
Encoding type: DER
=====================================
Key Code:
3081DC
0240
AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
0214
94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
0240
91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
0240
0E7BEFD5 594ECA9C CE574D9D 369BCD0C 19C94725 5FE8666E 73292AD6 908E4E0C
7F0EA3AF A02F17F7 3A0B1D15 E22420CB B5EC1D2C 8BA77729 276EDEBB 8DA843C7
display ecc local-key-pair public
Function
The display ecc local-key-pair public command displays information about the public key in the local Elliptic Curves Cryptography (ECC) key pair.
Usage Guidelines
Usage Scenario
You can run the display ecc local-key-pair public command to check information about the public key in the local ECC key pair on a client and then copy the public key to the server. The public key enables a server to authenticate users and ensures the login of authorized users.
Pre-configuration Tasks
You must run the ecc local-key-pair create command to generate a local ECC host key pair before using the command.
Example
# Display information about the public key in the local ECC key pair on a client.
<HUAWEI> display ecc local-key-pair public
=====================================================
Time of Key pair created:2016-10-19 11:50:20+00:00
Key name : HUAWEI_Host_ECC
Key modulus : 521
Key type : ECC encryption Key
Key fingerprint:
=====================================================
Key code:
0401CE1E 5EF3B843 CD917648 1D70EF8F CECE8518 5B32ED5F 529E9DC4 D16EDF1A
5F6E6389 10AAE2D4 74FD9DA7 F05AB123 9AF3EE64 9F0BAF99 A0CBF55B E319B2D1
8EDEBB01 7C63469B C62A2256 3EAEA0BD 486F9524 8559C7EF 24D969D1 11093BBF
27F770E7 03E28ABA BB357E5B 28EF04CC EA931C81 C7D7EBD8 5797B1CD 05D9B497
56D91126 E9
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHOHl7zuEPN
kXZIHXDvj87OhRhbMu1fUp6dxNFu3xpfbmOJEKri1HT9nafwWrEjmvPuZJ8Lr5mg
y/Vb4xmy0Y7euwF8Y0abxioiVj6uoL1Ib5UkhVnH7yTZadERCTu/J/dw5wPiirq7
NX5bKO8EzOqTHIHH1+vYV5exzQXZtJdW2REm6Q==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHOHl7z
uEPNkXZIHXDvj87OhRhbMu1fUp6dxNFu3xpfbmOJEKri1HT9nafwWrEjmvPuZJ8Lr5mgy/Vb4xmy0Y7e
uwF8Y0abxioiVj6uoL1Ib5UkhVnH7yTZadERCTu/J/dw5wPiirq7NX5bKO8EzOqTHIHH1+vYV5exzQXZ
tJdW2REm6Q== ecdsa-key
Item | Description |
---|---|
Time of Key pair created | Time when the public key in the local ECC key pair is generated, in the format of YYYY-MM-DD HH:MM:SS. |
Key Name | Name of the public key in the local ECC key pair. |
Key modulus | Length of the public key in the local ECC key pair on a client. |
Key Type | Type of the public key in the local ECC key pair. "ECC encryption Key" indicates an ECC public key. |
Key Code | Code of the public key in the local ECC key pair configured using the ecc local-key-pair create command. |
Host public key for PEM format code | PEM code of the public key in the local ECC key pair on a client. |
Public key code for pasting into OpenSSH authorized_keys file | Public key in the local ECC key pair on a client that is used for OpenSSH authorization. This information can be used after being copied to the OpenSSH authorized_keys file. |
display ecc peer-public-key
Function
The display ecc peer-public-key command displays information about the Elliptic Curves Cryptography (ECC) public key configured on the remote end.
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays the brief information about the ECC public key configured on the remote end. | - |
name key-name | Displays information about an ECC public key with a specified name configured on the remote end. | The value is a string of 1 to 30 case-sensitive characters, spaces not supported. |
Usage Guidelines
Usage Scenario
You can run the display ecc peer-public-key command on a client to check information about the public key configured on the remote end. The public key enables a server to authenticate users and ensures the login of authorized users.
Example
# Display the information about the ECC public keys of 127.0.0.1.
<HUAWEI> display ecc peer-public-key
=====================================
Key name: 127.0.0.1
Encoding type: DER
=====================================
Key Code:
04013184 A3311697 89DF558B 7F67BF9D BD95DBD5 280D659F 0E29852C AEC2FFBA
1913AC2A 88247ADA 46BEBEBE 1829C0DA 3BABC8FC 8F6EAD28 2AE2C6A8 116BAA3A
540E6B00 34E033D8 9D84841B 0D33DAD8 DEDD1C09 2B70B3DB 5AF0FCB2 37DF1C82
C4C622A6 85B23698 195DA60F 06858ADB DD743937 B4A29C4C FB28B40B BCEEE036
1DE61BD2 24
# Display the brief information about all the ECC public keys.
<HUAWEI> display ecc peer-public-key brief
Bits Name
----------------------
521 127.0.0.1
384 192.168.131.203
Item | Description |
---|---|
Bits | Length of the ECC public key configured on the remote end. |
Name | Name of the ECC public key configured on the remote end. |
Key name | Name of the ECC public key configured on the remote end. |
Encoding type | Encoding type of the ECC public key configured on the remote end. |
Key Code | Code of the public key in the local ECC key pair configured using the ecc local-key-pair create command. |
display http server
Usage Guidelines
You can view the HTTPS server information, including the status of HTTPS services, port number, maximum number of users allowed to access the HTTPS server, and number of current online users.
Example
# Display information about the current HTTPS server.
<HUAWEI> display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 3
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : ssl_server
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0
Item | Description |
---|---|
HTTP Server Status | Status of the HTTP IPv4 server. You can configure the HTTP IPv4 server status by running the http server enable command. |
HTTP Server Port | Port number of the HTTP IPv4 server. The default value is 80. You can configure the port number of the HTTP IPv4 server by running the http server port command. |
HTTP Timeout Interval | Timeout period of the HTTP/HTTPS server. The default value is 20 minutes. You can configure the timeout period of the HTTP/HTTPS server by running the http timeout command. |
Current Online Users | Number of current online users. |
Maximum Users Allowed | Maximum number of users allowed to access the HTTP server. |
HTTP Secure-server Status | Status of the HTTPS IPv4 server. You can configure the HTTPS IPv4 server status by running the http secure-server enable command. |
HTTP Secure-server Port | Port number of the HTTPS IPv4 server. The default value is 443. You can configure the port number of the HTTPS IPv4 server by running the http secure-server port command. |
HTTP SSL Policy | HTTPS SSL policy. You can configure the HTTPS SSL policy by running the ssl policy command. |
HTTP IPv6 Server Status | Status of the HTTP IPv6 server function. You can configure the HTTP IPv6 server status by running the http ipv6 server enable command. |
HTTP IPv6 Server Port | Port number of the HTTP IPv6 server. The default value is 80. You can configure the port number of the HTTP IPv6 server by running the http ipv6 server port command. |
HTTP IPv6 Secure-server Status | Status of the HTTPS IPv6 server function. You can configure the HTTPS IPv6 server status by running the http ipv6 secure-server enable command. |
HTTP IPv6 Secure-server Port | Port number of the HTTPS IPv6 server. The default value is 443. You can configure the port number of the HTTPS IPv6 server by running the http ipv6 secure-server port command. |
HTTP server source address | IP address of the source interface on the HTTP server. |
display http user
Parameters
Parameter | Description | Value |
---|---|---|
username username | Specifies the name of the current online user. | The value is a string of 1 to 64 case-insensitive characters, with no space or wildcard. When double quotation marks are used around the string, spaces are allowed in the string. |
Usage Guidelines
If username is not specified, this command displays summary information about all online users.
If username is specified, this command displays detailed information about the specified online user.
Example
# Display general information about the current online user.
<HUAWEI> display http user
Total online users: 1
------------------------------------------------------
User name IP Address Login Date
------------------------------------------------------
admin 192.168.0.1 2012-03-23 15:30:55+00:00
# Display detailed information about the current online user admin.
<HUAWEI> display http user username admin
Client IP Address: 192.168.0.1
Login Date: 2012-03-19 15:30:55+00:00
User timeouts: 15 minute
display rsa local-key-pair public
Function
The display rsa local-key-pair public command displays the public key in the local key pair.
Usage Guidelines
Run this command on the client and configure the client public key from the command output on the SSH server. This ensures that the SSH server's validity check of the SSH client succeeds and enables secure data exchange between the SSH server and client.
Example
# Display the public key in the local key pair.
<HUAWEI> display rsa local-key-pair public
=====================================================
Time of Key pair created: 2012-08-15 06:41:55+08:00
Key name: HUAWEI_Host
Key type: RSA encryption Key
Key fingerprint: ab:ec:d7:e1:22:5f:e4:e3:6e:f0:d6:1f:99:e4:f2:f3
=====================================================
Key code:
3047
0240
D8D10BE8 CD41AA43 862B6C2B 637D1A53 1EBB4015 96A70B13 72B17A16 84E02168
4061A4C2 A1CDB541 484F71DB D7271E5F E3C75BEA AF853023 0CDCE55D ECCB0461
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDY0QvozUGqQ4YrbCtjfRpTHrtAFZanCxNy
sXoWhOAhaEBhpMKhzbVBSE9x29cnHl/jx1vqr4UwIwzc5V3sywRh
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDY0QvozUGqQ4YrbCtjfRpTHrtAFZanCxNysXoWhOAhaEBhpMKhzbVBSE9x29cnHl/jx1vqr4UwIwzc5V3sywRh rsa-key
=====================================================
Time of Key pair created: 2012-08-15 06:42:03+08:00
Key name: HUAWEI_Server
Key type: RSA encryption Key
Key fingerprint: 16:3b:43:4f:74:16:98:b3:5c:51:b5:a3:83:f8:86:19
=====================================================
Key code:
3067
0260
F31D5536 26C05536 6703885D E8FCDB00 07C45437 B3D08086 9E25B7B6 CFE375B2
1AA957EE 24D2DC51 BAA81ECD 6894F71E 20596754 35653808 C8B74ACB DE94C584
1E234FED 840900F0 4A4100FB C133DFB7 12D4B4DB EF0C3E1F E211202A F45DD5DD
0203
010001
Item | Description |
---|---|
Time of Key pair created | Time and date when the public key was created. |
Key Name | The value can be the host or server public key. The server public key is saved only when the key type is RSA. |
Key Type | Type of the public key. |
Key fingerprint | Public key fingerprint. |
Key Code | Code of the public key. |
display rsa peer-public-key
Function
The display rsa peer-public-key command displays the peer public key saved on the local host. If no parameter is specified, the command displays detailed information about all peer public keys.
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays the brief information about all peer public keys. | - |
name key-name | Specifies the key name. | The value is a string of 1 to 30 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
Usage Guidelines
Usage Scenario
You can run this command to check detailed information about the RSA public key and whether the local and peer public keys are the same.
Precautions
You must complete the RSA public key configuration before running this command.
Example
# Display the brief information about all RSA public keys.
<HUAWEI> display rsa peer-public-key brief
Address                 Bits    Name
---------------------------
                        768     rsakey001
Item | Description |
---|---|
Address | Brief information about the public key. |
Bits | Bits in the public key. |
Name | Name of the public key. |
# Display the detailed information about the RSA public key named rsakey001.
<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
Key name: rsakey001
Key address:
=====================================
Key Code:
3067
0260
A3158E6C F252C039 135FFC45 F1E4BA9B 4AED2D88 D99B2463 3E42E13A 92A95A37
45CDF037 1AF1A910 AAE3601C 2EB70589 91AF1BB5 BD66E31A A9150911 859CAB0E
1E10548C D70D000C 55A1A217 F4EA2F06 E44BD438 DA472F14 3FB7087B 45E77C05
0203
010001
display ssh server
Parameters
Parameter | Description | Value |
---|---|---|
status | Displays the global configuration on the SSH server. | - |
session | Displays the current session connection information on the SSH server. | - |
Usage Guidelines
After configuring the SSH attributes, you can run this command to view the configuration or session connection information on the SSH server to verify that the SSH connection has been established.
Example
# Display the global configuration on the SSH server.
<HUAWEI> display ssh server status
SSH version :2.0
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP IPv4 server :Enable
SFTP IPv6 server :Enable
STELNET IPv4 server :Enable
STELNET IPv6 server :Enable
SCP IPv4 server :Enable
SCP IPv6 server :Enable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0
Item | Description |
---|---|
SSH version | Protocol version used for the SSH session connection. |
SSH connection timeout | Timeout interval of SSH server authentication, in seconds. Run the ssh server timeout command to set this item. |
SSH server key generating interval | Interval for regenerating the SSH server key, in hours. Run the ssh server rekey-interval command to set this item. |
SSH authentication retries | Number of times for retrying the SSH session connection. Run the ssh server authentication-retries command to set this item. |
SFTP IPv4 server | SFTP IPv4 service status. Run the sftp ipv4 server enable command to set this item. |
SFTP IPv6 server | SFTP IPv6 service status. Run the sftp ipv6 server enable command to set this item. |
STELNET IPv4 server | STelnet IPv4 service status. Run the stelnet ipv4 server enable command to set this item. |
STELNET IPv6 server | STelnet IPv6 service status. Run the stelnet ipv6 server enable command to set this item. |
SCP IPv4 server | SCP IPv4 service status. Run the scp ipv4 server enable command to set this item. |
SCP IPv6 server | SCP IPv6 service status. Run the scp ipv6 server enable command to set this item. |
SSH server source | Source address of the SSH server. Run the ssh server-source -i loopback interface-number command to set this item. |
ACL4 number | ACL4 number of the SSH server. Run the ssh server acl acl-number command to set this item. |
ACL6 number | ACL6 number of the SSH server. Run the ssh ipv6 server acl acl-number command to set this item. |
# Display the current session connection information on the SSH server.
<HUAWEI> display ssh server session
Session 1:
Conn : VTY 10
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes256-cbc
STOC Cipher : aes256-cbc
CTOS Hmac : hmac-sha2_256
STOC Hmac : hmac-sha2_256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 14
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes256-cbc
STOC Cipher : aes256-cbc
CTOS Hmac : hmac-sha2_256
STOC Hmac : hmac-sha2_256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : dsa
Service Type : stelnet
Authentication Type : password
Item | Description |
---|---|
Session | SSH session ID. |
Conn | Connection used by the SSH session. |
Version | Protocol version used for the SSH session connection. |
State | Status of the SSH session connection. |
Username | User name for the SSH session connection. Run the ssh user command to set this item. |
Retry | Number of times for retrying the SSH session connection. Run the ssh server authentication-retries command to set this item. |
CTOS Cipher | Encryption algorithm name from client to server. |
STOC Cipher | Encryption algorithm name from server to client. |
CTOS Hmac | HMAC algorithm name from client to server. |
STOC Hmac | HMAC algorithm name from server to client. |
CTOS Compress | Whether data is compressed for transmission from client to server, which can be specified for an SCP connection. |
STOC Compress | Whether data is compressed for transmission from server to client, which can be specified for an SCP connection. |
Kex | Key exchange algorithm name. |
Public Key | Public key algorithm used for server authentication, which can be RSA, DSA, or ECC. |
Service Type | Service type for an SSH user. The options are as follows: Run the ssh user service-type command to set this item. |
Authentication Type | Authentication mode for an SSH user. The options are as follows: Run the ssh user authentication-type command to set this item. |
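The status and session output above is what a hardening review of the SSH server reads. Both sample sessions negotiated aes256-cbc and diffie-hellman-group1-sha1, and the status output shows a key generating interval of 0 hours and ACL numbers of 0; CBC-mode ciphers and SHA-1 or 1024-bit-group key exchanges are widely deprecated, and the ssh server cipher, ssh server key-exchange, ssh server hmac, ssh server rekey-interval and ssh server acl commands in this reference are the controls that change them. The Python below is an added example, not device code: it parses the page's sample status and session output (reflowed one field per line, status output abridged to the lines the checks use) and reports the findings. Reading "0" in the ACL and key generating interval fields as "not configured" is an assumption on my part, as is the list of weak algorithm names, which follows their standard SSH names.

```python
import re

# Added example, not device code: parse 'display ssh server status' and
# 'display ssh server session' output and flag what a hardening review would
# question. Inputs are the page's samples reflowed one field per line.
STATUS_OUTPUT = """\
SSH version :2.0
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0
"""

SESSION_OUTPUT = """\
Session 1:
Conn : VTY 10
Version : 2.0
State : started
Username : client002
Retry : 1
CTOS Cipher : aes256-cbc
STOC Cipher : aes256-cbc
CTOS Hmac : hmac-sha2_256
STOC Hmac : hmac-sha2_256
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : sftp
Authentication Type : password
Session 2:
Conn : VTY 14
Username : client001
CTOS Cipher : aes256-cbc
STOC Cipher : aes256-cbc
CTOS Hmac : hmac-sha2_256
STOC Hmac : hmac-sha2_256
Kex : diffie-hellman-group1-sha1
Public Key : dsa
Service Type : stelnet
Authentication Type : password
"""

# Key exchanges built on SHA-1 or a 1024-bit group, by their standard SSH names.
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}


def _kv(line):
    """Split 'Field : value' (or 'Field :value') on the first colon."""
    key, _, value = line.partition(":")
    return key.strip(), value.strip()


def parse_sessions(text):
    """Return one dict per 'Session N:' block, keyed by field name."""
    sessions, current = [], None
    for line in text.splitlines():
        match = re.match(r"Session\s+(\d+):\s*$", line.strip())
        if match:
            current = {"Session": match.group(1)}
            sessions.append(current)
        elif current is not None and ":" in line:
            key, value = _kv(line)
            current[key] = value
    return sessions


def algorithm_weakness(field, value):
    """Reason a negotiated algorithm is deprecated, or None if it is acceptable."""
    v = value.lower()
    if field.endswith("Cipher") and (v.endswith("-cbc") or v.startswith("3des") or "arcfour" in v):
        return "CBC-mode or legacy cipher"
    if field.endswith("Hmac") and ("md5" in v or "sha1" in v):
        return "HMAC built on MD5 or SHA-1"
    if field == "Kex" and v in WEAK_KEX:
        return "SHA-1 based or 1024-bit-group key exchange"
    return None


def audit_sessions(text):
    """Map session ID -> findings, for sessions that negotiated a deprecated algorithm."""
    findings = {}
    for session in parse_sessions(text):
        for field in ("CTOS Cipher", "STOC Cipher", "CTOS Hmac", "STOC Hmac", "Kex"):
            reason = algorithm_weakness(field, session.get(field, ""))
            if reason:
                findings.setdefault(session["Session"], []).append(
                    f"{field} {session[field]}: {reason}")
    return findings


def audit_status(text):
    """Findings from the global settings; a value of 0 is read as 'not configured' (assumption)."""
    fields = dict(_kv(line) for line in text.splitlines() if ":" in line)
    findings = []
    if fields.get("SSH server key generating interval", "").split()[:1] == ["0"]:
        findings.append("SSH server key generating interval is 0 hours: periodic server-key "
                        "regeneration is off (ssh server rekey-interval)")
    for acl in ("ACL4 number", "ACL6 number"):
        if fields.get(acl) == "0":
            findings.append(f"{acl} is 0: no ACL limits access to the SSH server (ssh server acl)")
    return findings
```

A session that already negotiated a weak algorithm is not fixed by changing the server's algorithm lists; the lists take effect for new connections, so the audit is worth re-running after the change and after the affected clients reconnect.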
display ssh server-info
Function
The display ssh server-info command displays the binding between SSH servers and RSA, DSA, or ECC public keys when the current device works as an SSH client.
Usage Guidelines
When the SSH client needs to authenticate the server, the server public key saved on the local host is used to authenticate the connected SSH server. If the authentication fails, you can run the display ssh server-info command to check whether the saved server public key is correct.
Example
# Display all bindings between the SSH servers and public keys on the SSH client.
<HUAWEI> display ssh server-info
Server Name(IP)        Server Public Key Type    Server public key name
______________________________________________________________________________
192.168.50.207         RSA                       192.168.50.207
192.168.50.204         DSA                       192.168.50.204
192.168.50.208         ECC                       192.168.50.208
display ssh user-information
Usage Guidelines
This command displays the SSH user name, bound RSA, DSA, or ECC public key name, and service type.
Example
# Display the configuration of the SSH user named client001.
<HUAWEI> display ssh user-information client001
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
# Display the configuration of all SSH users.
<HUAWEI> display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : dsakey001
User-public-key-type : dsa
Sftp-directory : cfcard:
Service-type : sftp
Authorization-cmd : No
Item | Description |
---|---|
User Name | SSH user name. Run the ssh user command to set this item. |
Authentication-type | Authentication mode for an SSH user. The options are as follows: Run the ssh user authentication-type command to set this item. |
User-public-key-name | Peer RSA, DSA, or ECC public key assigned to an SSH user. Run the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command to set this item. |
User-public-key-type | The public key type for an SSH user can be RSA, DSA, or ECC. |
Sftp-directory | SFTP service directory of an SSH user. Run the ssh user sftp-directory command to set this item. |
Service-type | Service type for an SSH user. The options are as follows: Run the ssh user service-type command to set this item. |
Authorization-cmd | Command line authorization mode configured for an SSH user. Run the ssh user authorization-cmd aaa command to set this item. |
display telnet server status
Function
The display telnet server status command displays the status and configuration of a Telnet server.
Usage Guidelines
- To check whether a device functions as a Telnet server, run the display telnet server status command.
- If you have set a port number for the Telnet server using the telnet server port port-number command, run the display telnet server status command to check the port number.
Example
<HUAWEI> display telnet server status
TELNET IPv4 server :Enable
TELNET IPv6 server :Enable
TELNET server port :23
TELNET server source address :0.0.0.0
ACL4 number :0
ACL6 number :0
Item | Description |
---|---|
TELNET IPv4 server | Status of the IPv4 Telnet server. |
TELNET IPv6 server | Status of the IPv6 Telnet server. |
TELNET server port | Listening port number of the Telnet server. |
TELNET server source address | Source address of the Telnet server. |
ACL4 number | ACL4 number of the Telnet server. |
ACL6 number | ACL6 number of the Telnet server. |
display telnet-client
Function
The display telnet-client command displays the source parameters when a device works as a Telnet client.
Usage Guidelines
After setting source parameters of a Telnet client, you can run this command to check the setting result. If you have not run the telnet client-source command, the default source IP address is 0.0.0.0.
dsa local-key-pair create
Usage Guidelines
Usage Scenario
Compared with RSA, Digital Signature Algorithm (DSA) has a wider application in the SSH protocol. The asymmetric encryption system generates public and private keys to implement secure key exchange, thereby ensuring secure sessions.
If a DSA key already exists when you run this command, the system prompts you to confirm whether to replace the original key. If you agree, the key in the new key pair is named device name_Host_DSA, for example, HUAWEI_Host_DSA. The local DSA private key is saved in PKCS#8 format to the hostkey_dsa file in the system NOR FLASH.
After you enter the command, the device prompts you to enter the number of bits in the host key. The length of a host key pair can be 1024 or 2048. By default, the key length is 2048.
Precautions
This command is not saved in a configuration file and can take effect immediately after being run. After the device restarts, you do not need to run the command again.
To improve security of the device, it is recommended that you use a key pair of 2048 bits.
Example
# Generate DSA key pairs on the device.
<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
dsa local-key-pair destroy
Usage Guidelines
Usage Scenario
DSA applies to SSH verification. The asymmetric encryption system generates public and private keys to implement secure key exchange, thereby ensuring secure sessions. You can run the dsa local-key-pair create command to generate local DSA keys. When local DSA keys are unnecessary, you can run the dsa local-key-pair destroy command to delete these keys.
Prerequisite
The local DSA keys have been created.
Configuration Impact
After you run this command, the file that stores the DSA host keys (device name_Host_DSA) on the active and standby MPUs is cleared.
Precautions
The dsa local-key-pair destroy command takes effect once, and therefore will not be saved in the configuration file.
dsa peer-public-key
Function
The dsa peer-public-key command configures an encoding format for a DSA public key and displays the DSA public key view.
The undo dsa peer-public-key command deletes a DSA public key.
By default, no encoding format is configured for a DSA public key.
Format
dsa peer-public-key key-name encoding-type { der | openssh | pem }
undo dsa peer-public-key key-name
Parameters
Parameter |
Description |
Value |
---|---|---|
key-name | Specifies the public key name. | The value is a string of 1 to 30 case-insensitive characters without spaces. The string can contain spaces if it is enclosed in double quotation marks ("). |
encoding-type | Specifies an encoding format for a DSA public key. | - |
der | Specifies the Distinguished Encoding Rules (DER) format for a DSA public key. DER key data is entered as a hexadecimal string. | - |
openssh | Specifies the OpenSSH format for a DSA public key. The key data is base-64 encoded. | - |
pem | Specifies the Privacy Enhanced Mail (PEM) format for a DSA public key. The key data is base-64 encoded. | - |
Usage Guidelines
Usage Scenario
When you use DSA public key authentication, you must configure the public key of the corresponding client for the SSH user on the server. When the client logs in, the server uses that public key to verify the client's signature. Conversely, saving the server's public key on the client beforehand lets the client verify the server's host key at the first login instead of accepting an unknown key.
Huawei data communications devices accept DSA public keys in DER, OpenSSH and PEM formats. If a key is in another format, convert it with a third-party tool into DER, OpenSSH or PEM format before entering it. Such tools are not shipped with Huawei system software, which is why OpenSSH format is supported in addition to DER and PEM: it lets keys from common clients be entered without conversion.
- SecureCRT and PuTTY export DSA public keys in PEM (SSH2) format.
- OpenSSH generates DSA public keys in OpenSSH format.
- OpenSSL can export DSA public keys in DER format.
OpenSSL is open source software. Its documentation is available on the OpenSSL official website.
After you configure an encoding format for a DSA public key, the device creates a DSA public key entry with the given name and encoding format and enters the DSA public key view. Then run the public-key-code begin command and paste the DSA public key generated on the peer device into the local device.
Follow-up Procedure
- Run the public-key-code end command to return to the DSA public key view.
- Run the peer-public-key end command to exit the DSA public key view and return to the system view.
Precautions
If a DSA public key has been assigned to an SSH client, run the undo ssh user user-name assign { rsa-key | dsa-key | ecc-key } command to release the binding between the public key and the SSH client. If you do not release the binding between them, the undo dsa peer-public-key command will fail to delete the DSA public key.
The peer public key supports only PKCS#1. Other PKCS versions are not supported.
ecc local-key-pair create
Function
The ecc local-key-pair create command generates a local Elliptic Curves Cryptography (ECC) host key pair.
Usage Guidelines
Usage Scenario
A local key pair is a prerequisite for a successful SSH login. Compared with the RSA algorithm used by the rsa local-key-pair create command, the ECC algorithm provides equivalent security with a much shorter key, so key generation and the per-connection signature operations are faster. The length of the server key pair and the host key pair can be 256 bits, 384 bits or 521 bits. By default, the key length is 521 bits.
Precautions
The generated ECC host key pair is named in the format of switch name_Host_ECC, such as HUAWEI_Host_ECC.
The local ECC private key is saved in PKCS#8 format to the hostkey_ecc file in the system NOR FLASH.
The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the switch restarts.
Do not delete the ECC key file from the switch. If the ECC key file is deleted, the ECC key pair cannot be restored after the switch is restarted.
Example
# Generate a local ECC host key pair.
<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The ECC host key named HUAWEI_Host_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
# Enter an invalid key length five times, which is the maximum number of retry attempts; the command is then canceled.
<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The ECC host key named HUAWEI_Host_ECC already exists.
Warning: Do you want to replace it ?[Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:123
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:1024
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:512
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:2048
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:4096
Error: Invalid ECC key modulus.
Error: The maximum number of retries has reached, and the command has already been canceled.
ecc local-key-pair destroy
Function
The ecc local-key-pair destroy command deletes the local Elliptic Curves Cryptography (ECC) keys.
Usage Guidelines
Usage Scenario
If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command to delete them.
Configuration Impact
After the ecc local-key-pair destroy command is run, the ECC key files on the device are cleared. Exercise caution when running the command.
Precautions
The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the switch restarts.
Do not delete the ECC key file from the switch. If the ECC key file is deleted, the ECC key pair cannot be restored after the switch is restarted.
ecc peer-public-key
Function
The ecc peer-public-key command creates an ECC public key and enters the Elliptic Curves Cryptography (ECC) public key view.
The undo ecc peer-public-key command deletes an ECC public key.
By default, no ECC public key is created.
Format
ecc peer-public-key key-name encoding-type { der | pem | openssh }
undo ecc peer-public-key key-name
Parameters
Parameter | Description | Value |
---|---|---|
key-name | Specifies an ECC public key name. | The value is a string of 1 to 30 case-sensitive characters, spaces not supported. |
encoding-type | Indicates the encoding type of an ECC public key. | - |
der | Specifies DER as the encoding type of an ECC public key. DER key data is entered in hexadecimal notation. | - |
openssh | Specifies OpenSSH as the encoding type of an ECC public key. The key data is Base64 encoded. | - |
pem | Specifies PEM as the encoding type of an ECC public key. The key data is Base64 encoded. | - |
Usage Guidelines
Usage Scenario
When ECC public key authentication is used, a client's public key must be specified on the server for an SSH user. When the client logs in to the server, the server performs authentication on the client based on the public key of the SSH user.
After an ECC public key is created and the ECC public key view is displayed, run the public-key-code begin command, then you can manually copy the client's public key to the server.
The client's public key is generated by the client software; the matching private key never leaves the client.
If an ECC public key has been assigned to an SSH client, delete the binding between the public key and the SSH client before deleting the ECC public key. Otherwise, the undo ecc peer-public-key command will fail to delete the ECC public key.
Follow-up Procedure
- Run the public-key-code end command to return to the ECC public key view.
- Run the peer-public-key end command to quit the ECC public key view and return to the system view.
Precautions
A maximum of 20 ECC public keys can be created.
The peer public key supports only PKCS#1. Other PKCS versions are not supported.
Example
# Create an ECC public key and enter the ECC public key view.
<HUAWEI> system-view
[HUAWEI] ecc peer-public-key ecc-peer-key encoding-type pem
Info: Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin
Info: Enter "ECC key code" view, return the last view with "public-key-code end".
[HUAWEI-ecc-key-code] ---- BEGIN SSH2 PUBLIC KEY ----
[HUAWEI-ecc-key-code] AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACDBL5J4v3pqi5S
[HUAWEI-ecc-key-code] ALI9lvLw4cdvtpD2AC6sEJXg9GDCD5vGBnkXlKmnOy6d1TyrXx57ZPNnrSdqVkHC
[HUAWEI-ecc-key-code] sMBa63vSwg1XsVW2qZgx8H57+FJiTPY61b1Vfst9GUif1ymfpB7XrbdYZDownoh0
[HUAWEI-ecc-key-code] FZNadZtIf2CRc0OeiKXbCSPP25dfoT/DTcc=
[HUAWEI-ecc-key-code] ---- END SSH2 PUBLIC KEY ----
[HUAWEI-ecc-key-code] public-key-code end
[HUAWEI-ecc-public-key] peer-public-key end
# Delete an ECC public key.
<HUAWEI> system-view
[HUAWEI] undo ecc peer-public-key ecc-peer-key
Warning: The public key named ecc-peer-key will be deleted. Continue? [Y/N]:Y
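The DSA entry above notes that keys from OpenSSH, PuTTY/SecureCRT and OpenSSL arrive in different encodings, and the ECC example above pastes an ecdsa key as an SSH2 PEM block. The following Python is an added example, not Huawei code: it converts an OpenSSH one-line public key into the RFC 4716 block that the encoding-type pem view accepts and back, and checks the SSH wire blob (key type string, curve name, point length) before it is pasted. The sample nistp521 key is constructed for illustration and is not a valid curve point; the comment string, function names and 64-column wrapping are this example's own choices.

```python
# Added example (not Huawei code): OpenSSH one-line <-> RFC 4716 "SSH2 PUBLIC KEY"
# conversion with a structural check of the key blob before it is pasted.
import base64
import struct
import textwrap

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

# Uncompressed point length (0x04 || X || Y) for the curves the ECC commands
# offer: 256-bit -> 65 bytes, 384-bit -> 97, 521-bit -> 133.
CURVE_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH 'string' field: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def parse_ssh_strings(blob: bytes) -> list:
    """Split a decoded key blob into its string fields (RFC 4251 section 5)."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[off:off + n])
        off += n
    return fields


def check_blob(key_type: str, blob: bytes) -> dict:
    """Verify the blob matches its declared key type; return what was found."""
    fields = parse_ssh_strings(blob)
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside the blob differs from the declared type")
    info = {"type": key_type, "fields": len(fields)}
    if key_type.startswith("ecdsa-sha2-"):
        if len(fields) != 3:
            raise ValueError("ECDSA blob must hold type, curve and point")
        curve, point = fields[1].decode(), fields[2]
        if curve != key_type[len("ecdsa-sha2-"):]:
            raise ValueError("curve name does not match the key type")
        want = CURVE_POINT_LEN.get(curve)
        if want is None or len(point) != want or point[0] != 0x04:
            raise ValueError(f"{curve} point must be {want} bytes and uncompressed")
        info["curve"] = curve
    return info


def inspect_openssh(line: str) -> dict:
    """Decode 'type base64 [comment]' and validate the blob."""
    key_type, b64 = line.split()[:2]
    return check_blob(key_type, base64.b64decode(b64, validate=True))


def is_valid_openssh(line: str) -> bool:
    try:
        inspect_openssh(line)
        return True
    except ValueError:
        return False


def openssh_to_rfc4716(line: str) -> str:
    """Emit the block to paste line by line after public-key-code begin."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    check_blob(key_type, blob)
    body = textwrap.wrap(base64.b64encode(blob).decode(), 64)
    return "\n".join([BEGIN, *body, END])


def rfc4716_to_openssh(block: str) -> str:
    """Reverse direction; header lines such as 'Comment: ...' are dropped."""
    lines = [l.strip() for l in block.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing RFC 4716 begin or end line")
    body = "".join(l for l in lines[1:-1] if ":" not in l)  # base64 never has ':'
    blob = base64.b64decode(body, validate=True)
    key_type = parse_ssh_strings(blob)[0].decode()
    check_blob(key_type, blob)
    return f"{key_type} {base64.b64encode(blob).decode()}"


def build_ecdsa_line(curve: str, point: bytes, comment: str = "lab@example") -> str:
    """Assemble an OpenSSH line from raw parts (used here to build sample input)."""
    blob = (ssh_string(f"ecdsa-sha2-{curve}".encode())
            + ssh_string(curve.encode()) + ssh_string(point))
    return f"ecdsa-sha2-{curve} {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: a syntactically valid nistp521 blob, not a real curve point.
SAMPLE_P521 = build_ecdsa_line(
    "nistp521", b"\x04" + bytes(range(1, 67)) + bytes(range(67, 133)))

if __name__ == "__main__":
    print(inspect_openssh(SAMPLE_P521))
    print(openssh_to_rfc4716(SAMPLE_P521))
```

The output of openssh_to_rfc4716 is pasted one line at a time in the key-code view, exactly as in the example above. A blob whose point length does not match its curve name is rejected before anything reaches the device; the same structural checks can be extended to ssh-rsa or ssh-dss blobs, whose remaining fields are mpints.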
free http user-id
Parameters
Parameter | Description | Value |
---|---|---|
user-id | Specifies the VTY ID of a web user to be released. You can run the display users command to query the VTY ID. | The value is an integer that ranges from 1 to 256. |
Usage Guidelines
Usage Scenario
A maximum of five web users are supported at present. If a web user's session ends abnormally (for example, the browser is closed without logging out), the device keeps that user's connection to the web server until it times out, and during this period no additional user can log in. To release such a web user manually, run the free http user-id command.
Precautions
The free http user-id command releases web users only. The user-id values of web users range from 89 to 93, and a maximum of five users can be online concurrently. If you set user-id to a value smaller than 89 or greater than 93, the message "Error: The specified user does not exist or is not an HTTP user." is displayed.
http acl
Function
The http acl command configures an ACL/ACL6 on the HTTPS server.
The undo http acl command deletes the ACL/ACL6 on the HTTPS server.
By default, no ACL/ACL6 is configured on the HTTPS server.
Format
HTTPS IPv4:
http acl acl-number
undo http acl
HTTPS IPv6:
http ipv6 acl acl6-number
undo http ipv6 acl
Parameters
Parameter | Description | Value |
---|---|---|
acl-number | Specifies the ACL number for an HTTP IPv4 server. | The value is an integer that ranges from 2000 to 3999. |
acl6-number | Specifies the ACL6 number for an HTTP IPv6 server. | The value is an integer that ranges from 2000 to 3999. |
Usage Guidelines
Usage Scenario
To ensure the security of an HTTPS server, you need to configure an ACL/ACL6 for it to specify clients that can log in to the current HTTPS server.
Precautions
The http acl command takes effect only after you run the rule command to configure the ACL/ACL6 rule.
After an ACL/ACL6 rule is modified, the HTTPS server does not forcibly log out an online user who no longer matches a permit rule; the new rule is applied when that user sends the next login request.
If the http acl command is configured several times, only the latest configuration takes effect.
Example
# Set the ACL number to 2000 for the HTTPS IPv4 server.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule 1 permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] http acl 2000
# Set the ACL6 number to 2000 for the HTTPS IPv6 server.
<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule 1 permit source fc00:1::1 128
[HUAWEI-acl6-basic-2000] quit
[HUAWEI] http ipv6 acl 2000
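An added example, not Huawei code, modelling in Python how a basic ACL applied with http acl decides whether a client address may connect. It assumes (the page does not state these) that the last field of an IPv4 rule is a wildcard mask whose set bits are ignored and whose shorthand "0" means an exact host, that the last field of an IPv6 rule is a prefix length, that rules are tried in rule-number order with the first match deciding, that a source matching no rule is denied, and that an ACL with no rules leaves the server unfiltered, consistent with the precaution that http acl takes effect only once a rule exists. The rule lists are sample data: rule 1 of each ACL is taken from the examples above, the other rules are constructed, including one that shows the classic slip of typing a subnet mask where a wildcard belongs.

```python
# Added example (not Huawei code): model of basic-ACL source matching for a
# management service such as the HTTPS server. Assumptions are noted inline.
import ipaddress


def _wildcard_to_int(mask: str) -> int:
    # "0" is the CLI shorthand seen in the example above for 0.0.0.0 (exact host).
    return 0 if mask == "0" else int(ipaddress.IPv4Address(mask))


def _ipv4_hit(src: str, rule_src: str, wildcard: str) -> bool:
    # Wildcard semantics: a 1 bit means "don't care", so the bits that must be
    # equal are the complement of the wildcard (assumption, as on most vendors).
    care = ~_wildcard_to_int(wildcard) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == \
           (int(ipaddress.IPv4Address(rule_src)) & care)


def _ipv6_hit(src: str, rule_src: str, prefix_len: str) -> bool:
    # IPv6 rules carry a prefix length (128 in the example above = single host).
    net = ipaddress.IPv6Network(f"{rule_src}/{int(prefix_len)}", strict=False)
    return ipaddress.IPv6Address(src) in net


def evaluate(rules, src: str):
    """rules: (rule_id, action, source, wildcard_or_prefix) as typed with 'rule'.
    Returns (action, deciding_rule_id)."""
    if not rules:
        return "permit", None          # assumption: ACL without rules is not in effect
    is_v6 = ":" in src
    for rid, action, rule_src, mask in sorted(rules, key=lambda r: r[0]):
        if rule_src == "any":
            hit = True
        elif is_v6:
            hit = _ipv6_hit(src, rule_src, mask)
        else:
            hit = _ipv4_hit(src, rule_src, mask)
        if hit:
            return action, rid
    return "deny", None                # assumption: no match means no access


# acl 2000 from the example above (rule 1), extended with constructed rules 5 and 10.
ACL_2000 = [
    (1, "permit", "10.1.1.1", "0"),
    (5, "permit", "10.1.2.0", "0.0.0.255"),   # whole /24: wildcard, not a netmask
    (10, "deny", "any", None),
]
# acl ipv6 2000 from the example above.
ACL6_2000 = [(1, "permit", "fc00:1::1", "128")]
# Constructed: the subnet mask typed where the wildcard belongs.
ACL_MISTYPED = [(1, "permit", "10.1.2.0", "255.255.255.0")]

if __name__ == "__main__":
    for src in ("10.1.1.1", "10.1.2.77", "10.1.3.1"):
        print(src, evaluate(ACL_2000, src))
    for src in ("203.0.113.0", "10.1.2.5"):
        print("mistyped", src, evaluate(ACL_MISTYPED, src))
```

With the mistyped rule, only the last octet is compared, so 203.0.113.0 is permitted and 10.1.2.5 is denied, the opposite of what the operator intended. Checking a candidate ACL against a few known-good and known-bad addresses like this, before applying it to a management service, catches that class of error without locking anyone out.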
http secure-server enable
Function
The http secure-server enable command enables the HTTPS service function.
The undo http secure-server enable command disables the HTTPS service function.
The http secure-server disable command disables the HTTPS service function.
By default, the HTTPS IPv4 service function is enabled, and the HTTPS IPv6 service function is disabled.
Format
http [ ipv6 ] secure-server enable
undo http [ ipv6 ] secure-server enable
http [ ipv6 ] secure-server disable
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Enables or disables the HTTPS IPv6 service function. If this parameter is not specified, the HTTPS IPv4 service function is enabled or disabled. |
- |
Usage Guidelines
Usage Scenario
After an SSL policy is loaded to an HTTPS server, the HTTPS server provides HTTPS service using SSL. The client and HTTPS server establish an SSL connection to protect user information from theft.
Prerequisites
The web page file has been loaded to the device.
Precautions
After the HTTPS service is enabled, only authenticated users can use the web browser to access the web network management system to manage devices.
After the HTTPS service is enabled, the SSL handshake negotiation is triggered.
After the http secure-server enable command is run, the device receives login connection requests from all interfaces by default. Therefore, there are security risks. You are advised to run the http server-source command to specify the source interface of the HTTP server.
http secure-server port
Function
The http secure-server port command sets a port number for an HTTPS server.
The undo http secure-server port command restores the default port number of an HTTPS server.
By default, the port number of an HTTPS server is 443.
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Specifies the port number for an HTTPS IPv6 server. If this parameter is not specified, the command sets the port number for an HTTPS IPv4 server. | - |
port-number | Specifies the port number of an HTTPS server. | The value is 443 or an integer that ranges from 1025 to 55535. |
Usage Guidelines
Usage Scenario
By default, the port number of an HTTPS server is 443. Attackers may repeatedly probe that well-known port, consuming bandwidth, degrading server performance, and preventing authorized users from accessing the server. You can run the http secure-server port command to move the server to another port. Changing the port only reduces opportunistic scanning and is not an access control: combine it with the http acl and http server-source commands.
Precautions
If the http secure-server port command is configured several times, only the latest configuration takes effect.
http secure-server ssl-policy
Function
The http secure-server ssl-policy command configures an SSL policy for the HTTP server.
The undo http secure-server ssl-policy command restores the default SSL policy for the HTTP server.
A default SSL policy is available on an HTTP server.
Parameters
Parameter | Description | Value |
---|---|---|
policy-name | Specifies the name of an SSL policy. | The value is a string of 1 to 23 case-insensitive characters without spaces. The value can contain digits, letters, and underscores (_). |
Usage Guidelines
Usage Scenario
Traditional HTTP transmits data in plaintext, which can be intercepted and tampered with, and it cannot authenticate the server's identity, so a plain HTTP server cannot protect the data of applications such as e-commerce and online banking. Run the http secure-server ssl-policy command to configure an SSL policy for the HTTP server so that data is encrypted, the identity is authenticated, and message integrity is checked during web access.
Prerequisites
Before running the http secure-server ssl-policy command, you must first run the ssl policy command to create an SSL policy on the HTTP server.
Precautions
The device provides a default SSL policy named Default. After the web page file is loaded to the device, the default SSL policy is loaded automatically, so you do not need to configure an SSL policy for HTTPS to work. To enhance device security, it is recommended that you obtain a new digital certificate from a CA and manually configure an SSL policy that uses it.
Only one SSL policy can be configured for the HTTP server, and the latest configured SSL policy takes effect.
http server enable
Function
The http server enable command enables the HTTP server function.
The undo http server enable command disables the HTTP server function.
The http server disable command disables the HTTP server function.
By default, the HTTP IPv4 server function is enabled, and the HTTP IPv6 server function is disabled.
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Enables or disables the HTTP IPv6 server function. If this parameter is not specified, the HTTP IPv4 server function is enabled or disabled. | - |
Usage Guidelines
Usage Scenario
After running the http server enable command to enable the HTTP server, you can use the browser to access the web NMS to manage devices.
If the web page to load does not exist, the HTTP service cannot be enabled.
Prerequisites
The HTTPS service has been enabled using the http secure-server enable command.
Precautions
After the http server enable command is run, the device receives login connection requests from all interfaces by default. Therefore, there are security risks. You are advised to run the http server-source command to specify the source interface of the HTTP server.
Example
# Enable the HTTP IPv4 server.
<HUAWEI> system-view
[HUAWEI] http secure-server enable
[HUAWEI] http server enable
Warning: HTTP is not a secure protocol, and it is recommended to use HTTPS.
Info: Succeeded in starting the HTTP server.
# Enable the HTTP IPv6 server.
<HUAWEI> system-view
[HUAWEI] http ipv6 secure-server enable
[HUAWEI] http ipv6 server enable
Warning: HTTP is not a secure protocol, and it is recommended to use HTTPS.
Info: Succeeded in starting the HTTP IPv6 server.
http server load
Function
The http server load command loads a web page file.
The undo http server load command cancels loading of a specified web page file.
By default, the web page file in the system software has been loaded to the system.
Parameters
Parameter | Description | Settings |
---|---|---|
file-name | Specifies the name of the web page file to load. The web page file must be stored in the root directory of the storage device. | The value is a string of 4 to 64 characters without spaces. The file name is in the *.web.7z format. |
default | Specifies the web page file in the current system software that is to be loaded. | – |
Usage Guidelines
Usage Scenario
If you need to manage and maintain devices through the graphical user interface (GUI), configure the web network management function. To update the web page file while the web network management function is in use, run this command to load the new web page file.
Prerequisites
Before loading the web page file using the http server load command, ensure that the web page file has been stored to the root directory of the storage device on the device; otherwise, file loading will fail.
Precautions
If the system software is upgraded from V200R006 or an earlier version to V200R007 or a later version, but the target software version conflicts with the configuration file for next startup, the device will cancel the configuration of loading the web page file in the original system software after the upgrade, and loads the web page file integrated in the new system software by default.
The web page file contains the SSL certificate, which is used to authenticate the HTTP server during login to ensure information security. When a user attempts to log in to the device through HTTP, the HTTPS login page is pushed to the user. After the user is authenticated, the system returns to the HTTP page. The SSL certificate is also used in the HTTPS login mode to ensure security of user information and data exchanged between the client and server. You can load a new digital certificate to the device.
If the loaded web page file does not exist, the HTTP service cannot be enabled when the device restarts.
To disable a loaded web page file, you must load another file.
http server port
Function
The http server port command sets the listening port number of the HTTP server.
The undo http server port command restores the default listening port number of the HTTP server.
By default, the listening port number of the HTTP server is 80.
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Specifies a listening port number for an HTTP IPv6 server. If this parameter is not specified, the command configures a listening port number for an HTTP IPv4 server. | - |
port-number | Specifies the listening port number of the HTTP server. | The value is 80, or an integer that ranges from 1025 to 55535. The default value is 80. |
Usage Guidelines
Usage Scenario
By default, the listening port number of the HTTP server is 80. Attackers may repeatedly probe the default listening port, which wastes bandwidth, degrades server performance, and prevents authorized users from accessing the HTTP server. You can run the http server port command to specify another listening port number; as with the HTTPS port, this only reduces opportunistic scanning and should be combined with an ACL and a source interface.
Precautions
If the http server port command is configured several times, only the latest configuration takes effect.
http server-source
Function
The http server-source command specifies a source interface for an HTTP server.
The undo http server-source command cancels the source interface specified for an HTTP server.
By default, no source interface is specified for an HTTP server.
Parameters
Parameter | Description | Value |
---|---|---|
-i loopback interface-number | Specifies a loopback interface as the source interface of an HTTP server. | - |
Usage Guidelines
Usage Scenario
By default, an HTTP server accepts login requests from all interfaces, so the system is vulnerable to attacks. To enhance system security, specify a source interface for the HTTP server, so that only authorized users can log in to the server from this interface.
Prerequisites
A loopback interface has been configured.
Configuration Impact
Users can log in to an HTTP server only from the specified source interface.
After you run http server-source command, the HTTP IPv4 user that has logged in to the server will be forcibly logged out and needs to log in again.
Precautions
After the source interface of an HTTP server is specified using the http server-source command, ensure that HTTP users can access the source interface at Layer 3. Otherwise, the HTTP users will fail to log in to the HTTP server.
http timeout
Function
The http timeout command sets the idle timeout duration of the web server.
The undo http timeout command restores the default idle timeout duration of the web server.
By default, the idle timeout duration of the web server is 20 minutes.
Parameters
Parameter | Description | Value |
---|---|---|
timeout | Specifies the idle timeout duration of the web server for online users. | The value is an integer that ranges from 1 to 60, in minutes. |
Usage Guidelines
Usage Scenario
A maximum of five web users are supported at present. Once five web users are logged in, no other user can log in, even if some of the five have performed no operation for a long time. The idle timeout duration is configured so that such idle web sessions are released in time. If a session must stay idle for a long time without being disconnected, set the idle timeout duration to the maximum value.
Precautions
After you run the http timeout command, the same idle timeout duration applies to all web users who log in to the web server. When the idle timeout duration expires, the user is disconnected from the web server, but the web server only notifies the user when the user sends the next request.
If the http timeout command is configured several times, only the latest configuration takes effect.
lock
Function
The lock command locks the current user interface to prevent unauthorized users from operating the interface.
By default, the system does not automatically lock the current user interface.
Usage Guidelines
Usage Scenario
Lock the current user interface using this command to prevent other users from operating the interface. The user interface can be console or VTY.
After you run the lock command, you are prompted to enter a password and then to confirm it. If the two entries match, the user interface is locked.
Precautions
- The password must meet the following requirements:
  - It is a string of 8 to 16 case-sensitive characters.
  - It contains at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.
  - Special characters do not include the question mark (?) and the space.
- The password entered in interactive mode is not displayed on the screen.
- You can press Ctrl+C to cancel the password-based locking operation.
- To unlock the user interface, press Enter, and then enter the correct password as prompted.
Example
# Lock the current user interface after logging in through the console port.
<HUAWEI> lock
Please configure the login password (8-16)
Enter Password:
Confirm Password:
Info: The terminal is locked.
# To log in to the system again, press Enter. The following information is displayed:
Enter Password:
# Enter the correct password and return to the user view.
<HUAWEI>
matched upper-view
Function
The matched upper-view command allows a device to search for the undo command in the upper view, and returns to the upper view.
The undo matched upper-view command prohibits a device from searching for the undo command in the upper view.
By default, a device does not search for the undo command in the upper view.
Usage Guidelines
If the matched upper-view command has been run and you enter an undo command that is not registered in the current view, the device searches for that undo command in the upper view. If it finds the command there, it executes it in the upper view; otherwise it continues searching upward, view by view, until it reaches the system view.
Running this command brings security risks, because a command meant for the current view can silently take effect in a parent view. For example, if you run the undo ftp server command in the interface view, where it is not registered, the device searches the upper view (the system view), finds the command there, and disables the FTP server.
The matched upper-view command is valid only for the login user who runs it.
Example
# Allow a device to search for the undo command in the upper view.
<HUAWEI> system-view
[HUAWEI] matched upper-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo ftp server
Info: Succeeded in closing the FTP server.
# Prohibit a device from searching for the undo command in the upper view.
<HUAWEI> system-view
[HUAWEI] undo matched upper-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo ftp server
                                   ^
Error: Unrecognized command found at '^' position.
peer-public-key end
Function
The peer-public-key end command returns to the system view from the public key view and saves the configured public keys.
Usage Guidelines
Usage Scenario
The public key generated on the remote host must be saved on the local host so that the local host can verify the remote host's signature and the validity check succeeds. After editing a public key in the public key view, run this command to return to the system view.
Prerequisites
Before you run this command, the rsa peer-public-key command has been run to enter the RSA public key view, the dsa peer-public-key command has been run to enter the DSA public key view, or the ecc peer-public-key command has been run to enter the ECC public key view.
Example
# Return to the system view from the public key view.
<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]
public-key-code begin
Usage Guidelines
Usage Scenario
To ensure that the remote host passes the validity check performed by the local host, the public key generated on the remote host must be saved to the local host. To save the public key, run the public-key-code begin command to enter the public key editing view and then enter the key. The key characters can contain spaces. You can also press Enter to enter data in another line.
Prerequisite
A key name has been specified using the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command.
Precautions
- The public key must be entered in the encoding format selected when the key name was created (a hexadecimal string for DER, base-64 text for PEM or OpenSSH) and must have been generated by a client or server that supports SSH.
- The public key displayed using the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command can be used as the key data to enter.
Example
# Enter the DSA public key editing view and enter the key data.
<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]
public-key-code end
Function
The public-key-code end command returns to the public key view from the public key editing view and saves the configured public key.
Usage Guidelines
Usage Scenario
- If there are illegal characters in the public key configured by the user, the system displays an error prompt. The public key is then discarded, and the configuration fails.
- If the public key configured is valid, it is saved in the public key chain table of the host.
Prerequisites
Before you run this command, the public-key-code begin command has been run to enter the public key edit view.
Precautions
- Generally, in the public key view, only the public-key-code end command can be used to exit. The quit command cannot be used.
- If no valid key coding is input, the key cannot be generated after the public-key-code end command is used. The system prompts that key generation fails.
- If the key has been deleted in another window, when you run the public-key-code end command, the system prompts that the key does not exist and returns to the system view.
Example
# Exit the DSA public key editing view and save the DSA key configuration.
<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]
rsa local-key-pair create
Function
The rsa local-key-pair create command generates the local RSA host and server key pairs.
By default, the local RSA host and server key pairs are not configured.
Usage Guidelines
Usage Scenario
To implement secure data exchange between the server and client, run the rsa local-key-pair create command to generate a local key pair.
Precautions
If the RSA key pair exists, the system prompts you to confirm whether to replace the original key pair. The keys in the new key pair are named device name_Server and device name_Host, for example, HUAWEI_Host and HUAWEI_Server. After being encrypted by AES256, the local RSA private key is saved to the hostkey and serverkey files in the system NOR FLASH.
After you run this command, the system prompts you to enter the number of bits in the host key. The difference between the bits in the server and host key pairs must be at least 128 bits. The length of the server or host key pair is 2048 bits.
After you run this command, the generated key pair is saved in the device and will not be lost after the device restarts.
To improve security of the device, it is recommended that you use a key pair of 2048 bits.
This command is not saved in a configuration file.
Example
# Generate the local RSA host and server key pairs.
<HUAWEI> system-view
[HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
rsa local-key-pair destroy
Usage Guidelines
Usage Scenario
To delete the local key pairs, run the rsa local-key-pair destroy command. If the host key pair and server key pair of an SSH server are deleted, run the rsa local-key-pair create command to create a new host key pair and server key pair for the SSH server.
After you run this command, verify that all local RSA keys are deleted. This command is not saved in a configuration file.
Prerequisite
The local RSA key pairs that can be deleted exist.
rsa peer-public-key
Function
The rsa peer-public-key command configures an encoding format for an RSA public key and displays the RSA public key view.
The undo rsa peer-public-key command deletes an RSA public key.
By default, the encoding format is distinguished encoding rules (DER) for an RSA public key.
Format
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
undo rsa peer-public-key key-name
Parameters
Parameter | Description | Value |
---|---|---|
key-name | Specifies the RSA public key name. | The value is a string of 1 to 30 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
encoding-type | Specifies the encoding format of an RSA public key. | - |
der | Specifies the DER format of an RSA public key. DER encodes data in hexadecimal format. | - |
openssh | Specifies the OpenSSH format of an RSA public key. OpenSSH encodes data in base-64 format. OpenSSH is an encoding format based on PEM. | - |
pem | Specifies the PEM format of an RSA public key. PEM encodes data in base-64 format. | - |
Usage Guidelines
Usage Scenario
When you use an RSA public key for authentication, you must specify the public key of the corresponding client for an SSH user on the server. When the client logs in to the server, the server uses the specified public key to authenticate the client. You can also save the public key generated on the server to the client. Then the client can be successfully authenticated by the server when it logs in to the server for the first time.
Huawei data communications devices support the DER, OpenSSH and PEM formats for RSA keys. If you use an RSA key in non-DER/OpenSSH/PEM format, use a third-party tool to convert the key into a key in DER, OpenSSH or PEM format.
Because such a third-party tool is not released with Huawei system software, supporting DER alone makes RSA keys inconvenient to use. RSA keys therefore also need to support the privacy-enhanced mail (PEM) and OpenSSH formats.
- SecureCRT and PuTTY generate RSA keys in PEM format.
- OpenSSH generates RSA keys in OpenSSH format.
- OpenSSL generates RSA keys in DER format.
OpenSSL is open source software; its documentation can be downloaded from the OpenSSL official website.
After you configure an encoding format for an RSA public key, the Huawei data communications device automatically generates an RSA public key in the configured encoding format and enters the RSA public key view. You can then run the public-key-code begin command and manually copy the RSA public key generated on the peer device to the local device.
Prerequisite
The RSA public key in hexadecimal notation on the remote host has been obtained and recorded.
Follow-up Procedure
- Run the public-key-code end command to return to the RSA public key view.
- Run the peer-public-key end command to exit the RSA public key view and return to the system view.
Precautions
If an RSA public key has been assigned to an SSH client, run the undo ssh user user-name assign { rsa-key | dsa-key | ecc-key } command to release the binding between the public key and the SSH client. If you do not release the binding, the undo rsa peer-public-key command will fail to delete the RSA public key.
The peer public key supports only PKCS#1. Other PKCS versions are not supported.
Example
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key rsakey001
[HUAWEI-rsa-public-key]
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key RsaKey001 encoding-type openssh
[HUAWEI-rsa-public-key]
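The format conversion that the public-key-code begin and rsa peer-public-key sections describe, as an added example that is not Huawei code: it takes an OpenSSH-format (base-64) RSA public key, re-encodes it as the PKCS#1 RSAPublicKey DER hex that the editing view accepts, prints it in the grouped form the examples above use, and parses DER back to check it is really PKCS#1. The sample modulus is constructed, not a real key, and the grouping of the hex is cosmetic (the view accepts spaces and line breaks).

```python
"""Re-encode an OpenSSH-format (base-64) RSA public key as the PKCS#1 RSAPublicKey
DER hex that the public-key-code begin view accepts. Added example, not Huawei code."""
import base64
import hashlib
import struct
from typing import List, Tuple

def _ssh_string(data: bytes) -> bytes:
    # SSH wire 'string': 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _twos_complement_be(value: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer, shared by SSH mpint
    and DER INTEGER: a 0x00 byte is prepended when the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    return b"\x00" + raw if raw[0] & 0x80 else raw

def build_openssh_rsa_line(n: int, e: int, comment: str = "constructed") -> str:
    # Assemble an 'ssh-rsa AAAA... comment' line, as OpenSSH writes it.
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(_twos_complement_be(e))
            + _ssh_string(_twos_complement_be(n)))
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment

def _read_ssh_string(buf: bytes, pos: int) -> Tuple[bytes, int]:
    if pos + 4 > len(buf):
        raise ValueError("truncated SSH string length")
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    if pos + 4 + length > len(buf):
        raise ValueError("truncated SSH string body")
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def parse_openssh_rsa(line: str) -> Tuple[int, int]:
    """Return (n, e) from an OpenSSH public key line; reject anything else."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    alg, pos = _read_ssh_string(blob, 0)
    if alg != b"ssh-rsa":
        raise ValueError("key type inside the blob is not ssh-rsa")
    e_raw, pos = _read_ssh_string(blob, pos)
    n_raw, pos = _read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def _der_length(length: int) -> bytes:
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw

def _der_integer(value: int) -> bytes:
    body = _twos_complement_be(value)
    return b"\x02" + _der_length(len(body)) + body

def pkcs1_rsa_public_key_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body

def _read_der_tlv(buf: bytes, pos: int, tag: int) -> Tuple[bytes, int]:
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("indefinite or truncated DER length")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return buf[pos:pos + length], pos + length

def parse_pkcs1_rsa_public_key(der: bytes) -> Tuple[int, int]:
    """Accept exactly SEQUENCE { INTEGER, INTEGER }: the page says only PKCS#1 works."""
    body, end = _read_der_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the SEQUENCE")
    n_raw, pos = _read_der_tlv(body, 0, 0x02)
    e_raw, pos = _read_der_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("extra fields: not a PKCS#1 RSAPublicKey")
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def key_code_lines(der: bytes, per_line: int = 5) -> List[str]:
    """Upper-case hex in 8-digit groups, five per line, as the reference shows it."""
    hexstr = der.hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return [" ".join(groups[i:i + per_line]) for i in range(0, len(groups), per_line)]

def openssh_to_key_code(line: str) -> List[str]:
    """What to type after public-key-code begin for a key taken from OpenSSH."""
    return key_code_lines(pkcs1_rsa_public_key_der(*parse_openssh_rsa(line)))

# Constructed sample: NOT a real key, a deterministic 1024-bit odd number whose
# top bit is set so that the sign-byte rule above is exercised.
SAMPLE_E = 65537
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed sample").digest() * 2, "big") | (1 << 1023) | 1

if __name__ == "__main__":
    for code_line in openssh_to_key_code(build_openssh_rsa_line(SAMPLE_N, SAMPLE_E)):
        print(code_line)
```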
run
Function
The run command runs a user view command in the system view.
By default, a user view command cannot be run in the system view.
Usage Guidelines
Usage Scenario
Some commands can be run only in the user view. To run these commands, you must return to the user view first. To facilitate command execution, the device allows you to run the run command to run such commands in the other views without returning to the user view.
Precautions
- The command specified in the run command must be one that can be run in the user view.
- When you run the run command, the association help function is unavailable.
- When you check the command history on the device using the display history-command command, only the commands that you enter are recorded. The command format is run command-line.
- When you check log information in the SHELL/5/CMDRECORD log, only the commands that are actually run are recorded in logs. The command format is run command-line.
Example
# Run the dir *.cfg command to check the .cfg file in the system view.
<HUAWEI> system-view
[HUAWEI] run dir *.cfg
Directory of cfcard:/
Idx Attr Size(Byte) Date Time FileName
0 -rw- 11,970 Mar 14 2012 19:11:22 31.cfg
1 -rw- 12,033 Apr 22 2012 17:10:30 31_new.cfg
509,256 KB total (118,784 KB free)
send
Parameters
Parameter | Description | Value |
---|---|---|
all | Specifies that the device sends messages to all user interfaces. | - |
ui-number | Specifies the absolute number of a user interface. | The minimum value is 0. The maximum value is the number of the user interfaces that the device supports minus 1. |
ui-type | Specifies the type of a user interface. | - |
ui-number1 | Specifies the relative number of a user interface. | - |
Usage Guidelines
After you run the send command on a device, the device prompts you to enter a message to send. After you confirm that the message is to be sent, the user who logs in to the device from the specified user interface receives it.
Example
# Send a message to the user interface VTY 0.
<HUAWEI> send vty 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C: Hello, good morning!
Warning: Send the message? [Y/N]: y
# After you confirm that the message is to be sent, the user who logs in to HUAWEI from VTY 0 receives it.
<HUAWEI>
Info: Receive a message from VTY2:Hello, good morning!
ssh authentication-type default password
Function
The ssh authentication-type default password command configures password authentication as the default authentication mode for SSH users.
The undo ssh authentication-type default password command cancels the default password authentication mode for SSH users.
By default, the default authentication mode of SSH users is password authentication.
Usage Guidelines
Usage Scenario
When there are multiple SSH users, the default password authentication mode simplifies the configuration.
When a TACACS server is used to authenticate a user who uses SSH to log in to a device, the network administrator must specify the SSH user on the TACACS server. In most cases, the SSH server cannot obtain the user information from the TACACS server. In this situation, you can set the authentication mode to password. SSH users can then directly log in to the device without additional SSH user configurations on the device.
Precautions
To configure password authentication for a specific SSH user, you can also run the ssh user user-name authentication-type password command.
ssh client assign
Function
The ssh client assign command specifies the host public key of an SSH server on an SSH client.
The undo ssh client assign command cancels the specified host public key of the SSH server on the SSH client.
By default, the host public key of a server is not specified on clients.
Format
ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname
undo ssh client servername assign { rsa-key | dsa-key | ecc-key }
Parameters
Parameter | Description | Value |
---|---|---|
servername | Specifies the host name or IP address of an SSH server. | The value is a string of 1 to 255 characters without spaces. |
rsa-key | Specifies the RSA public key. | - |
dsa-key | Specifies the DSA public key. | - |
ecc-key | Specifies the ECC public key. | - |
keyname | Specifies the SSH server public key name that has been configured on an SSH client. | The value is a string of 1 to 30 case-insensitive characters without spaces. |
Usage Guidelines
Usage Scenario
If an SSH client connects to an SSH server for the first time and first authentication is not enabled on the SSH client using the ssh client first-time enable command, the SSH client must determine whether the server is reliable. To do so, run the ssh client assign command to specify the host public key of the SSH server and the mapping between the key and SSH server on the SSH client. The client then uses the correct public key to determine whether the server is reliable based on the mapping.
Precautions
The RSA, DSA, or ECC public key to be assigned to the SSH server must have been configured on the SSH client using the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command. If the key has not been configured, the verification for the RSA, DSA, or ECC public key of the SSH server on the SSH client fails.
ssh client cipher
Function
The ssh client cipher command configures an encryption algorithm list for an SSH client.
The undo ssh client cipher command restores the default encryption algorithm list of an SSH client.
By default, an SSH client supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.
Format
ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr } *
undo ssh client cipher
Parameters
Parameter | Description | Value |
---|---|---|
des_cbc | Specifies the CBC DES encryption algorithm. | - |
3des_cbc | Specifies the CBC 3DES encryption algorithm. | - |
aes128_cbc | Specifies the CBC AES128 encryption algorithm. | - |
aes256_cbc | Specifies the CBC AES256 encryption algorithm. | - |
aes128_ctr | Specifies the CTR AES128 encryption algorithm. | - |
aes256_ctr | Specifies the CTR AES256 encryption algorithm. | - |
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client cipher command to configure an encryption algorithm list for the SSH client. After the SSH server receives a packet from the client, the server matches the encryption algorithm list of the client against its local list and selects the first matched encryption algorithm. If no encryption algorithm matches, the negotiation fails.
Precautions
The security levels of encryption algorithms are as follows, from high to low: aes256_ctr, aes128_ctr, aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc.
aes256_cbc, aes128_cbc, 3des_cbc and des_cbc provide weak security. Therefore, they are not recommended in the encryption algorithm list.
ssh client first-time enable
Function
The ssh client first-time enable command enables the first authentication function on an SSH client.
The undo ssh client first-time enable command disables the first authentication function on the SSH client.
By default, the first authentication function is disabled on the SSH client.
Usage Guidelines
Usage Scenario
When an SSH client accesses an SSH server for the first time and the public host key of the SSH server is not configured on the SSH client, run the ssh client first-time enable command to enable the first authentication function. The SSH client then can access the SSH server and save the public host key on the SSH client. When the SSH client accesses the SSH server next time, the saved public host key is used to authenticate the SSH server.
Precautions
To log in to the SSH server successfully at the first time, you can also run the ssh client assign command to pre-assign a public host key to the SSH server.
ssh client hmac
Function
The ssh client hmac command configures an HMAC algorithm list for an SSH client.
The undo ssh client hmac command restores the default HMAC algorithm list of an SSH client.
By default, an SSH client supports all HMAC algorithms.
Format
ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
undo ssh client hmac
Parameters
Parameter | Description | Value |
---|---|---|
md5 | Specifies the HMAC MD5 algorithm. | - |
md5_96 | Specifies the HMAC MD5_96 algorithm. | - |
sha1 | Specifies the HMAC SHA1 algorithm. | - |
sha1_96 | Specifies the HMAC SHA1_96 algorithm. | - |
sha2_256 | Specifies the HMAC SHA2_256 algorithm. | - |
sha2_256_96 | Specifies the HMAC SHA2_256_96 algorithm. | - |
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh client hmac command to configure an HMAC algorithm list for the SSH client. After the SSH server receives a packet from the client, the server matches the list of the client against its local list and selects the first matched HMAC algorithm. If no HMAC algorithm matches, the negotiation fails.
Precautions
The security levels of HMAC algorithms are as follows, from high to low: sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96.
sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC algorithm list.
ssh client key-exchange
Function
The ssh client key-exchange command configures a key exchange algorithm list on an SSH client.
The undo ssh client key-exchange command restores the default configuration.
By default, an SSH client supports all key exchange algorithms.
Format
ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *
undo ssh client key-exchange
Parameters
Parameter | Description | Value |
---|---|---|
dh_group_exchange_sha1 | Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. | - |
dh_group14_sha1 | Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. | - |
dh_group1_sha1 | Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. | - |
Usage Guidelines
Usage Scenario
The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.
Precautions
The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.
ssh server acl
Function
The ssh server acl command configures an ACL that the SSH server uses to control the access permission of SSH clients.
The undo ssh server acl command cancels the configured ACL of the SSH server.
By default, no ACL is configured for SSH servers.
Parameters
Parameter | Description | Value |
---|---|---|
acl-number | Specifies an ACL number. | The value is an integer that ranges from 2000 to 3999. |
Usage Guidelines
Usage Scenario
- STelnet server: controls which clients can log in to this server through STelnet.
- SFTP server: controls which clients can log in to this server through SFTP.
- SCP server: controls which clients can log in to this server through SCP.
Prerequisites
An ACL has been configured using the acl (system view) command in the system view, and an ACL rule has been configured using the rule (basic ACL view) or rule (advanced ACL view) command.
Precautions
A basic ACL can be configured to restrict source addresses. An advanced ACL can be configured to restrict source and destination addresses.
ssh server authentication-retries
Function
The ssh server authentication-retries command sets the maximum number of authentication retries for an SSH connection.
The undo ssh server authentication-retries command restores the default maximum number of authentication retries for an SSH connection.
The default maximum number of authentication retries for an SSH connection is 3.
Parameters
Parameter | Description | Value |
---|---|---|
times | Specifies the maximum number of authentication retries for an SSH connection. | The value is an integer that ranges from 1 to 5. |
Usage Guidelines
Usage Scenario
To configure the maximum number of authentication retries for an SSH connection, run the ssh server authentication-retries command. This prevents server overload due to numerous malicious access requests.
Precautions
The configured number of retries takes effect upon the next login.
ssh server authentication-type keyboard-interactive enable
Function
The ssh server authentication-type keyboard-interactive enable command enables keyboard interactive authentication on an SSH server.
The undo ssh server authentication-type keyboard-interactive enable command disables keyboard interactive authentication on an SSH server.
By default, keyboard interactive authentication is enabled on SSH servers.
Format
ssh server authentication-type keyboard-interactive enable
undo ssh server authentication-type keyboard-interactive enable
Usage Guidelines
Usage Scenario
To log in to the SSH server in keyboard interactive authentication mode, run the ssh server authentication-type keyboard-interactive enable command.
To log in to the SSH server in password authentication mode, run the undo ssh server authentication-type keyboard-interactive enable command to disable keyboard interactive authentication.
ssh server compatible-ssh1x enable
Function
The ssh server compatible-ssh1x enable command enables an SSH server to be compatible with earlier versions.
The undo ssh server compatible-ssh1x enable command disables an SSH server from being compatible with earlier versions.
By default, this function is disabled on unconfigured devices. After a device is upgraded, whether an SSH server is allowed to be compatible with earlier versions is determined by the configuration in the configuration file.
Usage Guidelines
Usage Scenario
The ssh server compatible-ssh1x enable command applies to scenarios where a client and a server negotiate with each other on a working version. After a TCP connection is set up between a client and a server, the client negotiates with the server on a version that both the client and server support.
The server compares its own version with that sent by the client and determines whether it can work with the client.
- If the protocol version on the client is earlier than 1.3 or later than 2.0, version negotiation fails and the server disconnects from the client.
- If the protocol version on the client is later than or equal to 1.3 and earlier than 1.99, the SSH1.5 server module is invoked, and the SSH1.X process is performed when the SSH1.X-compatible mode is configured. When the SSH1.X-incompatible mode is configured, version negotiation fails, and the server disconnects from the client.
- If the protocol version on the client is 1.99 or 2.0, the SSH2.0 server module is invoked, and the SSH2.0 process is performed.
Precautions
- If the SSH server is enabled to be compatible with earlier SSH versions, the device displays a security risk prompt.
The configuration takes effect upon the next login.
SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH 2.0 can eliminate the security risks that SSH 1.X has. SSH 2.0 is more secure and therefore is recommended.
If a device has empty configuration, the device delivers the undo ssh server compatible-ssh1x enable command to disable the SSH server's compatibility with earlier versions. If a device is upgraded, the SSH server's compatibility with earlier versions is the same as that in the configuration file.
- STelnet: The device supports SSH v1.99. That is, both SSH1 (SSH1.x) and SSH2 (SSH2.0) are supported. By default, SSH2 (SSH2.0) is supported.
- SFTP: Only SSH2 (SSH2.0) is supported.
- SCP: Only SSH2 (SSH2.0) is supported.
ssh server cipher
Function
The ssh server cipher command configures an encryption algorithm list for an SSH server.
The undo ssh server cipher command restores the default encryption algorithm list of an SSH server.
By default, an SSH server supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.
Format
ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | blowfish_cbc } *
undo ssh server cipher
Parameters
Parameter | Description | Value |
---|---|---|
des_cbc | Specifies the CBC DES encryption algorithm. | - |
3des_cbc | Specifies the CBC 3DES encryption algorithm. | - |
aes128_cbc | Specifies the CBC AES128 encryption algorithm. | - |
aes256_cbc | Specifies the CBC AES256 encryption algorithm. | - |
aes128_ctr | Specifies the CTR AES128 encryption algorithm. | - |
aes256_ctr | Specifies the CTR AES256 encryption algorithm. | - |
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. After the SSH server receives a packet from the client, the server matches the encryption algorithm list of the client against its local list and selects the first matched encryption algorithm. If no encryption algorithm matches, the negotiation fails.
Precautions
The security levels of encryption algorithms are as follows, from high to low: aes256_ctr, aes128_ctr, aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc.
aes256_cbc, aes128_cbc, 3des_cbc and des_cbc provide weak security. Therefore, they are not recommended in the encryption algorithm list.
ssh server dh-exchange min-len
Function
The ssh server dh-exchange min-len command configures the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.
The undo ssh server dh-exchange min-len command restores the default minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.
Parameters
Parameter | Description | Value |
---|---|---|
min-len | Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. | The value can be either 1024 or 2048, in bytes. |
Usage Guidelines
Usage Scenario
The Diffie-hellman-group-exchange key of 1024 bytes poses security risks. If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bytes, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bytes to improve security.
Precautions
Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than 2048 bytes. You are advised to set the minimum key length to 2048 bytes.
ssh server hmac
Function
The ssh server hmac command configures an HMAC algorithm list for an SSH server.
The undo ssh server hmac command restores the default HMAC algorithm list of an SSH server.
By default, an SSH server supports all HMAC algorithms.
Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
undo ssh server hmac
Parameters
Parameter | Description | Value |
---|---|---|
md5 | Specifies the HMAC MD5 algorithm. | - |
md5_96 | Specifies the HMAC MD5_96 algorithm. | - |
sha1 | Specifies the HMAC SHA1 algorithm. | - |
sha1_96 | Specifies the HMAC SHA1_96 algorithm. | - |
sha2_256 | Specifies the HMAC SHA2_256 algorithm. | - |
sha2_256_96 | Specifies the HMAC SHA2_256_96 algorithm. | - |
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh server hmac command to configure an HMAC algorithm list for the SSH server. After the server receives a packet from the client, the server matches the list of the client against its local list and selects the first matched HMAC algorithm. If no HMAC algorithm matches, the negotiation fails.
Precautions
The security levels of HMAC algorithms are as follows, from high to low: sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96.
sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC algorithm list.
ssh server key-exchange
Function
The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.
The undo ssh server key-exchange command restores the default configuration.
By default, an SSH server supports Diffie-hellman-group-exchange-sha1 and Diffie-hellman-group14-sha1 key exchange algorithms.
Format
ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *
undo ssh server key-exchange
Parameters
Parameter | Description | Value |
---|---|---|
dh_group_exchange_sha1 | Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
dh_group14_sha1 | Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
dh_group1_sha1 | Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. | - |
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the server receives a packet from the client, the server matches the key exchange algorithm list of the client against its local list and selects the first matched key exchange algorithm. If no key exchange algorithm matches, the negotiation fails.
Precautions
The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.
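The first-match negotiation that the ssh client/server cipher, hmac and key-exchange sections describe, as an added example that is not Huawei code: it simulates the selection from both sides' lists, audits a list against the security rankings given in those sections, and emits the hardened list in this page's command syntax. Two assumptions: the winning entry is the first in the client's list that the server also supports (the RFC 4253 name-list rule), and the default lists are taken in the order the page lists them.

```python
"""SSH algorithm negotiation as the cipher, hmac and key-exchange sections describe
it. Added example, not Huawei code: algorithm names and strongest-to-weakest
rankings are the page's own; default list orders are assumed from its listing."""
from typing import Dict, List, Optional, Set

# Rankings from the Precautions of the cipher, hmac and key-exchange commands,
# strongest first. WEAK holds the entries the page says are not recommended.
RANKING: Dict[str, List[str]] = {
    "cipher": ["aes256_ctr", "aes128_ctr", "aes256_cbc", "aes128_cbc", "3des_cbc", "des_cbc"],
    "hmac": ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"],
    "key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"],
}
WEAK: Dict[str, Set[str]] = {
    "cipher": {"aes256_cbc", "aes128_cbc", "3des_cbc", "des_cbc"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": set(),  # the page ranks these but labels none as weak
}

# Default lists as the page states them; preference order = listing order (assumed).
CLIENT_DEFAULT: Dict[str, List[str]] = {
    "cipher": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes256_ctr"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"],  # "all"
    "key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"],  # "all"
}
SERVER_DEFAULT: Dict[str, List[str]] = {
    "cipher": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes256_ctr"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"],
    "key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1"],
}

def negotiate(client: List[str], server: List[str]) -> Optional[str]:
    """First entry of the client's list that the server also supports
    (RFC 4253 name-list rule); None means the negotiation fails."""
    supported = set(server)
    for alg in client:
        if alg in supported:
            return alg
    return None

def negotiate_all(client: Dict[str, List[str]],
                  server: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Run the cipher, HMAC and key-exchange negotiations for one connection."""
    return {kind: negotiate(client[kind], server[kind]) for kind in RANKING}

def audit(kind: str, configured: List[str]) -> List[str]:
    """Entries of a configured list that this page marks as not recommended."""
    return [alg for alg in configured if alg in WEAK[kind]]

def harden(kind: str, configured: List[str]) -> List[str]:
    """Drop the weak entries and order the remainder strongest first."""
    kept = [alg for alg in configured if alg not in WEAK[kind]]
    return sorted(kept, key=RANKING[kind].index)

def render_command(side: str, kind: str, algs: List[str]) -> str:
    """The command that applies a list in this page's syntax, for example
    'ssh server cipher aes256_ctr aes128_ctr'."""
    return f"ssh {side} {kind} " + " ".join(algs)

if __name__ == "__main__":
    # With both sides at their defaults, a client that prefers 3DES gets it.
    print("defaults:", negotiate_all(CLIENT_DEFAULT, SERVER_DEFAULT))
    hardened = {kind: harden(kind, SERVER_DEFAULT[kind]) for kind in RANKING}
    for kind in RANKING:
        print(render_command("server", kind, hardened[kind]))
    # The same client against the hardened server can only land on a CTR cipher.
    print("hardened:", negotiate_all(CLIENT_DEFAULT, hardened))
    # A client offering only CBC ciphers is refused outright.
    print("cbc-only client:", negotiate(["3des_cbc", "aes128_cbc"], hardened["cipher"]))
```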
ssh server port
Function
The ssh server port command configures a listening port number for an SSH server.
The undo ssh server port command restores the default listening port number of an SSH server.
The default listening port number of the SSH server is 22.
Parameters
Parameter | Description | Value |
---|---|---|
port-number | Specifies the listening port number of the SSH server. | The value is 22 or an integer ranging from 1025 to 55535. |
Usage Guidelines
Usage Scenario
To prevent attackers from attacking the standard SSH listening port number, run the ssh server port command to configure a new listening port. This improves security.
Precautions
If the server is listening on port 22, the SSH client can log in successfully with no port specified. If the server is listening on another port, the port number must be specified.
Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.
After the ssh server port port-number command is run, both the IPv4 and IPv6 port numbers are changed. To change the IPv4 or IPv6 port number separately, run the ssh { ipv4 | ipv6 } server port port-number command.
ssh server rekey-interval
Function
The ssh server rekey-interval command sets the interval for updating the SSH server key pair.
The undo ssh server rekey-interval command restores the default interval for updating the SSH server key pair.
The default interval for updating the SSH server key pair is 0, indicating that the key pair is never updated.
Parameters
Parameter | Description | Value |
---|---|---|
hours | Specifies the interval for updating the server key pair. | The value is an integer that ranges from 0 to 24, in hours. |
Usage Guidelines
Usage Scenario
If the server key pair is not updated for a long time, the key becomes easier to crack and the server is insecure. After the interval for updating the SSH server key pair is set using the ssh server rekey-interval command, the device automatically updates the key pair at the specified interval.
Precautions
If the client is connected to the server, the server public key on the client is not updated immediately. This key is updated only when the client is reconnected to the server.
This command takes effect only for SSH1.X. However, SSH1.X provides poor security and is therefore not recommended.
ssh server timeout
Function
The ssh server timeout command sets the timeout period for SSH connection authentication.
The undo ssh server timeout command restores the default timeout period for SSH connection authentication.
The default timeout period for SSH connection authentication is 60 seconds.
Parameters
Parameter | Description | Value |
---|---|---|
seconds | Specifies the timeout period for SSH connection authentication. | The value is an integer ranging from 1 to 120, in seconds. |
Usage Guidelines
Usage Scenario
If a user has not logged in successfully before the timeout period for SSH connection authentication expires, the current connection is terminated to ensure security. To query the current timeout period, run the display ssh server command.
Precautions
The timeout period setting takes effect upon next login.
ssh server-source
Function
The ssh server-source command specifies a source interface for an SSH server.
The undo ssh server-source command restores the default setting.
By default, the source interface of an SSH server is not specified.
Parameters
Parameter | Description | Value |
---|---|---|
-i loopback interface-number | Specifies a loopback interface as the source interface of an SSH server. | The value is an integer that ranges from 0 to 1023. |
Usage Guidelines
Usage Scenario
By default, an SSH server receives connection requests from all interfaces, incurring security risks. To enhance system security, you can specify a source interface for an SSH server. Users can log in to the SSH server only from this interface.
Prerequisites
The loopback interface to be specified as the source interface exists and has an IP address configured. If the loopback interface is not created, the ssh server-source command cannot be correctly run.
Precautions
After the source interface is specified, a device only allows SSH users to log in to the SSH server through this source interface, and SSH users logging in through other interfaces are denied. Note that setting this parameter only affects SSH users who attempt to log in to the SSH server. It does not affect SSH users who have logged in to the server.
After the source interface of an SSH server is specified using this command, ensure that SSH users can access the source interface at Layer 3. Otherwise, the SSH users will fail to log in to the SSH server.
ssh user
Function
The ssh user command creates an SSH user.
The undo ssh user command deletes an SSH user.
By default, no SSH user is created.
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
Usage Guidelines
You can create an SSH user in either of the following ways:
Run the ssh user command.
Run the ssh user authentication-type, ssh user service-type, or ssh user sftp-directory command with the user name you want to create. If the device cannot find the user with the name you specified, it automatically creates the user.
ssh user assign
Function
The ssh user assign command assigns an existing public key to a user.
The undo ssh user assign command deletes the mapping between the user and public key.
By default, no public key is assigned to a user.
Format
ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name
undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
rsa-key | Specifies an RSA public key. | - |
dsa-key | Specifies a DSA public key. | - |
ecc-key | Specifies an ECC public key. | - |
key-name | Specifies the client public key name. | The value is a string of 1 to 30 characters. |
Usage Guidelines
Usage Scenario
When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode, run the ssh user assign command to assign a public key to the client. If the client has been assigned keys, the latest assigned key takes effect.
Precautions
The newly configured public key takes effect upon next login.
If the user named user-name to whom a public key is assigned does not exist, the device automatically creates an SSH user named user-name and performs the configured authentication for the SSH user.
ssh user authorization-cmd aaa
Function
The ssh user authorization-cmd aaa command enables command line authorization for an SSH user.
The undo ssh user authorization-cmd aaa command restores the default authorization mode.
By default, command line authorization is disabled for an SSH user.
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the name of a valid SSH user defined by the AAA. | The value is a string of 1 to 64 case-insensitive characters without spaces. |
ssh user authentication-type
Function
The ssh user authentication-type command configures an authentication mode for an SSH user.
The undo ssh user authentication-type command restores the default authentication mode for an SSH user.
By default, no authentication mode is configured for an SSH user.
Format
ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }
undo ssh user user-name authentication-type
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies an SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
password | Specifies the password authentication mode. | - |
rsa | Specifies the RSA authentication mode. | - |
password-rsa | Specifies the password and RSA authentication modes. | - |
dsa | Specifies the DSA authentication mode. | - |
password-dsa | Specifies the password and DSA authentication modes. | - |
ecc | Specifies the ECC authentication mode. | - |
password-ecc | Specifies the password and ECC authentication modes. | - |
all | Specifies the password, ECC, DSA, or RSA authentication mode. NOTE: In all authentication mode, the user priority depends on the authentication mode that the user selected. If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may differ between password authentication and RSA, DSA, or ECC authentication. Set relevant parameters as needed. | - |
Usage Guidelines
Usage Scenario
When you configure an authentication mode for an SSH user, if the user does not exist, a device automatically creates an SSH user named user-name.
Table 2-51 describes the usage scenarios for different authentication modes.
Authentication Mode | Usage Scenario |
---|---|
RSA | RSA is a public key encryption architecture and an asymmetric encryption algorithm. It is mainly used to transmit the keys of a symmetric encryption algorithm, which improves encryption efficiency and simplifies key management. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server. |
DSA | The implementation is the same as RSA authentication. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server. Compared with RSA authentication, DSA authentication uses the digital signature algorithm for encryption and has a wider application scope. |
ECC | Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three cannot pass authentication, the user's access is denied. Compared with the RSA algorithm, ECC authentication has the following advantages: |
password | On the server, the AAA module assigns each authorized user a password for login. The server holds the mapping between user names and passwords. When a user requests access to the server, the server authenticates the user name and password. If either of them fails authentication, the access request is denied. The account information of users configured with the password authentication mode can be kept on the device or on remote authentication servers (for example, RADIUS servers). |
password-rsa, password-dsa, and password-ecc | The SSH server authenticates a client by checking both the public key and the password. The client is authenticated only when both the public key and the password meet the requirement. |
all | The SSH server authenticates a client by checking the public key or the password. The client is authenticated when either the public key or the password meets the requirement. |
Precautions
A new SSH user cannot log in to the SSH server unless being configured with an authentication mode. The newly configured authentication mode takes effect upon next login.
ssh user service-type
Function
The ssh user service-type command configures a service type for an SSH user.
The undo ssh user service-type command restores the default service type for an SSH user.
By default, no service type is configured for an SSH user.
Format
ssh user user-name service-type { sftp | stelnet | all }
undo ssh user user-name service-type
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
sftp | Specifies the SFTP service type. | - |
stelnet | Specifies the STelnet service type. | - |
all | Specifies the SFTP and STelnet service types. | - |
Usage Guidelines
Usage Scenario
To configure a service type for an SSH user, run the ssh user service-type command on a device. If the specified user does not exist, the device creates an SSH user who has the same name as the specified user and uses the configured service type for the SSH user.
Precautions
If the SFTP service type is configured for an SSH user, you need to run the ssh user sftp-directory command to set an authorized directory for the user. By default, the SFTP service authorized directory is cfcard: for the SSH user.
stelnet
Function
The stelnet command enables a user to use the STelnet protocol to log in to another device from the current device.
Format
# IPv4 address
stelnet [ -a source-address | -i interface-type interface-number ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
# IPv6 address
stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *
Parameters
Parameter | Description | Value |
---|---|---|
-a source-address | Specifies the STelnet source IP address. | - |
-i interface-type interface-number | Specifies the STelnet source interface. If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported. | - |
host-ip | Specifies the IP address or host name of the remote IPv4 STelnet server. | The value is a string of 1 to 255 case-insensitive characters without spaces. If the string is enclosed within double quotation marks ("), the string can contain spaces. |
host-ipv6 | Specifies the IPv6 address or host name of the remote IPv6 STelnet server. | The value is a string of 1 to 255 case-insensitive characters without spaces. |
-oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified. |
port-number | Specifies the port number that the SSH server is listening on. | The value is an integer that ranges from 1 to 65535. The default value 22 is the standard port number. |
identity-key | Specifies the public key for server authentication. | The public key algorithm includes dsa, rsa, and ecc. |
user-identity-key | Specifies the public key algorithm for the client authentication. | The public key algorithm includes dsa, rsa, and ecc. NOTE: To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm. |
prefer_kex prefer_key-exchange | Specifies the preferred key exchange algorithm. | The dh_group1, dh_exchange_group and dh_group14_sha1 algorithms are supported currently. The default key exchange algorithm is dh_group14_sha1. NOTE: To enable the dh_group1 algorithm, run the ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } * and ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } * commands. By default, the dh_group1 algorithm is not supported. The dh_exchange_group algorithm is recommended. |
prefer_ctos_cipher prefer_ctos_cipher | Specifies the preferred encryption algorithm from the client to the server. | The des, 3des, aes128, aes256, aes128_ctr, and aes256_ctr algorithms are supported currently. The default algorithm is aes256_ctr. To improve security, it is recommended that you use the aes128_ctr and aes256_ctr algorithms. |
prefer_stoc_cipher prefer_stoc_cipher | Specifies the preferred encryption algorithm from the server to the client. | The des, 3des, aes128, aes256, aes128_ctr, and aes256_ctr algorithms are supported currently. The default algorithm is aes256_ctr. To improve security, it is recommended that you use the aes128_ctr and aes256_ctr algorithms. |
prefer_ctos_hmac prefer_ctos_hmac | Specifies the preferred HMAC algorithm from the client to the server. | The sha1, sha1_96, md5, md5_96, sha2_256, and sha2_256_96 algorithms are supported currently. The default algorithm is sha2_256. To improve security, it is recommended that you use the sha2_256 and sha2_256_96 algorithms. |
prefer_stoc_hmac prefer_stoc_hmac | Specifies the preferred HMAC algorithm from the server to the client. | The sha1, sha1_96, md5, md5_96, sha2_256, and sha2_256_96 algorithms are supported currently. The default algorithm is sha2_256. To improve security, it is recommended that you use the sha2_256 and sha2_256_96 algorithms. |
-vpn-instance vpn-instance-name | Specifies the name of the VPN instance to which the server belongs. | The value must be an existing VPN instance name. |
-ki aliveinterval | Specifies the interval for sending keepalive packets when no packet is received. | The value is an integer that ranges from 1 to 3600, in seconds. |
-kc alivecountmax | Specifies the maximum number of keepalive packets that may go unanswered before the connection is released. | The value is an integer that ranges from 3 to 10. The default value is 5. |
Usage Guidelines
Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted using TCP in plain text. Compared with Telnet, SSH guarantees secure file transfer on a traditional insecure network by authenticating clients and encrypting data in bidirectional mode. The SSH protocol supports STelnet. You can run this command to use STelnet to log in to another device from the current device.
STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as the Telnet service.
When a fault occurs in the connection between the client and server, the client needs to detect the fault in real time and proactively release the connection. You need to set the interval for sending keepalive packets and the maximum number of times on the client that logs in to the server through STelnet.
- Interval for sending keepalive packets: If a client does not receive any packet within the specified interval, the client sends a keepalive packet to the server.
- Maximum number of times the server has no response: If the number of times that the server does not respond exceeds the specified value, the client proactively releases the connection.
Before connecting the SSH server using the STelnet command, run the stelnet server enable command to enable the STelnet service on the SSH server.
If the server is listening on port 22, the SSH client can log in to the SSH server with no port specified. If the server is listening on another port, the port number must be specified upon login.
Example
# Set keepalive parameters when a client logs in to a server through STelnet.
<HUAWEI> system-view
[HUAWEI] stelnet 10.164.39.209 -ki 10 -kc 4
# Log in to an IPv6 server through STelnet with aes128 as the preferred client-to-server encryption algorithm.
<HUAWEI> system-view
[HUAWEI] stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128
stelnet server enable
Function
The stelnet server enable command enables the STelnet service on an SSH server.
The undo stelnet server enable command disables the STelnet service on an SSH server.
By default, the STelnet service is disabled on SSH servers.
Parameters
Parameter | Description | Value |
---|---|---|
ipv4 | Configures a device as the STelnet IPv4 server. | - |
ipv6 | Configures a device as the STelnet IPv6 server. | - |
Usage Guidelines
Usage Scenario
To connect a client to an SSH server through STelnet, you must enable the STelnet service on the SSH server.
Precautions
After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.
After the stelnet server enable command is run, the device receives login connection requests from all interfaces by default, incurring security risks. To improve security, you are advised to run the ssh server-source command to specify a source interface for the STelnet server.
After the stelnet server enable command is run, both the IPv4 and IPv6 STelnet services are enabled. To enable the IPv4 or IPv6 STelnet service separately, run the stelnet { ipv4 | ipv6 } server enable command.
telnet
Function
The telnet command enables a user to use the Telnet protocol to log in to another device from the current device.
Format
# Log in to another device through Telnet based on IPv4.
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]
# Log in to another device through Telnet based on IPv6.
telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]
Parameters
Parameter | Description | Value |
---|---|---|
vpn-instance vpn-instance-name | Specifies the VPN4 instance name of the device to log in to through Telnet. | The value must be an existing VPN instance name. |
-a source-ip-address | Specifies the source IP address the local device uses to communicate with the server. This improves security. If no source address is specified, the device uses the IP address of the local outbound interface to initiate the Telnet connection. | - |
-i interface-type interface-number | Specifies the source interface type and number on the local device. | - |
vpn6-instance vpn6-instance-name | Specifies the name of the VPN6 instance to which the login device belongs. | The value must be an existing VPN instance name. |
host-ip | Specifies the IPv4 address or host name of the remote device. | The value is a string of 1 to 255 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
host-ipv6 | Specifies the IPv6 address or host name of the remote device. | The value is a string of 1 to 255 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
-oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified. |
port-number | Specifies the number of the TCP port that is used by the remote device to provide the Telnet service. | The value is an integer that ranges from 1 to 65535. The default value is 23. |
Usage Guidelines
Usage Scenario
If multiple devices on a network need to be configured and managed, run the telnet command to log in to these devices from your terminal for remote device configuration, facilitating device management.
You can press Ctrl+K to terminate an active connection between the local and remote devices.
Precautions
Before you run the telnet command to connect to the Telnet server, the Telnet client and server must be able to communicate at Layer 3 and the Telnet service must be enabled on the Telnet server.
Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted using TCP in plain text. The STelnet mode is recommended for networks that have high security requirements.
telnet client-source
Function
The telnet client-source command specifies a source IP address or source interface for a Telnet client.
The undo telnet client-source command restores the default settings.
The default source IP address of a Telnet client is 0.0.0.0, and there is no default source interface.
Format
telnet client-source { -a source-ip-address | -i interface-type interface-number }
undo telnet client-source
Parameters
Parameter | Description | Value |
---|---|---|
-a source-ip-address | Specifies the IPv4 address of the local switch. | - |
-i interface-type interface-number | Specifies the source interface of the local switch. | - |
Usage Guidelines
Usage Scenario
If no source IP address is specified in the telnet command, the source IP address specified using the telnet client-source command is used. If a source IP address is specified in the telnet command, that setting is used. Check the current Telnet connection on the server: the IP address displayed is the specified source IP address or the primary IP address of the specified interface.
Prerequisites
The source interface specified using the command must exist and have an IP address configured.
telnet server acl
Function
The telnet server acl command configures an ACL to control the access of clients to the Telnet server.
The undo telnet server acl command cancels the configuration of the ACL.
By default, no ACL is configured for Telnet servers.
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Specifies a Telnet IPv6 server. | - |
acl-number | Specifies an ACL number. | The value is an integer that ranges from 2000 to 3999. |
Usage Guidelines
Usage Scenario
When a device functions as a Telnet server, configure an ACL on the device to control the login of the clients to the device.
Prerequisites
An ACL has been configured using the acl (system view) command in the system view, and an ACL rule has been configured using the rule (basic ACL view) or rule (advanced ACL view) command.
Precautions
None.
telnet server-source
Function
The telnet server-source command specifies a source interface for a Telnet server.
The undo telnet server-source command restores the default setting.
By default, the source interface of a Telnet server is not specified.
Parameters
Parameter | Description | Value |
---|---|---|
-i loopback interface-number | Specifies a loopback interface as the source interface of the Telnet server. | The value is an integer that ranges from 0 to 1023. |
Usage Guidelines
Usage Scenario
By default, a Telnet server receives connection requests from all interfaces, incurring security risks. To enhance system security, you can specify a source interface for the Telnet server. Users are then allowed to log in to the Telnet server only through this interface.
Prerequisites
A loopback interface to be specified as the source interface exists and has an IP address configured. If the loopback interface is not created, the telnet server-source command cannot be correctly run.
Precautions
After the source interface is specified, a device allows Telnet users to log in to the Telnet server only through this source interface, and Telnet users logging in through other interfaces are denied. Note that setting this parameter only affects Telnet users who attempt to log in to the Telnet server, and it does not affect Telnet users who have logged in to the server.
After the source interface of a Telnet server is specified using this command, ensure that Telnet users can access the source interface at Layer 3. Otherwise, the Telnet users will fail to log in to the Telnet server.
telnet server enable
Function
The telnet server enable command enables the Telnet service.
The undo telnet server enable command disables the Telnet service.
The telnet server disable command disables the Telnet service.
By default, the Telnet service is disabled.
Format
telnet [ ipv6 ] server enable
undo telnet [ ipv6 ] server enable
telnet [ ipv6 ] server disable
Usage Guidelines
You can run the telnet server enable command to enable the Telnet service. A Telnet server can be connected only when it is enabled.
If the user who logged in to the server through Telnet is online, the undo telnet [ ipv6 ] server enable command fails to be run on the server.
When a Telnet server is disabled, you can log in to the device only through the console port or SSH.
The Telnet protocol poses a security risk, and therefore using STelnet V2 is recommended.
After the telnet server enable command is run, the device receives login connection requests from all interfaces by default, incurring security risks. You are advised to run the telnet server-source command to specify a source interface for the Telnet server.
Example
# Enable the Telnet service.
<HUAWEI> system-view
[HUAWEI] telnet server enable
Info: TELNET server has been enabled.
# Disable the Telnet service.
<HUAWEI> system-view
[HUAWEI] undo telnet server enable
# Enable the IPv6 Telnet service.
<HUAWEI> system-view
[HUAWEI] telnet ipv6 server enable
telnet server port
Function
The telnet server port command configures a listening port number for a Telnet server.
The undo telnet server port command restores the default listening port of a Telnet server.
The default listening port of a Telnet server is 23.
Parameters
Parameter | Description | Value |
---|---|---|
port-number | Specifies the listening port number of a Telnet server. | The value is an integer that is 23 or ranges from 1025 to 55535. The default value 23 is the standard Telnet server port number. |
Usage Guidelines
Usage Scenario
To prevent attackers from attacking the standard Telnet listening port number, run the telnet server port command to configure a new listening port. This improves security.
Precautions
If the server is listening on port 23, the Telnet client can log in successfully with no port specified. If the server is listening on another port, the port number must be specified.
Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.
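The Precautions for the SSH and Telnet server commands above (server-source, port, timeout, Telnet enabled at all) translate into a small configuration review. The following is an added example, not product code or documentation output: it reads command lines written in the syntax documented on this page and reports the deviations those sections warn about. Both configuration excerpts are constructed samples, not captured from a device.

```python
"""Hardening checks over SSH/Telnet server configuration lines.

Added example, not part of the product documentation. The checks are derived
from the Precautions sections of this page: Telnet transmits in plain text,
a server with no server-source listens on all interfaces, the standard port
can be changed to a value from 1025 to 55535, and the SSH authentication
timeout defaults to 60 seconds. WEAK_CONFIG and HARDENED_CONFIG are
constructed samples.
"""
from typing import Dict, List, Optional

# Constructed sample: every default left in place and Telnet switched on.
WEAK_CONFIG = """\
stelnet server enable
telnet server enable
ssh server port 22
ssh server timeout 120
"""

# Constructed sample: the same device after applying the page's recommendations.
HARDENED_CONFIG = """\
stelnet server enable
ssh server-source -i loopback 0
ssh server port 2222
ssh server timeout 60
undo telnet server enable
"""

SSH_DEFAULT_PORT = 22
TELNET_DEFAULT_PORT = 23
SSH_DEFAULT_TIMEOUT = 60
STELNET_ENABLE = ("stelnet server enable", "stelnet ipv4 server enable", "stelnet ipv6 server enable")
TELNET_ENABLE = ("telnet server enable", "telnet ipv6 server enable")


def _lines(text: str) -> List[str]:
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def _has(lines: List[str], command: str) -> bool:
    """True if the command appears exactly or with arguments ('undo ...' lines do not match)."""
    return any(ln == command or ln.startswith(command + " ") for ln in lines)


def _args(lines: List[str], command: str) -> Optional[List[str]]:
    """Arguments of the first matching command line, or None if it is not configured."""
    for ln in lines:
        if ln.startswith(command + " "):
            return ln[len(command) + 1:].split()
    return None


def valid_nonstandard_port(port: int, standard: int) -> bool:
    """A port the page accepts for 'ssh server port' / 'telnet server port' that is not the standard one."""
    return 1025 <= port <= 55535 and port != standard


def audit(text: str) -> Dict[str, str]:
    """Return a mapping of finding code to explanation for one configuration text."""
    lines = _lines(text)
    findings: Dict[str, str] = {}

    if any(_has(lines, cmd) for cmd in TELNET_ENABLE):
        findings["telnet-enabled"] = "Telnet has no authentication mechanism and sends data in plain text; use STelnet."
        if not _has(lines, "telnet server-source"):
            findings["telnet-no-source"] = "Telnet server accepts login requests on all interfaces."
        port = _args(lines, "telnet server port")
        if port is None or not valid_nonstandard_port(int(port[0]), TELNET_DEFAULT_PORT):
            findings["telnet-default-port"] = "Telnet server listens on the standard port 23."

    if any(_has(lines, cmd) for cmd in STELNET_ENABLE):
        if not _has(lines, "ssh server-source"):
            findings["ssh-no-source"] = "SSH server accepts login requests on all interfaces."
        port = _args(lines, "ssh server port")
        if port is None or not valid_nonstandard_port(int(port[0]), SSH_DEFAULT_PORT):
            findings["ssh-default-port"] = "SSH server listens on the standard port 22."
        timeout = _args(lines, "ssh server timeout")
        if timeout is not None and int(timeout[0]) > SSH_DEFAULT_TIMEOUT:
            findings["ssh-long-timeout"] = "Unauthenticated SSH connections are held longer than the 60-second default."

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {sorted(audit(cfg)) or 'no findings'}")
```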