Command Reference

S7700 and S9700 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
User Login Configuration Commands

Command Support

Commands provided in this section and all the parameters in the commands are supported by all switch models by default, unless otherwise specified. For details, see specific commands.

configuration exclusive

Function

The configuration exclusive command locks the current system configuration. When the system configuration is locked, the user who locks it can query and modify the configuration while other users can only query the configuration.

The undo configuration exclusive command unlocks the system configuration.

By default, the system configuration is unlocked.

Format

configuration exclusive

undo configuration exclusive

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The device allows simultaneous access and configuration by multiple users, which may cause configuration conflicts and service exceptions. To prevent service exceptions, run the configuration exclusive command to lock and modify the configuration. Other users can then only query the configuration.

To unlock the configuration, do either of the following:
  • Run the undo configuration exclusive command.
  • Do not modify the configuration in the configured lock interval. The system then automatically unlocks the configuration. To configure the lock interval, run the configuration-occupied timeout command.

Precautions

  • After you run the configuration exclusive command, other users cannot modify the system configuration, so confirm your action before running this command.
  • Before you run the configuration exclusive command, run the configuration-occupied timeout command to configure the maximum lock interval so that the system can automatically unlock the configuration after this interval.

Example

# Lock the current system configuration.
<HUAWEI> configuration exclusive
# Unlock the system configuration.
<HUAWEI> undo configuration exclusive

configuration-occupied timeout

Function

The configuration-occupied timeout command sets the interval after which the system automatically unlocks the configuration.

The undo configuration-occupied timeout command restores the default automatic unlock interval.

By default, the value is 30 seconds.

Format

configuration-occupied timeout timeout-value

undo configuration-occupied timeout

Parameters

timeout-value
  Description: Specifies the interval after which the system automatically unlocks the configuration if no configuration command is run.
  Value: The value is an integer that ranges from 1 to 7200, in seconds. By default, the value is 30 seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

The configuration-occupied timeout command configures the longest lock interval. If no configuration command is delivered within this interval, the system automatically unlocks the configuration so that other users can modify the configuration.

The result of running this command depends on who holds the configuration right:
  • If the user does not have the configuration right, the system displays an error.
  • If the configuration is locked by another user, the system displays a message indicating that the modification fails.
  • If the configuration is locked by the user who configures the longest lock interval, the modification is valid.
NOTE:
Note the following when running the configuration-occupied timeout command:
  • Do not set the interval too short: the device automatically unlocks the configuration as soon as the user who holds the lock delivers no configuration command within the interval.
  • Do not set the interval too long: other users cannot modify the configuration until the interval expires, even if the user who holds the lock delivers no configuration command in the meantime.
  • The command takes effect for all users.

Example

# Set the automatic unlock interval to 120 seconds.
<HUAWEI> system-view
[HUAWEI] configuration-occupied timeout 120

display configuration-occupied user

Function

The display configuration-occupied user command displays information about the user who locks the configuration.

Format

display configuration-occupied user

Parameters

None

Views

All views

Default Level

2: Configuration level

Usage Guidelines

You can run the display configuration-occupied user command to query the user who has the configuration right. If no user locks the system configuration, the system displays a corresponding message.

Example

# Display the user who locks the configuration.
<HUAWEI> display configuration-occupied user
User Index: 34
User Session Name: VTY0
User Name:**
IP Address: 10.135.19.22
Locked Time: 2012-09-16 15:26:32+10:00 DST
Last Configuration Time: 2012-09-16 15:26:32+10:00 DST
The time out value of configuration right locked is: 30 second(s)
Table 2-35  Description of the display configuration-occupied user command output
Item Description

User Index

User index.

User Session Name

User session name. The value is CON0 or ranges from VTY0 to VTY14.

snmp-agent: session name of an NMS user.

User Name

Name of a login user.

  • If a login user name is **, the user logs in to a device using a serial port or the password authentication mode.
  • If the login user name is a community or V3 user name, the user is an NMS user.

IP Address

IP address of the user.

Locked Time

Time when the configuration was locked.

Last Configuration Time

Time when the user delivered the last configuration command.

The time out value of configuration right locked is

Duration for locking the configuration.

To configure the duration, run the configuration-occupied timeout command.

# Display the user who locks the system configuration (when no user locks the system configuration).

<HUAWEI> display configuration-occupied user
Info: No user locked the current configuration.
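As an added example (not Huawei's code), the following Python models the lock behaviour described above for configuration exclusive, configuration-occupied timeout and display configuration-occupied user, with a caller-supplied clock so the automatic unlock can be exercised without waiting. It assumes that "configuration right" means the session's privilege level meets the command's default level (2 for the lock, 3 for the timeout); session and user names are constructed.

```python
"""Model of the VRP configuration lock: configuration exclusive, configuration-occupied
timeout and display configuration-occupied user. Times are seconds on an injected clock."""
from dataclasses import dataclass
from typing import Optional

LOCK_CMD_LEVEL = 2      # configuration exclusive: default level 2 (configuration level)
TIMEOUT_CMD_LEVEL = 3   # configuration-occupied timeout: default level 3 (management level)
DEFAULT_TIMEOUT = 30    # seconds, the documented default
TIMEOUT_RANGE = (1, 7200)


@dataclass(frozen=True)
class Session:
    name: str    # CON0 or VTY0..VTY14
    user: str
    level: int   # assumption: privilege level gates commands by their default level


class ConfigLock:
    def __init__(self) -> None:
        self.timeout = DEFAULT_TIMEOUT
        self.holder: Optional[Session] = None
        self.locked_at = 0.0
        self.last_config_at = 0.0

    def _expire(self, now: float) -> None:
        # Automatic unlock: the holder delivered no configuration command within the interval.
        if self.holder is not None and now - self.last_config_at >= self.timeout:
            self.holder = None

    def config_command(self, s: Session, now: float, level: int = LOCK_CMD_LEVEL) -> str:
        """Outcome of a configuration command, as the page lists them: an error when the
        user lacks the configuration right, a failure when another user holds the lock,
        otherwise ok (a command from the holder refreshes Last Configuration Time)."""
        self._expire(now)
        if s.level < level:
            return "error: no configuration right"
        if self.holder is not None and self.holder != s:
            return "fail: configuration locked by %s" % self.holder.user
        if self.holder == s:
            self.last_config_at = now
        return "ok"

    def lock(self, s: Session, now: float) -> str:
        # configuration exclusive
        result = self.config_command(s, now)
        if result == "ok" and self.holder is None:
            self.holder, self.locked_at, self.last_config_at = s, now, now
        return result

    def unlock(self, s: Session, now: float) -> str:
        # undo configuration exclusive
        result = self.config_command(s, now)
        if result == "ok":
            self.holder = None
        return result

    def set_timeout(self, s: Session, value: int, now: float) -> str:
        # configuration-occupied timeout <1-7200>; itself subject to the lock
        if not TIMEOUT_RANGE[0] <= value <= TIMEOUT_RANGE[1]:
            return "error: value out of range"
        result = self.config_command(s, now, TIMEOUT_CMD_LEVEL)
        if result == "ok":
            self.timeout = value
        return result

    def display(self, now: float) -> dict:
        # display configuration-occupied user
        self._expire(now)
        if self.holder is None:
            return {"info": "No user locked the current configuration."}
        return {"session": self.holder.name, "user": self.holder.user,
                "locked_time": self.locked_at,
                "last_configuration_time": self.last_config_at,
                "timeout": self.timeout}


if __name__ == "__main__":
    lock = ConfigLock()
    admin, ops = Session("VTY0", "admin", 3), Session("VTY1", "ops", 2)
    print(lock.lock(admin, 0), lock.config_command(ops, 10))
    print(lock.display(20), lock.config_command(ops, 31))   # expired after 30 s idle
```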

display dsa local-key-pair public

Function

The display dsa local-key-pair public command displays the public key in the local DSA key pair of the device.

Format

display dsa local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays the public key in the local DSA key pair. You can copy the public key in the command output to the DSA public key of the SSH server to ensure that the public keys on the client and server are consistent and that the client can be authenticated by the server.

Example

# Display the public key in the client DSA key pair.

<HUAWEI> display dsa local-key-pair public
=====================================================
Time of Key pair created:2014-08-27 06:35:16+08:00
Key name    : HUAWEI_Host_DSA
Key modulus : 2048
Key type    : DSA encryption Key
Key fingerprint: b5:82:31:f1:65:0f:97:81:dc:27:95:a8:f8:26:68:c4
=====================================================
Key code:
3081DC
  0240
    AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
    A34004C1 B37824BB D3160595 702901CD 53F0EAE0
    6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
    87C63485
  0214
    94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
  0240
    91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
    7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
    0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
    C986329F
  0240
    26D21FBE 18A9FCB3 C19A7430 A801D8A1 09CFC6E6
    ACB104F4 B398B3B7 83A059EA BE23AE04 5D7AD134
    4279637B 51AD9ADF 80B627EA 9328C95F 3DFF00EE
    84847039

 Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWV
cCkBzVPw6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biC
kyrIhQirfIE/AAAAQQCR/w8skZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614
zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKfAAAAQCbSH74YqfyzwZp0MKgB
2KEJz8bmrLEE9LOYs7eDoFnqviOuBF160TRCeWN7Ua2a34C2J+qTKMlfPf8A7oSE
cDk=
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAABBAK4K5Gcr81h/MP6B/6FNgHAfwpMLo0AEwbN4JLvTFgWVcCkBzVPw
6uBsxG0tvnj2pD3Equ/HIo4BnC73zofGNIUAAAAVAJT8ViTc6wna6biCkyrIhQirfIE/AAAAQQCR/w8s
kZloKLqtUGjNL+g+zvoc9HvKQlGfBP0kbPtQo614zA0zXe/SC0w1MNqiVZLer6DrYSJXEuSvYTnJhjKf
AAAAQCbSH74YqfyzwZp0MKgB2KEJz8bmrLEE9LOYs7eDoFnqviOuBF160TRCeWN7Ua2a34C2J+qTKMlf
Pf8A7oSEcDk= dsa-key
Table 2-36  Description of the display dsa local-key-pair public command output

Item

Description

Time of Key pair created

Time when the public key was created.

Key name

Name of the public key.

Key modulus

Length of the key.

Key type

Type of the public key.

Key fingerprint

Key fingerprint.

Key code

Content of the key.

Host public key for PEM format code

PEM code of the public key.

Public key code for pasting into OpenSSH authorized_keys file

Public key format in the OpenSSH file.

display dsa peer-public-key

Function

The display dsa peer-public-key command displays the DSA public key that has been configured.

Format

display dsa peer-public-key [ brief | name key-name ]

Parameters

brief
  Description: Displays the brief information.
  Value: -
name key-name
  Description: Displays the DSA public key with the specified name.
  Value: The value is a string of 1 to 30 case-insensitive characters without spaces. The string can contain spaces if it is enclosed with double quotation marks (").

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

This command displays the DSA public key for you to check whether the local and peer public keys are consistent.

Precautions

You must complete the DSA public key configuration before running this command.

Example

# Display the DSA public key with the specified name.

<HUAWEI> display dsa peer-public-key name amar
=====================================
    Key name: amar
    Encoding type: DER
=====================================
Key Code:
3081DC
  0240
    AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B A34004C1 B37824BB D3160595
    702901CD 53F0EAE0 6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE 87C63485
  0214
    94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
  0240
    91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4 7BCA4251 9F04FD24 6CFB50A3
    AD78CC0D 335DEFD2 0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139 C986329F
  0240
    0E7BEFD5 594ECA9C CE574D9D 369BCD0C 19C94725 5FE8666E 73292AD6 908E4E0C
    7F0EA3AF A02F17F7 3A0B1D15 E22420CB B5EC1D2C 8BA77729 276EDEBB 8DA843C7
Table 2-37  Description of the display dsa peer-public-key command output

Item

Description

Key name

Name of the public key.

Encoding type

Type of the public key encoding format.

Key code

Code of the public key.

display ecc local-key-pair public

Function

The display ecc local-key-pair public command displays information about the public key in the local Elliptic Curve Cryptography (ECC) key pair.

Format

display ecc local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the display ecc local-key-pair public command on a client to check the public key in the local ECC key pair and then copy it to the server. The server uses this public key to authenticate the client so that only authorized users can log in.

Pre-configuration Tasks

You must run the ecc local-key-pair create command to generate a local ECC host key pair before using the command.

Example

# Display information about the public key in the local ECC key pair on a client.

<HUAWEI> display ecc local-key-pair public
=====================================================
Time of Key pair created:2016-10-19 11:50:20+00:00
Key name    : HUAWEI_Host_ECC
Key modulus : 521
Key type    : ECC encryption Key
Key fingerprint:
=====================================================
Key code:
    0401CE1E 5EF3B843 CD917648 1D70EF8F CECE8518 5B32ED5F 529E9DC4 D16EDF1A
    5F6E6389 10AAE2D4 74FD9DA7 F05AB123 9AF3EE64 9F0BAF99 A0CBF55B E319B2D1
    8EDEBB01 7C63469B C62A2256 3EAEA0BD 486F9524 8559C7EF 24D969D1 11093BBF
    27F770E7 03E28ABA BB357E5B 28EF04CC EA931C81 C7D7EBD8 5797B1CD 05D9B497
    56D91126 E9

 Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHOHl7zuEPN
kXZIHXDvj87OhRhbMu1fUp6dxNFu3xpfbmOJEKri1HT9nafwWrEjmvPuZJ8Lr5mg
y/Vb4xmy0Y7euwF8Y0abxioiVj6uoL1Ib5UkhVnH7yTZadERCTu/J/dw5wPiirq7
NX5bKO8EzOqTHIHH1+vYV5exzQXZtJdW2REm6Q==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAHOHl7z
uEPNkXZIHXDvj87OhRhbMu1fUp6dxNFu3xpfbmOJEKri1HT9nafwWrEjmvPuZJ8Lr5mgy/Vb4xmy0Y7e
uwF8Y0abxioiVj6uoL1Ib5UkhVnH7yTZadERCTu/J/dw5wPiirq7NX5bKO8EzOqTHIHH1+vYV5exzQXZ
tJdW2REm6Q== ecdsa-key
Table 2-38  Description of the display ecc local-key-pair public command output

Item

Description

Time of Key pair created

Time when the public key in the local ECC key pair is generated, in the format of YYYY-MM-DD HH:MM:SS.

Key Name

Name of the public key in the local ECC key pair.

Key modulus

Length of the public key in the local ECC key pair on a client.

Key Type

Type of the public key in the local ECC key pair. "ECC encryption Key" indicates an ECC public key.

Key Code

Code of the public key in the local ECC key pair configured using the ecc local-key-pair create command.

Host public key for PEM format code

PEM code of the public key in the local ECC key pair on a client.

Public key code for pasting into OpenSSH authorized_keys file

Public key in the local ECC key pair on a client that is used for OpenSSH authorization. This information can be used after being copied to the OpenSSH authorized_keys file.

display ecc peer-public-key

Function

The display ecc peer-public-key command displays information about the Elliptic Curve Cryptography (ECC) public key configured on the remote end.

Format

display ecc peer-public-key [ brief | name key-name ]

Parameters

brief
  Description: Displays the brief information about the ECC public key configured on the remote end.
  Value: -
name key-name
  Description: Displays information about an ECC public key with a specified name configured on the remote end.
  Value: The value is a string of 1 to 30 case-sensitive characters, spaces not supported.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the display ecc peer-public-key command on a client to check the public key configured on the remote end. The server uses this public key to authenticate the client so that only authorized users can log in.

Example

# Display the information about the ECC public keys of 127.0.0.1.

<HUAWEI> display ecc peer-public-key
=====================================
    Key name: 127.0.0.1
    Encoding type: DER
=====================================
Key Code:
    04013184 A3311697 89DF558B 7F67BF9D BD95DBD5 280D659F 0E29852C AEC2FFBA
    1913AC2A 88247ADA 46BEBEBE 1829C0DA 3BABC8FC 8F6EAD28 2AE2C6A8 116BAA3A
    540E6B00 34E033D8 9D84841B 0D33DAD8 DEDD1C09 2B70B3DB 5AF0FCB2 37DF1C82
    C4C622A6 85B23698 195DA60F 06858ADB DD743937 B4A29C4C FB28B40B BCEEE036
    1DE61BD2 24

# Display the brief information about all the ECC public keys.

<HUAWEI> display ecc peer-public-key brief
  Bits   Name
----------------------
  521   127.0.0.1
  384   192.168.131.203
Table 2-39  Description of the display ecc peer-public-key command output

Item

Description

Bits

Length of the ECC public key configured on the remote end.

Name

Name of the ECC public key configured on the remote end.

Key name

Name of the ECC public key configured on the remote end.

Encoding type

Encoding type of the ECC public key configured on the remote end.

  • OPENSSH

    If OpenSSH is specified, data is Base64 encoded.

    OpenSSH is derived from PEM.

  • PEM

    If PEM is specified, data is Base64 encoded.

  • DER

    If DER is specified, data is Base16 encoded.

Key Code

Code of the ECC public key configured on the remote end.

display http server

Function

The display http server command displays information about the current HTTP and HTTPS server.

Format

display http server

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

You can view the HTTP and HTTPS server information, including the service status, port number, timeout interval, maximum number of users allowed to access the server, and number of current online users.

Example

# Display information about the current HTTPS server.

<HUAWEI> display http server
   HTTP Server Status              : enabled
   HTTP Server Port                : 80(80)
   HTTP Timeout Interval           : 20
   Current Online Users            : 3
   Maximum Users Allowed           : 5
   HTTP Secure-server Status       : enabled
   HTTP Secure-server Port         : 443(443)
   HTTP SSL Policy                 : ssl_server
   HTTP IPv6 Server Status         : disabled
   HTTP IPv6 Server Port           : 80(80)
   HTTP IPv6 Secure-server Status  : disabled
   HTTP IPv6 Secure-server Port    : 443(443)
   HTTP server source address      : 0.0.0.0
Table 2-40  Description of the display http server command output

Item

Description

HTTP Server Status

Status of the HTTP IPv4 server.
  • Enabled: The HTTP IPv4 service is enabled.
  • Disabled: The HTTP IPv4 service is disabled.

You can configure the HTTP IPv4 server status by running the http server enable command.

HTTP Server Port

Port number of the HTTP IPv4 server. The default value is 80.

You can configure the port number of the HTTP IPv4 server by running the http server port command.

HTTP Timeout Interval

Timeout period of the HTTP/HTTPS server. The default value is 20 minutes.

You can configure the timeout period of the HTTP/HTTPS server by running the http timeout command.

Current Online Users

Number of current online users.

Maximum Users Allowed

Maximum number of users allowed to access the HTTP server.

HTTP Secure-server Status

Status of the HTTPS IPv4 server.
  • Enabled: The HTTPS IPv4 service is enabled.
  • Disabled: The HTTPS IPv4 service is disabled.

You can configure the HTTPS IPv4 server status by running the http secure-server enable command.

HTTP Secure-server Port

Port number of the HTTPS IPv4 server. The default value is 443.

You can configure the port number of the HTTPS IPv4 server by running the http secure-server port command.

HTTP SSL Policy

HTTPS SSL policy.

You can configure the HTTPS SSL policy by running the ssl policy command.

HTTP IPv6 Server Status

Status of the HTTP IPv6 server function:
  • enabled: The HTTP IPv6 server function is enabled.
  • disabled: The HTTP IPv6 server function is disabled.

You can configure the HTTP IPv6 server status by running the http ipv6 server enable command.

HTTP IPv6 Server Port

Port number of the HTTP IPv6 server. The default value is 80.

You can configure the port number of the HTTP IPv6 server by running the http ipv6 server port command.

HTTP IPv6 Secure-server Status

Status of the HTTPS IPv6 server function:
  • enabled: The secure HTTPS IPv6 server function is enabled.
  • disabled: The secure HTTPS IPv6 server function is disabled.

You can configure the HTTPS IPv6 server status by running the http ipv6 secure-server enable command.

HTTP IPv6 Secure-server Port

Port number of the HTTPS IPv6 server. The default value is 443.

You can configure the port number of the HTTPS IPv6 server by running the http ipv6 secure-server port command.

HTTP server source address

IP address of the source interface on the HTTP server.

display http user

Function

The display http user command displays information about current online users.

Format

display http user [ username username ]

Parameters

username username
  Description: Specifies the name of the current online user.
  Value: The value is a string of 1 to 64 case-insensitive characters, with no space or wildcard. When double quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

If username is not specified, this command displays summary information about all online users.

If username is specified, this command displays detailed information about the specified online user.

Example

# Display general information about the current online user.

<HUAWEI> display http user
Total online users: 1
------------------------------------------------------
User name    IP Address            Login Date
------------------------------------------------------
admin        192.168.0.1           2012-03-23 15:30:55+00:00

# Display detailed information about the current online user admin.

<HUAWEI> display http user username admin
Client IP Address: 192.168.0.1
Login Date: 2012-03-19 15:30:55+00:00
User timeouts: 15 minute
Table 2-41  Description of the display http user command output

Item

Description

User name

User name.

Client IP Address

IP address of the HTTP client.

Login Date

Login date and time.

User timeouts

Idle timeout duration of online users.

display rsa local-key-pair public

Function

The display rsa local-key-pair public command displays the public key in the local key pair.

Format

display rsa local-key-pair public

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Run this command on the client and configure the public key from the command output on the SSH server. The server then uses the key to verify the client's identity, which allows secure data exchange between the SSH server and the client.

Example

# Display the public key in the local key pair.

<HUAWEI> display rsa local-key-pair public
=====================================================
Time of Key pair created: 2012-08-15 06:41:55+08:00
Key name: HUAWEI_Host
Key type: RSA encryption Key
Key fingerprint: ab:ec:d7:e1:22:5f:e4:e3:6e:f0:d6:1f:99:e4:f2:f3
=====================================================
Key code:
3047
  0240
    D8D10BE8 CD41AA43 862B6C2B 637D1A53 1EBB4015
    96A70B13 72B17A16 84E02168 4061A4C2 A1CDB541
    484F71DB D7271E5F E3C75BEA AF853023 0CDCE55D
    ECCB0461
  0203
    010001

 Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDY0QvozUGqQ4YrbCtjfRpTHrtAFZanCxNy
sXoWhOAhaEBhpMKhzbVBSE9x29cnHl/jx1vqr4UwIwzc5V3sywRh
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDY0QvozUGqQ4YrbCtjfRpTHrtAFZanCxNysXoWhOAhaEBhpMKhzbVBSE9x29cnHl/jx1vqr4UwIwzc5V3sywRh rsa-key

=====================================================
Time of Key pair created: 2012-08-15 06:42:03+08:00
Key name: HUAWEI_Server
Key type: RSA encryption Key
Key fingerprint: 16:3b:43:4f:74:16:98:b3:5c:51:b5:a3:83:f8:86:19
=====================================================
Key code:
3067
  0260
    F31D5536 26C05536 6703885D E8FCDB00 07C45437
    B3D08086 9E25B7B6 CFE375B2 1AA957EE 24D2DC51
    BAA81ECD 6894F71E 20596754 35653808 C8B74ACB
    DE94C584 1E234FED 840900F0 4A4100FB C133DFB7
    12D4B4DB EF0C3E1F E211202A F45DD5DD
  0203
    010001
Table 2-42  Description of the display rsa local-key-pair public command output

Item

Description

Time of Key pair created

Time and date when the public key was created.

Key Name

The value can be the host or server public key. The server public key is saved only when the key type is RSA.

Key Type

Type of the public key.

Key fingerprint

Public key fingerprint.

Key Code

Code of the public key.
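As an added example (not Huawei's code), the following Python cross-checks the two renderings of a host public key printed by display rsa local-key-pair public and display dsa local-key-pair public: the DER "Key code" hex and the OpenSSH authorized_keys line must decode to the same numbers before you trust either copy. The sample constants are the HUAWEI_Host RSA key from the output above; md5_fingerprint assumes the device's "Key fingerprint" is the MD5 of the same wire blob that ssh-keygen -l -E md5 hashes, which you should confirm against the output.

```python
"""Cross-check the DER 'Key code' and the OpenSSH authorized_keys line of a VRP host key."""
import base64
import hashlib
import struct
from typing import List, Tuple

# Constructed from the display rsa local-key-pair public output: the DER 'Key code'
# (whitespace is ignored) and the authorized_keys line rejoined onto one line.
RSA_KEY_CODE = (
    "3047 0240"
    " D8D10BE8 CD41AA43 862B6C2B 637D1A53 1EBB4015"
    " 96A70B13 72B17A16 84E02168 4061A4C2 A1CDB541"
    " 484F71DB D7271E5F E3C75BEA AF853023 0CDCE55D"
    " ECCB0461"
    " 0203 010001"
)
RSA_AUTHORIZED_KEYS_LINE = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDY0QvozUGqQ4YrbCtjfRpTHrtAFZanCxNy"
    "sXoWhOAhaEBhpMKhzbVBSE9x29cnHl/jx1vqr4UwIwzc5V3sywRh rsa-key"
)


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element (short or long-form length)."""
    if pos + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    body = data[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def der_integers(key_code: str) -> List[int]:
    """Parse the device's 'Key code' (SEQUENCE of INTEGERs): n, e for RSA; p, q, g, y
    for DSA. The device omits the 0x00 pad byte DER requires when the top bit is set,
    so each body is read as an unsigned big-endian number."""
    data = bytes.fromhex("".join(key_code.split()))
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER inside SEQUENCE")
        ints.append(int.from_bytes(body, "big"))
    return ints


def openssh_key(line: str) -> Tuple[str, List[int], bytes]:
    """Decode an authorized_keys line into (key type, mpints, raw wire blob). The blob
    is the RFC 4253 public-key encoding: a length-prefixed type string followed by
    mpints e, n for ssh-rsa or p, q, g, y for ssh-dss."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = parts[0], base64.b64decode(parts[1], validate=True)
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        field = blob[pos + 4:pos + 4 + n]
        if len(field) != n:
            raise ValueError("truncated field")
        fields.append(field)
        pos += 4 + n
    if not fields or fields[0].decode("ascii") != key_type:
        raise ValueError("key type inside blob does not match the line prefix")
    return key_type, [int.from_bytes(f, "big") for f in fields[1:]], blob


def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the wire blob in colon form (ssh-keygen -l -E md5 convention).
    Assumption: the device's 'Key fingerprint' line hashes the same input."""
    return ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def keys_match(key_code: str, authorized_line: str) -> bool:
    """True when the DER 'Key code' and the OpenSSH line carry the same numbers."""
    key_type, numbers, _ = openssh_key(authorized_line)
    der = der_integers(key_code)
    if key_type == "ssh-rsa":          # wire order is e, n; the device prints n, e
        return len(numbers) == 2 and der == [numbers[1], numbers[0]]
    if key_type == "ssh-dss":          # both use p, q, g, y
        return len(numbers) == 4 and der == numbers
    raise ValueError("unsupported key type: " + key_type)


if __name__ == "__main__":
    key_type, numbers, blob = openssh_key(RSA_AUTHORIZED_KEYS_LINE)
    print(key_type, "modulus bits:", numbers[1].bit_length(), "e:", numbers[0])
    print("DER and OpenSSH renderings agree:", keys_match(RSA_KEY_CODE, RSA_AUTHORIZED_KEYS_LINE))
    print("MD5 fingerprint of wire blob:", md5_fingerprint(blob))
```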

display rsa peer-public-key

Function

The display rsa peer-public-key command displays the peer public key saved on the local host. If no parameter is specified, the command displays detailed information about all peer public keys.

Format

display rsa peer-public-key [ brief | name key-name ]

Parameters

brief
  Description: Displays the brief information about all peer public keys.
  Value: -
name key-name
  Description: Specifies the key name.
  Value: The value is a string of 1 to 30 case-insensitive characters without spaces. The string can contain spaces if it is enclosed with double quotation marks (").

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to check detailed information about the RSA public key and whether the local and peer public keys are the same.

Precautions

You must complete the RSA public key configuration before running this command.

Example

# Display the brief information about all RSA public keys.

<HUAWEI> display rsa peer-public-key brief
Address         Bits   Name
---------------------------
                 768   rsakey001    
Table 2-43  Description of the display rsa peer-public-key brief command output

Item

Description

Address

Brief information about the public key.

Bits

Bits in the public key.

Name

Name of the public key.

# Display the detailed information about the RSA public key named rsakey001.

<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
    Key name: rsakey001
    Key address:
=====================================
Key Code:
3067
  0260
    A3158E6C F252C039 135FFC45 F1E4BA9B 4AED2D88 D99B2463 3E42E13A 92A95A37
    45CDF037 1AF1A910 AAE3601C 2EB70589 91AF1BB5 BD66E31A A9150911 859CAB0E
    1E10548C D70D000C 55A1A217 F4EA2F06 E44BD438 DA472F14 3FB7087B 45E77C05
  0203
    010001 
Table 2-44  Description of the display rsa peer-public-key name command output

Item

Description

Key name

Name of the public key.

Key address

Brief information about the public key.

Key Code

Code of the public key.

display ssh server

Function

The display ssh server command displays the SSH server information.

Format

display ssh server { status | session }

Parameters

Parameter Description Value
status Displays the global configuration on the SSH server. -
session Displays the current session connection information on the SSH server. -

Views

All views

Default Level

3: Management level

Usage Guidelines

After configuring the SSH attributes, you can run this command to view the configuration or session connection information on the SSH server to verify that the SSH connection has been established.

Example

# Display the global configuration on the SSH server.

<HUAWEI> display ssh server status
 SSH version                         :2.0
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH authentication retries          :3 times
 SFTP IPv4 server                    :Enable
 SFTP IPv6 server                    :Enable
 STELNET IPv4 server                 :Enable
 STELNET IPv6 server                 :Enable
 SCP IPv4 server                     :Enable
 SCP IPv6 server                     :Enable
 SSH server source                   :0.0.0.0
 ACL4 number                         :0
 ACL6 number                         :0
Table 2-45  Description of the display ssh server status command output

Item

Description

SSH version

Protocol version used for the SSH session connection.

SSH connection timeout

Timeout interval of SSH server authentication, in seconds.

Run the ssh server timeout command to set this item.

SSH server key generating interval

Interval for generating an SSH server password, in hours.

Run the ssh server rekey-interval command to set this item.

SSH authentication retries

Number of times for retrying the SSH session connection.

Run the ssh server authentication-retries command to set this item.

SFTP IPv4 server

SFTP IPv4 service status.

Run the sftp ipv4 server enable command to set this item.

SFTP IPv6 server

SFTP IPv6 service status.

Run the sftp ipv6 server enable command to set this item.

STELNET IPv4 server

STelnet IPv4 service status.

Run the stelnet ipv4 server enable command to set this item.

STELNET IPv6 server

STelnet IPv6 service status.

Run the stelnet ipv6 server enable command to set this item.

SCP IPv4 server

SCP IPv4 service status.

Run the scp ipv4 server enable command to set this item.

SCP IPv6 server

SCP IPv6 service status.

Run the scp ipv6 server enable command to set this item.

SSH server source

Source address of the SSH server.

Run the ssh server-source -i loopback interface-number command to set this item.

ACL4 number

ACL4 number of the SSH server.

Run the ssh server acl acl-number command to set this item.

ACL6 number

ACL6 number of the SSH server.

Run the ssh ipv6 server acl acl-number command to set this item.

# Display the current session connection information on the SSH server.

<HUAWEI> display ssh server session
  Session 1:
       Conn                 : VTY 10
       Version              : 2.0
       State                : started
       Username             : client002
       Retry                : 1
       CTOS Cipher          : aes256-cbc
       STOC Cipher          : aes256-cbc
       CTOS Hmac            : hmac-sha2_256
       STOC Hmac            : hmac-sha2_256
       CTOS Compress        : none
       STOC Compress        : none
       Kex                  : diffie-hellman-group1-sha1
       Public Key           : rsa
       Service Type         : sftp
       Authentication Type  : password
  Session 2:
       Conn                 : VTY 14
       Version              : 2.0
       State                : started
       Username             : client001
       Retry                : 1
       CTOS Cipher          : aes256-cbc
       STOC Cipher          : aes256-cbc
       CTOS Hmac            : hmac-sha2_256
       STOC Hmac            : hmac-sha2_256
       CTOS Compress        : none
       STOC Compress        : none
       Kex                  : diffie-hellman-group1-sha1
       Public Key           : dsa
       Service Type         : stelnet
       Authentication Type  : password 
Table 2-46  Description of the display ssh server session command output

Item

Description

Session

SSH session ID.

Conn

Connection used by the SSH session.

Version

Protocol version used for the SSH session connection.

State

Status of the SSH session connection.

Username

User name for SSH session connection.

Run the ssh user command to set this item.

Retry

Number of times for retrying the SSH session connection.

Run the ssh server authentication-retries command to set this item.

CTOS Cipher

Encryption algorithm name from client to server.

STOC Cipher

Encryption algorithm name from server to client.

CTOS Hmac

HMAC algorithm name from client to server.

STOC Hmac

HMAC algorithm name from server to client.

CTOS Compress

Whether data is compressed for transmission from client to server, which can be specified for an SCP connection.

STOC Compress

Whether data is compressed for transmission from server to client, which can be specified for an SCP connection.

Kex

Key exchange algorithm name.

Public Key

Public key algorithm used for server authentication, which can be RSA, DSA, or ECC.

Service Type

Service type for an SSH user. The options are as follows:
  • sftp
  • stelnet
  • all (including SCP, SFTP and STelnet)

Run the ssh user service-type command to set this item.

Authentication Type

Authentication mode for an SSH user. The options are as follows:
  • password
  • rsa
  • dsa
  • ecc
  • password-rsa (password and RSA)
  • password-dsa (password and DSA)
  • password-ecc (password and ECC)
  • all (password, ECC, DSA, or RSA)

Run the ssh user authentication-type command to set this item.
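An added example (not Huawei code) that turns the session listing above into a quick audit: it parses each Session block and reports negotiated algorithms worth retiring, such as the aes256-cbc cipher and the diffie-hellman-group1-sha1 key exchange shown in the output. The sample input is constructed from the page's output, with session 2 changed to modern algorithms for contrast.

```python
"""Audit the algorithms negotiated in `display ssh server session` output.

Added example, not Huawei code. It reports CBC or RC4 ciphers, SHA-1 based
key exchange (diffie-hellman-group1-sha1 also uses a 1024-bit group), SHA-1
or MD5 MACs, DSA host keys (ssh-dss is fixed at 1024 bits) and any protocol
version other than 2.0.
"""
import re

# Constructed sample in the format of the output on this page: session 1 is
# copied from the page, session 2 has been given modern algorithms.
SAMPLE_OUTPUT = """\
  Session 1:
       Conn                 : VTY 10
       Version              : 2.0
       State                : started
       Username             : client002
       Retry                : 1
       CTOS Cipher          : aes256-cbc
       STOC Cipher          : aes256-cbc
       CTOS Hmac            : hmac-sha2_256
       STOC Hmac            : hmac-sha2_256
       CTOS Compress        : none
       STOC Compress        : none
       Kex                  : diffie-hellman-group1-sha1
       Public Key           : rsa
       Service Type         : sftp
       Authentication Type  : password
  Session 2:
       Conn                 : VTY 14
       Version              : 2.0
       State                : started
       Username             : client001
       Retry                : 1
       CTOS Cipher          : aes256-ctr
       STOC Cipher          : aes256-ctr
       CTOS Hmac            : hmac-sha2_256
       STOC Hmac            : hmac-sha2_256
       CTOS Compress        : none
       STOC Compress        : none
       Kex                  : diffie-hellman-group14-sha256
       Public Key           : dsa
       Service Type         : stelnet
       Authentication Type  : password
"""

SESSION_RE = re.compile(r"^\s*Session (\d+):")
FIELD_RE = re.compile(r"^\s*(\S.*?)\s*:\s*(.*?)\s*$")


def parse_sessions(text: str) -> list:
    """Split the output into one dict of field -> value per session."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"Session": int(m.group(1))})
            continue
        m = FIELD_RE.match(line)
        if m and sessions:
            sessions[-1][m.group(1)] = m.group(2)
    return sessions


def session_findings(s: dict) -> list:
    """Return human-readable findings for one parsed session."""
    findings = []
    if s.get("Version") != "2.0":
        findings.append(f"protocol version {s.get('Version')} is not 2.0")
    for side in ("CTOS Cipher", "STOC Cipher"):
        alg = s.get(side, "").lower()
        if alg.endswith("-cbc") or "arcfour" in alg or "rc4" in alg:
            findings.append(f"{side}: {alg} is a CBC or RC4 cipher")
    for side in ("CTOS Hmac", "STOC Hmac"):
        alg = s.get(side, "").lower()
        if "sha1" in alg or "md5" in alg:
            findings.append(f"{side}: {alg} uses SHA-1 or MD5")
    kex = s.get("Kex", "").lower()
    if "sha1" in kex or "group1-" in kex:
        findings.append(f"Kex: {kex} uses SHA-1 or a 1024-bit DH group")
    if s.get("Public Key", "").lower() == "dsa":
        findings.append("Public Key: DSA host key is limited to 1024 bits")
    return findings


def audit_sessions(text: str) -> dict:
    """Map each session ID to its list of findings (empty list = clean)."""
    return {s["Session"]: session_findings(s) for s in parse_sessions(text)}


if __name__ == "__main__":
    for sid, findings in audit_sessions(SAMPLE_OUTPUT).items():
        print(f"Session {sid}: {'clean' if not findings else ''}")
        for f in findings:
            print("  -", f)
```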

display ssh server-info

Function

The display ssh server-info command displays the binding between SSH servers and RSA, DSA, or ECC public keys when the current device works as an SSH client.

Format

display ssh server-info

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

When the SSH client needs to authenticate the server, the server public key saved on the local host is used to authenticate the connected SSH server. If the authentication fails, you can run the display ssh server-info command to check whether the saved server public key is correct.

Example

# Display all bindings between the SSH servers and public keys on the SSH client.

<HUAWEI> display ssh server-info
Server Name(IP)                  Server Public Key Type  Server public key name
______________________________________________________________________________

192.168.50.207                   RSA                     192.168.50.207
192.168.50.204                   DSA                     192.168.50.204
192.168.50.208                   ECC                     192.168.50.208
Table 2-47  Description of the display ssh server-info command output

Item

Description

Server Name(IP)

Host name of the SSH server.

Server Public Key Type

Type of the public key on the SSH server.

Server public key name

Name of the public key on the SSH server.

display ssh user-information

Function

The display ssh user-information command displays the configuration of all SSH users.

Format

display ssh user-information [ username ]

Parameters

Parameter Description Value
username Displays the SSH user name.
The value is a string of 1 to 64 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

Views

All views

Default Level

3: Management level

Usage Guidelines

This command displays the SSH user name, bound RSA, DSA, or ECC public key name, and service type.

Example

# Display the configuration of the SSH user named client001.

<HUAWEI> display ssh user-information client001
       User Name            : client001
       Authentication-type  : password
       User-public-key-name : -
       User-public-key-type : -
       Sftp-directory       : -
       Service-type         : stelnet
       Authorization-cmd    : No 

# Display the configuration of all SSH users.

<HUAWEI> display ssh user-information
  User 1:
       User Name            : client001
       Authentication-type  : password
       User-public-key-name : -
       User-public-key-type : -
       Sftp-directory       : -
       Service-type         : stelnet
       Authorization-cmd    : No
  User 2:
       User Name            : client002
       Authentication-type  : dsa
       User-public-key-name : dsakey001
       User-public-key-type : dsa
       Sftp-directory       : cfcard:
       Service-type         : sftp
       Authorization-cmd    : No
Table 2-48  Description of the display ssh user-information command output

Item

Description

User Name

SSH user name.

Run the ssh user command to set this item.

Authentication-type

Authentication mode for an SSH user. The options are as follows:
  • password
  • rsa
  • dsa
  • ecc
  • password-rsa (password and RSA)
  • password-dsa (password and DSA)
  • password-ecc (password and ECC)
  • all (password, ECC, DSA, or RSA)

Run the ssh user authentication-type command to set this item.

User-public-key-name

Peer RSA, DSA, or ECC public key assigned to an SSH user.

Run the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command to set this item.

User-public-key-type

The public key type for an SSH user can be RSA, DSA, or ECC.

Sftp-directory

SFTP service directory of an SSH user.

Run the ssh user sftp-directory command to set this item.

Service-type

Service type for an SSH user. The options are as follows:
  • sftp
  • stelnet
  • all: The service types are SFTP and STelnet.

Run the ssh user service-type command to set this item.

Authorization-cmd

Command line authentication mode configured for an SSH user.

Run the ssh user authorization-cmd aaa command to set this item.

display telnet server status

Function

The display telnet server status command displays the status and configuration of a Telnet server.

Format

display telnet server status

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

  • To check whether a device functions as a Telnet server, run the display telnet server status command.
  • If you have set a port number for the Telnet server using the telnet server port port-number command, run the display telnet server status command to check the port number.

Example

# Display the status and configuration of the Telnet server.

<HUAWEI> display telnet server status
 TELNET IPv4 server                       :Enable
 TELNET IPv6 server                       :Enable
 TELNET server port                       :23
 TELNET server source address             :0.0.0.0                              
 ACL4 number                              :0                                    
 ACL6 number                              :0 
Table 2-49  Description of the display telnet server status command output

Item

Description

TELNET IPv4 server

IPv4 Telnet server.

TELNET IPv6 server

IPv6 Telnet server.

TELNET server port

Listening port number of the Telnet server.

TELNET server source address

Source address of the Telnet server.

ACL4 number

ACL4 number of the Telnet server.

ACL6 number

ACL6 number of the Telnet server.

display telnet-client

Function

The display telnet-client command displays the source parameters when a device works as a Telnet client.

Format

display telnet-client

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

After setting source parameters of a Telnet client, you can run this command to check the setting result. If you have not run the telnet client-source command, the default source IP address is 0.0.0.0.

Example

# Display the source parameters of the device functioning as a Telnet client.

<HUAWEI> display telnet-client
 The source address of telnet client is 10.1.1.1
Table 2-50  Description of the display telnet-client command output

Item

Description

The source address of telnet client is 10.1.1.1

The source IP address of the Telnet client is 10.1.1.1.

dsa local-key-pair create

Function

The dsa local-key-pair create command generates the local DSA host key pairs.

Format

dsa local-key-pair create

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Compared with RSA, Digital Signature Algorithm (DSA) has a wider application in the SSH protocol. The asymmetric encryption system generates public and private keys to implement secure key exchange, thereby ensuring secure sessions.

If a DSA key exists, when you run this command, the system prompts you to confirm whether to change the original key. If you agree, the key in the new key pair is named device name_Host_DSA, for example, HUAWEI_Host_DSA. The local DSA private key is saved in PKCS#8 format to the hostkey_dsa file in the system NOR FLASH.

After you enter the command, the device prompts you to enter the number of bits in the host key. The length of a host key pair can be 1024 or 2048. By default, the key length is 2048.

Precautions

This command is not saved in a configuration file and can take effect immediately after being run. After the device restarts, you do not need to run the command again.

To improve security of the device, it is recommended that you use a key pair of 2048 bits.

Example

# Generate DSA key pairs on the device.

<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA.                                                                                
Info: The key modulus can be any one of the following : 1024, 2048.                                                            
Info: If the key modulus is greater than 512, it may take a few minutes.        
Please input the modulus [default=2048]:                                        
Info: Generating keys...                                                        
Info: Succeeded in creating the DSA host keys.

dsa local-key-pair destroy

Function

The dsa local-key-pair destroy command deletes local DSA host key pairs.

Format

dsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

DSA applies to SSH verification. The asymmetric encryption system generates public and private keys to implement secure key exchange, thereby ensuring secure sessions. You can run the dsa local-key-pair create command to generate local DSA keys. When local DSA keys are unnecessary, you can run the dsa local-key-pair destroy command to delete these keys.

Prerequisite

The local DSA keys have been created.

Configuration Impact

After you run this command, the **_DSA file that stores DSA keys on the active and standby MPUs is cleared.

Precautions

The dsa local-key-pair destroy command takes effect once, and therefore will not be saved in the configuration file.

Example

# Delete local DSA keys.

<HUAWEI> system-view
[HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_DSA.                                                       
Warning: These keys will be destroyed. Continue? [Y/N]:y                                                             
Info: Succeeded in destroying the DSA host keys. 

dsa peer-public-key

Function

The dsa peer-public-key command configures an encoding format for a DSA public key and displays the DSA public key view.

The undo dsa peer-public-key command deletes a DSA public key.

By default, no encoding format is configured for a DSA public key.

Format

dsa peer-public-key key-name encoding-type { der | openssh | pem }

undo dsa peer-public-key key-name

Parameters

Parameter

Description

Value

key-name Specifies the public key name. The value is a string of 1 to 30 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

encoding-type Specifies an encoding format for a DSA public key. -
der

Specifies the Distinguished Encoding Rules (DER) format for a DSA public key.

DER encodes data in hexadecimal format.

-
openssh

Specifies the OpenSSH format for a DSA public key.

OpenSSH encodes data in base-64 format.

OpenSSH is an encoding format based on PEM.

-
pem

Specifies the Privacy Enhanced Mail (PEM) format for a DSA public key.

PEM encodes data in base-64 format.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you use a DSA public key for authentication, you must specify the public key of the corresponding client for an SSH user on the server. When the client logs in to the server, the server uses the specified public key to authenticate the client. You can also save the public key generated on the server to the client. Then the client can be successfully authenticated by the server when it logs in to the server for the first time.

Huawei data communications devices support the DER, OpenSSH and PEM formats for DSA keys. If you use a DSA key in non-DER/OpenSSH/PEM format, use a third-party tool to convert the key into a key in DER, OpenSSH or PEM format.

Because no third-party conversion tool is released with Huawei system software, relying on key conversion alone makes DSA inconvenient to use. To improve DSA usability, DSA keys support the OpenSSH format in addition to DER and PEM.

Third-party software, such as SecureCRT, PuTTY, OpenSSH, and OpenSSL, can be used to generate DSA keys in different formats. The details are as follows:
  • SecureCRT and PuTTY generate DSA keys in PEM format.
  • OpenSSH generates DSA keys in OpenSSH format.
  • OpenSSL generates DSA keys in DER format.

OpenSSL is open source software. You can download related documents from the OpenSSL official website.

After you configure an encoding format for a DSA public key, the Huawei data communications device automatically generates a DSA public key in the configured encoding format and enters the DSA public key view. Then, you can run the public-key-code begin command and manually copy the DSA public key generated on the peer device to the local device.

Follow-up Procedure

After you copy the DSA public key generated on the peer device to the local device, perform the following operations to exit the DSA public key view:
  1. Run the public-key-code end command to return to the DSA public key view.
  2. Run the peer-public-key end command to exit the DSA public key view and return to the system view.

Precautions

If a DSA public key has been assigned to an SSH client, run the undo ssh user user-name assign { rsa-key | dsa-key | ecc-key } command to release the binding between the public key and the SSH client. If you do not release the binding between them, the undo dsa peer-public-key command will fail to delete the DSA public key.

The peer public key supports only PKCS#1. Other PKCS versions are not supported.

Example

# Configure an encoding format for a DSA public key and enter the DSA public key view.

<HUAWEI> system-view
[HUAWEI] dsa peer-public-key 23 encoding-type der
[HUAWEI-dsa-public-key]

ecc local-key-pair create

Function

The ecc local-key-pair create command generates a local Elliptic Curves Cryptography (ECC) host key pair.

Format

ecc local-key-pair create

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A local key pair is a prerequisite for a successful SSH login. Compared with the RSA algorithm used by the rsa local-key-pair create command, the ECC algorithm uses shorter keys, encrypts faster, and improves security. The length of the server key pair and the host key pair can be 256, 384, or 521 bits. By default, the key pair length is 521 bits.

Precautions

  • The generated ECC host key pair is named in the format of switch name_Host_ECC, such as HUAWEI_Host_ECC.

    The local ECC private key is saved in PKCS#8 format to the hostkey_ecc file in the system NOR FLASH.

  • The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the switch restarts.

  • Do not delete the ECC key file from the switch. If the ECC key file is deleted, the ECC key pair cannot be restored after the switch is restarted.

Example

# Generate a local ECC host key pair.

<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The ECC host key named HUAWEI_Host_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

# Enter an invalid key length five times, which is the maximum number of retry attempts.

<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: HUAWEI_Host_ECC.
Info: The ECC host key named HUAWEI_Host_ECC already exists.
Warning: Do you want to replace it ?[Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=521]:123
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:1024
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:512
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:2048
Error: Invalid ECC key modulus.
Please input the modulus [default=521]:4096
Error: Invalid ECC key modulus.
Error: The maximum number of retries has reached, and the command has already been canceled.

ecc local-key-pair destroy

Function

The ecc local-key-pair destroy command deletes the local Elliptic Curves Cryptography (ECC) keys.

Format

ecc local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command to delete them.

Configuration Impact

After the ecc local-key-pair destroy command is run, the ECC key files on the device are cleared. Exercise caution when running the command.

Precautions

  • The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the switch restarts.

  • Do not delete the ECC key file from the switch. If the ECC key file is deleted, the ECC key pair cannot be restored after the switch is restarted.

Example

# Delete the local ECC host key pair and server key pair.

<HUAWEI> system-view
[HUAWEI] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_ECC.
Warning: These keys will be destroyed. Continue? [Y/N]:Y
Info: Succeeded in destroying the ECC host keys.

ecc peer-public-key

Function

The ecc peer-public-key command creates an ECC public key and enters the Elliptic Curves Cryptography (ECC) public key view.

The undo ecc peer-public-key command deletes an ECC public key.

By default, no ECC public key is created.

Format

ecc peer-public-key key-name encoding-type { der | pem | openssh }

undo ecc peer-public-key key-name

Parameters

Parameter Description Value
key-name Specifies an ECC public key name. The value is a string of 1 to 30 case-sensitive characters, spaces not supported.
encoding-type Indicates the encoding type of an ECC public key. -
der

Specifies DER as the encoding type of an ECC public key.

If DER is specified, data is encoded in hexadecimal notation.

-
openssh

Specifies OpenSSH as the encoding type of an ECC public key.

If OpenSSH is specified, data is Base64 encoded.

OpenSSH is derived from PEM.

-
pem

Specifies PEM as the encoding type of an ECC public key.

If PEM is specified, data is Base64 encoded.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When ECC public key authentication is used, a client's public key must be specified on the server for an SSH user. When the client logs in to the server, the server performs authentication on the client based on the public key of the SSH user.

After the ECC public key is created and the ECC public key view is displayed, run the public-key-code begin command; you can then manually copy the client's public key to the server.

The client's public key is randomly generated by the client software.

If an ECC public key has been assigned to an SSH client, delete the binding between the public key and the SSH client before deleting the ECC public key. Otherwise, the undo ecc peer-public-key command will fail to delete the ECC public key.

Follow-up Procedure

After copying the client's ECC public key to the server, run the following commands to quit the ECC public key view:
  1. Run the public-key-code end command to return to the ECC public key view.
  2. Run the peer-public-key end command to quit the ECC public key view and return to the system view.

Precautions

A maximum of 20 ECC public keys can be created.

The peer public key supports only PKCS#1. Other PKCS versions are not supported.

Example

# Create an ECC public key and enter the ECC public key view.

<HUAWEI> system-view
[HUAWEI] ecc peer-public-key ecc-peer-key encoding-type pem
Info: Enter "ECC public key" view, return system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin
Info: Enter "ECC key code" view, return the last view with "public-key-code end". 
[HUAWEI-ecc-key-code] ---- BEGIN SSH2 PUBLIC KEY ----
[HUAWEI-ecc-key-code] AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACDBL5J4v3pqi5S
[HUAWEI-ecc-key-code] ALI9lvLw4cdvtpD2AC6sEJXg9GDCD5vGBnkXlKmnOy6d1TyrXx57ZPNnrSdqVkHC
[HUAWEI-ecc-key-code] sMBa63vSwg1XsVW2qZgx8H57+FJiTPY61b1Vfst9GUif1ymfpB7XrbdYZDownoh0
[HUAWEI-ecc-key-code] FZNadZtIf2CRc0OeiKXbCSPP25dfoT/DTcc=
[HUAWEI-ecc-key-code] ---- END SSH2 PUBLIC KEY ----
[HUAWEI-ecc-key-code] public-key-code end
[HUAWEI-ecc-public-key] peer-public-key end

# Delete an ECC public key.

<HUAWEI> system-view
[HUAWEI] undo ecc peer-public-key ecc-peer-key
Warning: The public key named ecc-peer-key will be deleted. Continue? [Y/N]:Y
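The following is an added example (not Huawei code) that validates a key block like the one pasted in the example above before it is trusted: it strips the RFC 4716 armour, decodes the SSH wire-format blob (string key type, string curve, string Q) and checks the key type, curve name and point encoding against RFC 5656. On the sample block shown above the point is 131 bytes rather than the 133 that nistp521 requires, so the check reports it; a key exported by a real client should pass.

```python
"""Validate an RFC 4716 ("---- BEGIN SSH2 PUBLIC KEY ----") ECC key block.

Added example, not Huawei code. Before an ECDSA client key is pasted into
the ECC public key view, decode the SSH wire-format blob inside the armour
and confirm it is what it claims to be: string key type, string curve name,
string Q, where Q is an uncompressed point 0x04 || X || Y whose length is
fixed by the curve (RFC 5656).
"""
import base64

# Key block taken from the ecc peer-public-key example on this page.
SSH2_KEY_TEXT = """\
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACDBL5J4v3pqi5S
ALI9lvLw4cdvtpD2AC6sEJXg9GDCD5vGBnkXlKmnOy6d1TyrXx57ZPNnrSdqVkHC
sMBa63vSwg1XsVW2qZgx8H57+FJiTPY61b1Vfst9GUif1ymfpB7XrbdYZDownoh0
FZNadZtIf2CRc0OeiKXbCSPP25dfoT/DTcc=
---- END SSH2 PUBLIC KEY ----
"""

# Coordinate size in bytes for the curves SSH defines (RFC 5656 section 10).
CURVE_COORD_BYTES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}


def unarmor_ssh2(text: str) -> bytes:
    """Strip the RFC 4716 armour and header lines; return the raw blob."""
    body, inside = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "---- BEGIN SSH2 PUBLIC KEY ----":
            inside = True
        elif line == "---- END SSH2 PUBLIC KEY ----":
            break
        elif inside and line and ":" not in line:  # skip "Comment:" headers
            body.append(line)
    if not inside or not body:
        raise ValueError("no SSH2 public key block found")
    return base64.b64decode("".join(body), validate=True)


def _read_string(blob: bytes, pos: int):
    """Read one SSH 'string' (uint32 length + bytes) starting at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    n = int.from_bytes(blob[pos:pos + 4], "big")
    pos += 4
    if pos + n > len(blob):
        raise ValueError("string runs past the end of the blob")
    return blob[pos:pos + n], pos + n


def parse_ecdsa_blob(blob: bytes) -> dict:
    """Decode the three fields of an ecdsa-sha2-* public key and check them."""
    key_type, pos = _read_string(blob, 0)
    curve, pos = _read_string(blob, pos)
    point, pos = _read_string(blob, pos)
    key_type, curve = key_type.decode("ascii"), curve.decode("ascii")
    findings = []
    if pos != len(blob):
        findings.append(f"{len(blob) - pos} trailing bytes after the key")
    if not key_type.startswith("ecdsa-sha2-"):
        findings.append(f"not an ECDSA key type: {key_type}")
    elif key_type[len("ecdsa-sha2-"):] != curve:
        findings.append(f"key type {key_type} does not match curve {curve}")
    coord = CURVE_COORD_BYTES.get(curve)
    if coord is None:
        findings.append(f"unsupported curve {curve}")
    else:
        expected = 1 + 2 * coord
        if not point or point[0] != 0x04:
            findings.append("point is not in uncompressed (0x04) form")
        if len(point) != expected:
            findings.append(f"point is {len(point)} bytes, expected {expected}")
    return {"key_type": key_type, "curve": curve, "point_len": len(point),
            "uncompressed": bool(point) and point[0] == 0x04,
            "findings": findings}


def check_ssh2_public_key(text: str) -> dict:
    """Convenience wrapper: armour text in, validation report out."""
    return parse_ecdsa_blob(unarmor_ssh2(text))


if __name__ == "__main__":
    result = check_ssh2_public_key(SSH2_KEY_TEXT)
    print(result["key_type"], result["curve"], result["point_len"], "bytes")
    for f in result["findings"]:
        print("finding:", f)
```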

free http user-id

Function

The free http user-id command configures a device to release web users.

Format

free http user-id user-id

Parameters

Parameter Description Value
user-id Specifies the VTY ID of a web user to be released. You can run the display users command to query the VTY ID. The value is an integer that ranges from 1 to 256.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A maximum of five web users are supported at present. If one of the five web users is logged out unexpectedly, the user's client keeps its connection to the FTP server until the connection expires. During this period, other users cannot log in to the FTP server. To manually release the web user, run the free http user-id command.

Precautions

The free http user-id command is used only to release web users. The user-id of web users ranges from 89 to 93, and a maximum of five users are allowed to stay online concurrently. If you set user-id to a value smaller than 89 or greater than 93, the message "Error: The specified user does not exist or is not an HTTP user." is displayed.

Example

# Release the web user whose VTY ID is 89.

<HUAWEI> system-view
[HUAWEI] free http user-id 89

http acl

Function

The http acl command configures an ACL/ACL6 on the HTTPS server.

The undo http acl command deletes the ACL/ACL6 on the HTTPS server.

By default, no ACL/ACL6 is configured on the HTTPS server.

Format

HTTPS IPv4:

http acl acl-number

undo http acl

HTTPS IPv6:

http ipv6 acl acl6-number

undo http ipv6 acl

Parameters

Parameter Description Value
acl-number Specifies the ACL number for an HTTP IPv4 server. The value is an integer that ranges from 2000 to 3999.
acl6-number

Specifies the ACL6 number for an HTTP IPv6 server.

The value is an integer that ranges from 2000 to 3999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To ensure the security of an HTTPS server, you need to configure an ACL/ACL6 for it to specify clients that can log in to the current HTTPS server.

Precautions

  • The http acl command takes effect only after you run the rule command to configure the ACL/ACL6 rule.

  • After an ACL/ACL6 rule is modified, the HTTPS server does not forcibly log out an online user who matches the ACL/ACL6 rule until the user sends the next login request.

  • If the http acl command is configured several times, only the latest configuration takes effect.

Example

# Set the ACL number to 2000 for the HTTPS IPv4 server.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule 1 permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] http acl 2000

# Set the ACL6 number to 2000 for the HTTPS IPv6 server.

<HUAWEI> system-view
[HUAWEI] acl ipv6 2000
[HUAWEI-acl6-basic-2000] rule 1 permit source fc00:1::1 128
[HUAWEI-acl6-basic-2000] quit
[HUAWEI] http ipv6 acl 2000

http secure-server enable

Function

The http secure-server enable command enables the HTTPS service function.

The undo http secure-server enable command disables the HTTPS service function.

The http secure-server disable command disables the HTTPS service function.

By default, the HTTPS IPv4 service function is enabled, and the HTTPS IPv6 service function is disabled.

Format

http [ ipv6 ] secure-server enable

undo http [ ipv6 ] secure-server enable

http [ ipv6 ] secure-server disable

Parameters

Parameter Description Value
ipv6

Enables or disables the HTTPS IPv6 service function.

If this parameter is not specified, the HTTPS IPv4 service function is enabled or disabled.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After an SSL policy is loaded to an HTTPS server, the HTTPS server provides HTTPS service using SSL. The client and HTTPS server establish an SSL connection to protect user information from theft.

Prerequisites

The web page file has been loaded to the device.

Precautions

  • After the HTTPS service is enabled, only authenticated users can use the web browser to access the web network management system to manage devices.

  • After the HTTPS service is enabled, the SSL handshake negotiation is triggered.

  • After the http secure-server enable command is run, the device receives login connection requests from all interfaces by default. Therefore, there are security risks. You are advised to run the http server-source command to specify the source interface of the HTTP server.

Example

# Enable the HTTPS IPv4 service.

<HUAWEI> system-view
[HUAWEI] http secure-server enable

# Enable the HTTPS IPv6 service.

<HUAWEI> system-view
[HUAWEI] http ipv6 secure-server enable

http secure-server port

Function

The http secure-server port command sets a port number for an HTTPS server.

The undo http secure-server port command restores the default port number of an HTTPS server.

By default, the port number of an HTTPS server is 443.

Format

http [ ipv6 ] secure-server port port-number

undo http [ ipv6 ] secure-server port

Parameters

Parameter Description Value
ipv6 Specifies the port number for an HTTPS IPv6 server.

If this parameter is not specified, the command sets the port number for an HTTPS IPv4 server.

-
port-number Specifies the port number of an HTTPS server. The value is 443 or an integer that ranges from 1025 to 55535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, the port number of an HTTPS server is 443. Attackers may frequently access an HTTPS server through the default port, consuming bandwidth, degrading server performance, and preventing authorized users from accessing the server. You can run the http secure-server port command to specify another port number to prevent attackers from accessing the default port.

Precautions

If the http secure-server port command is configured several times, only the latest configuration takes effect.

Example

# Set the port number of an HTTPS IPv4 server to 8080.

<HUAWEI> system-view
[HUAWEI] http secure-server port 8080
# Set the port number of an HTTPS IPv6 server to 8080.
<HUAWEI> system-view
[HUAWEI] http ipv6 secure-server port 8080

http secure-server ssl-policy

Function

The http secure-server ssl-policy command configures an SSL policy for the HTTP server.

The undo http secure-server ssl-policy command restores the default SSL policy for the HTTP server.

A default SSL policy is available on an HTTP server.

Format

http secure-server ssl-policy policy-name

undo http secure-server ssl-policy

Parameters

Parameter: policy-name
Description: Specifies the name of an SSL policy.
Value: A string of 1 to 23 case-insensitive characters without spaces. The value can contain digits, letters, and underscores (_).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Traditional HTTP transmits data in plain text, which can be intercepted and tampered with. The identity of the server cannot be verified, so a plain HTTP server cannot ensure the security of online applications such as e-commerce and online banking. You can run the http secure-server ssl-policy command to configure an SSL policy for the HTTP server to encrypt data, authenticate the server to the client, and check message integrity during web access.

Prerequisites

Before running the http secure-server ssl-policy command, you must first run the ssl policy command to create an SSL policy on the HTTP server.

Precautions

  • The device provides a default SSL policy named Default. After the web page file is loaded to the device, the default SSL policy is loaded automatically, so an SSL policy does not have to be configured for HTTPS to work. The certificate used by the default policy is shipped inside the web page file rather than issued for this device. To enhance device security, obtain a digital certificate from your CA and manually configure an SSL policy that uses it.

  • Only one SSL policy can be configured for the HTTP server, and the latest configured SSL policy takes effect.

Example

# Configure an SSL policy for the HTTP server.

<HUAWEI> system-view
[HUAWEI] http secure-server ssl-policy http_server

http server enable

Function

The http server enable command enables the HTTP server function.

The undo http server enable command disables the HTTP server function.

The http server disable command disables the HTTP server function.

By default, the HTTP IPv4 server function is enabled, and the HTTP IPv6 server function is disabled.

Format

http [ ipv6 ] server enable

undo http [ ipv6 ] server enable

http [ ipv6 ] server disable

Parameters

Parameter: ipv6
Description: Enables or disables the HTTP IPv6 server function. If this parameter is not specified, the HTTP IPv4 server function is enabled or disabled.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After running the http server enable command to enable the HTTP server, you can use the browser to access the web NMS to manage devices.

If the web page to load does not exist, the HTTP service cannot be enabled.

Prerequisites

The HTTPS service has been enabled using the http secure-server enable command.

Precautions

After the http server enable command is run, the device accepts login connection requests on all interfaces by default, which exposes the management service to every network the device is attached to. You are advised to run the http server-source command to specify the source interface of the HTTP server.

Example

# Enable the HTTP IPv4 server.

<HUAWEI> system-view
[HUAWEI] http secure-server enable
[HUAWEI] http server enable
Warning: HTTP is not a secure protocol, and it is recommended to use HTTPS.
Info: Succeeded in starting the HTTP server.

# Enable the HTTP IPv6 server.
<HUAWEI> system-view
[HUAWEI] http ipv6 secure-server enable
[HUAWEI] http ipv6 server enable
Warning: HTTP is not a secure protocol, and it is recommended to use HTTPS.
Info: Succeeded in starting the HTTP IPv6 server.

http server load

Function

The http server load command loads a web page file.

The undo http server load command cancels loading of a specified web page file.

By default, the web page file in the system software has been loaded to the system.

Format

http server load { file-name | default }

undo http server load

Parameters

Parameter: file-name
Description: Specifies the name of the web page file to load. The web page file must be stored in the root directory of the storage device.
Value: A string of 4 to 64 characters without spaces. The file name is in the *.web.7z format.

Parameter: default
Description: Specifies the web page file in the current system software that is to be loaded.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To manage and maintain devices from a graphical user interface (GUI), configure the web network management function. When the web page file needs to be updated while web network management is in use, run this command to load the new web page file.

Prerequisites

Before loading the web page file using the http server load command, ensure that the web page file has been stored to the root directory of the storage device on the device; otherwise, file loading will fail.

Precautions

  • If the system software is upgraded from V200R006 or an earlier version to V200R007 or a later version and the target software version conflicts with the configuration file for next startup, the device cancels the configuration that loaded the web page file from the original system software and instead loads the web page file integrated in the new system software by default.

  • The web page file contains the SSL certificate, which is used to authenticate the HTTP server during login to ensure information security. When a user attempts to log in to the device through HTTP, the HTTPS login page is pushed to the user. After the user is authenticated, the system returns to the HTTP page. The SSL certificate is also used in the HTTPS login mode to ensure security of user information and data exchanged between the client and server. You can load a new digital certificate to the device.

  • If the loaded web page file does not exist, the HTTP service cannot be enabled when the device restarts.

  • A loaded web page file cannot simply be unloaded; to stop using it, load another web page file in its place.

Example

# Load the web page file web_1.web.7z.

<HUAWEI> system-view
[HUAWEI] http server load web_1.web.7z

http server port

Function

The http server port command sets the listening port number of the HTTP server.

The undo http server port command restores the default listening port number of the HTTP server.

By default, the listening port number of the HTTP server is 80.

Format

http [ ipv6 ] server port port-number

undo http [ ipv6 ] server port

Parameters

Parameter: ipv6
Description: Specifies a listening port number for an HTTP IPv6 server. If this parameter is not specified, the command configures a listening port number for an HTTP IPv4 server.
Value: -

Parameter: port-number
Description: Specifies the listening port number of the HTTP server.
Value: 80, or an integer that ranges from 1025 to 55535. The default value is 80.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, the listening port number of the HTTP server is 80. Attackers may frequently probe the default listening port, which wastes bandwidth, degrades server performance, and prevents authorized users from reaching the HTTP server. You can run the http server port command to move the server to another listening port so that opportunistic access to the default port fails. As with HTTPS, a changed port is not access control: a port scan still finds the server, so combine it with the http server-source command.

Precautions

If the http server port command is configured several times, only the latest configuration takes effect.

Example

# Set the listening port number of the HTTP IPv4 server to 1025.

<HUAWEI> system-view
[HUAWEI] http server port 1025

# Set the listening port number of the HTTP IPv6 server to 1500.

<HUAWEI> system-view
[HUAWEI] http ipv6 server port 1500

http server-source

Function

The http server-source command specifies a source interface for an HTTP server.

The undo http server-source command cancels the source interface specified for an HTTP server.

By default, no source interface is specified for an HTTP server.

Format

http server-source -i loopback interface-number

undo http server-source

Parameters

Parameter: -i loopback interface-number
Description: Specifies a loopback interface as the source interface of an HTTP server.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, an HTTP server accepts login requests on all interfaces, so the system is exposed to attack from any attached network. To enhance system security, specify a source interface for the HTTP server so that management connections are accepted only through the address of that interface.

Prerequisites

A loopback interface has been configured.

Configuration Impact

Users can log in to the HTTP server only through the specified source interface.

After you run the http server-source command, HTTP IPv4 users that are already logged in to the server are forcibly logged out and must log in again.

Precautions

After the source interface of an HTTP server is specified using the http server-source command, ensure that HTTP users can access the source interface at Layer 3. Otherwise, the HTTP users will fail to log in to the HTTP server.

Example

# Specify loopback 0 as the source interface of an HTTP server.

<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] quit
[HUAWEI] http server-source -i loopback 0

http timeout

Function

The http timeout command sets the idle timeout duration of the web server.

The undo http timeout command restores the default idle timeout duration of the web server.

By default, the idle timeout duration of the web server is 20 minutes.

Format

http timeout timeout

undo http timeout

Parameters

Parameter: timeout
Description: Specifies the idle timeout duration of the web server for online users.
Value: An integer that ranges from 1 to 60, in minutes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A maximum of five web users are supported at present. Once five web users are logged in, no further user can log in, even if one of the five has not performed any operation for a long time. The idle timeout releases these web sessions in time. If a session must stay open for a long period without activity, set the idle timeout to the maximum value; otherwise keep it as short as operations allow, because an idle browser session remains usable by anyone who reaches that browser until the timeout expires.

Precautions

  • After you run the http timeout command, the idle timeout is the same for all web users logged in to the web server. When the idle timeout expires, the user is disconnected from the web server, but is only told so when the next request is sent.

  • If the http timeout command is configured several times, only the latest configuration takes effect.

Example

# Set the idle timeout duration of the web server to 6 minutes.

<HUAWEI> system-view
[HUAWEI] http timeout 6
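The settings recommended across the http server-source, http secure-server ssl-policy, http server port, http secure-server port and http timeout commands above can be checked mechanically. The following Python is an added example, not Huawei code: it folds the http lines of a constructed configuration excerpt into the resulting server state (applying the defaults this reference states, and assuming HTTPS is off unless the configuration enables it, since this excerpt does not give its default) and reports the weak settings beside a hardened version of the same excerpt. The idle-timeout ceiling is an assumed site policy, not a device limit.

```python
"""Audit the web-management lines of a VRP-style configuration against this section's guidance.

Added example, not Huawei code; both configurations below are constructed. Defaults follow
this reference (HTTP IPv4 on, HTTP IPv6 off, ports 80 and 443, idle timeout 20 minutes);
HTTPS is assumed off unless the configuration enables it, since this excerpt does not state
its default. The maximum acceptable idle timeout is an assumed site policy, not a device limit.
"""
import re

DEFAULT_PORT = {"http": 80, "https": 443}
_SVC = r"(?P<undo>undo\s+)?http(?P<v6>\s+ipv6)?\s+(?P<svc>secure-server|server)\s+"
_ENABLE = re.compile(r"^\s*" + _SVC + r"(?P<verb>enable|disable)\s*$")
_PORT = re.compile(r"^\s*" + _SVC + r"port(?:\s+(?P<port>\d+))?\s*$")
_SOURCE = re.compile(r"^\s*(?P<undo>undo\s+)?http\s+server-source(?:\s+-i\s+loopback\s+(?P<n>\d+))?\s*$")
_POLICY = re.compile(r"^\s*(?P<undo>undo\s+)?http\s+secure-server\s+ssl-policy(?:\s+(?P<name>\S+))?\s*$")
_TIMEOUT = re.compile(r"^\s*(?P<undo>undo\s+)?http\s+timeout(?:\s+(?P<min>\d+))?\s*$")

def parse_web_mgmt(config_text: str) -> dict:
    """Fold the http lines of a configuration into the resulting server state."""
    st = {"http": {4: True, 6: False}, "https": {4: False, 6: False},
          "port": {("http", 4): 80, ("http", 6): 80, ("https", 4): 443, ("https", 6): 443},
          "server_source": None, "ssl_policy": None, "timeout": 20}
    for line in config_text.splitlines():
        if m := _ENABLE.match(line):
            svc = "https" if m["svc"] == "secure-server" else "http"
            st[svc][6 if m["v6"] else 4] = m["verb"] == "enable" and not m["undo"]
        elif m := _PORT.match(line):
            svc = "https" if m["svc"] == "secure-server" else "http"
            custom = m["port"] and not m["undo"]
            st["port"][(svc, 6 if m["v6"] else 4)] = int(m["port"]) if custom else DEFAULT_PORT[svc]
        elif m := _SOURCE.match(line):
            st["server_source"] = None if m["undo"] else f"LoopBack{m['n']}"
        elif m := _POLICY.match(line):
            st["ssl_policy"] = None if m["undo"] else m["name"]
        elif m := _TIMEOUT.match(line):
            st["timeout"] = int(m["min"]) if m["min"] and not m["undo"] else 20
    return st

def audit_web_mgmt(config_text: str, max_idle_minutes: int = 20) -> list:
    """Return (finding_id, message) pairs; an empty list means nothing to flag."""
    st, findings = parse_web_mgmt(config_text), []
    enabled = [(s, f) for s in ("http", "https") for f in (4, 6) if st[s][f]]
    for svc, fam in enabled:
        if svc == "http":
            findings.append(("HTTP_PLAINTEXT", f"HTTP IPv{fam} enabled: logins and management traffic "
                             "travel in plain text; keep only HTTPS (undo http server enable)."))
        if st["port"][(svc, fam)] == DEFAULT_PORT[svc]:
            findings.append(("DEFAULT_PORT", f"{svc.upper()} IPv{fam} listens on default port {DEFAULT_PORT[svc]}; "
                             "a non-default port reduces opportunistic hits but is not access control."))
    if enabled and st["server_source"] is None:
        findings.append(("NO_SOURCE_INTERFACE", "web management accepts connections on every interface; "
                         "bind it with http server-source -i loopback <n>."))
    if any(st["https"].values()) and st["ssl_policy"] is None:
        findings.append(("DEFAULT_SSL_POLICY", "HTTPS uses the policy 'Default' and the certificate shipped in "
                         "the web page file; configure an ssl policy with a CA-issued certificate."))
    if st["timeout"] > max_idle_minutes:
        findings.append(("IDLE_TIMEOUT_LONG", f"http timeout {st['timeout']} exceeds the site limit of "
                         f"{max_idle_minutes} minutes; an unattended browser session stays usable that long."))
    return findings

# Constructed excerpt of a configuration with the weak settings this section warns about.
WEAK_CONFIG = """\
#
http secure-server enable
http server enable
http server port 8080
http timeout 60
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
#
"""

# The same device after applying the guidance above.
HARDENED_CONFIG = """\
#
http secure-server enable
undo http server enable
http secure-server port 8443
http secure-server ssl-policy mgmt_ca
http server-source -i loopback 0
http timeout 10
#
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
#
"""
```

Feed audit_web_mgmt the text of a saved configuration; WEAK_CONFIG yields five findings (plaintext HTTP, HTTPS on its default port, no source interface, the default SSL policy, a 60-minute idle timeout) and HARDENED_CONFIG yields none.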

lock

Function

The lock command locks the current user interface to prevent unauthorized users from operating the interface.

By default, the system does not automatically lock the current user interface.

Format

lock

Parameters

None

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

Lock the current user interface using this command to prevent other users from operating the interface. The user interface can be console or VTY.

After running the lock command, you are prompted to enter a password twice. If the two entries match and meet the password requirements, the user interface is locked.

Precautions

  • The passwords must meet the following requirements:
    • The password must be a string of 8 to 16 case-sensitive characters.

    • The password must contain at least two types of the following characters: upper-case characters, lower-case characters, digits, and special characters.

      Special characters do not include the question mark (?) and space.

  • The password entered in interactive mode is not displayed on the screen.

  • You can press Ctrl+C to cancel the password-based locking operation.

  • To unlock the user interface, press Enter, and then enter the correct password as prompted.

Example

# Lock the current user interface after logging in through the console port.

<HUAWEI> lock
Please configure the login password (8-16)
Enter Password:
Confirm Password:
Info: The terminal is locked.

# To log in to the system again, press Enter. The following information is displayed:

Enter Password:

# Enter the correct password and return to the user view.

<HUAWEI>

matched upper-view

Function

The matched upper-view command allows a device to search for the undo command in the upper view, and returns to the upper view.

The undo matched upper-view command prohibits a device from searching for the undo command in the upper view.

By default, a device does not search for the undo command in the upper view.

Format

matched upper-view

undo matched upper-view

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

When the matched upper-view command has been run and you enter an undo command that is not registered in the current view, the device searches for that undo command in the upper view. If it finds the command there, it executes it in the upper view; if not, it keeps searching in successively higher views up to the system view.

Running this command brings security risks: an undo command mistyped or entered in the wrong sub-view can silently change a global setting. For example, if you run the undo ftp server command in the interface view, where it is not registered, the device searches the upper view (the system view), finds the command there, and disables the FTP server.

The matched upper-view command takes effect only for the login session in which it is run.

Example

# Allow a device to search for the undo command in the upper view.

<HUAWEI> system-view
[HUAWEI] matched upper-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo ftp server
Info: Succeeded in closing the FTP server.

# Prohibit a device from searching for the undo command in the upper view.

<HUAWEI> system-view
[HUAWEI] undo matched upper-view
[HUAWEI] interface gigabitethernet1/0/1
[HUAWEI-GigabitEthernet1/0/1] undo ftp server 
                                   ^
Error: Unrecognized command found at '^' position.

peer-public-key end

Function

The peer-public-key end command returns to the system view from the public key view and saves the configured public keys.

Format

peer-public-key end

Parameters

None

Views

Public key view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You must save the public key generated on the remote host to the local host so that the remote host passes the validity check performed by the local host. After editing a public key in the public key view, run this command to return to the system view.

Prerequisites

Before you run this command, the rsa peer-public-key command has been run to enter the RSA public key view, the dsa peer-public-key command has been run to enter the DSA public key view, or the ecc peer-public-key command has been run to enter the ECC public key view.

Example

# Return to the system view from the public key view.

<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]

public-key-code begin

Function

The public-key-code begin command displays the public key editing view.

Format

public-key-code begin

Parameters

None

Views

Public key view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To ensure that the remote host passes the validity check performed by the local host, the public key generated on the remote host must be saved to the local host. To save the public key, run the public-key-code begin command to enter the public key editing view and then enter the key. The key characters can contain spaces, and you can press Enter to continue the key on the next line.

Prerequisite

A key name has been specified using the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command.

Example

# Display the DSA public key editing view and enter the key data.

<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]

public-key-code end

Function

The public-key-code end command returns to the public key view from the public key editing view and saves the configured public key.

Format

public-key-code end

Parameters

None

Views

Public key editing view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After this command is run, editing the public key ends. Before saving the public key, the system will check the validity of the key.
  • If there are illegal characters in the public key configured by the user, the system displays an error prompt. The public key is then discarded, and the configuration fails.
  • If the public key configured is valid, it is saved in the public key chain table of the host.

Prerequisites

Before you run this command, the public-key-code begin command has been run to enter the public key edit view.

Precautions

  • Generally, the public key editing view can only be exited with the public-key-code end command. The quit command cannot be used.
  • If no valid key coding is input, the key cannot be generated after the public-key-code end command is used. The system prompts that key generation fails.
  • If the key has been deleted in another window, when you run the public-key-code end command, the system prompts that the key does not exist and returns to the system view.

Example

# Exit the DSA public key editing view and save the DSA key configuration.

<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
[HUAWEI-dsa-public-key] public-key-code begin
[HUAWEI-dsa-key-code] 308188
[HUAWEI-dsa-key-code] 028180
[HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[HUAWEI-dsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[HUAWEI-dsa-key-code] 171896FB 1FFC38CD
[HUAWEI-dsa-key-code] 0203
[HUAWEI-dsa-key-code] 010001
[HUAWEI-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end
[HUAWEI]

rsa local-key-pair create

Function

The rsa local-key-pair create command generates the local RSA host and server key pairs.

By default, the local RSA host and server key pairs are not configured.

Format

rsa local-key-pair create

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To implement secure data exchange between the server and client, run the rsa local-key-pair create command to generate a local key pair.

Precautions

If an RSA key pair already exists, the system prompts you to confirm whether to replace it. The keys in the new key pair are named <device name>_Server and <device name>_Host, for example, HUAWEI_Host and HUAWEI_Server. The local RSA private keys are encrypted with AES256 and saved to the hostkey and serverkey files in the system NOR flash.

After you run this command, the system prompts you to enter the number of bits in the host key modulus. In this version the server and host key pairs are 2048 bits long (the prompt in the example below offers a range of 2048 to 2048, so only the default can be accepted). Where different lengths are allowed, the server and host key lengths must differ by at least 128 bits.

The generated key pair is saved on the device and is not lost when the device restarts.

To improve security of the device, use a key pair of 2048 bits.

This command is not saved in a configuration file.

Example

# Generate the local RSA host and server key pairs.

<HUAWEI> system-view
[HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
The range of public key size is (2048 ~ 2048).
NOTES: If the key modulus is greater than 512,
       it will take a few minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++

rsa local-key-pair destroy

Function

The rsa local-key-pair destroy command deletes all local RSA host and server key pairs.

Format

rsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To delete the local key pairs, run the rsa local-key-pair destroy command. If the host key pair and server key pair of an SSH server are deleted, run the rsa local-key-pair create command to create a new host key pair and server key pair for the SSH server.

Destroying the host key changes the identity the SSH server presents: clients that have pinned the old host public key (for example with the ssh client assign command) will not accept the server until the new key is distributed to them.

After you run this command, verify that all local RSA keys are deleted. This command is not saved in a configuration file.

Prerequisite

The local RSA key pairs that can be deleted exist.

Example

# Delete all local RSA host and server key pairs.

<HUAWEI> system-view
[HUAWEI] rsa local-key-pair destroy
% The name for the keys which will be destroyed is HUAWEI_Host.
% Confirm to destroy these keys? [y/n]:y
Destroying keys.............Succeeded.

rsa peer-public-key

Function

The rsa peer-public-key command configures an encoding format for an RSA public key and displays the RSA public key view.

The undo rsa peer-public-key command deletes an RSA public key.

By default, the encoding format is distinguished encoding rules (DER) for an RSA public key.

Format

rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

undo rsa peer-public-key key-name

Parameters

Parameter: key-name
Description: Specifies the RSA public key name.
Value: A string of 1 to 30 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks (").

Parameter: encoding-type
Description: Specifies the encoding format of an RSA public key.
Value: -

Parameter: der
Description: Specifies the DER format of an RSA public key. A DER-encoded key is entered as hexadecimal text.
Value: -

Parameter: openssh
Description: Specifies the OpenSSH format of an RSA public key. An OpenSSH key is entered as base-64 text. OpenSSH is an encoding format based on PEM.
Value: -

Parameter: pem
Description: Specifies the PEM format of an RSA public key. A PEM key is entered as base-64 text.
Value: -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When RSA public key authentication is used, you must configure the public key of the corresponding client for each SSH user on the server. When the client logs in, the server uses that public key to authenticate the client. In the other direction, you can save the host public key generated on the server to the client, so that the client can verify the server's identity the first time it logs in to the server.

Huawei data communications devices support the DER, OpenSSH and PEM formats for RSA keys. If you have an RSA key in another format, use a third-party tool to convert it into DER, OpenSSH or PEM format.

No conversion tool ships with the Huawei system software, so accepting only DER would make RSA keys awkward to use. The device therefore also accepts the privacy-enhanced mail (PEM) and OpenSSH formats, so that keys produced by common client software can be entered directly.

Third-party software such as SecureCRT, PuTTY, OpenSSH and OpenSSL generates RSA keys in different formats:
  • SecureCRT and PuTTY generate RSA keys in PEM format.
  • OpenSSH generates RSA keys in OpenSSH format.
  • OpenSSL can output RSA keys in DER format.

OpenSSL is an open source software. You can download related documents at the OpenSSL official website.

After you configure an encoding format for an RSA public key, the device creates an RSA peer public key entry that expects that encoding and enters the RSA public key view. Then run the public-key-code begin command and paste the RSA public key generated on the peer device into the local device.

Prerequisite

The RSA public key of the remote host has been obtained and recorded in the chosen encoding (hexadecimal text for DER, base-64 text for PEM or OpenSSH).

Follow-up Procedure

After you copy the RSA public key generated on the peer device to the local device, perform the following operations to exit the RSA public key view:
  1. Run the public-key-code end command to return to the RSA public key view.
  2. Run the peer-public-key end command to exit the RSA public key view and return to the system view.

Precautions

If an RSA public key has been assigned to an SSH client, run the undo ssh user user-name assign { rsa-key | dsa-key | ecc-key } command to release the binding between the public key and the SSH client. If you do not release the binding, the undo rsa peer-public-key command will fail to delete the RSA public key.

The peer public key supports only PKCS#1. Other PKCS versions are not supported.

Example

# Display the RSA public key view.
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key rsakey001
[HUAWEI-rsa-public-key]
# Configure an encoding format for an RSA public key and enter the RSA public key view.
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key RsaKey001 encoding-type openssh
[HUAWEI-rsa-public-key]

run

Function

The run command runs a user view command in the system view.

By default, a user view command cannot be run in the system view.

Format

run command-line

Parameters

Parameter: command-line
Description: Specifies a command to be run.
Value: -

Views

All views except the user view

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

Some commands can be run only in the user view. To run these commands, you must return to the user view first. To facilitate command execution, the device allows you to run the run command to run such commands in the other views without returning to the user view.

Precautions

  • The command specified in the run command must be one that can be run in the user view.
  • When you run the run command, the command association help function is unavailable.
  • When you check the command history using the display history-command command, only the commands that you entered are recorded, in the form run command-line.
  • In the SHELL/5/CMDRECORD log, only the commands that were actually run are recorded, also in the form run command-line. Audit tooling that matches on command names therefore needs to allow for the run prefix.

Example

# Run the dir *.cfg command to check the .cfg file in the system view.

<HUAWEI> system-view
[HUAWEI] run dir *.cfg
Directory of cfcard:/
  Idx  Attr     Size(Byte)  Date        Time       FileName
    0  -rw-         11,970  Mar 14 2012 19:11:22   31.cfg
    1  -rw-         12,033  Apr 22 2012 17:10:30   31_new.cfg
509,256 KB total (118,784 KB free)

send

Function

The send command sends a message to one user interface or to all user interfaces.

Format

send { all | ui-number | ui-type ui-number1 }

Parameters

Parameter: all
Description: Specifies that the device sends the message to all user interfaces.
Value: -

Parameter: ui-number
Description: Specifies the absolute number of a user interface.
Value: The minimum value is 0. The maximum value is the number of user interfaces that the device supports minus 1.

Parameter: ui-type
Description: Specifies the type of a user interface.
Value: -

Parameter: ui-number1
Description: Specifies the relative number of a user interface.
Value: -

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

After you run the send command on a device, the device prompts you to enter a message to send. After you confirm to send this message, the user who logs in to the device from a specified user interface can receive this message.

Example

# Send a message to the user interface VTY 0.

<HUAWEI> send vty 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:
Hello, good morning!
Warning: Send the message? [Y/N]: y

# After you confirm to send the message, the user who logs in to the HUAWEI from VTY 0 can receive this message.

<HUAWEI>
Info: Receive a message from VTY2:Hello, good morning!

ssh authentication-type default password

Function

The ssh authentication-type default password command configures password authentication as the default authentication mode for SSH users.

The undo ssh authentication-type default password command cancels the default password authentication mode for SSH users.

By default, the default authentication mode of SSH users is password authentication.

Format

ssh authentication-type default password

undo ssh authentication-type default password

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When there are many SSH users, making password authentication the default simplifies configuration.

When a TACACS server authenticates users who log in through SSH, the network administrator defines the SSH users on the TACACS server, and in most cases the SSH server cannot obtain those user definitions from the TACACS server. Setting the default authentication mode to password lets such users log in without per-user SSH configuration on the device. Note that this extends to every account the AAA server accepts; for administrative accounts that should be bound to a key, configure public key authentication for them explicitly with the ssh user user-name authentication-type and ssh user user-name assign commands.

Precautions

To configure password authentication for a specific SSH user, you can also run the ssh user user-name authentication-type password command.

Example

# Configure password authentication as the default authentication mode for SSH users.

<HUAWEI> system-view
[HUAWEI] ssh authentication-type default password

ssh client assign

Function

The ssh client assign command specifies the host public key of an SSH server on an SSH client.

The undo ssh client assign command cancels the specified host public key of the SSH server on the SSH client.

By default, the host public key of a server is not specified on clients.

Format

ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname

undo ssh client servername assign { rsa-key | dsa-key | ecc-key }

Parameters

Parameter: servername
Description: Specifies the host name or IP address of an SSH server.
Value: A string of 1 to 255 characters without spaces.

Parameter: rsa-key
Description: Specifies the RSA public key.
Value: -

Parameter: dsa-key
Description: Specifies the DSA public key.
Value: -

Parameter: ecc-key
Description: Specifies the ECC public key.
Value: -

Parameter: keyname
Description: Specifies the SSH server public key name that has been configured on an SSH client.
Value: A string of 1 to 30 case-insensitive characters without spaces.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If an SSH client connects to an SSH server for the first time and first authentication is not enabled on the SSH client using the ssh client first-time enable command, the SSH client must determine whether the server is reliable. To do so, run the ssh client assign command to specify the host public key of the SSH server and the mapping between the key and SSH server on the SSH client. The client then uses the correct public key to determine whether the server is reliable based on the mapping.

Precautions

The RSA, DSA, or ECC public key to be assigned to the SSH server must have been configured on the SSH client using the rsa peer-public-key, dsa peer-public-key, or ecc peer-public-key command. If the key has not been configured, the verification for the RSA, DSA, or ECC public key of the SSH server on the SSH client fails.

Example

# Assign the DSA public key to the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh client 10.164.39.120 assign dsa-key sshdsakey01
# Delete the DSA public key of the SSH server.
<HUAWEI> system-view
[HUAWEI] undo ssh client 10.164.39.120 assign dsa-key

ssh client cipher

Function

The ssh client cipher command configures an encryption algorithm list for an SSH client.

The undo ssh client cipher command restores the default encryption algorithm list of an SSH client.

By default, an SSH client supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

Format

ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr } *

undo ssh client cipher

Parameters

Parameter Description Value

des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh client cipher command to configure an encryption algorithm list for the SSH client. After the SSH server receives a packet from the client, the server matches the encryption algorithm list of the client against its local list and selects the first matched encryption algorithm. If no encryption algorithm matches, the negotiation fails.

Precautions

The security levels of encryption algorithms are as follows, from high to low: aes256_ctr, aes128_ctr, aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc.

aes256_cbc, aes128_cbc, 3des_cbc and des_cbc provide weak security. Therefore, they are not recommended in the encryption algorithm list.

Example

# Configure CTR encryption algorithms for an SSH client.

<HUAWEI> system-view
[HUAWEI] ssh client cipher aes128_ctr aes256_ctr

ssh client first-time enable

Function

The ssh client first-time enable command enables the first authentication function on an SSH client.

The undo ssh client first-time enable command disables the first authentication function on the SSH client.

By default, the first authentication function is disabled on the SSH client.

Format

ssh client first-time enable

undo ssh client first-time enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH client accesses an SSH server for the first time and the public host key of the SSH server is not configured on the SSH client, run the ssh client first-time enable command to enable the first authentication function. The SSH client then can access the SSH server and save the public host key on the SSH client. When the SSH client accesses the SSH server next time, the saved public host key is used to authenticate the SSH server.

Precautions

To log in to the SSH server successfully at the first time, you can also run the ssh client assign command to pre-assign a public host key to the SSH server.

Example

# Enable the first authentication function on the SSH client.

<HUAWEI> system-view
[HUAWEI] ssh client first-time enable
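The two client-side checks described above (a host key pinned with ssh client assign, and trust-on-first-use with ssh client first-time enable) are modelled below in a small Python class. This is an added illustration, not device code from the command reference: the class name ClientHostKeyPolicy, the SHA-256 fingerprint format and the sample key bytes are all constructed for the example. It shows the decision the client must make for each of the three cases: nothing pinned and first-time disabled (reject), nothing pinned and first-time enabled (save the key, accept), and a pinned key that does not match the presented key (reject).

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Tuple

KEY_TYPES = ("rsa", "dsa", "ecc")  # the three key types the assign command accepts


def fingerprint(public_key: bytes) -> str:
    """SHA-256 fingerprint of the raw key bytes (constructed format for this model)."""
    return hashlib.sha256(public_key).hexdigest()


@dataclass
class ClientHostKeyPolicy:
    """Host key verification state of one SSH client (hypothetical model).

    first_time_enabled models `ssh client first-time enable`; pinned holds the
    keys configured with `ssh client <server> assign ...` or saved on first contact.
    """
    first_time_enabled: bool = False            # page default: disabled
    pinned: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def assign(self, server: str, key_type: str, public_key: bytes) -> None:
        """Operator pins a server key out of band (ssh client <server> assign <type>-key)."""
        if key_type not in KEY_TYPES:
            raise ValueError(f"key type must be one of {KEY_TYPES}")
        self.pinned.setdefault(server, {})[key_type] = fingerprint(public_key)

    def unassign(self, server: str, key_type: str) -> None:
        """undo ssh client <server> assign <type>-key."""
        self.pinned.get(server, {}).pop(key_type, None)

    def verify(self, server: str, key_type: str, presented_key: bytes) -> Tuple[bool, str]:
        """Decide whether the key presented during the handshake is accepted."""
        presented = fingerprint(presented_key)
        known = self.pinned.get(server, {}).get(key_type)
        if known is None:
            if not self.first_time_enabled:
                return False, "no pinned key for server and first-time disabled"
            # Trust-on-first-use: save the key so later sessions are checked against it.
            self.pinned.setdefault(server, {})[key_type] = presented
            return True, "first contact, host key saved"
        if known == presented:
            return True, "host key matches pinned key"
        return False, "host key mismatch, possible impersonation or rekeyed server"


if __name__ == "__main__":
    client = ClientHostKeyPolicy()
    # Constructed sample keys; real keys would be the server's encoded public key blobs.
    genuine, rogue = b"CONSTRUCTED-DSA-KEY-A", b"CONSTRUCTED-DSA-KEY-B"
    print(client.verify("10.164.39.120", "dsa", genuine))   # rejected: nothing pinned
    client.assign("10.164.39.120", "dsa", genuine)          # ssh client 10.164.39.120 assign dsa-key ...
    print(client.verify("10.164.39.120", "dsa", genuine))   # accepted
    print(client.verify("10.164.39.120", "dsa", rogue))     # rejected: mismatch
```

The security-relevant point is the first branch: with first-time disabled, a client that has no pinned key for the server cannot connect at all, which is why the page tells you to run ssh client assign beforehand. Once a key is saved, either by assign or by first contact, a different key from the same address is refused rather than silently accepted.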

ssh client hmac

Function

The ssh client hmac command configures an HMAC algorithm list for an SSH client.

The undo ssh client hmac command restores the default HMAC algorithm list of an SSH client.

By default, an SSH client supports all HMAC algorithms.

Format

ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

undo ssh client hmac

Parameters

Parameter Description Value

md5 Specifies the HMAC MD5 algorithm. -
md5_96 Specifies the HMAC MD5_96 algorithm. -
sha1 Specifies the HMAC SHA1 algorithm. -
sha1_96 Specifies the HMAC SHA1_96 algorithm. -
sha2_256 Specifies the HMAC SHA2_256 algorithm. -
sha2_256_96 Specifies the HMAC SHA2_256_96 algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh client hmac command to configure an HMAC algorithm list for the SSH client. After the SSH server receives a packet from the client, the server matches the list of the client against its local list and selects the first matched HMAC algorithm. If no HMAC algorithm matches, the negotiation fails.

Precautions

The security levels of HMAC algorithms are as follows, from high to low: sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96.

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC algorithm list.

Example

# Configure the HMAC SHA2_256 algorithm for an SSH client.

<HUAWEI> system-view
[HUAWEI] ssh client hmac sha2_256

ssh client key-exchange

Function

The ssh client key-exchange command configures a key exchange algorithm list on an SSH client.

The undo ssh client key-exchange command restores the default configuration.

By default, an SSH client supports all key exchange algorithms.

Format

ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

undo ssh client key-exchange

Parameters

Parameter Description Value
dh_group_exchange_sha1 Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. -
dh_group14_sha1 Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. -
dh_group1_sha1 Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH client. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

Precautions

The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.

Example

# Configure key exchange algorithm lists dh_group_exchange_sha1 and dh_group14_sha1 on the SSH client.

<HUAWEI> system-view
[HUAWEI] ssh client key-exchange dh_group_exchange_sha1 dh_group14_sha1

ssh server acl

Function

The ssh server acl command configures an ACL that the SSH server uses to control the access permission of SSH clients.

The undo ssh server acl command cancels the configured ACL of the SSH server.

By default, no ACL is configured for SSH servers.

Format

ssh [ ipv6 ] server acl acl-number

undo ssh [ ipv6 ] server acl

Parameters

Parameter Description Value
acl-number Specifies an ACL number. The value is an integer that ranges from 2000 to 3999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Configure the ACL for the following servers for access control:
  • STelnet server: controls which clients can log in to this server through STelnet.
  • SFTP server: controls which clients can log in to this server through SFTP.
  • SCP server: controls which clients can log in to this server through SCP.

Prerequisites

An ACL has been configured using the acl (system view) command in the system view, and an ACL rule has been configured using the rule (basic ACL view) or rule (advanced ACL view) command.

Precautions

A basic ACL can be configured to restrict source addresses. An advanced ACL can be configured to restrict source and destination addresses.

Example

# Configure ACL 2000 on an SSH server.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.10.10.10 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] ssh server acl 2000
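The example above restricts SSH access to the single source 10.10.10.10 by using a wildcard mask of 0. Wildcard masks are the inverse of subnet masks (a 1 bit means "ignore this bit"), which is a frequent source of mistakes when an ACL is written to protect a management service. The Python below is an added illustration, not device code: it parses rules in the syntax the example uses (rule [id] { permit | deny } [ source { address wildcard | any } ]) and evaluates a client address against them, first match wins. The page does not state what the SSH server does when no rule matches, so the default action is a constructor argument rather than a fact taken from the page; the ACL number check and the rule names are the page's, everything else (class names, the second ACL) is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    rule_id: Optional[int]
    action: str      # "permit" or "deny"
    network: int     # source address with the don't-care bits already cleared
    wildcard: int    # wildcard mask: a 1 bit means "ignore this bit"

    def matches(self, client_ip: str) -> bool:
        care = ALL_ONES ^ self.wildcard
        return (int(ipaddress.IPv4Address(client_ip)) & care) == self.network


def _wildcard(token: str) -> int:
    # The CLI example uses a bare "0" as shorthand for 0.0.0.0 (exact host match).
    return int(token) if "." not in token else int(ipaddress.IPv4Address(token))


def parse_rule(line: str) -> Rule:
    """Parse 'rule [id] { permit | deny } [ source { addr wildcard | any } ]'."""
    tokens = line.split()
    if not tokens or tokens[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    tokens = tokens[1:]
    rule_id = None
    if tokens and tokens[0].isdigit():
        rule_id = int(tokens.pop(0))
    if not tokens or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"missing permit/deny: {line!r}")
    action = tokens.pop(0)
    if not tokens or tokens == ["source", "any"]:
        network, wildcard = 0, ALL_ONES          # matches every source
    elif len(tokens) == 3 and tokens[0] == "source":
        wildcard = _wildcard(tokens[2])
        network = int(ipaddress.IPv4Address(tokens[1])) & (ALL_ONES ^ wildcard)
    else:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(rule_id, action, network, wildcard)


class BasicAcl:
    """Basic ACL (2000-2999) evaluated the way a login filter uses it: the first
    matching rule wins. The behaviour when no rule matches is not stated on the
    page, so default_action is an assumption supplied by the caller."""

    def __init__(self, number: int, lines: List[str], default_action: str = "deny"):
        if not 2000 <= number <= 2999:
            raise ValueError("basic ACL numbers are 2000-2999")
        self.number = number
        self.rules = [parse_rule(line) for line in lines]
        self.default_action = default_action

    def evaluate(self, client_ip: str) -> Tuple[str, Optional[Rule]]:
        for rule in self.rules:
            if rule.matches(client_ip):
                return rule.action, rule
        return self.default_action, None


if __name__ == "__main__":
    # The page's ACL 2000, plus a constructed ACL with a subnet deny and a catch-all permit.
    acl2000 = BasicAcl(2000, ["rule permit source 10.10.10.10 0"])
    acl2001 = BasicAcl(2001, ["rule 5 deny source 192.168.1.0 0.0.0.255",
                              "rule 10 permit source any"])
    for ip in ("10.10.10.10", "10.10.10.11", "192.168.1.77", "192.168.2.1"):
        print(ip, "acl 2000 ->", acl2000.evaluate(ip)[0], "| acl 2001 ->", acl2001.evaluate(ip)[0])
```

Two things worth checking before applying an ACL to the SSH server: that a wildcard such as 0.0.0.255 was not written where a subnet mask was intended (it would open a whole /24 instead of one host), and what the device does for addresses that match no rule, since that decides whether a typo in the permit line locks you out or leaves the server open.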

ssh server authentication-retries

Function

The ssh server authentication-retries command sets the maximum number of authentication retries for an SSH connection.

The undo ssh server authentication-retries command restores the default maximum number of authentication retries for an SSH connection.

The default maximum number of authentication retries for an SSH connection is 3.

Format

ssh server authentication-retries times

undo ssh server authentication-retries

Parameters

Parameter Description Value
times Specifies the maximum number of authentication retries for an SSH connection. The value is an integer that ranges from 1 to 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure the maximum number of authentication retries for an SSH connection, run the ssh server authentication-retries command. This prevents server overload due to numerous malicious access requests.

Precautions

The configured number of retries takes effect upon the next login.

Example

# Set the maximum number of authentication retries to 4.

<HUAWEI> system-view
[HUAWEI] ssh server authentication-retries 4

ssh server authentication-type keyboard-interactive enable

Function

The ssh server authentication-type keyboard-interactive enable command enables keyboard interactive authentication on an SSH server.

The undo ssh server authentication-type keyboard-interactive enable command disables keyboard interactive authentication on an SSH server.

By default, keyboard interactive authentication is enabled on SSH servers.

Format

ssh server authentication-type keyboard-interactive enable

undo ssh server authentication-type keyboard-interactive enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To log in to the SSH server in keyboard interactive authentication mode, run the ssh server authentication-type keyboard-interactive enable command.

To log in to the SSH server in password authentication mode, run the undo ssh server authentication-type keyboard-interactive enable command to disable keyboard interactive authentication.

Example

# Enable keyboard interactive authentication on an SSH server.

<HUAWEI> system-view
[HUAWEI] ssh server authentication-type keyboard-interactive enable

ssh server compatible-ssh1x enable

Function

The ssh server compatible-ssh1x enable command enables an SSH server to be compatible with earlier versions.

The undo ssh server compatible-ssh1x enable command disables an SSH server from being compatible with earlier versions.

By default, this function is disabled on unconfigured devices. After a device is upgraded, whether an SSH server is allowed to be compatible with earlier versions is determined by the configuration in the configuration file.

Format

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The ssh server compatible-ssh1x enable command applies to scenarios where a client and a server negotiate with each other on a working version. After a TCP connection is set up between a client and a server, the client negotiates with the server on a version that both the client and server support.

The server compares its own version with that sent by the client and determines whether it can work with the client.

  • If the protocol version on the client is earlier than 1.3 or later than 2.0, version negotiation fails and the server disconnects from the client.
  • If the protocol version on the client is later than or equal to 1.3 and earlier than 1.99, the SSH1.5 server module is invoked, and the SSH1.X process is performed when the SSH1.X-compatible mode is configured. When the SSH1.X-incompatible mode is configured, version negotiation fails, and the server disconnects from the client.
  • If the protocol version on the client is 1.99 or 2.0, the SSH2.0 server module is invoked, and the SSH2.0 process is performed.
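The three rules above are a complete decision procedure, so they are written out below as an added Python model (not device code). It parses the RFC 4253 identification string a client sends (for example SSH-2.0-OpenSSH_8.9; the software names in the sample banners are constructed) and returns which server module would handle the connection, or that the server disconnects. The version is compared as an integer pair so that 1.99 correctly sorts above 1.5; the function and module names are this example's own.

```python
import re
from typing import Tuple

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments]
_BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

Version = Tuple[int, int]


def parse_banner(banner: str) -> Version:
    """Extract (major, minor) from e.g. 'SSH-2.0-OpenSSH_8.9'. The minor part is an
    integer, so 1.99 compares above 1.5, as SSH version numbering intends."""
    match = _BANNER_RE.match(banner.strip())
    if not match:
        raise ValueError(f"malformed identification string: {banner!r}")
    return int(match.group(1)), int(match.group(2))


def select_server_module(client: Version, compatible_ssh1x: bool) -> str:
    """Server-side decision after the version exchange, following the three rules
    given for ssh server compatible-ssh1x enable."""
    if client < (1, 3) or client > (2, 0):
        return "disconnect: unsupported protocol version"
    if client < (1, 99):
        # SSH1.X peer: only served when compatibility is enabled, at a known security cost.
        return "ssh1.5 module" if compatible_ssh1x else "disconnect: SSH1.X not allowed"
    return "ssh2.0 module"


def negotiate(banner: str, compatible_ssh1x: bool) -> str:
    """Convenience wrapper: banner string in, decision out."""
    return select_server_module(parse_banner(banner), compatible_ssh1x)


if __name__ == "__main__":
    # Constructed sample banners covering each rule.
    samples = ["SSH-2.0-OpenSSH_8.9", "SSH-1.99-LegacyClient", "SSH-1.5-OldClient", "SSH-1.2-Ancient"]
    for compat in (False, True):
        for banner in samples:
            print(f"compatible-ssh1x={compat!s:5} {banner:24} -> {negotiate(banner, compat)}")
```

Running it shows why the page keeps compatibility off by default: the only banners whose outcome changes when compatibility is enabled are the SSH1.X ones, so enabling it adds nothing for SSH2.0 clients and only widens exposure to the older protocol.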

Precautions

  • If the SSH server is enabled to be compatible with earlier SSH versions, the device displays a security risk warning.
  • The configuration takes effect upon the next login.
  • SSH2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH1.X. SSH2.0 eliminates the security risks of SSH1.X, is more secure, and is therefore recommended.
  • If a device has an empty configuration, the device automatically applies the undo ssh server compatible-ssh1x enable command to disable the SSH server's compatibility with earlier versions. If a device is upgraded, the SSH server's compatibility with earlier versions follows the configuration file.

NOTE:
Currently, protocols support SSH versions as follows:
  • STelnet: The device supports SSH v1.99. That is, SSH1 (SSH1.x) and SSH2 (SSH2.0) are supported. By default, SSH2 (SSH2.0) is supported.
  • SFTP: Only SSH2 (SSH2.0) is supported.
  • SCP: Only SSH2 (SSH2.0) is supported.

Example

# Enable an SSH server to be compatible with earlier versions.

<HUAWEI> system-view
[HUAWEI] ssh server compatible-ssh1x enable
Warning: SSHv1 is not a secure protocol, and it is recommended to use SSHv2. 

ssh server cipher

Function

The ssh server cipher command configures an encryption algorithm list for an SSH server.

The undo ssh server cipher command restores the default encryption algorithm list of an SSH server.

By default, an SSH server supports five encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

Format

ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | blowfish_cbc } *

undo ssh server cipher

Parameters

Parameter Description Value

des_cbc Specifies the CBC DES encryption algorithm. -
3des_cbc Specifies the CBC 3DES encryption algorithm. -
aes128_cbc Specifies the CBC AES128 encryption algorithm. -
aes256_cbc Specifies the CBC AES256 encryption algorithm. -
aes128_ctr Specifies the CTR AES128 encryption algorithm. -
aes256_ctr Specifies the CTR AES256 encryption algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an encryption algorithm for the packets exchanged between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. After the SSH server receives a packet from the client, the server matches the encryption algorithm list of the client against its local list and selects the first matched encryption algorithm. If no encryption algorithm matches, the negotiation fails.

Precautions

The security levels of encryption algorithms are as follows, from high to low: aes256_ctr, aes128_ctr, aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc.

aes256_cbc, aes128_cbc, 3des_cbc and des_cbc provide weak security. Therefore, they are not recommended in the encryption algorithm list.

Example

# Configure CTR encryption algorithms for an SSH server.

<HUAWEI> system-view
[HUAWEI] ssh server cipher aes256_ctr aes128_ctr

ssh server dh-exchange min-len

Function

The ssh server dh-exchange min-len command configures the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

The undo ssh server dh-exchange min-len command restores the default minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

By default, the minimum key length supported is 1024 bytes.

Format

ssh server dh-exchange min-len min-len

undo ssh server dh-exchange min-len

Parameters

Parameter Description Value
min-len Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server. The value can be either 1024 or 2048, in bytes.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The Diffie-hellman-group-exchange key of 1024 bytes poses security risks. If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bytes, run the ssh server dh-exchange min-len command to set the minimum key length to 2048 bytes to improve security.

Precautions

Security risks exist if the minimum Diffie-hellman-group-exchange key length is less than 2048 bytes. You are advised to set the minimum key length to 2048 bytes.

Example

# Set the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client to 2048 bytes.

<HUAWEI> system-view
[HUAWEI] ssh server dh-exchange min-len 2048

ssh server hmac

Function

The ssh server hmac command configures an HMAC algorithm list for an SSH server.

The undo ssh server hmac command restores the default HMAC algorithm list of an SSH server.

By default, an SSH server supports all HMAC algorithms.

Format

ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

undo ssh server hmac

Parameters

Parameter Description Value

md5 Specifies the HMAC MD5 algorithm. -
md5_96 Specifies the HMAC MD5_96 algorithm. -
sha1 Specifies the HMAC SHA1 algorithm. -
sha1_96 Specifies the HMAC SHA1_96 algorithm. -
sha2_256 Specifies the HMAC SHA2_256 algorithm. -
sha2_256_96 Specifies the HMAC SHA2_256_96 algorithm. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate an HMAC algorithm for the packets exchanged between them. You can run the ssh server hmac command to configure an HMAC algorithm list for the SSH server. After the server receives a packet from the client, the server matches the list of the client against its local list and selects the first matched HMAC algorithm. If no HMAC algorithm matches, the negotiation fails.

Precautions

The security levels of HMAC algorithms are as follows, from high to low: sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96.

sha2_256_96, sha1, sha1_96, md5, and md5_96 provide weak security. Therefore, they are not recommended in the HMAC algorithm list.

Example

# Configure the HMAC SHA2_256 algorithm for an SSH server.

<HUAWEI> system-view
[HUAWEI] ssh server hmac sha2_256

ssh server key-exchange

Function

The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.

The undo ssh server key-exchange command restores the default configuration.

By default, an SSH server supports Diffie-hellman-group-exchange-sha1 and Diffie-hellman-group14-sha1 key exchange algorithms.

Format

ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

undo ssh server key-exchange

Parameters

Parameter Description Value
dh_group_exchange_sha1 Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. -
dh_group14_sha1 Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. -
dh_group1_sha1 Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on an SSH server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the server receives a packet from the client, the server matches the key exchange algorithm list of the client against its local list and selects the first matched key exchange algorithm. If no key exchange algorithm matches, the negotiation fails.

Precautions

The security levels of key exchange algorithms are as follows, from high to low: dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group_exchange_sha1 algorithm is recommended.

Example

# Configure key exchange algorithm lists dh_group_exchange_sha1 and dh_group14_sha1 on the SSH server.

<HUAWEI> system-view
[HUAWEI] ssh server key-exchange dh_group_exchange_sha1 dh_group14_sha1
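The cipher, hmac and key-exchange commands for the client and the server all describe the same negotiation: each side holds an ordered list and the first algorithm both sides support is chosen. The Python below is an added model of that step, serving all six commands; it is not device code. It follows RFC 4253 section 7.1, where the client's order decides the outcome, and then checks the chosen algorithm against the security rankings the page gives in its Precautions. The algorithm names are the page's; the preference order of the default lists is not stated on the page and is an assumption here, as are the function names.

```python
from typing import Dict, List, Optional, Tuple

# Names exactly as the command reference spells them. The page lists these defaults
# without a preference order; the order below is an assumption of this model.
DEFAULT_CIPHERS = ["aes256_ctr", "aes128_ctr", "aes256_cbc", "aes128_cbc", "3des_cbc"]
DEFAULT_HMACS = ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"]
DEFAULT_SERVER_KEX = ["dh_group_exchange_sha1", "dh_group14_sha1"]

# Algorithms the page calls weak or not recommended (key exchange: only
# dh_group_exchange_sha1 is recommended, so the other two are flagged).
NOT_RECOMMENDED = {
    "cipher": {"aes256_cbc", "aes128_cbc", "3des_cbc", "des_cbc"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "key-exchange": {"dh_group14_sha1", "dh_group1_sha1"},
}


def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """RFC 4253 7.1: walk the client's list in order and return the first algorithm
    the server also supports; None means the negotiation fails."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


def negotiate_session(client_cfg: Dict[str, List[str]],
                      server_cfg: Dict[str, List[str]]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Negotiate all three categories; maps category -> (chosen or None, warning or None)."""
    result = {}
    for kind in ("key-exchange", "cipher", "hmac"):
        chosen = negotiate(client_cfg[kind], server_cfg[kind])
        if chosen is None:
            warning = "negotiation fails: no common algorithm"
        elif chosen in NOT_RECOMMENDED[kind]:
            warning = f"{chosen} is not recommended by the command reference"
        else:
            warning = None
        result[kind] = (chosen, warning)
    return result


if __name__ == "__main__":
    # Lists taken from the page's own examples for the client and server commands.
    client = {"key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1"],
              "cipher": ["aes128_ctr", "aes256_ctr"], "hmac": ["sha2_256"]}
    server = {"key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1"],
              "cipher": ["aes256_ctr", "aes128_ctr"], "hmac": ["sha2_256"]}
    for kind, outcome in negotiate_session(client, server).items():
        print(f"{kind:13} -> {outcome}")
    # A constructed legacy client against an unchanged server default list.
    legacy = dict(client, cipher=["3des_cbc"])
    defaults = {"key-exchange": DEFAULT_SERVER_KEX, "cipher": DEFAULT_CIPHERS, "hmac": DEFAULT_HMACS}
    print("legacy cipher  ->", negotiate_session(legacy, defaults)["cipher"])
```

Two consequences are visible in the output. First, with the page's example lists the session uses aes128_ctr, not aes256_ctr, because the client listed it first; putting the strongest algorithm first on the server does not override the client's preference. Second, a server left on its default cipher list still accepts 3des_cbc from a legacy client; restricting the server list, as the page's ssh server cipher example does, is what actually stops the weak algorithm from being negotiated.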

ssh server port

Function

The ssh server port command configures a listening port number for an SSH server.

The undo ssh server port command restores the default listening port number of an SSH server.

The default listening port number of the SSH server is 22.

Format

ssh [ ipv4 | ipv6 ] server port port-number

undo ssh [ ipv4 | ipv6 ] server port

Parameters

Parameter Description Value
port-number Specifies the listening port number of the SSH server. The value is 22 or an integer ranging from 1025 to 55535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The standard SSH listening port is a well-known target for attacks. To reduce this exposure, run the ssh server port command to configure a different listening port.

Precautions

If the server is listening on port 22, the SSH client can log in successfully with no port specified. If the server is listening on another port, the port number must be specified.

Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.

After the ssh server port port-number command is run, both the IPv4 and IPv6 listening port numbers are changed. To change the IPv4 or IPv6 port number separately, run the ssh { ipv4 | ipv6 } server port port-number command.

Example

# Set the listening port number of the SSH server to 1025.

<HUAWEI> system-view
[HUAWEI] ssh server port 1025

# Set the IPv4 port number of the SSH server to 1025.

<HUAWEI> system-view
[HUAWEI] ssh ipv4 server port 1025

ssh server rekey-interval

Function

The ssh server rekey-interval command sets the interval for updating the SSH server key pair.

The undo ssh server rekey-interval command restores the default interval for updating the SSH server key pair.

The default interval for updating the SSH server key pair is 0, indicating that the key pair is never updated.

Format

ssh server rekey-interval hours

undo ssh server rekey-interval

Parameters

Parameter Description Value
hours Specifies the interval for updating the server key pair. The value is an integer that ranges from 0 to 24, in hours.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the server key pair is not updated for a long time, it becomes easier to crack, and the server becomes insecure. After the interval for updating the SSH server key pair is set using the ssh server rekey-interval command, the device automatically updates the key pair at that interval.

Precautions

If the client is connected to the server, the server public key on the client is not updated immediately. This key is updated only when the client is reconnected to the server.

This command takes effect only for SSH1.X. However, SSH1.X provides poor security and is therefore not recommended.

Example

# Set the interval for updating the SSH server key pair to 2 hours.

<HUAWEI> system-view
[HUAWEI] ssh server rekey-interval 2

ssh server timeout

Function

The ssh server timeout command sets the timeout period for SSH connection authentication.

The undo ssh server timeout command restores the default timeout period for SSH connection authentication.

The default timeout period for SSH connection authentication is 60 seconds.

Format

ssh server timeout seconds

undo ssh server timeout

Parameters

Parameter Description Value
seconds Specifies the timeout period for SSH connection authentication. The value is an integer ranging from 1 to 120, in seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user has not logged in successfully before the timeout period for SSH connection authentication expires, the current connection is terminated to ensure security. To query the current timeout period, run the display ssh server command.

Precautions

The timeout period setting takes effect upon next login.

NOTE:
If a very short timeout period is configured for SSH connection authentication, user login may fail due to a connection timeout. Using the default timeout period is recommended.

Example

# Set the timeout period for SSH connection authentication to 90 seconds.

<HUAWEI> system-view
[HUAWEI] ssh server timeout 90
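The retry limit (ssh server authentication-retries) and the authentication timeout (ssh server timeout) act on the same connection, and both pages note that a new value takes effect only upon the next login. The Python below is an added model of how a server would enforce both on one session; it is not device code. The value ranges and defaults are the page's; the class names, the injected clock and the reading of "retries" as the maximum number of failed attempts per connection are assumptions of this example.

```python
import time
from typing import Optional


class SshServerConfig:
    """The two authentication limits, with the ranges the command reference gives."""

    def __init__(self, authentication_retries: int = 3, timeout_seconds: int = 60):
        self.set_authentication_retries(authentication_retries)
        self.set_timeout(timeout_seconds)

    def set_authentication_retries(self, times: int) -> None:
        if not 1 <= times <= 5:
            raise ValueError("authentication-retries must be 1 to 5")
        self.authentication_retries = times

    def set_timeout(self, seconds: int) -> None:
        if not 1 <= seconds <= 120:
            raise ValueError("timeout must be 1 to 120 seconds")
        self.timeout_seconds = seconds


class AuthSession:
    """One connection in its authentication phase. The limits are copied when the
    connection starts, which models 'takes effect upon the next login'. 'Retries'
    is modelled as the maximum number of failed attempts (assumption)."""

    def __init__(self, config: SshServerConfig, started_at: Optional[float] = None):
        self.max_failures = config.authentication_retries
        self.timeout = config.timeout_seconds
        self.started_at = time.monotonic() if started_at is None else started_at
        self.failures = 0
        self.state = "authenticating"

    def attempt(self, credentials_ok: bool, now: Optional[float] = None) -> str:
        """Record one authentication attempt at time `now` and return the session state."""
        if self.state != "authenticating":
            return self.state                      # already decided, nothing changes
        now = time.monotonic() if now is None else now
        if now - self.started_at > self.timeout:
            self.state = "terminated: authentication timeout"
        elif credentials_ok:
            self.state = "authenticated"
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.state = "terminated: retries exhausted"
        return self.state


if __name__ == "__main__":
    cfg = SshServerConfig()                      # page defaults: 3 retries, 60 seconds
    s = AuthSession(cfg, started_at=0.0)
    for t in (1.0, 2.0, 3.0):                    # constructed timeline of bad passwords
        print(f"t={t:>4}: {s.attempt(False, now=t)}")
    slow = AuthSession(cfg, started_at=0.0)
    print("t=61.0:", slow.attempt(True, now=61.0))   # correct password, but too late
    existing = AuthSession(cfg, started_at=0.0)
    cfg.set_authentication_retries(1)            # operator tightens the limit
    print("existing session after change:", existing.attempt(False, now=1.0))
    print("new session after change:     ", AuthSession(cfg, 0.0).attempt(False, now=1.0))
```

The last two lines of output show the precaution both pages make: a session that was already authenticating keeps the limits it started with, and only connections opened after the change see the new value.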

ssh server-source

Function

The ssh server-source command specifies a source interface for an SSH server.

The undo ssh server-source command restores the default setting.

By default, the source interface of an SSH server is not specified.

Format

ssh server-source -i loopback interface-number

undo ssh server-source

Parameters

Parameter Description Value
-i loopback interface-number Specifies a loopback interface as the source interface of an SSH server. The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, an SSH server receives connection requests from all interfaces, incurring security risks. To enhance system security, you can specify a source interface for an SSH server. Users can log in to the SSH server only from this interface.

Prerequisites

The loopback interface to be specified as the source interface exists and has an IP address configured. If the loopback interface is not created, the ssh server-source command cannot be correctly run.

Precautions

After the source interface is specified, a device only allows SSH users to log in to the SSH server through this source interface, and SSH users logging in through other interfaces are denied. Note that setting this parameter only affects SSH users who attempt to log in to the SSH server. It does not affect SSH users who have logged in to the server.

After the source interface of an SSH server is specified using this command, ensure that SSH users can access the source interface at Layer 3. Otherwise, the SSH users will fail to log in to the SSH server.

Example

# Specify loopback0 as the source interface of an SSH server.

<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 24
[HUAWEI-LoopBack0] quit
[HUAWEI] ssh server-source -i loopback 0

ssh user

Function

The ssh user command creates an SSH user.

The undo ssh user command deletes an SSH user.

By default, no SSH user is created.

Format

ssh user user-name

undo ssh user [ user-name ]

Parameters

Parameter Description Value
user-name Specifies the SSH user name.
The value is a string of 1 to 64 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

Views

System view

Default Level

3: Management level

Usage Guidelines

You can create an SSH user in either of the following ways:

Example

# Create an SSH user named testuser.

<HUAWEI> system-view
[HUAWEI] ssh user testuser

ssh user assign

Function

The ssh user assign command assigns an existing public key to a user.

The undo ssh user assign command deletes the mapping between the user and public key.

By default, no public key is assigned to a user.

Format

ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

undo ssh user user-name assign { rsa-key | dsa-key | ecc-key }

Parameters

Parameter Description Value
user-name Specifies the SSH user name.
The value is a string of 1 to 64 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

rsa-key Specifies an RSA public key. -
dsa-key Specifies a DSA public key. -
ecc-key Specifies an ECC public key. -
key-name Specifies the client public key name. The value is a string of 1 to 30 characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH client needs to log in to the SSH server in RSA, DSA, or ECC mode, run the ssh user assign command to assign a public key to the client. If the client has been assigned keys, the latest assigned key takes effect.

Precautions

The newly configured public key takes effect upon next login.

If the user named user-name to whom a public key is assigned does not exist, the device automatically creates an SSH user named user-name and performs the configured authentication for the SSH user.

Example

# Assign key1 to the user named John.

<HUAWEI> system-view
[HUAWEI] ssh user john assign rsa-key key1

ssh user authorization-cmd aaa

Function

The ssh user authorization-cmd aaa command enables command line authorization for an SSH user.

The undo ssh user authorization-cmd aaa command restores the default authorization mode.

By default, command line authorization is disabled for an SSH user.

Format

ssh user user-name authorization-cmd aaa

undo ssh user user-name authorization-cmd aaa

Parameters

Parameter Description Value
user-name Specifies the name of a valid SSH user defined by the AAA. The value is a string of 1 to 64 case-insensitive characters without spaces.

Views

System view

Default Level

3: Management level

Usage Guidelines

The new setting for command line authorization takes effect upon next login.

This command is valid only for SSH users. The AAA configuration determines whether to configure an authorization mode for the users who log in using passwords.

Example

# Enable command line authorization for the user named John.

<HUAWEI> system-view
[HUAWEI] ssh user john authorization-cmd aaa
Info: Please make sure that the command line authorization method has been set for the user.

ssh user authentication-type

Function

The ssh user authentication-type command configures an authentication mode for an SSH user.

The undo ssh user authentication-type command restores the default authentication mode for an SSH user.

By default, no authentication mode is configured for an SSH user.

Format

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

undo ssh user user-name authentication-type

Parameters

Parameter Description Value

user-name Specifies an SSH user name.
The value is a string of 1 to 64 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

password Specifies the password authentication mode. -
rsa Specifies the RSA authentication mode. -
password-rsa Specifies the password and RSA authentication modes. -
dsa Specifies the DSA authentication mode. -
password-dsa Specifies the password and DSA authentication modes. -
ecc Specifies the ECC authentication mode. -
password-ecc Specifies the password and ECC authentication modes. -
all

Specifies that password, ECC, DSA, or RSA authentication may be used; the user is authenticated as soon as any one of them succeeds.

NOTE:
In all authentication mode, the user priority depends on the authentication mode that the user selected.
  • If password authentication is selected, the user priority is the same as that specified on the AAA module.
  • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY interface used during user access.

If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA, DSA, or ECC authentication modes. Set relevant parameters as needed.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you configure an authentication mode for an SSH user, if the user does not exist, a device automatically creates an SSH user named user-name.

Table 2-51 describes the usage scenarios for different authentication modes.

Table 2-51  Usage scenarios for authentication modes

Authentication Mode

Usage Scenario

RSA

RSA is a public-key (asymmetric) algorithm. In SSH public-key authentication it is used for digital signatures, not for key transport: the session key is established by the Diffie-Hellman key exchange selected with prefer_kex, and the client proves possession of its private key by signing data that the server verifies with the public key assigned to the SSH user. The server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access.

DSA

DSA authentication is implemented in the same way as RSA authentication. The server checks whether the SSH user, the public key, and the user's digital signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access.

DSA is a signature-only algorithm; it does not encrypt. Its use in SSH (ssh-dss) is limited to 1024-bit keys with SHA-1, and OpenSSH has disabled it by default since version 7.0, so do not expect wider client support from DSA than from RSA. As the NOTE under the stelnet command states, neither RSA nor DSA is recommended; prefer ECC where the client supports it.

ECC

Like RSA authentication, the server first checks the validity of the SSH user and then whether the public key and the digital signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three cannot pass authentication, the user access is denied. Compared with the RSA algorithm, ECC authentication has the following advantages:
  • Provides equivalent security with a much shorter key.
  • Signs and verifies faster.
  • Requires less storage space.
  • Requires lower bandwidth.

password

On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the user name and password. If either of them fails to be authenticated, the access request of the user is denied.

The account information of users who are configured with the password authentication mode can be configured on devices or remote authentication servers (for example, RADIUS servers).

password-rsa, password-dsa, and password-ecc

The SSH server authenticates a client by checking both the public key and password. The client can be authenticated only when both the public key and password meet the requirement.

all

The SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement.

Precautions

A new SSH user cannot log in to the SSH server until an authentication mode is configured for the user. A newly configured authentication mode takes effect upon the next login.

Example

# Configure password authentication for the SSH user John.

<HUAWEI> system-view
[HUAWEI] ssh user john authentication-type password

ssh user service-type

Function

The ssh user service-type command configures a service type for an SSH user.

The undo ssh user service-type command restores the default service type for an SSH user.

By default, no service type is configured for an SSH user.

Format

ssh user user-name service-type { sftp | stelnet | all }

undo ssh user user-name service-type

Parameters

Parameter Description Value
user-name Specifies the SSH user name.
The value is a string of 1 to 64 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

sftp Specifies the SFTP service type. -
stelnet Specifies the STelnet service type. -
all

Specifies the SFTP and STelnet service types.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure a service type for an SSH user, run the ssh user service-type command on a device. If the specified user does not exist, the device creates an SSH user who has the same name as the specified user and uses the configured service type for the SSH user.

Precautions

If the SFTP service type is configured for an SSH user, you need to run the ssh user sftp-directory command to set an authorized directory for the user. By default, the SFTP service authorized directory is cfcard: for the SSH user.
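The authentication-type and service-type sections above describe several states in which an SSH user silently cannot log in (no authentication mode, no service type, a key-based mode with no key assigned) and two settings that deserve a second look (RSA/DSA modes, and "all" with its user-level caveat). The following script is an added example, not Huawei code: it parses a constructed excerpt of device configuration output, which follows the command syntax on this page, and reports those conditions per user. The "assign dsa-key" and "assign ecc-key" spellings are assumed by analogy with the "assign rsa-key" command shown above.

```python
"""Audit the "ssh user" lines of a Huawei VRP configuration excerpt.

Added example, not Huawei code. The sample below is constructed for the
example, in the shape of device configuration output.
"""
from collections import defaultdict

# Constructed sample; not taken from a real device.
SAMPLE_CONFIG = """\
 ssh user john authentication-type password
 ssh user john service-type all
 ssh user john authorization-cmd aaa
 ssh user alice assign ecc-key alice-key
 ssh user alice authentication-type ecc
 ssh user alice service-type stelnet
 ssh user bob assign rsa-key bob-key
 ssh user bob authentication-type all
 ssh user bob service-type sftp
 ssh user carol service-type stelnet
 ssh user dave authentication-type password-dsa
 ssh user dave service-type stelnet
"""

# Which key algorithms an authentication mode can use (empty: password only).
KEY_AUTH_MODES = {
    "rsa": {"rsa"}, "dsa": {"dsa"}, "ecc": {"ecc"},
    "password-rsa": {"rsa"}, "password-dsa": {"dsa"}, "password-ecc": {"ecc"},
    "all": {"rsa", "dsa", "ecc"},
}
WEAK_MODES = {"rsa", "dsa", "password-rsa", "password-dsa"}


def parse_ssh_users(config_text):
    """Return {user: {"auth", "service", "keys", "authz"}} from config lines."""
    users = defaultdict(lambda: {"auth": None, "service": None,
                                 "keys": set(), "authz": False})
    for raw in config_text.splitlines():
        parts = raw.split()
        if len(parts) < 4 or parts[:2] != ["ssh", "user"]:
            continue
        name, cmd, args = parts[2], parts[3], parts[4:]
        user = users[name]
        # "assign rsa-key key1"; dsa-key / ecc-key assumed by analogy
        if cmd == "assign" and len(args) == 2 and args[0].endswith("-key"):
            user["keys"].add(args[0][:-4])
        elif cmd == "authentication-type" and args:
            user["auth"] = args[0]
        elif cmd == "service-type" and args:
            user["service"] = args[0]
        elif cmd == "authorization-cmd" and args == ["aaa"]:
            user["authz"] = True
    return dict(users)


def audit(users):
    """Return a list of (user, severity, finding) tuples."""
    findings = []
    for name, u in sorted(users.items()):
        auth, service, keys = u["auth"], u["service"], u["keys"]
        needed = KEY_AUTH_MODES.get(auth, set())
        if auth is None:
            findings.append((name, "ERROR", "no authentication-type: the user cannot log in"))
        if service is None:
            findings.append((name, "ERROR", "no service-type configured"))
        if needed and not needed & keys:
            findings.append((name, "ERROR",
                             f"authentication-type {auth} but no matching public key is assigned"))
        if auth in WEAK_MODES:
            findings.append((name, "WARN", f"{auth} relies on RSA/DSA; ECC is recommended"))
        if auth == "all":
            findings.append((name, "WARN",
                             "all: password or any key is accepted; user level depends on the path used"))
        if needed and not u["authz"]:
            findings.append((name, "INFO",
                             "command line authorization is disabled (no authorization-cmd aaa)"))
        if service in ("sftp", "all"):
            findings.append((name, "INFO",
                             "SFTP enabled: authorized directory is cfcard: unless sftp-directory is set"))
    return findings


def error_users(findings):
    """Users with at least one ERROR finding, sorted."""
    return sorted({name for name, sev, _ in findings if sev == "ERROR"})


if __name__ == "__main__":
    for name, sev, msg in audit(parse_ssh_users(SAMPLE_CONFIG)):
        print(f"{sev:5} {name:6} {msg}")
```

Run it against the output of the device's configuration display; in the constructed sample, carol (no authentication mode) and dave (password-dsa with no DSA key assigned) are the users who cannot log in.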

Example

# Configure the all service type for an SSH user John.

<HUAWEI> system-view
[HUAWEI] ssh user john service-type all

stelnet

Function

The stelnet command enables a user to use the STelnet protocol to log in to another device from the current device.

Format

# IPv4 address

stelnet [ -a source-address | -i interface-type interface-number ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *

# IPv6 address

stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ identity-key { dsa | rsa | ecc } ] | [ user-identity-key { rsa | dsa | ecc } ] | [ prefer_kex prefer_key-exchange ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki aliveinterval ] | [ -kc alivecountmax ] ] *

Parameters

Parameter

Description

Value

-a source-address Specifies the STelnet source IP address. -
-i interface-type interface-number

Specifies the STelnet source interface.

If the source interface is specified using -i interface-type interface-number, the -vpn-instance vpn-instance-name parameter is not supported.

-
host-ip Specifies the IP address or host name of the remote IPv4 STelnet server. The value is a string of 1 to 255 case-insensitive characters without spaces. If the string is enclosed within double quotation marks ("), the string can contain spaces.
host-ipv6 Specifies the IPv6 address or host name of the remote IPv6 STelnet server. The value is a string of 1 to 255 case-insensitive characters without spaces.
-oi interface-type interface-number Specifies the outbound interface on the local device. If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified.
port-number Specifies the port number that the SSH server is listening on. The value is an integer that ranges from 1 to 65535. The default value 22 is the standard port number.
identity-key Specifies the public key for server authentication. The public key algorithm includes dsa, rsa, and ecc.
NOTE:
To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm.
user-identity-key Specifies the public key algorithm for the client authentication. The public key algorithm includes dsa, rsa, and ecc.
NOTE:
To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm.
prefer_kex prefer_key-exchange

Specifies the preferred key exchange algorithm. The dh_group1, dh_exchange_group and dh_group14_sha1 algorithms are supported currently.

The default key exchange algorithm is dh_group14_sha1.

NOTE:

dh_group1 uses a 1024-bit Diffie-Hellman group and is considered weak; it is not supported by default. Enable it only when an old peer requires it, by running the ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } * and ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } * commands.

The dh_exchange_group algorithm is recommended.

prefer_ctos_cipher prefer_ctos_cipher

Specifies the preferred encryption algorithm from the client to the server. The des, 3des, aes128, aes256, aes128_ctr, and aes256_ctr algorithms are supported currently.

The default algorithm is aes256_ctr.

To improve security, use the aes128_ctr or aes256_ctr algorithm. des and 3des are weak, and the CBC-mode ciphers (aes128, aes256) should be avoided when the peer supports CTR mode.

NOTE:
  • If an encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select an encryption algorithm from the list.
  • If no encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select one from 3des, aes128, aes256, aes128_ctr, and aes256_ctr.
prefer_stoc_cipher prefer_stoc_cipher

Specifies the preferred encryption algorithm from the server to the client. The des, 3des, aes128, aes256, aes128_ctr, and aes256_ctr algorithms are supported currently.

The default algorithm is aes256_ctr.

To improve security, use the aes128_ctr or aes256_ctr algorithm. des and 3des are weak, and the CBC-mode ciphers (aes128, aes256) should be avoided when the peer supports CTR mode.

NOTE:
  • If an encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select an encryption algorithm from the list.
  • If no encryption algorithm list has been configured using the ssh client cipher command for the SSH client, select one from 3des, aes128, aes256, aes128_ctr, and aes256_ctr.
prefer_ctos_hmac prefer_ctos_hmac

Specifies the preferred HMAC algorithm from the client to the server. The sha1, sha1_96, md5, md5_96, sha2_256, and sha2_256_96 algorithms are supported currently.

The default algorithm is sha2_256.

To improve security, it is recommended that you use sha2_256 and sha2_256_96 algorithms.

prefer_stoc_hmac prefer_stoc_hmac

Specifies the preferred HMAC algorithm from the server to the client. The sha1, sha1_96, md5, md5_96, sha2_256, and sha2_256_96 algorithms are supported currently.

The default algorithm is sha2_256.

To improve security, it is recommended that you use sha2_256 and sha2_256_96 algorithms.

-vpn-instance vpn-instance-name Specifies the name of the VPN instance to which the server belongs. The value must be an existing VPN instance name.
-ki aliveinterval Specifies the interval for sending keepalive packets when no packet is received. The value is an integer that ranges from 1 to 3600, in seconds.
-kc alivecountmax Specifies the number of times for no reply of keepalive packets. The value is an integer that ranges from 3 to 10. The default value is 5.
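The prefer_* parameters only state the client's preference; what the session actually uses depends on what the server offers. The following script is an added example, not Huawei code: it models the SSH algorithm selection rule of RFC 4253 section 7.1 (the first algorithm on the client's list that the server also lists wins) for the five slots the stelnet command exposes, and flags weak outcomes. Assumptions: a prefer_* option moves the named algorithm to the front of the client's list for that slot; the client default lists are built from the algorithm lists and defaults on this page; the server offers are constructed; algorithm names use the page's spellings rather than the SSH wire names; the host-key constraint on key exchange selection is ignored.

```python
"""Model how stelnet prefer_* options affect SSH algorithm negotiation.

Added example, not Huawei code. Server offers and the "preferred algorithm
goes first" rule are assumptions made for the example.
"""
import shlex

# Client default lists (page defaults first; dh_group1 is off by default).
CLIENT_DEFAULTS = {
    "kex": ["dh_group14_sha1", "dh_exchange_group"],
    "ctos_cipher": ["aes256_ctr", "aes128_ctr", "aes256", "aes128", "3des"],
    "stoc_cipher": ["aes256_ctr", "aes128_ctr", "aes256", "aes128", "3des"],
    "ctos_hmac": ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"],
    "stoc_hmac": ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"],
}

# Constructed server offer: an old server that still lists weak algorithms.
SERVER_OFFER = {
    "kex": ["dh_group1", "dh_group14_sha1"],
    "ctos_cipher": ["3des", "aes128", "aes128_ctr"],
    "stoc_cipher": ["3des", "aes128", "aes128_ctr"],
    "ctos_hmac": ["md5", "sha1", "sha2_256"],
    "stoc_hmac": ["md5", "sha1", "sha2_256"],
}

# Algorithms a practitioner would not accept on a management session.
WEAK = {"des", "3des", "dh_group1", "md5", "md5_96", "sha1_96"}


def client_lists(stelnet_cmdline, defaults=CLIENT_DEFAULTS):
    """Apply prefer_<slot> <alg> options from a stelnet command line.

    An algorithm that is not on the client's list (e.g. dh_group1 before
    ssh client key-exchange enables it) is left out, as the page describes.
    """
    lists = {slot: list(algs) for slot, algs in defaults.items()}
    toks = shlex.split(stelnet_cmdline)
    for i, tok in enumerate(toks[:-1]):
        if tok.startswith("prefer_"):
            slot, alg = tok[len("prefer_"):], toks[i + 1]
            if slot in lists and alg in lists[slot]:
                lists[slot].remove(alg)
                lists[slot].insert(0, alg)   # assumption: preferred goes first
    return lists


def negotiate(client, server):
    """RFC 4253 7.1: per slot, first client algorithm the server supports."""
    chosen = {}
    for slot, prefs in client.items():
        offered = set(server.get(slot, []))
        chosen[slot] = next((alg for alg in prefs if alg in offered), None)
    return chosen


def weak_choices(chosen):
    """Slots whose negotiated algorithm is in WEAK, sorted."""
    return sorted(slot for slot, alg in chosen.items() if alg in WEAK)


if __name__ == "__main__":
    for cmd in ("stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128",
                "stelnet 10.164.39.209 prefer_ctos_hmac md5"):
        result = negotiate(client_lists(cmd), SERVER_OFFER)
        print(cmd, "->", result, "weak:", weak_choices(result))
```

Note that the page's own IPv6 example, prefer_ctos_cipher aes128, downgrades the client-to-server cipher from the CTR default to CBC mode; the server-to-client direction is negotiated separately and keeps aes128_ctr.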

Views

System view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

Logins through Telnet bring security risks because Telnet neither authenticates the server nor encrypts the session: user names, passwords, and all subsequent data are transmitted over TCP in plain text and can be read or altered by anyone on the path. SSH, by contrast, authenticates the client, lets the client verify the server's host key, and encrypts the traffic in both directions. STelnet is the remote login service provided by the SSH protocol. You can run this command to use STelnet to log in to another device from the current device.

STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as the Telnet service.

When a fault occurs in the connection between the client and server, the client needs to detect the fault in real time and proactively release the connection. You need to set the interval for sending keepalive packets and the maximum number of times on the client that logs in to the server through STelnet.

  • Interval for sending keepalive packets: If a client does not receive any packet within the specified interval, the client sends a keepalive packet to the server.
  • Maximum number of times the server has no response: If the number of times that the server does not respond exceeds the specified value, the client proactively releases the connection.
Precautions
  • Before connecting to the SSH server using the stelnet command, run the stelnet server enable command to enable the STelnet service on the SSH server.

  • If the server is listening on port 22, the SSH client can log in to the SSH server with no port specified. If the server is listening on another port, the port number must be specified upon login.

Example

# Set keepalive parameters when a client logs in to a server through STelnet.

<HUAWEI> system-view
[HUAWEI] stelnet 10.164.39.209 -ki 10 -kc 4
# Remotely connect to the STelnet server that uses an IPv6 address.
<HUAWEI> system-view
[HUAWEI] stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128

stelnet server enable

Function

The stelnet server enable command enables the STelnet service on an SSH server.

The undo stelnet server enable command disables the STelnet service on an SSH server.

By default, the STelnet service is disabled on SSH servers.

Format

stelnet [ ipv4 | ipv6 ] server enable

undo stelnet [ ipv4 | ipv6 ] server enable

Parameters

Parameter Description Value
ipv4 Configures a device as the STelnet IPv4 server. -
ipv6 Configure a device as the STelnet IPv6 server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To connect a client to an SSH server through STelnet, you must enable the STelnet service on the SSH server.

Precautions

After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.

After the stelnet server enable command is run, the device receives login connection requests from all interfaces by default, incurring security risks. To improve security, you are advised to run the ssh server-source command to specify a source interface for the STelnet server.

The stelnet server enable command without the ipv4 or ipv6 keyword enables both the STelnet IPv4 service and the STelnet IPv6 service. To enable or disable only one of them, run the stelnet { ipv4 | ipv6 } server enable command.

Example

# Enable the STelnet service.

<HUAWEI> system-view
[HUAWEI] stelnet server enable

# Enable the STelnet IPv4 service.

<HUAWEI> system-view
[HUAWEI] stelnet ipv4 server enable

telnet

Function

The telnet command enables a user to use the Telnet protocol to log in to another device from the current device.

Format

# Log in to another device through Telnet based on IPv4.

telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address | -i interface-type interface-number ] host-ip [ port-number ]

# Log in to another device through Telnet based on IPv6.

telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]

Parameters

Parameter

Description

Value

vpn-instance vpn-instance-name

Specifies the name of the IPv4 VPN instance to which the device to be logged in to through Telnet belongs.

The value must be an existing VPN instance name.
-a source-ip-address

Specifies a source IP address through which a server communicates with the device. This improves security. If no source address is specified, a device will use the IP address of the local outbound interface to initiate a Telnet connection.

-
-i interface-type interface-number Specifies the source interface type and number on the local device. -
vpn6-instance vpn6-instance-name Specifies the name of the IPv6 VPN instance to which the login device belongs. The value must be an existing VPN instance name.
host-ip Specifies the IPv4 address or host name of the remote device. The value is a string of 1 to 255 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

host-ipv6 Specifies the IPv6 address or host name of the remote device. The value is a string of 1 to 255 case-insensitive characters without spaces.
NOTE:

The string can contain spaces if it is enclosed with double quotation marks (").

-oi interface-type interface-number Specifies the outbound interface on the local device. If the IPv6 address of the remote host is linked to a local address, the outbound interface must be specified.
port-number Specifies the number of the TCP port that is used by the remote device to provide the Telnet service. The value is an integer that ranges from 1 to 65535. The default value is 23.

Views

User view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

If multiple devices on a network need to be configured and managed, run the telnet command to log in to these devices from your terminal for remote device configuration, facilitating device management.

You can press Ctrl+K to terminate an active connection between the local and remote devices.

Precautions

  • Before you run the telnet command to connect to the Telnet server, the Telnet client and server must be able to communicate at Layer 3 and the Telnet service must be enabled on the Telnet server.

  • Logins through Telnet bring security risks because Telnet does not encrypt the session: user names, passwords, and all data are transmitted over TCP in plain text. Use STelnet on networks that have high security requirements.
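The plaintext risk stated here and under the stelnet command is easy to demonstrate. The following script is an added example, not Huawei code: it takes a constructed Telnet exchange in the shape of a VRP login prompt (no real capture was used), strips the RFC 854 option negotiation that a raw packet stream contains, and pairs each line the client typed with the server prompt that preceded it, recovering the user name and password exactly as a passive observer on the path would.

```python
"""Recover a Telnet login from a captured byte stream.

Added example, not Huawei code. CAPTURE is constructed by hand for the
example; it is not a real capture.
"""

IAC, SE, SB = 255, 240, 250
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_negotiation(data):
    """Remove Telnet option negotiation (RFC 854) and return the payload."""
    out = bytearray()
    i = 0
    while i < len(data):
        byte = data[i]
        if byte != IAC:
            out.append(byte)
            i += 1
            continue
        if i + 1 >= len(data):
            break                              # dangling IAC at end of segment
        cmd = data[i + 1]
        if cmd == IAC:                         # IAC IAC: escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):    # IAC <cmd> <option>
            i += 3
        elif cmd == SB:                        # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                  # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


# Constructed capture: (direction, bytes) in wire order. "S" = server,
# "C" = client. The client sends one character per segment, as Telnet
# clients in character mode do.
CAPTURE = [
    ("S", b"\xff\xfb\x01\xff\xfb\x03\xff\xfd\x18"),   # WILL ECHO, WILL SGA, DO TTYPE
    ("C", b"\xff\xfd\x01\xff\xfd\x03\xff\xfb\x18"),
    ("S", b"\r\nLogin authentication\r\n\r\n\r\nUsername:"),
    ("C", b"a"), ("C", b"d"), ("C", b"m"), ("C", b"i"), ("C", b"n"), ("C", b"\r\n"),
    ("S", b"admin\r\nPassword:"),
    ("C", b"Huawei@123\r\n"),
    ("S", b"\r\n<HUAWEI>"),
]


def extract_login(capture):
    """Pair each client line with the last server prompt that preceded it."""
    prompt = None
    typed = bytearray()
    fields = {}
    for direction, raw in capture:
        payload = strip_negotiation(raw)
        if direction == "S":
            text = payload.decode("ascii", "replace").strip()
            if text.endswith(":"):             # "Username:" / "Password:"
                prompt = text.rsplit(None, 1)[-1].rstrip(":").lower()
            continue
        typed += payload
        while b"\r" in typed:                  # line ends are CR LF or CR NUL
            line, _, typed = typed.partition(b"\r")
            typed = bytearray(typed.lstrip(b"\n\x00"))
            if prompt:
                fields[prompt] = line.decode("ascii", "replace")
                prompt = None
    return fields


if __name__ == "__main__":
    print(extract_login(CAPTURE))
```

Nothing in the exchange protects the credentials; the same logic applied to the TCP payloads of a real Telnet session yields the same result, which is why the page recommends STelnet, where the equivalent bytes are encrypted after key exchange.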

Example

# Connect to a remote device through Telnet.

<HUAWEI> telnet 192.168.1.6
# Use the IPv6 address to connect to a remote device through Telnet.
<HUAWEI> telnet ipv6 fc00:0:0:11::158

telnet client-source

Function

The telnet client-source command specifies a source IP address or source interface for a Telnet client.

The undo telnet client-source command restores the default settings.

The default source IP address of a Telnet client is 0.0.0.0, and there is no default source interface.

Format

telnet client-source { -a source-ip-address | -i interface-type interface-number }

undo telnet client-source

Parameters

Parameter Description Value
-a source-ip-address Specifies the IPv4 address of the local switch. -
-i interface-type interface-number Specifies the source interface of the local switch. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If no source IP address is specified in the telnet command, the source IP address specified using the telnet client-source command is used. If a source IP address is specified in the telnet command, that setting takes precedence. When you check the current Telnet connection on the server, the client address displayed is the specified source IP address or the primary IP address of the specified source interface.

Prerequisites

The source interface specified using the command must exist and have an IP address configured.

Example

# Set the source IP address of the Telnet client to 10.1.1.1.

<HUAWEI> system-view
[HUAWEI] telnet client-source -a 10.1.1.1

telnet server acl

Function

The telnet server acl command configures an ACL to control the access of clients to the Telnet server.

The undo telnet server acl command cancels the configuration of the ACL.

By default, no ACL is configured for Telnet servers.

Format

telnet [ ipv6 ] server acl acl-number

undo telnet [ ipv6 ] server acl

Parameters

Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -
acl-number Specifies an ACL number. The value is an integer that ranges from 2000 to 3999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When a device functions as a Telnet server, configure an ACL on the device to control the login of the clients to the device.

Prerequisites

An ACL has been configured using the acl (system view) command in the system view, and an ACL rule has been configured using the rule (basic ACL view) or rule (advanced ACL view) command.

Precautions

None.
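Basic ACL rules use a wildcard (inverse) mask, so it is easy to misjudge which clients a rule admits. The following script is an added example, not Huawei code: it parses a constructed basic ACL written in the rule syntax above and evaluates candidate client addresses against it in configuration order, first match wins. The page does not state how a client that matches no rule is treated, so that outcome is a parameter, defaulting to deny as the conservative reading; the script also handles the "0" wildcard shorthand for an exact host match.

```python
"""Evaluate which client source addresses a basic ACL referenced by
`telnet server acl` lets through.

Added example, not Huawei code. ACL_CONFIG is constructed for the example.
"""
import ipaddress

# Constructed ACL in the page's syntax; rule IDs follow configuration order.
ACL_CONFIG = """\
acl 2000
 rule 5 permit source 10.1.1.1 0
 rule 10 permit source 10.1.2.0 0.0.0.255
 rule 15 deny source 10.1.0.0 0.0.255.255
 rule 20 permit source any
"""


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def _wildcard(text):
    # VRP accepts "0" as shorthand for 0.0.0.0 (exact host match).
    return _addr(text) if "." in text else int(text)


def parse_basic_acl(text):
    """Return [(action, address_int, wildcard_int), ...] in config order.

    Wildcard semantics (inverse mask): a 0 bit must match, a 1 bit is
    don't-care. Only basic ACL rules (source address only) are handled.
    """
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "rule":
            continue
        if parts[1].isdigit():                 # optional rule ID
            parts = parts[:1] + parts[2:]
        if len(parts) < 4 or parts[2] != "source":
            continue
        action, src = parts[1], parts[3:]
        if src[0] == "any":
            address, wildcard = 0, 0xFFFFFFFF
        else:
            address = _addr(src[0])
            wildcard = _wildcard(src[1]) if len(src) > 1 else 0
        rules.append((action, address, wildcard))
    return rules


def acl_decision(rules, client_ip, default="deny"):
    """First matching rule wins. `default` is an assumption: the page does
    not say how a login that matches no rule is treated."""
    ip = _addr(client_ip)
    for action, address, wildcard in rules:
        fixed = ~wildcard & 0xFFFFFFFF         # bits that must match
        if (ip & fixed) == (address & fixed):
            return action
    return default


if __name__ == "__main__":
    rules = parse_basic_acl(ACL_CONFIG)
    for ip in ("10.1.1.1", "10.1.2.77", "10.1.3.9", "192.0.2.5"):
        print(f"{ip:>12} -> {acl_decision(rules, ip)}")
```

Because rule 15 is evaluated after rules 5 and 10, the host 10.1.1.1 and the 10.1.2.0/24 range are admitted while the rest of 10.1.0.0/16 is denied; without the trailing "permit source any" the outcome for every unmatched client is whatever the device's default behaviour is, which you should confirm on the platform before relying on it.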

Example

# Configure ACL 2000 on a Telnet server.

<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0
[HUAWEI-acl-basic-2000] quit
[HUAWEI] telnet server acl 2000

telnet server-source

Function

The telnet server-source command specifies a source interface for a Telnet server.

The undo telnet server-source command restores the default setting.

By default, the source interface of a Telnet server is not specified.

Format

telnet server-source -i loopback interface-number

undo telnet server-source

Parameters

Parameter Description Value
-i loopback interface-number Specifies a loopback interface as the source interface of the Telnet server. The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

By default, a Telnet server receives connection requests from all interfaces, incurring security risks. To enhance system security, you can specify a source interface for the Telnet server. Users are then allowed to log in to the Telnet server only through this interface.

Prerequisites

A loopback interface to be specified as the source interface exists and has an IP address configured. If the loopback interface is not created, the telnet server-source command cannot be correctly run.

Precautions

After the source interface is specified, a device allows Telnet users to log in to the Telnet server only through this source interface, and Telnet users logging in through other interfaces are denied. Note that setting this parameter only affects Telnet users who attempt to log in to the Telnet server, and it does not affect Telnet users who have logged in to the server.

After the source interface of a Telnet server is specified using this command, ensure that Telnet users can access the source interface at Layer 3. Otherwise, the Telnet users will fail to log in to the Telnet server.

Example

# Specify loopback0 as the source interface of the Telnet server.

<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 24
[HUAWEI-LoopBack0] quit
[HUAWEI] telnet server-source -i loopback 0

telnet server enable

Function

The telnet server enable command enables the Telnet service.

The undo telnet server enable command disables the Telnet service.

The telnet server disable command disables the Telnet service.

By default, the Telnet service is disabled.

Format

telnet [ ipv6 ] server enable

undo telnet [ ipv6 ] server enable

telnet [ ipv6 ] server disable

Parameters

Parameter Description Value
ipv6 Specifies a Telnet IPv6 server. -

Views

System view

Default Level

3: Management level

Usage Guidelines

You can run the telnet server enable command to enable the Telnet service. A Telnet server can be connected only when it is enabled.

If any user is currently logged in to the server through Telnet, the undo telnet [ ipv6 ] server enable command fails on the server.

When a Telnet server is disabled, you can log in to the device only through the console port or SSH.

The Telnet protocol poses a security risk, and therefore using STelnet V2 is recommended.

After the telnet server enable command is run, the device receives login connection requests from all interfaces by default, incurring security risks. You are advised to run the telnet server-source command to specify a source interface for the Telnet server.

Example

# Enable the Telnet service.

<HUAWEI> system-view
[HUAWEI] telnet server enable
Info: TELNET server has been enabled.

# Disable the Telnet service.

<HUAWEI> system-view
[HUAWEI] undo telnet server enable

# Enable the IPv6 Telnet service.

<HUAWEI> system-view
[HUAWEI] telnet ipv6 server enable

telnet server port

Function

The telnet server port command configures a listening port number for a Telnet server.

The undo telnet server port command restores the default listening port of a Telnet server.

The default listening port of a Telnet server is 23.

Format

telnet server port port-number

undo telnet server port

Parameters

Parameter Description Value
port-number Specifies the listening port number of a Telnet server. The value is an integer that is 23 or ranges from 1025 to 55535. The default value 23 is the standard Telnet server port number.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Moving the Telnet server off the standard port reduces exposure to scans and automated attacks aimed at port 23, so run the telnet server port command to configure a new listening port. Note that this is only a minor hardening step: a port scan still finds the service, and Telnet traffic remains plain text. Combine it with telnet server acl and telnet server-source, or use STelnet instead.

Precautions

If the server is listening on port 23, the Telnet client can log in successfully with no port specified. If the server is listening on another port, the port number must be specified.

Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.

Example

# Set the listening port number to 1026.

<HUAWEI> system-view
[HUAWEI] telnet server port 1026
# Restore the listening port number to the default value.
<HUAWEI> system-view
[HUAWEI] undo telnet server port
Updated: 2019-10-18

Document ID: EDOC1000178288