Configuration Guide - Basic Configuration

S9300, S9300E, and S9300X V200R011C10

This document describes methods to use command line interface and to log in to the device, file operations, and system startup configurations.

Managing Files When the Device Functions as an SCP Client

Pre-configuration Tasks

Before connecting to a device as an SCP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the SSH server.
  • Obtain the host name or IP address of the SSH server and SSH user information.
  • Obtain the listening port number of the SSH server if the default listening port number is not used.

Configuration Procedure

Table 7-48 describes the procedure for managing files when the device functions as an SCP client.

Table 7-48  Procedure for managing files when the device functions as an SCP client
No.: 1
Task: (Optional) Configure the SCP client source address
Description: Configure the SCP client source address. The source address can be set to a source IP address or source interface information, ensuring communication security.
Remarks: Steps 1, 2, and 3 can be performed in any sequence.

No.: 2
Task: Generate a local key pair
Description: Generate a local key pair and configure the public key on the SSH server. Perform this step only when the device logs in to the SSH server in RSA, DSA, or ECC authentication mode, not the password authentication mode.

No.: 3
Task: Configure the initial SSH connection
Description: To configure the initial SSH connection, enable the initial authentication function or save the public key of the SSH server on the SSH client.

No.: 4
Task: Run SCP commands to connect to the SSH server
Description: -

Procedure

  • (Optional) Configure the SCP client source address.

    Table 7-49  (Optional) Configuring the SCP client source address

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: Configure the SCP client source address.
    Command: scp client-source { -a source-ip-address | -i interface-type interface-number }
    Description: By default, no source IP address is configured on the SCP client.

  • Generate a local key pair

    NOTE:

    Perform this step only when the device logs in to the SSH server in RSA, DSA, or ECC authentication mode, not the password authentication mode.

    Table 7-50  Generating a local key pair

    Action: Enter the system view.
    Command: system-view
    Description: -

    Action: Generate the local key pair.
    Command: rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create
    Description: Select one of these commands based on the type of key configured on the remote end. Run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local RSA, DSA, or ECC key pair. Configure the public key on the SSH server.

  • Configure the initial SSH connection.

    By default, the client cannot connect to the SSH server because the client does not save the public key of the SSH server. Configure the initial SSH connection in either of the following ways:

    • Enable the initial authentication function on the client. With the function enabled, the client connects to the SSH server without checking the public key of the SSH server. When the initial SSH connection succeeds, the client automatically saves the public key of the SSH server for the next SSH connection. For details, see Table 7-51.
    • Save the public key of the SSH server on the client so that the client can authenticate the SSH server successfully. For details, see Table 7-52. This method is more secure than the first method but more complex to configure.

    Table 7-51  Enabling first authentication for the SSH client

    Action: Enter the system view.
    Command: system-view
    Description: -

    Action: Enable first authentication for the SSH client.
    Command: ssh client first-time enable
    Description: By default, first authentication is disabled on the SSH client.

    Table 7-52  Configuring the SSH client to assign the RSA, DSA, or ECC public key to the SSH server

    Action: Enter the system view.
    Command: system-view
    Description: -

    Action: Enter the RSA, DSA, or ECC public key view.
    Command (one of the following):
      rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
      dsa peer-public-key key-name encoding-type { der | openssh | pem }
      ecc peer-public-key key-name encoding-type { der | openssh | pem }
    Description: Perform one of the operations based on the key type.

    Action: Enter the public key editing view.
    Command: public-key-code begin
    Description: -

    Action: Edit the public key.
    Command: hex-data
    Description:
      • The public key must be a hexadecimal character string in the public key encoding format, and generated by the SSH server.
      • After entering the public key editing view, enter on the client the RSA, DSA, or ECC public key that is generated on the server.

    Action: Exit from the public key editing view.
    Command: public-key-code end
    Description:
      • If the public key hex-data is invalid, the public key cannot be generated after you run this command.
      • If the specified key key-name has been deleted, the system displays a message indicating that the key does not exist and returns to the system view directly when you run this command.

    Action: Return to the system view.
    Command: peer-public-key end
    Description: -

    Action: Bind the RSA, DSA, or ECC public key to the SSH server.
    Command: ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname
    Description: If the SSH server public key saved in the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | dsa-key | ecc-key } command to cancel the binding between the SSH server and RSA, DSA, or ECC public key, and run this command to assign a new RSA, DSA, or ECC public key to the SSH server.

  • Run SCP commands to connect to the SSH server.

    Unlike in SFTP mode, once the SCP connection is established, the client can directly upload files to or download files from the server.

    Table 7-53  Running SCP commands to connect to the SSH server

    Operation: Enter the system view.
    Command: system-view
    Description: -

    Operation: (Optional) Configure a key exchange algorithm list for the SSH client.
    Command: ssh client key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *
    Description: By default, an SSH client supports all key exchange algorithms.

    Operation: (Optional) Configure an encryption algorithm list for the SSH client.
    Command: ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr } *
    Description: By default, an SSH client supports the following encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    Operation: (Optional) Configure an HMAC algorithm list for the SSH client.
    Command: ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
    Description: By default, an SSH client supports the following HMAC algorithms: MD5, MD5_96, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.

    Operation: IPv4 address
    Command: scp [ -port port-number | { public-net | vpn-instance vpn-instance-name } | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | { -a source-address | -i interface-type interface-number } | -r | -cipher -cipher | -c ] * sourcefile destinationfile
    Description: Run either of the commands based on the IP address type.
    NOTE: The aes128 or aes256 algorithm is recommended to improve data transmission security.

    Operation: IPv6 address
    Command: scp ipv6 [ -port port-number | { public-net | vpn-instance vpn-instance-name } | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | -a source-address | -r | -cipher -cipher | -c ] * sourcefile destinationfile [ -oi interface-type interface-number ]

    NOTE:

    The file system has a restriction on the number of files in the root directory. Therefore, if more than 50 files exist in the root directory, creating new files in this directory may fail.
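
The defaults listed in Table 7-53 and the first-authentication option in Table 7-51 can be checked offline against a saved configuration. The following Python audit is an added example, not Huawei code: the configuration text is constructed, the set of algorithms treated as weak is this example's own policy, and it assumes saved configuration lines have the same form as the commands above.

```python
import re

# Defaults as stated in Table 7-53; they apply when no explicit list is configured.
DEFAULTS = {
    "key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"],
    "cipher": ["3des_cbc", "aes128_cbc", "aes256_cbc", "aes128_ctr", "aes256_ctr"],
    "hmac": ["md5", "md5_96", "sha1", "sha1_96", "sha2_256", "sha2_256_96"],
}
# Assumption: this weak set is the example's policy, not a vendor-published list.
WEAK = {
    "key-exchange": {"dh_group1_sha1"},
    "cipher": {"des_cbc", "3des_cbc"},
    "hmac": {"md5", "md5_96"},
}
LINE = re.compile(r"^ssh client (key-exchange|cipher|hmac)\s+(.+)$")

# Constructed sample configurations (server address and key name are placeholders).
WEAK_CONFIG = """\
#
ssh client first-time enable
ssh client cipher des_cbc aes128_ctr
#
"""
RESTRICTED_CONFIG = """\
#
ssh client key-exchange dh_group14_sha1
ssh client cipher aes128_ctr aes256_ctr
ssh client hmac sha2_256
ssh client 10.1.1.1 assign rsa-key serverkey
#
"""

def audit(config_text):
    """Return findings for the SSH/SCP client settings, in check order."""
    configured, findings = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ssh client first-time enable":
            findings.append("first-time: server key accepted unchecked on first connection")
        m = LINE.match(line)
        if m:
            configured[m.group(1)] = m.group(2).split()
    for kind, default in DEFAULTS.items():
        origin = "configured" if kind in configured else "default"
        active = configured.get(kind, default)
        for alg in sorted(WEAK[kind].intersection(active)):
            findings.append(f"{kind}: {alg} enabled ({origin})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONFIG)))
```

A missing `ssh client key-exchange`, `ssh client cipher`, or `ssh client hmac` line is reported against the documented default list, so an unconfigured client still produces findings.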

Verifying the Configuration

  • Run the display scp-client command to check source configurations on the SCP client.
  • Run the display ssh server-info command to check the mappings between the SSH server and the public key.
Updated: 2019-04-17

Document ID: EDOC1000178413