
CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples for the basic configuration features supported by the device in different application scenarios.
(Optional) Using STelnet to Log In to Another Device from the Local Device

This section describes how to use STelnet to log in to another device from the local device.

Context

A device can function as both an STelnet server and an STelnet client. As an STelnet client, the device can log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use STelnet to log in to the target device from the intermediate device. The intermediate device functions as an STelnet client.

As shown in Figure 9-6, a PC connects to a device through network 1 and the device connects to an STelnet server through network 2. The PC cannot directly communicate with the STelnet server. In this situation, you can configure the device as an STelnet client and log in to the STelnet server from the device.
Figure 9-6  Configuring a device as an STelnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as an STelnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and STelnet server.
  • Enable the STelnet server function on the STelnet server.
  • Obtain the SSH user name and password, server keys, and port number configured on the STelnet server.

Procedure

  1. Generate a local key pair for the SSH client.

    1. Run system-view

      The system view is displayed.

    2. Run rsa local-key-pair create, or ecc local-key-pair create

      A local RSA or ECC key pair is generated. The generated key pair must be of the same type as that of the server.

      You can run the display rsa local-key-pair public or display ecc local-key-pair public command to view information about the public key in the generated RSA or ECC key pair. Configure the public key on the SSH server. For details, see Configuring an SSH User.

    3. Run quit

      Return to the user view.

  2. Configure the mode in which the device connects to the SSH server for the first time.

    When working as an SSH client to connect to an SSH server for the first time, the device cannot validate the SSH server because the public key of the SSH server has not been saved on the client. As a result, the connection fails. You can perform either of the following operations to rectify the connection failure:

    • Enable first-time authentication on the SSH client. This function allows the device to successfully connect to an SSH server for the first time without validating the SSH server's public key. If saving the SSH server's public key is selected during server authentication, the device automatically saves the SSH server's public key after connecting to the server successfully for subsequent server authentication. If saving the SSH server's public key is not selected, the system asks you whether to save the SSH server's public key the next time server authentication is performed.
      1. Run system-view

        The system view is displayed.

      2. Run ssh client first-time enable

        First-time authentication is enabled on the SSH client.

        By default, first-time authentication is disabled on an SSH client.

    • Configure the SSH client to assign a public key to the SSH server. In this mode, the public key generated on the server is directly saved on the client to ensure that the SSH server passes the validity check on the client's first login.
      1. Run system-view

        The system view is displayed.

      2. Run rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or ecc peer-public-key key-name encoding-type { der | openssh | pem }

        The RSA or ECC public key view is displayed.

      3. Run public-key-code begin

        The public key editing view is displayed.

      4. Enter the public key of the SSH server.

        The entered public key must be a hexadecimal string complying with the public key format. The string is randomly generated on the SSH server.

        After entering the public key editing view, you can enter the RSA or ECC public key generated by the server on the client.

      5. Run public-key-code end

        Exit the public key editing view.

      6. Run peer-public-key end

        Exit the public key view.

      7. Run ssh client servername assign { rsa-key | ecc-key } key-name

        The RSA or ECC public key is bound to the SSH server.

        NOTE:

        If the SSH server's public key saved on the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | ecc-key } command to unbind the RSA or ECC public key from the SSH server and then run the command to assign a new RSA or ECC public key to the SSH server.

  3. Log in to another device.

    Run either of the following commands based on the network address type.

    • IPv4 mode:

      Run the stelnet [ -a source-address ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    • IPv6 mode:

      Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ -vpn6-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    When port 22 is specified as the protocol port number for the STelnet server, the STelnet client can log in with no port number specified. If another port number is specified as the protocol port number for the STelnet server, you must specify the port number used by the client to log in.

    When configuring an STelnet client to log in to an SSH server, you can specify the source IP address, select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and enable the keepalive function on the client.

    NOTE:
    The DES, 3DES, MD5, MD5_96, SHA1, and SHA1_96 algorithms cannot ensure security. The AES128, AES128-CTR, AES192-CTR, or AES256-CTR encryption algorithm is recommended.
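
An added example (not part of the Huawei documentation): a Python check that scans client-side CLI lines for the two risks this procedure exposes, first-time authentication and the algorithms the NOTE above lists as unable to ensure security. The sample lines, the key name rsakey001, and the assumption that the server name in the assign command equals the host passed to stelnet are constructed for illustration.

```python
import re

# Algorithms the NOTE in this procedure lists as unable to ensure security.
WEAK = {"des", "3des", "md5", "md5_96", "sha1", "sha1_96"}
PREFER = re.compile(r"\b(prefer_(?:ctos|stoc)_(?:cipher|hmac))\s+(\S+)")
ASSIGN = re.compile(r"^ssh client (\S+) assign (?:rsa-key|ecc-key) \S+$")
UNASSIGN = re.compile(r"^undo ssh client (\S+) assign (?:rsa-key|ecc-key)$")
# Host is the first argument after the optional "ipv6" and "-a source-address".
STELNET = re.compile(r"^stelnet\s+(?:ipv6\s+)?(?:-a\s+\S+\s+)?(\S+)")


def audit(lines):
    """Return (line_no, message) findings for a list of client CLI lines."""
    findings, pinned = [], set()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if line == "ssh client first-time enable":
            findings.append((no, "first-time authentication enabled: server "
                                 "public key is accepted without validation"))
        elif (m := ASSIGN.match(line)):
            pinned.add(m.group(1))          # server key bound on the client
        elif (m := UNASSIGN.match(line)):
            pinned.discard(m.group(1))      # binding removed again
        elif (m := STELNET.match(line)):
            for opt, alg in PREFER.findall(line):
                if alg.lower() in WEAK:
                    findings.append((no, f"{opt} {alg}: listed as insecure"))
            if m.group(1) not in pinned:
                findings.append((no, f"{m.group(1)}: no server public key "
                                     "assigned before login"))
    return findings


# Constructed sample session (addresses and key name are illustrative).
SAMPLE = """\
system-view
ssh client first-time enable
ssh client 10.1.1.2 assign rsa-key rsakey001
quit
stelnet 10.1.1.2 prefer_ctos_cipher aes256-ctr prefer_stoc_cipher aes256-ctr
stelnet 10.2.2.2 prefer_ctos_cipher 3des prefer_stoc_hmac md5
""".splitlines()

if __name__ == "__main__":
    for line_no, message in audit(SAMPLE):
        print(f"line {line_no}: {message}")
```
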

Verifying the Configuration

  • Run the display ssh server command to check the mapping between all SSH servers and RSA or ECC public keys on the SSH client.
Updated: 2019-05-20

Document ID: EDOC1100034225
