CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic configuration supported by the device.
Enabling the SSH Server Function

To allow user terminals to establish an SSH connection with a device, first log in to the device through another access method and enable the SSH server function on the device.

Context

A device serving as an SSH server must hold a local host key pair (RSA or ECC) of a type the client supports; the key pair is used during key exchange and allows the client to authenticate the server. The device also supports a rich set of SSH server attributes for fine-grained control over SSH login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run stelnet server enable

    The SSH server function is enabled on the device.

    By default, the SSH server function is disabled.

  3. (Optional) Run ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes192_ctr | aes256_ctr | blowfish_cbc | des_cbc }*

    An encryption algorithm list is configured for the SSH server.

    By default, algorithms except des_cbc are included in the encryption algorithm list of the SSH server.

    The server and client negotiate the algorithm for encrypting packets transmitted between them. You can run the ssh server cipher command to configure the encryption algorithm list of the SSH server. The server compares the encryption algorithm list sent from the client with its own encryption algorithm list, and selects the first matched encryption algorithm for encrypting transmitted packets. If the encryption algorithm lists of the server and client have no common encryption algorithm, the encryption algorithm negotiation fails.

    NOTE:

    You are advised not to add the following encryption algorithms to the encryption algorithm list of the SSH server because they provide low security: 3des_cbc, aes128_cbc, blowfish_cbc, and des_cbc.

  4. (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }*

    A check algorithm list is configured for the SSH server.

    By default, an SSH server supports all the check algorithms.

    The server and client negotiate the algorithm for checking packets transmitted between them. You can run the ssh server hmac command to configure the check algorithm list of the SSH server. The server compares the check algorithm list sent from the client with its own check algorithm list, and selects the first matched check algorithm for checking transmitted packets. If the check algorithm lists of the server and client have no common check algorithm, the check algorithm negotiation fails.

    NOTE:

    You are advised not to add the following HMAC check algorithms to the HMAC check algorithm list of the SSH server because they provide low security: sha2_256_96, sha1, sha1_96, md5, and md5_96.

  5. (Optional) Run ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    A key exchange algorithm list is configured for the SSH server.

    By default, an SSH server supports all key exchange algorithms.

    During the negotiation process, the client and server negotiate the key exchange algorithm for packet transmission. You can perform this step to configure a key exchange algorithm list for the SSH server. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first key exchange algorithm on the client's list that matches a key exchange algorithm on its own list as the key exchange algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    NOTE:

    You are advised not to add dh_group1_sha1 to the key exchange algorithm of the SSH server because it provides low security.

  6. Run rsa local-key-pair create or ecc local-key-pair create

    A local RSA or ECC key pair is generated. The key pair is stored outside the configuration file, so this step is not visible in the running configuration.

    NOTE:

    A longer key provides higher security. It is recommended that you use the maximum key length the device supports.

  7. (Optional) Run ssh server port port-number

    The port number of the SSH server is specified.

    By default, the port number of the SSH server is 22.

    Configuring a non-default port number reduces the SSH server's exposure to automated scans and brute-force tools that target port 22. This is obscurity rather than access control: it does not replace strong authentication, the interface restrictions in this procedure, or ACLs.

  8. (Optional) Run ssh server rekey-interval hours

    The interval for updating key pairs is set.

    The default interval is 0, indicating that the key pairs are never updated.

    With a non-zero interval, the SSH server regenerates its key pair automatically at that interval, limiting how long any single key remains in use.

  9. (Optional) Run ssh server timeout seconds

    The timeout period is set for SSH authentication.

    The default timeout period is 60 seconds.

    If a user fails to log in within the timeout period for SSH authentication, the device disconnects the current connection to ensure system security.

  10. (Optional) Run ssh server authentication-retries times

    The maximum number of SSH authentication retries is set.

    The default maximum number of SSH authentication retries is 3.

    You can set the maximum number of SSH authentication retries to prevent unauthorized access.

  11. (Optional) Run ssh server compatible-ssh1x enable

    Compatibility with earlier SSH versions is enabled.

    By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the compatibility setting is whatever the configuration file specifies.
    NOTE:

    If the SSH server is enabled to be compatible with earlier SSH versions, the system displays a security risk warning. SSH 1.x has known protocol weaknesses; enable compatibility only for clients that cannot be upgraded, and disable it again afterwards.

  12. (Optional) Run telnet server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source interface is specified for the SSH server.

    By default, the source interface of an SSH server is not specified.

    If no source IP address is specified for the SSH server, the device selects a source IP address according to its routing entries when sending packets. Specify an interface in a stable state, such as a loopback interface, as the source interface. Before specifying a source interface, make sure that the SSH client has a reachable route to that interface; otherwise, the configuration will fail.

  13. (Optional) Run ssh server permit interface { interface-type interface-number } &<1-5>

    The physical interfaces on the SSH server to which clients can connect are specified.

    By default, clients can connect to all the physical interfaces on the SSH server.

    To prevent a client from connecting to the SSH server through an unauthorized physical interface (for example, a WAN-facing port), run this command to restrict SSH access to the physical interfaces that should accept management connections.
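The following is an added example, not part of this guide and not Huawei code. It models two things the procedure describes: the negotiation rule in steps 3 to 5 (the server takes the first algorithm in the client's proposal that also appears in its own list) and an audit of the SSH server section of a saved configuration against the NOTEs in this procedure. The two configuration snippets are constructed for the example; the default algorithm orderings in DEFAULTS are an assumption (the audit uses membership only), and the hardened snippet follows the procedure using only the algorithms its NOTEs do not warn against.

```python
"""Audit a Huawei AR SSH-server configuration against the hardening notes in
this procedure, and model the algorithm negotiation rule it describes.
Added example; constructed sample configs, not device output."""
import re
from typing import List, Optional

# Algorithms the procedure's NOTEs advise against enabling on the SSH server.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "blowfish_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "key-exchange": {"dh_group1_sha1"},
}

# Lists in force when the command is absent ("all algorithms", or "all except
# des_cbc" for ciphers). The ORDER here is an assumption; only membership is used.
DEFAULTS = {
    "cipher": ["aes128_ctr", "aes192_ctr", "aes256_ctr",
               "aes128_cbc", "3des_cbc", "blowfish_cbc"],
    "hmac": ["sha2_256", "sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"],
    "key-exchange": ["dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"],
}

LIST_RE = re.compile(r"^\s*ssh server (cipher|hmac|key-exchange)\s+(.+?)\s*$", re.M)
SCALAR_RE = re.compile(
    r"^\s*ssh server (port|timeout|authentication-retries|rekey-interval)\s+(\d+)\s*$", re.M)


def parse_ssh_server(config: str) -> dict:
    """Extract the SSH server settings from 'display current-configuration' text,
    filling in the defaults stated in the procedure for anything not present."""
    cfg = {
        "enabled": bool(re.search(r"^\s*stelnet server enable\s*$", config, re.M)),
        "ssh1x": bool(re.search(r"^\s*ssh server compatible-ssh1x enable\s*$", config, re.M)),
        "port": 22, "timeout": 60, "authentication-retries": 3, "rekey-interval": 0,
    }
    for key, algs in DEFAULTS.items():
        cfg[key] = list(algs)
    for m in LIST_RE.finditer(config):      # an explicit list replaces the default
        cfg[m.group(1)] = m.group(2).split()
    for m in SCALAR_RE.finditer(config):
        cfg[m.group(1)] = int(m.group(2))
    return cfg


def audit(cfg: dict) -> List[str]:
    """Return one finding per deviation from the procedure's recommendations."""
    findings = []
    if not cfg["enabled"]:
        findings.append("stelnet server enable is missing: SSH server is disabled")
    for key, weak in WEAK.items():
        bad = [a for a in cfg[key] if a in weak]
        if bad:
            findings.append(f"{key} list contains weak algorithms: {' '.join(bad)}")
        if not [a for a in cfg[key] if a not in weak]:
            findings.append(f"{key} list has no strong algorithm; hardened clients cannot connect")
    if cfg["ssh1x"]:
        findings.append("compatible-ssh1x enable is set: SSH 1.x fallback accepted")
    if cfg["rekey-interval"] == 0:
        findings.append("rekey-interval is 0: server key pair is never updated")
    return findings


def negotiate(client_list: List[str], server_list: List[str]) -> Optional[str]:
    """The rule from steps 3-5: the first algorithm in the CLIENT's proposal that the
    server also lists wins; no common algorithm means negotiation fails (None)."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None


# Constructed sample: SSH enabled, everything else on defaults, plus SSH 1.x fallback.
LEGACY_CONFIG = """\
#
 stelnet server enable
 ssh server compatible-ssh1x enable
#
"""

# Constructed sample: the procedure applied with only non-deprecated algorithms.
# Port, interval, timeout, retries and interface are illustrative values.
HARDENED_CONFIG = """\
#
 stelnet server enable
 ssh server cipher aes256_ctr aes192_ctr aes128_ctr
 ssh server hmac sha2_256
 ssh server key-exchange dh_group_exchange_sha1 dh_group14_sha1
 ssh server port 2222
 ssh server rekey-interval 24
 ssh server timeout 30
 ssh server authentication-retries 2
 ssh server permit interface GigabitEthernet 0/0/0
#
"""

if __name__ == "__main__":
    for name, text in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]", "\n  ".join(audit(parse_ssh_server(text)) or ["no findings"]))
    # A client that proposes a CBC cipher first still gets it from a default-list
    # server; the hardened server forces the client's later, stronger offer.
    offer = ["aes128_cbc", "aes256_ctr"]
    print("legacy negotiates:", negotiate(offer, parse_ssh_server(LEGACY_CONFIG)["cipher"]))
    print("hardened negotiates:", negotiate(offer, parse_ssh_server(HARDENED_CONFIG)["cipher"]))
```

The negotiation function shows why trimming the server's lists matters: the choice follows the client's order, so a weak algorithm the server still lists will be selected whenever a client happens to offer it first. Removing it from the server side is the only control the procedure gives you over that outcome.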

Updated: 2019-05-20

Document ID: EDOC1100034225