CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the basic configuration supported by the device.
Managing Files When the Device Functions as an SFTP Server

SFTP allows a terminal to connect to the remote device over SSH and ensures secure data transmission.

Pre-configuration Tasks

Before connecting to the SFTP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the SSH client software has been installed on the terminal.

Configuration Process

The SFTPv1 protocol poses a risk to device security; the SFTPv2 mode is recommended.

Table 10-14 describes the procedure for managing files when the device functions as an SFTP server.

Table 10-14  Managing files when the device functions as an SFTP server

1. Set SFTP server parameters
   • Generate a local key pair.
   • Enable the SFTP server function.
   • Configure the following server parameters:
     - Key exchange algorithm
     - Encryption algorithm
     - HMAC algorithm
     - Port number
     - Interval for updating the key pair
     - SSH authentication timeout duration
     - Number of SSH authentication retries
     - Physical interfaces on the SSH server to which clients can connect
   • Configure the SSH server to be compatible with earlier SSH versions.

2. Configure the VTY user interface for SSH users to log in to the device
   Configure the user authentication mode, SSH, and other basic attributes on the VTY user interface.

3. Configure SSH user information
   Create an SSH user and set the authentication mode on the SFTP server.

   Remarks for steps 1 to 3: The three steps can be performed in any sequence.

4. Connect to the device using SFTP
   Connect to the device using the SSH client software on the terminal.

Default Parameter Settings

Table 10-15  Default parameter settings

Parameter: Default Value
SFTP server function: Disabled.
Key exchange algorithm: dh_group14_sha256
Encryption algorithm: aes128_ctr, aes192_ctr, and aes256_ctr
HMAC algorithm: sha2_256
Listening port number: 22.
Time for updating the key pair of the server: 0, indicating the key pair of the server is never updated.
SSH authentication timeout duration: 60 seconds.
Number of SSH authentication retries: 3.
SSH user: No SSH user is created.

Procedure

  • Set SFTP server parameters.

    Table 10-16  Setting SFTP server parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    Generate the local RSA or ECC key pair.

    rsa local-key-pair create or ecc local-key-pair create

    Run the display rsa local-key-pair public or display ecc local-key-pair public command to view the public key in the local RSA or ECC key pair. Configure the public key on the SSH server.

    NOTE:

    Because a longer key pair provides higher security, you are advised to use key pairs of the largest length.

    Enable the SFTP server function.

    sftp server enable

    By default, the SFTP server function is disabled.

    (Optional) Configure a key exchange algorithm list for the SSH server.

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group1_sha1 | dh_group14_sha1 | dh_group14_sha256 } *

    By default, an SSH server supports dh_group14_sha256 key exchange algorithm.

    During the negotiation process, the client and server negotiate the key exchange algorithm for packet transmission. You can perform this step to configure a key exchange algorithm list for the SSH server. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first key exchange algorithm on the client's list that matches a key exchange algorithm on its own list as the key exchange algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    (Optional) Configure an encryption algorithm list for the SSH server.

    ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes192_ctr | aes256_ctr | blowfish_cbc | des_cbc } *

    By default, an SSH server supports aes128_ctr, aes192_ctr, and aes256_ctr encryption algorithms.

    During the negotiation process, the client and server negotiate the encryption algorithm for packet transmission. You can perform this step to configure an encryption algorithm list for the SSH server. The server compares the encryption algorithm list sent by the client with its own encryption algorithm list, and selects the first encryption algorithm on the client's list that matches an encryption algorithm on its own list as the encryption algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    (Optional) Configure an HMAC algorithm list for the SSH server.

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH server supports the sha2_256 HMAC algorithm.

    During the negotiation process, the client and server negotiate the HMAC algorithm for packet transmission. You can perform this step to configure an HMAC algorithm list for the SSH server. The server compares the HMAC algorithm list sent by the client with its own HMAC algorithm list, and selects the first HMAC algorithm on the client's list that matches an HMAC algorithm on its own list as the HMAC algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    (Optional) Configure the listening port number.

    ssh server port port-number

    By default, the listening port number is 22.

    If a new port number is configured, the SSH server disconnects all SSH clients and listens for connection requests on the new port. An attacker who does not know the new port number cannot reach the listening port of the SSH server.

    (Optional) Configure the interval for updating the key pair of the server.

    ssh server rekey-interval hours

    By default, the interval for updating the key pair is 0. The value 0 indicates that the key pair is never updated.

    After the interval for updating the SSH server key pair is set using this command, the system automatically updates the key pair at that interval, which improves security.

    (Optional) Configure the SSH authentication timeout duration.

    ssh server timeout seconds

    By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the number of SSH authentication retries.

    ssh server authentication-retries times

    By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with earlier SSH versions.

    ssh server compatible-ssh1x enable

    By default, the server's compatibility with earlier versions is disabled.

    (Optional) Specify physical interfaces on the SSH server to which clients can connect.

    ssh server permit interface { interface-type interface-number } &<1-5>

    By default, clients can connect to all the physical interfaces on the SSH server.

    NOTE:

    When the local RSA or ECC key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs ranges from 512 bits to 2048 bits. The default length is 2048 bits.

  • Configure the VTY user interface for SSH users to log in to the device.

    SSH users use the VTY user interface to log in to the device using SFTP. Attributes of the VTY user interface must be configured.

    Table 10-17  Configuring the VTY user interface for SSH users to log in to the device
    Operation Command Description

    Enter the system view.

    system-view -

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ] -

    Set the authentication mode of the VTY user interface to AAA.

    authentication-mode aaa

    By default, no authentication mode is configured for the VTY user interface.

    The authentication mode of the VTY user interface must be set to AAA. Otherwise, you cannot configure the protocol inbound ssh command and users cannot log in to the device.

    Configure a VTY user interface that supports SSH.

    protocol inbound ssh

    By default, the VTY user interface supports SSH.

    If no VTY user interface supports SSH, users cannot log in to the device.

    Configure the user level.

    user privilege level level

    The user level must be set to 3 or higher to ensure successful connection establishment.

    If a local user uses password authentication, you can run the local-user user-name privilege level level command to set the level of the user to 3 or higher.

    (Optional) Configure other attributes of the VTY user interface.

    -
    Other attributes of the VTY user interface are as follows:
    • Maximum number of VTY user interfaces
    • Restrictions on incoming calls and outgoing calls on the VTY user interface
    • Terminal attributes on the VTY user interface
    For details, see (Optional) Configuring Attributes for a VTY User Interface.

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The following authentication modes are supported: RSA, ECC, password, password-rsa, password-ecc, and all.
    • The password-rsa authentication mode combines the password and RSA authentication modes.
    • The password-ecc authentication mode combines the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users only need to be authenticated by ECC, password, or RSA.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate an RSA or ECC key pair. If the SSH user uses the RSA authentication mode, both the SSH server and the client need to generate an RSA or ECC key pair and configure the public key of the peer end locally.
    Table 10-18  Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Enter the AAA view.

    aaa

    -

    Create SSH users.

    local-user user-name password irreversible-cipher password

    -

    Configure the SSH user level.

    local-user user-name privilege level level

    The local user level must be set to 3 or higher. This operation cannot be performed if the user level in the VTY interface view has been set to 3 or higher using the user privilege level level command.

    Configure the service type for SSH users.

    local-user user-name service-type ssh

    -

    Configure the authorized directory for SSH users.

    local-user user-name ftp-directory directory

    By default, the authorized directory for an SSH user is the root directory of the default storage medium.

    Return to the system view.

    quit

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | ecc | password-rsa | password-ecc | all }

    -
    The following steps, from entering the public key view to assigning the public key to the SSH user, are required only if one of the following authentication modes is configured for SSH users:
    • rsa
    • ecc
    • password-rsa
    • password-ecc

    Enter the RSA or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or ecc peer-public-key key-name encoding-type { der | openssh | pem }

    -

    Enter the public key editing view.

    public-key-code begin

    -

    Edit the public key.

    hex-data

    • The public key must be a hexadecimal character string in the public key format generated by the SSH client software. For details, see SSH client software help.
    • Copy and paste the RSA public key to the device that functions as the SSH server.

    Exit the public key editing view.

    public-key-code end

    -

    Return to the system view.

    peer-public-key end

    -

    Assign an RSA or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | ecc-key } key-name

    -

  • Connect to the device using SFTP.

    SSH client software that supports SFTP must be installed on the terminal so that the terminal can connect to the device using SFTP to manage files. The following describes how to connect to the device using OpenSSH from the Windows CLI.

    • For details on how to install OpenSSH, see the OpenSSH installation description.

    • To connect to the device using SFTP with OpenSSH, run the OpenSSH commands. For details about OpenSSH commands, see the OpenSSH help.

    • The Windows command prompt recognizes OpenSSH commands only when OpenSSH is installed on the terminal.

    Open the Windows CLI and run the OpenSSH commands to connect to the device using SFTP and manage files.

    If the sftp> prompt is displayed in the SFTP client view, the user has accessed the working directory on the SFTP server. (The following output is for reference only.)

    C:\Documents and Settings\Administrator> sftp client001@192.168.200.161
    Connecting to 192.168.200.161...
    The authenticity of host '192.168.200.161 (192.168.200.161)' can't be established.
    RSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.200.161' (RSA) to the list of known hosts.
    
    client001@192.168.200.161's password:
    sftp>

  • Run SFTP commands to perform file-related operations.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 10-19 in any sequence.

    NOTE:

    In the SFTP client view, the system does not support predictive command input. Therefore, you must enter full command names.

    Table 10-19  Running SFTP commands to perform file-related operations
    Operation Command Description
    Change the user's current working directory. cd [ remote-directory ] -
    Change the current working directory to its parent directory. cdup -
    Display the user's current working directory. pwd -
    Display the file list in a specified directory. dir / ls [ -l | -a ] [ remote-directory ] Outputs of the dir and ls commands are the same.
    Delete directories from the server. rmdir remote-directory &<1-10> A maximum of 10 directories can be deleted at one time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.
    Create a directory on the server. mkdir remote-directory -
    Change the name of a specified file on the server. rename old-name new-name -
    Download a file from the remote server. get remote-filename [ local-filename ] -
    Upload a local file to the remote server. put local-filename [ remote-filename ] -
    Delete files from the server. remove remote-filename &<1-10> A maximum of 10 files can be deleted at one time.
    View the help about SFTP commands. help [ all | command-name ] -

  • Disconnect the SFTP client from the SSH server.

    Operation Command Description
    Disconnect the SFTP client from the SSH server. quit -
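The key exchange, encryption and HMAC steps in Table 10-16 all apply the same negotiation rule: the server takes the first algorithm on the client's list that is also on its own list, and the session fails when the lists share nothing. The following added example (not part of the Huawei guide) models that rule in Python, runs it against the default server lists from Table 10-15, and checks a planned ssh server list against an assumed local policy of legacy algorithms to avoid; the client offers, WIDENED_SERVER and DISALLOWED are constructed for the example.

```python
# Added example: SSH algorithm negotiation as described for Table 10-16,
# plus a policy check on a planned "ssh server key-exchange/cipher/hmac" list.

# Default server lists as stated in Table 10-15.
SERVER_DEFAULTS = {
    "kex": ["dh_group14_sha256"],
    "cipher": ["aes128_ctr", "aes192_ctr", "aes256_ctr"],
    "hmac": ["sha2_256"],
}

# Assumed local policy (not from the guide): legacy options the commands still
# accept but that a hardening review would normally reject.
DISALLOWED = {
    "kex": {"dh_group1_sha1"},
    "cipher": {"des_cbc", "3des_cbc", "blowfish_cbc"},
    "hmac": {"md5", "md5_96", "sha1_96"},
}

def negotiate(client_list, server_list):
    """First algorithm on the client's list that the server also supports,
    or None when there is no common algorithm (negotiation fails)."""
    server = set(server_list)
    for alg in client_list:
        if alg in server:
            return alg
    return None

def negotiate_all(client_offer, server_config):
    """Apply the rule to kex, cipher and hmac; any single failure fails the session."""
    chosen = {}
    for kind in ("kex", "cipher", "hmac"):
        alg = negotiate(client_offer[kind], server_config[kind])
        if alg is None:
            return None
        chosen[kind] = alg
    return chosen

def weak_algorithms(server_config):
    """Entries of a planned server list that the assumed policy rejects."""
    return {kind: sorted(set(algs) & DISALLOWED[kind])
            for kind, algs in server_config.items() if set(algs) & DISALLOWED[kind]}

# Constructed client offers: a current client and a legacy-only client.
MODERN_CLIENT = {"kex": ["dh_group14_sha256", "dh_group14_sha1"],
                 "cipher": ["aes256_ctr", "aes128_ctr"], "hmac": ["sha2_256", "sha1"]}
LEGACY_CLIENT = {"kex": ["dh_group1_sha1"], "cipher": ["3des_cbc"], "hmac": ["md5"]}
# Server lists an operator might configure to admit the legacy client; the policy
# check shows what that widening costs.
WIDENED_SERVER = {"kex": ["dh_group14_sha256", "dh_group1_sha1"],
                  "cipher": ["3des_cbc", "aes128_ctr", "aes192_ctr", "aes256_ctr"],
                  "hmac": ["sha2_256", "md5"]}
```

With the defaults, the legacy-only client is rejected (negotiate_all returns None); with WIDENED_SERVER it connects using dh_group1_sha1, 3des_cbc and md5, exactly the entries weak_algorithms flags.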

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view global configuration of the SSH server.

  • Run the display ssh server session command to view session information of the SSH client on the SSH server.

Updated: 2019-08-09

Document ID: EDOC1100034225