CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the Basic configuration supported by the device.
Managing Files When the Device Functions as an SFTP Client

SFTP is an SSH-based protocol that provides secure file transfer. After you configure the device as an SFTP client, the remote SSH server authenticates the SFTP client and data is encrypted in both directions. This ensures secure file transfer and secure management of directories on the SSH server.

Pre-configuration Tasks

Before the device connects to an SSH server as an SFTP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the SSH server.
  • Obtain the host name or IP address of the SSH server and SSH user information.
  • Obtain the listening port number of the SSH server if the default listening port number is not used.

Because a longer key pair provides higher security, you are advised to use key pairs of the largest length.

Configuration Process

Table 11-28 describes the procedure for managing files when the device functions as an SFTP client.

Table 11-28  Procedure for managing files when the device functions as an SFTP client
1. (Optional) Configure the SFTP client source address
   Configure the SFTP client source address. To ensure communication security, the source address can be set to a source IP address or source interface.
2. Generate a local key pair
   Generate a local key pair and configure the public key on the SSH server. Perform this step only when the device logs in to the SSH server in RSA or ECC authentication mode, not in password authentication mode.
3. Configure the initial SSH connection
   To configure the initial SSH connection, enable the initial authentication function or save the public key of the SSH server on the SSH client.
4. Run SFTP commands to connect to the SSH server
   -
5. Run SFTP commands to perform file-related operations
   Users can perform operations on directories and files on the SSH server and view the help about SFTP commands on the SFTP client.
6. Disconnect the SFTP client from the SSH server
   -
Remarks: Steps 1, 2, and 3 can be performed in any sequence. Steps 4 to 6 must be performed in sequence.

Procedure

  • (Optional) Configure the SFTP client source address.

    Use the address of an interface that stays in a stable state, such as a loopback interface, as the source address, and reference that address in ACL rules. This simplifies ACL rule and security policy configuration: when the client source address is used as the source or destination address in an ACL rule, the rule is not affected by differing interface addresses or changes in interface status, and both incoming and outgoing packets are filtered consistently.

    The SFTP client source address must be set to the IP address of a loopback interface or to the loopback interface itself.

    Table 11-29  Configuring the SFTP client source address
    Enter the system view.
      Command: system-view
    Configure the SFTP client source address.
      Command: sftp client-source { -a source-ip-address | -i interface-type interface-number }
      Description: The default source address is 0.0.0.0.

  • Generate a local key pair.

    NOTE:

    Perform this step only when the device logs in to the SSH server in RSA or ECC authentication mode, not in password authentication mode.

    Table 11-30  Actions for generating a local key pair
    Enter the system view.
      Command: system-view
    Generate the local RSA or ECC key pair.
      Command: rsa local-key-pair create or ecc local-key-pair create
      Description: Run the display rsa local-key-pair public or display ecc local-key-pair public command to view the public key of the local RSA or ECC key pair, and configure that public key on the SSH server.

    NOTE:

    Because a longer key pair provides higher security, you are advised to use key pairs of the largest length.

  • Configure the initial SSH connection.

    By default, the client cannot connect to the SSH server because the client does not save the public key of the SSH server. Configure the initial SSH connection in either of the following ways:

    • Enable the initial authentication function on the client. With the function enabled, the client connects to the SSH server without checking the public key of the SSH server. When the initial SSH connection succeeds, the client automatically saves the public key of the SSH server for the next SSH connection. For details, see Table 11-31.
    • Save the public key of the SSH server on the client so that the client can authenticate the SSH server. For details, see Table 11-32. This method is more secure but more complex than the first.

    Table 11-31  Actions for enabling first authentication for the SSH client
    Enter the system view.
      Command: system-view
    Enable first authentication for the SSH client.
      Command: ssh client first-time enable
      Description: By default, first authentication is disabled on the SSH client.

    Table 11-32  Actions for configuring the SSH client to assign the RSA or ECC public key to the SSH server
    Enter the system view.
      Command: system-view
    Enter the RSA or ECC public key view.
      Command: rsa peer-public-key key-name or ecc peer-public-key key-name
    Enter the public key editing view.
      Command: public-key-code begin
    Edit the public key.
      Command: hex-data
      Description: The public key must be a hexadecimal character string in the public key encoding format, generated by the SSH server. After entering the public key editing view, enter on the client the RSA or ECC public key that was generated on the server.
    Quit the public key editing view.
      Command: public-key-code end
      Description: If no public key hex-data has been entered, no public key is generated when you run this command. If the key key-name has already been deleted, the system displays a message indicating that the key does not exist and returns directly to the system view.
    Return to the system view.
      Command: peer-public-key end
    Bind the RSA or ECC public key to the SSH server.
      Command: ssh client servername assign { rsa-key | ecc-key } keyname
      Description: If the SSH server public key saved on the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | ecc-key } command to cancel the binding between the SSH server and the RSA or ECC public key, then run this command to assign a new RSA or ECC public key to the SSH server.

  • Run SFTP commands to connect to the SSH server.

    The command for connecting as an SFTP client is similar to the one for connecting as an STelnet client: both can carry a source address, support the keepalive function, and select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm.

    Table 11-33  Running SFTP commands to connect to the SSH server
    Enter the system view.
      Command: system-view
    Connect to the SSH server using an IPv4 address.
      Command: sftp [ -a source-address | -i interface-type interface-number ] host-ip [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
    Connect to the SSH server using an IPv6 address.
      Command: sftp ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port ] [ [ -vpn6-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { des | 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
      Description: Run either command, depending on the IP address type. In most cases, only the IP address is specified.

    NOTE:
    The DES, 3DES, MD5, MD5_96, SHA1, and SHA1_96 algorithms cannot ensure security. The AES128, AES128-CTR, AES192-CTR, or AES256-CTR encryption algorithm is recommended.

    Command example:
    [Huawei] sftp 10.137.217.201

    When the SSH connection succeeds, the sftp-client> prompt is displayed, indicating that you are in the SFTP client view.

  • Run SFTP commands to perform file-related operations.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 11-34 in any sequence.

    NOTE:

    The SFTP client view does not support command completion, so you must enter each command in full.

    Table 11-34  Running SFTP commands to perform file-related operations
    Change the user's current working directory.
      Command: cd [ remote-directory ]
    Change the current working directory to its parent directory.
      Command: cdup
    Display the user's current working directory.
      Command: pwd
    Display the file list in a specified directory.
      Command: dir/ls [ -l | -a ] [ remote-directory ]
      Description: The dir and ls commands produce the same output.
    Delete directories from the server.
      Command: rmdir remote-directory &<1-10>
      Description: A maximum of 10 directories can be deleted at one time. Before running the rmdir command, ensure that the directories contain no files; otherwise, the deletion fails.
    Create a directory on the server.
      Command: mkdir remote-directory
    Rename a specified file on the server.
      Command: rename old-name new-name
    Download a file from the remote server.
      Command: get remote-filename [ local-filename ]
    Upload a local file to the remote server.
      Command: put local-filename [ remote-filename ]
    Delete files from the server.
      Command: remove remote-filename &<1-10>
      Description: A maximum of 10 files can be deleted at one time.
    View the help about SFTP commands.
      Command: help [ all | command-name ]

  • Disconnect the SFTP client from the SSH server.

    Disconnect the SFTP client from the SSH server.
      Command: quit
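As an added example (not Huawei's code), the following Python check audits a saved configuration excerpt for the choices the procedure above warns against: first-time authentication left enabled instead of a saved server public key, a non-loopback source address, and the cipher and HMAC algorithms the note under Table 11-33 lists as unable to ensure security. The two excerpts, the interface name loopback 0 and the key name srvkey are constructed assumptions.

```python
"""Added example (not Huawei's code): audit an SFTP client config excerpt."""

# Algorithms the note under Table 11-33 says cannot ensure security.
WEAK_ALGS = {"des", "3des", "md5", "md5_96", "sha1", "sha1_96"}
PREF_OPTS = {"prefer_ctos_cipher", "prefer_stoc_cipher",
             "prefer_ctos_hmac", "prefer_stoc_hmac"}

# Constructed excerpts for the demo, not taken from a real device.
WEAK_EXCERPT = """\
system-view
ssh client first-time enable
sftp 10.137.217.201 prefer_ctos_cipher 3des prefer_stoc_hmac md5_96
"""
# Hardened excerpt following the guide: loopback source, ECC key pair, server
# public key saved and bound, CTR-mode AES. The interface name 'loopback 0'
# and key name 'srvkey' are assumptions; the hex-data lines are omitted.
HARDENED_EXCERPT = """\
system-view
sftp client-source -i loopback 0
ecc local-key-pair create
ecc peer-public-key srvkey
public-key-code begin
public-key-code end
peer-public-key end
ssh client 10.137.217.201 assign ecc-key srvkey
sftp -i loopback 0 10.137.217.201 prefer_kex dh_exchange_group prefer_ctos_cipher aes256-ctr prefer_stoc_cipher aes256-ctr
"""

def audit_sftp_client_config(config_text):
    """Return (check, detail) findings for one excerpt; an empty list is clean."""
    findings, source_set = [], False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "ssh client first-time enable":
            findings.append(("first-time", "server key is not verified on the first "
                             "connection; save it with 'ssh client <server> assign'"))
        elif line.startswith("sftp client-source"):
            source_set = True
            # The guide requires a loopback interface or its address as source.
            if line.endswith("-a 0.0.0.0") or ("-i" in line and "loopback" not in line.lower()):
                findings.append(("source", f"not a loopback source: {line}"))
        elif line.startswith("sftp "):
            tokens = line.split()
            for opt, alg in zip(tokens, tokens[1:]):
                if opt in PREF_OPTS and alg in WEAK_ALGS:
                    hint = "; use aes128, aes128-ctr, aes192-ctr or aes256-ctr" if "cipher" in opt else ""
                    findings.append((opt, f"{alg} cannot ensure security{hint}"))
    if not source_set:
        findings.append(("source", "sftp client-source not set; default 0.0.0.0"))
    return findings
```

Run audit_sftp_client_config on each excerpt: the hardened one returns no findings, the weak one reports the first-time setting, both weak algorithms and the missing source address.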

Verifying the Configuration

  • Run the display sftp-client command to check the source interface of the SFTP client.
Updated: 2019-05-20

Document ID: EDOC1100034225