CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document describes the basic concepts, configuration procedures, and configuration examples in different application scenarios for the basic configuration features supported by the device.

Example for Configuring the Device as the STelnet Client to Log In to Another Device

Networking Requirements

The enterprise requires secure data exchange between the server and the client. As shown in Figure 9-26, two login users, Client001 and Client002, are configured; they log in to the SSH server using the password and RSA authentication modes, respectively. The SSH server listens on a new port number instead of the default port number.

Figure 9-26  Networking diagram of logging in to another device through STelnet

NOTE:

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  2. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  3. Enable the STelnet service on the SSH server.

  4. Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.

  5. Set a new listening port number on the SSH server so that attackers cannot reach the SSH service on its standard port.

  6. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.

    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n):y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
    

  2. Create an SSH user on the server.

    # Configure the VTY user interface.

    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] authentication-mode aaa
    [SSH Server-ui-vty0-4] protocol inbound ssh
    [SSH Server-ui-vty0-4] quit

    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [SSH Server-aaa] local-user client001 privilege level 3
      [SSH Server-aaa] local-user client001 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client001 authentication-type password

    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client002 password irreversible-cipher Helloworld@6789
      [SSH Server-aaa] local-user client002 privilege level 3
      [SSH Server-aaa] local-user client002 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client002 authentication-type rsa

      # Generate a local key pair for Client002.

      <Huawei> system-view
      [Huawei] sysname client002
      [client002] rsa local-key-pair create
      The key name will be: Host
      RSA keys defined for Host already exist.
      Confirm to replace them? (y/n):y
      The range of public key size is (512 ~ 2048).
      NOTES: If the key modulus is less than 2048,
             It will introduce potential security risks.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      ......................................................................................+++
      ....+++
      .......................................++++++++
      ..............++++++++
      
      # Check the public key in the RSA key pair generated on the client.

      [client002] display rsa local-key-pair public
      
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:37+00:00
      Key name: Host
      Key type: RSA encryption Key
      =====================================================
      Key code:
      30820109
        02820100
          CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
          A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
          5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
          4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
          B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
          3A5EA588 29C63E3B 20D56233 8E63278D F941734F
          6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
          97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
          CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
          CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
          59431600 341FEDEF 5379D565 A8D1953D DEA018A2
          72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
          83D556BC 5B44D983 8D5EA126 C1EB71CB 
        0203
          010001
      
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:44+00:00
      Key name: Server
      Key type: RSA encryption Key
      =====================================================
      Key code:
      3067
        0260
          DF8AFF3C 28213B94 2292852E E98657EE 11DE5AF4
          8A176878 CDD4BD31 55E05735 3080F367 A83A9034
          47D534CA 81250C1D 35401DC3 464E9E5F A50202CF
          A7AD09CD AC3F531C A763F0A0 4C8E51B9 18755400
          76AF4A78 225C92C3 01FE0DFF 06908363
        0203
          010001 

      # Configure the RSA public key on the SSH server. (The key code of the Host key in the preceding display command output is the client's RSA public key. Copy it to the server.)

      [SSH Server] rsa peer-public-key rsakey001
      [SSH Server-rsa-public-key] public-key-code begin
      [SSH Server-rsa-key-code] 30820109
      [SSH Server-rsa-key-code] 02820100
      [SSH Server-rsa-key-code] CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
      [SSH Server-rsa-key-code] A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
      [SSH Server-rsa-key-code] 5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
      [SSH Server-rsa-key-code] 4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
      [SSH Server-rsa-key-code] B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
      [SSH Server-rsa-key-code] 3A5EA588 29C63E3B 20D56233 8E63278D F941734F
      [SSH Server-rsa-key-code] 6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
      [SSH Server-rsa-key-code] 97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
      [SSH Server-rsa-key-code] CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
      [SSH Server-rsa-key-code] CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
      [SSH Server-rsa-key-code] 59431600 341FEDEF 5379D565 A8D1953D DEA018A2
      [SSH Server-rsa-key-code] 72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
      [SSH Server-rsa-key-code] 83D556BC 5B44D983 8D5EA126 C1EB71CB
      [SSH Server-rsa-key-code] 0203
      [SSH Server-rsa-key-code] 010001
      [SSH Server-rsa-key-code] public-key-code end
      [SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [SSH Server] ssh user client002 assign rsa-key rsakey001

  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [SSH Server] stelnet server enable

  4. Configure a new listening port number on the SSH server.

    [SSH Server] ssh server port 1025

  5. Connect the STelnet client to the SSH server.

    # Enable the first authentication function on the SSH client upon the first login.

    Enable the first authentication function for Client001.

    <Huawei> system-view
    [Huawei] sysname client001
    [client001] ssh client first-time enable

    Enable the first authentication function for Client002.

    [client002] ssh client first-time enable

    # Log in to the SSH server from Client001 in password authentication mode by entering the user name and password.

    [client001] stelnet 10.1.1.1 1025
    Please input the username:client001
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    Enter password:   

    Enter the password. The following information indicates that you have logged in successfully:

    <SSH Server>

    # Log in to the SSH server from Client002 in RSA authentication mode.

    [client002] stelnet 10.1.1.1 1025
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    <SSH Server>

    The user enters the user view, indicating that login succeeds.

  6. Verify the configuration.

    # Attackers fail to log in to the SSH server using the default listening port number 22.

    [client002] stelnet 10.1.1.1
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.

    # Run the display ssh server status command to check that the STelnet service is enabled and that the new listening port is in use. Run the display ssh user-information command to view information about the configured SSH users.

    # Check the status of the SSH server.

    [SSH Server] display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP Server                         :Disable
     Stelnet server                      :Enable
     SSH server port                     :1025

    # Check information about SSH users.

    [SSH Server] display ssh user-information
    -------------------------------------------------------------------------------
     Username         Auth-type          User-public-key-name
     -------------------------------------------------------------------------------
     client001        password           null
     client002        rsa                rsakey001
     -------------------------------------------------------------------------------
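
The public key in step 2 is copied to the server by hand, so it is worth checking that the key code bound to client002 on the server is the one the client displayed and that its modulus meets the 2048-bit size the CLI note asks for. The Python below is an added example, not part of the Huawei guide; the sample key code is constructed and the function names are hypothetical.

```python
import re

# Constructed sample, not a real key: a 512-bit "Key code" laid out like the
# `display rsa local-key-pair public` output on this page.
CLIENT_DISPLAY = """Key code:
3047
  0240
    C3A1F00D 12345678 9ABCDEF0 0FEDCBA9 87654321 DEADBEEF 0BADF00D CAFEBABE
    01234567 89ABCDEF FEDCBA98 76543210 13579BDF 2468ACE0 ECA86420 FDB97531
  0203
    010001
"""
# Same key as pasted on the server, prompts included (also constructed).
SERVER_PASTE = "\n".join("[SSH Server-rsa-key-code] " + line.strip()
                         for line in CLIENT_DISPLAY.splitlines()[1:])
PROMPT = re.compile(r"^\s*\[[^\]]*\]\s*")

def read_tlv(buf, pos, tag):
    """Return (value, next_pos) for one DER element with the expected tag."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("key code is truncated")
    return buf[pos:pos + length], pos + length

def parse_key(text):
    """Parse SEQUENCE { INTEGER modulus, INTEGER exponent } into (n, e)."""
    rows = (PROMPT.sub("", line).strip() for line in text.splitlines())
    der = bytes.fromhex("".join(r for r in rows if re.fullmatch(r"[0-9A-Fa-f ]+", r)))
    seq, end = read_tlv(der, 0, 0x30)
    n_raw, pos = read_tlv(seq, 0, 0x02)
    e_raw, pos = read_tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("unexpected trailing bytes in key code")
    # The key codes on this page carry no leading 00 byte, so read as unsigned.
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")

def audit(client_display, server_paste, min_bits=2048):
    """Findings for a key bound with `ssh user ... assign rsa-key`."""
    key, findings = parse_key(client_display), []
    if parse_key(server_paste) != key:
        findings.append("server copy differs from the client's public key")
    if key[0].bit_length() < min_bits:
        findings.append(f"modulus is {key[0].bit_length()} bits, below {min_bits}")
    return findings
```

Pass the text of `display rsa local-key-pair public` from the client and the pasted `public-key-code` lines from the server to `audit`; an empty list means the two copies match and the modulus is large enough.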

Configuration Files

  • SSH server configuration file

    #
     sysname SSH Server
    #
     rsa peer-public-key rsakey001
      public-key-code begin
       30820109
         02820100
           E4653DA4 68032D8A B419276E 5B32743C 181FC72E AEDA3173 578EBE00 68606ED6
           D1A79735 90043220 2492B6B1 CB96BD4C E74A3209 96A829E4 EFD550FA 70855E0F
           CC622FD5 D76AD6D3 FF07F87D 19D77E06 0224D05E 481B639F 5CFB5E84 AE9FF40A
           CA2ABD4F F00B6316 6EFDADA4 7945CCC9 04C65675 22AE45C3 A2822708 AA764A40
           FBAC61F6 FB42F90C F55B1FA7 B51A58BB 4ACACD2E 7764FCCE E3B296FC 1380C0C0
           5E4A6BEE 92FB7793 E6D66E64 A3E4D581 8462C601 83C22BBF BFDF9B33 78840397
           99946916 356103D8 A791AE04 95C8A11C 3490E857 6363115B EF6A162C 6B8593A5
           8ECF3A3F 6C562154 D93B010C 932C3D18 1573F8CB D626EEA7 54F0C4E2 642BA909
         0203
           010001
      public-key-code end
     peer-public-key end
    #
    aaa
     local-user client001 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
     local-user client001 privilege level 3
     local-user client001 service-type ssh
     local-user client002 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
     local-user client002 privilege level 3
     local-user client002 service-type ssh
    #
     ssh user client002 assign rsa-key rsakey001
     ssh user client002 authentication-type rsa
     stelnet server enable
     ssh server port 1025
    #
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh
    #
    return
  • Client001 configuration file

    #
     sysname client001
    #
    ssh client first-time enable
    #
    return
  • Client002 configuration file

    #
     sysname client002
    #
    ssh client first-time enable
    #
    return
Updated: 2019-05-20

Document ID: EDOC1100034225
