No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R013C00 Configuration Guide - Basic Configuration

This document describes the configurations of Basic, including CLI Overview, EasyDeploy Configuration, USB-based Deployment Configuration, Logging In to a Device for the First Time, CLI Login Configuration, Web System Login Configuration, File Management, Configuring System Startup, ISSU Configuration, BootLoad Menu Operation.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Managing Files When the Device Functions as an SCP Server

Managing Files When the Device Functions as an SCP Server

Pre-configuration Tasks

Before connecting to the SCP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the SSH client software supporting SCP has been installed on the terminal.

Configuration Procedure

Table 8-21 describes the procedure for managing files when the device functions as an SCP server.

Table 8-21  Managing files when the device functions as an SCP server
No. Task Description Remarks
1 Set SCP server parameters Generate a local key pair, enable the SCP server, and configure SCP server parameters, including the listening port number, key pair updating time, SSH authentication timeout duration, and number of SSH authentication retries. Tasks 1, 2, and 3 can be performed in any sequence.
2 Configure the VTY user interface for SSH users to log in to the device Configure the user authentication mode, SSH, and other basic attributes on the VTY user interface.
3 Configure SSH user information Create SSH users and set the authentication mode and service type on the SCP server.
4 Manage files when the device functions as an SCP server Upload and download files on the SCP client.

Default Parameter Settings

Table 8-22  Default parameter settings
Parameter Default Setting
SCP server function Disabled

Listening port number

22

Time for updating the key pair of the server

0, indicating the key pair of the server is never updated

SSH authentication timeout duration

60 seconds

Number of SSH authentication retries

3

SSH user

No SSH user is created.

Type of service for SSH users

No service type is supported.

Procedure

  • Set SCP server parameters.

    Table 8-23  Setting SCP server parameters
    Operation Command Description

    Enter the system view.

    system-view -

    Generate a local key pair.

    rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create.

    Perform one of the operations based on the key type.

    After the key pair is generated, run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to check the public key in the local key pair.
    NOTE:

    For increased security, you are advised to use the longest possible length for the key pairs.

    Enable the SCP server function.

    scp [ ipv4 | ipv6 ] server enable

    By default, the SCP server function is disabled.

    (Optional) Configure a key exchange algorithm list for the SSH server.

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    By default, an SSH server supports all key exchange algorithms.

    (Optional) Configure an encryption algorithm list for the SSH server.

    ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    By default, an SSH server supports the following encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    (Optional) Configure an HMAC algorithm list for the SSH server.

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH server supports the following HMAC algorithms: MD5, MD5_96, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.

    (Optional) Configure the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

    ssh server dh-exchange min-len min-len

    By default, the minimum key length supported is 1024 bytes.

    (Optional) Specifies the public key algorithm of the SSH server.

    ssh server publickey { dsa | ecc | rsa } *

    By default, DSA, ECC, and RSA public key algorithms are enabled.

    (Optional) Configure the listening port number.

    ssh [ ipv4 | ipv6 ] server port port-number

    By default, the listening port number is 22.

    If a new port number is configured, the SSH server disconnects all SSH clients and uses the new port number to listen for connection requests. Attackers do not know the port number and cannot access the listening port of the SSH server.

    (Optional) Configure the interval for updating the key pair of the server.

    ssh server rekey-interval hours

    By default, the interval for updating the key pair is 0, which indicates that the key pair is never updated.

    After the interval is configured, the system automatically updates the key pair at the specified interval, which ensures security.

    This command takes effect only for SSH1.X. However, SSH1.X provides weak security and is not recommended.

    (Optional) Configure the SSH authentication timeout duration.

    ssh server timeout seconds

    By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the source IP address of the SSH server.

    ssh server-source -i loopback interface-number

    By default, the source interface of an SSH server is not specified.

    NOTE:

    Before specifying the source interface of the SSH server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, this command cannot be correctly executed.

    (Optional) Configure the number of SSH authentication retries.

    ssh server authentication-retries times

    By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with earlier versions.

    ssh server compatible-ssh1x enable

    By default, the server's compatibility with earlier versions is disabled.

    When an SSH server is upgraded, the server's compatibility with earlier versions is the same as that in the configuration file.

    (Optional) Configure an ACL.

    ssh [ ipv6 ] server acl acl-number

    By default, no ACL is configured for the SSH server.

    An ACL is configured to determine which clients can log in to the current device through SSH.

    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs is 2048 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 1024 or 2048 bits. The default length is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.

  • Configure the VTY user interface for SSH users to log in to the device.

    SSH users use the VTY user interface to log in to the device using SCP. Attributes of the VTY user interface must be configured.

    Table 8-24  Configuring the VTY user interface for SSH users to log in to the device
    Operation Command Description

    Enter the system view.

    system-view -

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ] -

    Set the authentication mode of the VTY user interface to AAA.

    authentication-mode aaa

    By default, no authentication mode is configured for the VTY user interface.

    The authentication mode of the VTY user interface must be set to AAA. Otherwise, you cannot configure the protocol inbound ssh command and users cannot log in to the device.

    Configure a VTY user interface that supports SSH.

    protocol inbound ssh

    By default, the VTY user interface supports SSH.

    If no VTY user interface supports SSH, users cannot log in to the device.

    Configure the user level.

    user privilege level level

    The user level must be set to 3 or higher to allow connections to be established.

    If a local user uses password authentication, you can run the local-user user-name privilege level level command to set the level of the user to 3 or higher.

    (Optional) Configure other attributes of the VTY user interface.

    -
    Other attributes of the VTY user interface are as follows:
    • Maximum number of VTY user interfaces
    • Restrictions on incoming calls and outgoing calls on the VTY user interface
    • Terminal attributes on the VTY user interface
    For details, see Configuring STelnet Login–Other commands.

  • Configure SSH user information.

    Configure SSH user information including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa authentication mode consists of the password and RSA authentication modes.
    • The password-dsa authentication mode consists of the password and DSA authentication modes.
    • The password-ecc authentication mode consists of the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users can be authenticated by ECC, DSA, password, or RSA.
    Table 8-25  Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Create SSH users.

    ssh user user-name

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

    If SSH users are not created using the ssh user command, directly run the ssh authentication-type default password command to configure the default password authentication mode for users. This makes configuration simpler when a large number of users exist, because you need to configure only AAA users.

    NOTE:
    In all authentication mode, the user priority depends on the authentication mode selected.
    • If password authentication is selected, the user priority is the same as that specified on the AAA module.
    • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access.

    If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.

    Set the service type to all for SSH users.

    ssh user username service-type all

    By default, the service type of SSH users is empty.

    • The password authentication mode is implemented based on AAA. To log in to the device in the password-ecc, password-dsa, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and client need to generate the RSA, DSA, or ECC key and configure the public key of the peer end locally.
    Perform any of the following configurations according to authentication mode:
    • To configure password authentication for the SSH user, see Table 8-26.

    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 8-27.

    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. For details, see Table 8-26 and Table 8-27.

    Table 8-26  Configuring password, password-ecc, password-dsa, or password-rsa authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view -

    Enter the AAA view.

    aaa -

    Configure the local user name and password.

    local-user user-name password irreversible-cipher password

    -

    Configure the service type for the local user.

    local-user user-name service-type ssh -

    Configure the level for the local user.

    local-user user-name privilege level level -

    Return to the system view.

    quit -
    Table 8-27  Configuring DSA, RSA, ECC, password-dsa, password-rsa, or password-ecc authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view -

    Display the RSA, DSA, or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    ,

    dsa peer-public-key key-name encoding-type { der | openssh | pem }

    , or

    ecc peer-public-key key-name encoding-type { der | openssh | pem }

    -

    Display the public key editing view.

    public-key-code begin -

    Edit the public key.

    hex-data
    • The public key must be a hexadecimal character string in the public key encoding format, and generated by the client software that supports SSH. For detailed operations, see the documentation of the SSH client software.
    • You must enter the RSA, DSA, ECC public key on the device that works as the SSH server.

    Exit the public key editing view.

    public-key-code end
    • If no public key code hex-data is entered, the public key cannot be generated after you run this command.
    • If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and then returns to the system view directly when you run this command.

    Return to the system view from the public key view.

    peer-public-key end -

    Assign an RSA, DSA, or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name -

  • Manage files when the device functions as an SCP server.

    The SSH client software supporting SCP must be installed on the terminal to ensure that the terminal can connect to the device using SCP. The following describes how to connect to the device using OpenSSH and the Windows CLI.

    • For details how to install OpenSSH, see the OpenSSH installation description.

    • To use OpenSSH to connect to the device using SFTP, run the relevant OpenSSH commands. For details about OpenSSH commands, see OpenSSH help.

    • Windows command prompt can identify commands supported by OpenSSH only when OpenSSH is installed on the terminal.

    Access the Windows CLI and run the commands supported by the OpenSSH to connect to the device using SCP. (The following information is for reference.)

    C:\Documents and Settings\Administrator> scp scpuser@10.136.23.5:flash:/vrpcfg.zip vrpcfg-backup.zip
    The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
    DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.
    
    User Authentication
    Password:
    vrpcfg.zip                                    100% 1257     1.2KByte(s)/sec   00:00
    Received disconnect from 10.136.23.5: 2: The connection is closed by SSH server
    
    
    C:\Documents and Settings\Administrator>

    The user terminal uploads or downloads files while connecting to the SCP server and accesses the user local directory.

    NOTE:

    The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view global configuration of the SSH server.

  • Run the display ssh server session command to view session information of the SSH client on the SSH server.

Translation
Download
Updated: 2019-04-08

Document ID: EDOC1100065643

Views: 10920

Downloads: 35

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next