No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R013C00 Configuration Guide - Basic Configuration

This document describes the configurations of Basic, including CLI Overview, EasyDeploy Configuration, USB-based Deployment Configuration, Logging In to a Device for the First Time, CLI Login Configuration, Web System Login Configuration, File Management, Configuring System Startup, ISSU Configuration, BootLoad Menu Operation.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuring STelnet Login

Configuring STelnet Login

STelnet is recommended because Telnet may pose security risks. Before configuring STelnet login, ensure that the PC and the switch are routable to each other.

The STelnet V1 protocol poses security risks, and therefore STelnet V2 is recommended.

Common Configurations for STelnet Login

By default, the STelnet function is not configured on a switch. To use this function, you need to perform the following steps to configure the STelnet service and user information:

  1. Set a protocol type, an authentication mode, and a user level for the VTY user interface.

  2. Enable the STelnet server function and create an SSH user.

  3. Set an authentication mode for the SSH user.

  4. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

Procedure

  1. Set a protocol type, an authentication mode, and a user level for the VTY user interface.

    [HUAWEI] user-interface vty 0 4
    [HUAWEI-ui-vty0-4] authentication-mode aaa    //Set the authentication mode for the VTY user interface to AAA.
    [HUAWEI-ui-vty0-4] protocol inbound ssh    //Configure the VTY user interface to support SSH. By default, VTY user interfaces support SSH.
    [HUAWEI-ui-vty0-4] user privilege level 15    //Set the level of the VTY user interface to 15.
    [HUAWEI-ui-vty0-4] quit
    
    NOTE:

    STelnet login requires VTY user interfaces to support SSH. Therefore, the VTY user interfaces must use AAA authentication.

  2. Enable the STelnet server function and create an SSH user.

    [HUAWEI] stelnet server enable    //Enable the STelnet server function.
    [HUAWEI] ssh user admin123    //Create an SSH user named admin123.
    [HUAWEI] ssh user admin123 service-type stelnet    //Set the service type of the SSH user to STelnet.
    

  3. Set an authentication mode for the SSH user.

    • Set the authentication mode for the SSH user to password.

      To use password authentication, you need to create a local user with the same name as the SSH user in the AAA view.

      [HUAWEI] ssh user admin123 authentication-type password    //Set the authentication mode for the SSH user to password authentication.
      [HUAWEI] aaa
      [HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123    //Create a local user with the same name as the SSH user and set the login password of the user.
      [HUAWEI-aaa] local-user admin123 privilege level 15    //Set the level of the local user to 15.
      [HUAWEI-aaa] local-user admin123 service-type ssh    //Set the service type of the local user to SSH.
      [HUAWEI-aaa] quit
    • Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The following uses ECC authentication as an example. Steps for configuring RSA and DSA authentication are similar to those for configuring ECC authentication.)

      To use RSA, DSA, or ECC authentication, you need to copy the public key in the RSA key pair generated on the SSH client to the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the copied public key. For details about public key on the client, see the help document of the SSH client software.

      [HUAWEI] ssh user admin123 authentication-type ecc    //Set the authentication mode for the SSH user to ECC.
      [HUAWEI] ecc peer-public-key key01 encoding-type pem    //Configure the encoding type of an ECC public key and enter the ECC public key view. key01 is the public key name.
      Enter "ECC public key" view, return system view with "peer-public-key end".
      [HUAWEIecc-public-key] public-key-code begin    //Enter the public key editing view.
      Enter "ECC key code" view, return last view with "public-key-code end".
      [HUAWEI-dsa-key-code] 308188    //Copy the public key generated on the client. The public key is a hexadecimal character string.
      [HUAWEI-dsa-key-code] 028180
      [HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
      [HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
      [HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
      [HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
      [HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
      [HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
      [HUAWEI-ecc-key-code] 171896FB 1FFC38CD
      [HUAWEI-ecc-key-code] 0203
      [HUAWEI-ecc-key-code] 010001
      [HUAWEI-ecc-key-code] public-key-code end    //Return to the public key view.
      [HUAWEI-ecc-public-key] peer-public-key end    //Return to the system view.
      [HUAWEI] ssh user admin123 assign ecc-key key01    //Assign the public key key01 to the admin123 user.
      
      NOTE:
      • To use Password-RSA, Password-DSA, or Password-ECC authentication, configure AAA user information and enter the public key generated on the SSH client.

      • If all authentication is used, configure AAA user information or enter the public key generated on the client or perform the two operations together.

      • For device security purposes, change the password periodically.

  4. Generate a local key pair on the server.

    <HUAWEI> system-view
    [HUAWEI] ecc local-key-pair create
    Info: The key name will be: HUAWEI_Host_ECC.
    Info: The key modulus can be any one of the following: 256, 384, 521.
    Info: If the key modulus is greater than 512, it may take a few minutes.
    Please input the modulus [default=521]:521
    Info: Generating keys..........
    Info: Succeeded in creating the ECC host keys.

  5. Log in to the switch through STelnet.

    On the PC, connect to the SSH server through password authentication.

    Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH protocol.
    Figure 6-1  Logging in to the SSH server using PuTTY in password authentication mode

    Click Open. Enter the user name and password as prompted and press Enter to log in to the SSH server. (The following information is only for reference.)

    login as: admin123
    Sent username "admin123"
    
    admin123@10.10.10.20's password:
    
    Info: The max number of VTY users is 8, and the number
          of current VTY users on line is 5.
          The current login time is 2018-12-22 09:35:28+00:00.
    

Related Commands

Table 6-9  Common commands

Function

Command

Description

Generate a local host key pair.

rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create

By default, no host key pair is configured.

Enable the STelnet server function.

stelnet server enable

By default, the STelnet server function is disabled.

Set an authentication mode for accessing a VTY user interface.

authentication-mode { aaa }

By default, none authentication is used.

If AAA authentication is selected, you need to configure information about the local AAA user.

Set a protocol for a VTY user interface.

protocol inbound { all | ssh }

By default, VTY user interfaces support SSH.

The configuration takes effect at the next login.

Set the level of users who are allowed to access a VTY user interface.

user privilege level level

The default value is 0.

When RSA, DSA, or ECC authentication is used, the user level is determined by the level of the VTY user interface to which the user logs in.

If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.

Create an SSH user.

ssh user user-name

By default, no SSH user is created.

Set a service type for an SSH user.

ssh user user-name service-type { stelnet | all }

By default, no service type is configured for an SSH user.

Set an authentication mode for an SSH user.

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }
  • When password authentication is configured for an SSH user, create a local user with the same name as the SSH user, login password, service type, and user level in the AAA view.
  • When RSA, DSA, or ECC authentication is configured for an SSH user, enter the public key generated by the SSH client on the SSH server.
  • When Password-RSA, Password-DSA, or Password-ECC authentication is configured for an SSH user, configure AAA user information and enter the public key generated by the SSH client.
  • When all authentication is configured for an SSH user, configure AAA user information or enter the public key generated by the SSH client. Alternatively, you can perform the two operations together.
  • When password authentication is configured for an SSH user, you need to create a local user with the same name as the SSH user, login password, service type, and user level in the AAA view.
    • Run the local-user user-name { password { cipher | irreversible-cipher } password command to create a local user and set the password of the user.
    • Run the local-user user-name { privilege level level } command to set the level of the local user.
    • Run the local-user user-name service-type { http | ssh | telnet | terminal } * command to set the access type of the local user.
  • When RSA, DSA, or ECC authentication is configured for an SSH user, you need to copy the public key in the RSA key pair generated on the SSH client to the SSH server.
  • When Password-RSA, Password-DSA, or Password-ECC authentication is configured for an SSH user, you need to configure AAA user information and enter the public key generated on the SSH client.
  • When all authentication is configured for an SSH user, configure AAA user information or enter the public key generated on the client or perform the two operations together.
Table 6-10  Other commands

Function

Command

Description

Enable terminal services on a VTY user interface.

shell

By default, terminal services are enabled on all VTY user interfaces.

Set the maximum number of VTY user interfaces.

user-interface maximum-vty number

By default, the maximum number of VTY user interfaces is 15.

Set the VTY inactivity timeout.

idle-timeout minutes [ seconds ]

The default timeout value is 10 minutes.

Set the number of lines displayed on a terminal screen.

screen-length screen-length

The default number of lines displayed on a terminal screen is 24.

Set the number of columns displayed on a terminal screen.

screen-width screen-width

The default number of columns displayed on a terminal screen is 80.

Set the size of the historical command buffer on a VTY user interface.

history-command max-size size-value

By default, a maximum of 10 historical commands can be saved in the buffer.

Set a key exchange algorithm list for an SSH server.

ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

By default, an SSH server supports all key exchange algorithms.

Set an encryption algorithm list for an SSH server.

ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

By default, an SSH server supports the following encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

The DES_CBC and 3DES_CBC algorithms are less secure and are not recommended in the encryption algorithm list.

Set an HMAC algorithm list for an SSH server.

ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

By default, an SSH server supports all HMAC algorithms.

The md5, sha1, md5_96, sha1_96, and sha2_256_96 algorithms are less secure and are not recommended in the HMAC algorithm list.

Set a port number for an SSH server.

ssh [ ipv4 | ipv6 ] server port port-number

By default, the port number of an SSH server is 22.

Configuring a new port number for an SSH server prevents attackers from accessing the SSH server using the default port, improving SSH server security.

Set a public key algorithm for an SSH server.

ssh server publickey { dsa | ecc | rsa } *

By default, DSA, ECC, and RSA algorithms are enabled.

A public key algorithm can be specified for login to an SSH server. Login using other public key algorithms is rejected, improving device security. The ECC algorithm is recommended.

Set the source interface of an SSH server.

ssh server-source -i loopback interface-number

By default, the source interface of an SSH server is not specified.

You can configure a source interface for an SSH server to prevent exposure of the device's management IP address, improving device security.

Set the interval at which the key pair of an SSH server is updated.

ssh server rekey-interval hours

The default interval is 0, indicating that the key pair is never updated.

Set the SSH session inactivity timeout.

ssh server timeout seconds

The default timeout value is 60 seconds.

Set the maximum number of authentication retries for an SSH connection.

ssh server authentication-retries times

The default value is 3.

Enable an SSH server to be compatible with earlier versions.

ssh server compatible-ssh1x enable

By default, this function is disabled.

Set an ACL used by an SSH server to control the access of SSH clients.

ssh [ ipv6 ] server acl acl-number

By default, no ACL is configured for an SSH server.

When a switch functions as an SSH server, you can configure an ACL on the switch to allow only the specified SSH clients to log in to the switch through STelnet.

Set an ACL to control the login permission of users on a VTY user interface.

acl [ ipv6 ] { acl-number | acl-name } { inbound | outbound }

By default, the login permission of users on a VTY user interface is not controlled.

You can use this command to control the permission for logging in to a VTY user interface, with the control action set to permit or deny.

Translation
Download
Updated: 2019-04-08

Document ID: EDOC1100065643

Views: 10724

Downloads: 33

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next