No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R013C00 Configuration Guide - Basic Configuration

This document describes the configurations of Basic, including CLI Overview, EasyDeploy Configuration, USB-based Deployment Configuration, Logging In to a Device for the First Time, CLI Login Configuration, Web System Login Configuration, File Management, Configuring System Startup, ISSU Configuration, BootLoad Menu Operation.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Managing Files When the Device Functions as an SFTP Server

Managing Files When the Device Functions as an SFTP Server

Pre-configuration Tasks

Before connecting to the SFTP server to manage files, complete the following tasks:

  • Ensure that routes are reachable between the terminal and the device.
  • Ensure that the SSH client software has been installed on the terminal.

Configuration Procedure

You are advised to use SFTPv2 or FTPS because they provide increased security over SFTPv1.

Table 8-13 describes the procedure for managing files when the device functions as an SFTP server.

Table 8-13  Managing files when the device functions as an SFTP server
No. Task Description Remarks
1 Set SFTP server parameters Generate a local key pair, enable the SFTP server, and configure SFTP server parameters, including the listening port number, key pair updating time, SSH authentication timeout duration, and number of SSH authentication retries. Tasks 1, 2, and 3 can be performed in any sequence.
2 Configure the VTY user interface for SSH users to log in to the device Configure the user authentication mode, SSH, and other basic attributes on the VTY user interface.
3 Configure SSH user information Create an SSH user and set the service type, authorized directory, and authentication mode on the SFTP server.
4 Connect to the device using SFTP Connect to the device using the SSH client software on the terminal. -

Default Parameter Settings

Table 8-14  Default parameter settings
Parameter Default Setting

SFTP server function

Disabled

Listening port number

22

Time for updating the key pair of the server

0, indicating the key pair of the server is never updated

SSH authentication timeout duration

60 seconds

Number of SSH authentication retries

3

SSH user

No SSH user is created.

Type of service for SSH users

No service type is supported.

Authorized directory for SSH users

flash:

Procedure

  • Set SFTP server parameters.

    Table 8-15  Setting SFTP server parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    Generate a local key pair.

    rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create.

    Perform one of the operations based on the key type.

    After the key pair is generated, run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to check the public key in the local key pair.
    NOTE:

    For increased security, you are advised to use the longest possible length for the key pairs.

    Enable the SFTP server function.

    sftp [ ipv4 | ipv6 ] server enable

    By default, the SFTP server function is disabled.

    (Optional) Configure a key exchange algorithm list for the SSH server.

    ssh server key-exchange { dh_group_exchange_sha1 | dh_group14_sha1 | dh_group1_sha1 } *

    By default, an SSH server supports all key exchange algorithms.

    (Optional) Configure an encryption algorithm list for the SSH server.

    ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes256_cbc | aes256_ctr | des_cbc } *

    By default, an SSH server supports the following encryption algorithms: 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, and AES256_CTR.

    (Optional) Configure an HMAC algorithm list for the SSH server.

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *

    By default, an SSH server supports the following HMAC algorithms: MD5, MD5_96, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.

    (Optional) Configure the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

    ssh server dh-exchange min-len min-len

    By default, the minimum key length supported is 1024 bytes.

    (Optional) Specifies the public key algorithm of the SSH server.

    ssh server publickey { dsa | ecc | rsa } *

    By default, DSA, ECC, and RSA public key algorithms are enabled.

    (Optional) Configure the listening port number.

    ssh [ ipv4 | ipv6 ] server port port-number

    By default, the listening port number is 22.

    If a new port number is configured, the SSH server disconnects all SSH clients and uses the new port number to listen for connection requests. Attackers do not know the port number and cannot access the listening port of the SSH server.

    (Optional) Configure the interval for updating the key pair of the server.

    ssh server rekey-interval hours

    By default, the interval for updating the key pair is 0, which indicates that the key pair is never updated.

    After the interval is configured, the system automatically updates the key pair at the specified interval, which ensures security.

    This command takes effect only for SSH1.X. However, SSH1.X provides weak security and is not recommended.

    (Optional) Configure the SSH authentication timeout duration.

    ssh server timeout seconds

    By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the number of SSH authentication retries.

    ssh server authentication-retries times

    By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with earlier versions.

    ssh server compatible-ssh1x enable

    By default, the server's compatibility with earlier versions is disabled.

    When an SSH server is upgraded, the server's compatibility with earlier versions is the same as that in the configuration file.

    (Optional) Configure an ACL.

    ssh [ ipv6 ] server acl acl-number

    By default, no ACL is configured for the SSH server.

    An ACL is configured to determine which clients can log in to the current device through SSH.

    (Optional) Configure the source IP address of the SSH server.

    ssh server-source -i loopback interface-number

    By default, the source interface of an SSH server is not specified.

    NOTE:

    Before specifying the source interface of the SSH server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, this command cannot be correctly executed.

    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs is 2048 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 1024 or 2048 bits. The default length is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.

  • Configure the VTY user interface for SSH users to log in to the device.

    SSH users use the VTY user interface to log in to the device using SFTP. Attributes of the VTY user interface must be configured.

    Table 8-16  Configuring the VTY user interface for SSH users to log in to the device
    Operation Command Description

    Enter the system view.

    system-view -

    Enter the VTY user interface view.

    user-interface vty first-ui-number [ last-ui-number ] -

    Set the authentication mode of the VTY user interface to AAA.

    authentication-mode aaa

    By default, no authentication mode is configured for the VTY user interface.

    The authentication mode of the VTY user interface must be set to AAA. Otherwise, you cannot configure the protocol inbound ssh command and users cannot log in to the device.

    Configure a VTY user interface that supports SSH.

    protocol inbound ssh

    By default, the VTY user interface supports SSH.

    If no VTY user interface supports SSH, users cannot log in to the device.

    Configure the user level.

    user privilege level level

    The user level must be set to 3 or higher to allow connections to be established.

    If a local user uses password authentication, you can run the local-user user-name privilege level level command to set the level of the user to 3 or higher.

    (Optional) Configure other attributes of the VTY user interface.

    -
    Other attributes of the VTY user interface are as follows:
    • Maximum number of VTY user interfaces
    • Restrictions on incoming calls and outgoing calls on the VTY user interface
    • Terminal attributes on the VTY user interface
    For details, see Configuring STelnet Login–Other commands.

  • Configure SSH user information.

    Configure SSH user information including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.
    • The password-rsa authentication mode consists of the password and RSA authentication modes.
    • The password-dsa authentication mode consists of the password and DSA authentication modes.
    • The password-ecc authentication mode consists of the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users can be authenticated by ECC, DSA, password, or RSA.
    Table 8-17  Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Create SSH users.

    ssh user user-name

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

    If SSH users are not created using the ssh user command, directly run the ssh authentication-type default password command to configure the default password authentication mode for users. This makes configuration simpler when a large number of users exist, because you need to configure only AAA users.

    NOTE:
    In all authentication mode, the user priority depends on the authentication mode selected.
    • If password authentication is selected, the user priority is the same as that specified on the AAA module.
    • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access.

    If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.

    Set the service type to SFTP or all for SSH users.

    ssh user username service-type { sftp | all }

    By default, the service type of SSH users is empty.

    Configure the authorized directory for SSH users.

    ssh user username sftp-directory directoryname

    The default SFTP service authorized directory is flash: for an SSH user.

    • The password authentication mode is implemented based on AAA. To log in to the device in the password-ecc, password-dsa, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and client need to generate the RSA, DSA, or ECC key and configure the public key of the peer end locally.
    Perform any of the following configurations according to authentication mode:
    • To configure password authentication for the SSH user, see Table 8-18.

    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 8-19.

    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. For details, see Table 8-18 and Table 8-19.

    Table 8-18  Configuring password, password-ecc, password-dsa, or password-rsa authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view -

    Enter the AAA view.

    aaa -

    Configure the local user name and password.

    local-user user-name password irreversible-cipher password

    -

    Configure the service type for the local user.

    local-user user-name service-type ssh -

    Configure the level for the local user.

    local-user user-name privilege level level -

    Return to the system view.

    quit -
    Table 8-19  Configuring DSA, RSA, ECC, password-dsa, password-rsa, or password-ecc authentication for the SSH user
    Operation Command Description

    Enter the system view.

    system-view -

    Display the RSA, DSA, or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    ,

    dsa peer-public-key key-name encoding-type { der | openssh | pem }

    , or

    ecc peer-public-key key-name encoding-type { der | openssh | pem }

    -

    Display the public key editing view.

    public-key-code begin -

    Edit the public key.

    hex-data
    • The public key must be a hexadecimal character string in the public key encoding format, and generated by the client software that supports SSH. For detailed operations, see the documentation of the SSH client software.
    • You must enter the RSA, DSA, ECC public key on the device that works as the SSH server.

    Exit the public key editing view.

    public-key-code end
    • If no public key code hex-data is entered, the public key cannot be generated after you run this command.
    • If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and then returns to the system view directly when you run this command.

    Return to the system view from the public key view.

    peer-public-key end -

    Assign an RSA, DSA, or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name -

  • Connect to the device using SFTP.

    The SSH client software supporting SFTP must be installed on the terminal to ensure that the terminal can connect to the device using SFTP. The following describes how to connect to the device using OpenSSH and the Windows CLI.

    • For details how to install OpenSSH, see the OpenSSH installation description.

    • To use OpenSSH to connect to the device using SFTP, run the relevant OpenSSH commands. For details about OpenSSH commands, see OpenSSH help.

    • Windows command prompt can identify commands supported by OpenSSH only when OpenSSH is installed on the terminal.

    Access the Windows CLI and run the commands supported by OpenSSH to connect to the device using SFTP.

    The command prompt sftp> indicates that you have accessed the working directory on the SFTP server. (The following information is for reference.)

    C:\Documents and Settings\Administrator> sftp sftpuser@10.136.23.5
    Connecting to 10.136.23.5...
    The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
    DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.
    
    User Authentication
    Password:
    sftp>

  • Run SFTP commands to perform file-related operations.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 8-20 in any sequence.

    NOTE:

    In the SFTP client view, the system does not support predictive command input. Therefore, you must enter commands in their full syntax.

    The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.

    Table 8-20  Running SFTP commands to perform file-related operations
    Operation Command Description
    Change the user's current working directory. cd [ remote-directory ] -
    Change the current working directory to its parent directory. cdup -
    Display the user's current working directory. pwd -
    Display the file list in a specified directory. dir/ls [ -l | -a ] [ remote-directory ] Outputs of the dir and ls commands are the same.
    Delete directories from the server. rmdir remote-directory &<1-10>

    A maximum of 10 directories can be deleted at one time.

    Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.

    Create a directory on the server. mkdir remote-directory -
    Change the name of a specified file on the server. rename old-name new-name -
    Download a file from the remote server. get remote-filename [ local-filename ] -
    Upload a local file to the remote server. put local-filename [ remote-filename ] -
    Delete files from the server.

    remove remote-filename &<1-10>

    A maximum of 10 files can be deleted at one time.

    View the help about SFTP commands. help [ all | command-name ] -

    You can also use the following commands to download files from the SFTP server or upload files.

    • IPv4 address : sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username user-name password password sourcefile source-file [ destination destination ]
    • IPv6 address : sftp client-transfile { get | put } ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ -vpn-instance vpn-instance-name | prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username user-name password password sourcefile source-file [ destination destination ]

  • Disconnect the SFTP client from the SSH server.

    Operation Command Description
    Disconnect the SFTP client from the SSH server. quit -

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to view SSH user information on the SSH server.

  • Run the display ssh server status command to view global configuration of the SSH server.

  • Run the display ssh server session command to view session information of the SSH client on the SSH server.

Translation
Download
Updated: 2019-04-08

Document ID: EDOC1100065643

Views: 10951

Downloads: 35

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next