Configuration Guide - Network Management and Monitoring

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of Network Management and Monitoring, including SNMP, RMON, LLDP, NQA, Service Diagnosis, Mirroring, Packet Capture, sFlow, and NETCONF.
Configuring an SSH User

Context

NETCONF requires SSH as its transport layer protocol. Before using NETCONF to manage network devices, configure SSH on the device.

Procedure

  • Set SSH server parameters.

    Table 3-14 Setting SSH server parameters
    Operation Command Description

    Enter the system view.

    system-view

    -

    Generate a local key pair.

    Method 1:

    Run the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command to generate a local RSA, DSA, or ECC key pair.

    Method 2:
    1. Run the rsa key-pair label label-name [ modulus modulus-bits ], dsa key-pair label label-name [ modulus modulus-bits ], or ecc key-pair label label-name [ modulus modulus-bits ] command to generate an RSA, a DSA, or an ECC key pair with a specific label name.

    2. Run the ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key } label-name command to assign the generated RSA host key, RSA server key, DSA host key, or ECC host key to the SSH server.
    NOTE:
    • The device can generate a maximum of 20 key pairs in method 2. You can use different key pairs in different periods to ensure higher communication security. The maximum number of key pairs the device can generate is specified by the rsa key-pair maximum, dsa key-pair maximum, and ecc key-pair maximum commands.

    • You can also run the rsa key-pair label load private private-key public public-key or dsa key-pair label load private private-key public public-key command to load the local RSA or DSA key pair file to the server.

    In method 1:

    After the key pair is generated, you can run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local RSA, DSA, or ECC key pair.

    In method 2:
    After the key pair is generated, you can run the display rsa key-pair [ brief | label label-name ], display dsa key-pair [ brief | label label-name ], or display ecc key-pair [ brief | label label-name ] command to view the RSA, DSA, or ECC key pair with a specific label.
    NOTE:

    Because a longer key pair provides higher security, you are advised to use key pairs of the largest length.

    (Optional) Set a key exchange algorithm list of the SSH server.

    ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } *

    The default situation is as follows:
    • If a device starts without any configuration file, the key exchange algorithms supported by the SSH server are dh_group_exchange_sha1, dh_group_exchange_sha256, ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521, and sm2_kep.

    • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no key exchange algorithm list is configured on the SSH server using the ssh server key-exchange command, the SSH server supports all key exchange algorithms.

    During the negotiation process, the client and server negotiate the key exchange algorithm for packet transmission. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first key exchange algorithm on the client's list that matches a key exchange algorithm on its own list as the key exchange algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.
    NOTE:

    When the public key algorithm on the server is ECC, the sm2_kep algorithm is preferred.

    (Optional) Set an encryption algorithm list for the SSH server.

    ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes192_ctr | aes128_gcm | aes256_gcm | blowfish_cbc } *

    The default situation is as follows:
    • If a device starts without any configuration file, the encryption algorithms supported by the SSH server are AES256_CTR and AES128_CTR.

    • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no encryption algorithm list is configured for the SSH server in the configuration file using the ssh server cipher command, the encryption algorithms supported by the SSH server are 3DES_CBC, AES128_CBC, AES256_CBC, AES128_CTR, AES192_CTR, AES128_GCM, AES256_GCM, AES256_CTR, Arcfour128, and Arcfour256.

    (Optional) Set an HMAC authentication algorithm list for the SSH server.

    ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } *

    The default situation is as follows:
    • If a device starts without any configuration file, the default HMAC authentication algorithms that can be configured for the SSH server are SHA2_256_96, SHA2_256, and SHA1_96.

    • If a device starts with a loaded configuration file (for example, a configuration file is loaded to the device using ZTP for initial configuration), and no HMAC authentication algorithm list is configured for the SSH server in the configuration file using the ssh server hmac command, the HMAC authentication algorithms supported by the SSH server are MD5, MD5_96, SHA1, SHA1_96, SHA2_256, SHA2_512, and SHA2_256_96.

    (Optional) Configure the listening port number.

    ssh [ ipv4 | ipv6 ] server port port-number

    By default, the listening port number is 22.

    If a new port number is configured, the SSH server disconnects from all SSH clients and uses the new port number to listen for connection requests. Attackers who do not know the new port number cannot access the listening port of the SSH server.

    (Optional) Configure the time for updating the key pair of the server.

    ssh server rekey-interval hours

    By default, the time for updating the key pair is 0. The value 0 indicates that the key pair is never updated.

    When the specified time is up, the key pair of the SSH server is updated, ensuring the server security.

    (Optional) Configure the SSH authentication timeout duration.

    ssh server timeout seconds

    By default, the SSH authentication timeout duration is 60 seconds.

    (Optional) Configure the number of SSH authentication retries.

    ssh server authentication-retries times

    By default, the number of SSH authentication retries is 3.

    (Optional) Enable compatibility with earlier SSH versions.

    ssh server compatible-ssh1x enable

    By default, the server's compatibility with earlier versions is disabled.

    To forbid clients from accessing the device using SSH1.3 to SSH1.99, run the undo ssh server compatible-ssh1x enable command to disable compatibility with SSH1.X.

    (Optional) Configure an ACL.

    ssh [ ipv6 ] server acl { acl-number | acl-name }

    By default, no ACL is configured for the SSH server.

    An ACL is configured to determine which clients can log in to the current device through SSH.

    Enable the keepalive function on the SSH server.

    undo ssh server keepalive disable

    By default, the keepalive function is enabled on the SSH server.

    After the keepalive function is enabled on the SSH server, the server responds to keepalive packets received from the SSH client. If the keepalive function is disabled on the SSH server, the client will disconnect from the SSH server when there is no data exchange, wasting server resources due to reconnections.

    (Optional) Configure the source interface of the SSH server.

    ssh server-source -i interface-type interface-number

    By default, the source interface of an SSH server is not specified.

    Before running this command to specify the source interface, ensure that the physical interface exists on the device or the logical interface has been created successfully; otherwise, this command cannot be run successfully.

    Submit the configurations.

    commit

    -
    NOTE:
    • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs is 2048 bits.
    • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair is 2048 bits.
    • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.
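The key exchange negotiation rule described for the ssh server key-exchange command (the server takes the first algorithm on the client's list that it also supports, and fails when there is no overlap), together with a check of the configured cipher, HMAC and key exchange lists for the legacy algorithms this command syntax still allows. This is an added example written for this page, not Huawei code; the default key exchange list is the one quoted above for a device started without a configuration file, the LEGACY set is the editor's own choice and should be tuned to local policy, and the configuration excerpt is constructed, not device output.

```python
import re

# Key exchange list quoted above for a device that starts without a configuration file.
DEFAULT_KEX_NO_CONFIG = ["dh_group_exchange_sha1", "dh_group_exchange_sha256",
                         "ecdh_sha2_nistp256", "ecdh_sha2_nistp384",
                         "ecdh_sha2_nistp521", "sm2_kep"]

# Assumption (editor's choice): algorithms from the cipher, hmac and key-exchange
# command syntax on this page that a NETCONF-facing server should not advertise
# (DES/3DES, RC4, Blowfish, CBC modes, MD5 and SHA-1 based MACs and DH groups).
LEGACY = {"des_cbc", "3des_cbc", "arcfour128", "arcfour256", "blowfish_cbc",
          "aes128_cbc", "aes192_cbc", "aes256_cbc", "md5", "md5_96",
          "sha1", "sha1_96", "dh_group1_sha1", "dh_group14_sha1",
          "dh_group_exchange_sha1"}

# Constructed configuration excerpt in the syntax of Table 3-14 (not device output).
SAMPLE_CONFIG = """\
ssh server cipher aes256_ctr aes128_ctr 3des_cbc
ssh server hmac sha2_256 md5
ssh server key-exchange dh_group_exchange_sha256 dh_group1_sha1
ssh server compatible-ssh1x enable
"""


def negotiate(client_list, server_list):
    """Apply the rule from this section: the first client-preferred algorithm
    that the server also lists wins; None means the negotiation fails."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def audit_ssh_server(config_text):
    """Return {list-name: [legacy algorithms]} for each configured algorithm
    list, plus whether SSH1.X compatibility has been enabled."""
    findings = {}
    for m in re.finditer(r"^\s*ssh server (cipher|hmac|key-exchange) (.+?)\s*$",
                         config_text, re.M):
        weak = sorted(alg for alg in m.group(2).split() if alg in LEGACY)
        if weak:
            findings[m.group(1)] = weak
    if re.search(r"^\s*ssh server compatible-ssh1x enable\s*$", config_text, re.M):
        findings["compatible-ssh1x"] = ["enabled"]
    return findings
```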

  • Configure SSH user information.

    Configure SSH user information, including the authentication mode. The supported authentication modes are RSA, DSA, ECC, password, password-rsa, password-dsa, password-ecc, and all.
    • The password-rsa authentication mode combines the password and RSA authentication modes.
    • The password-dsa authentication mode combines the password and DSA authentication modes.
    • The password-ecc authentication mode combines the password and ECC authentication modes.
    • The all authentication mode indicates that SSH users need to pass only one of DSA, ECC, password, or RSA authentication.
    Table 3-15 Configuring SSH user information
    Operation Command Description

    Enter the system view.

    system-view

    -

    Create SSH users.

    ssh user user-name

    -

    Configure the authentication mode for SSH users.

    ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa | password-dsa | ecc | password-ecc }

    If SSH users are not created using the ssh user user-name command, directly run the ssh authentication-type default password command to configure the default password authentication mode for users. This mode simplifies the configurations when a large number of users exist, because you need to configure only AAA users.

    Set the service type to snetconf or all for SSH users.

    ssh user user-name service-type { snetconf | all }

    By default, the service type of SSH users is empty.

    Submit the configurations.

    commit

    -
    NOTE:
    • The password authentication mode is implemented based on AAA. To log in to the device in the password-dsa, password-ecc, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
    • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and client need to generate the RSA, DSA, or ECC key and configure the public key of the peer end locally.
    Perform any of the following configurations according to the authentication mode you select:
    • To configure password authentication for the SSH user, see Table 3-16.

    • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 3-17.

    • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. See Table 3-16 and Table 3-17.

    Table 3-16 Configuring password, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Enter the AAA view.

    aaa

    -

    Configure the local user name and password.

    local-user user-name password irreversible-cipher irreversible-cipher-password

    -

    Configure the service type for the local user.

    local-user user-name service-type ssh

    -

    Configure the level for the local user.

    local-user user-name level level

    -

    Return to the system view.

    quit

    -

    Commit the configuration.

    commit

    -

    NOTE:
    • If the default authentication mode of NETCONF connections is AAA authentication, you are advised to set the user level to 3 or 15 when configuring an AAA user. If the level of the configured AAA user is lower than 3, the user cannot perform certain configurations.

    • To ensure device security, change the password periodically.

    Table 3-17 Configuring DSA, ECC, RSA, password-dsa, password-ecc, or password-rsa authentication for the SSH user

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Configure the authentication type for the SSH connection.

    ssh authorization-type default root

    By default, the authentication type for the SSH connection is AAA.

    When the authentication type is AAA, only the password authentication mode can be configured. If the public key authentication mode is used, perform either of the following operations to implement successful login of the SSH user:
    • Run this command to set the authentication type for the SSH connection to root.
    • In the AAA view, create a local user with the same name as the SSH user.

    Enter the RSA, DSA, or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    or

    dsa peer-public-key key-name encoding-type { der | openssh | pem }

    or

    ecc peer-public-key key-name [ encoding-type der ]

    -

    Enter the public key editing view.

    public-key-code begin

    -

    Edit the public key.

    hex-data

    • The public key must be a hexadecimal character string in the public key encoding format, and generated by the client software that supports SSH. For detailed operations, see the SSH client software help.
    • You must enter the RSA, DSA, or ECC public key on the device that functions as the SSH server.

    Exit from the public key editing view.

    public-key-code end

    • If no valid key code hex-data is entered, the public key cannot be generated after you run this command.
    • If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and returns to the system view directly when you run this command.

    Return to the system view from the public key view.

    peer-public-key end

    -

    Assign an RSA, DSA, or ECC public key to an SSH user.

    ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

    -

    Commit the configuration.

    commit

    -
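A check of the cross-table preconditions that Tables 3-15 to 3-17 and their notes state for an SSH user who must log in over NETCONF: a service type of snetconf or all (the default is empty), an assigned public key for the RSA, DSA or ECC modes, a same-name AAA user with service-type ssh for the password modes, either a same-name AAA user or ssh authorization-type default root for the public-key modes, and an AAA user level of at least 3. This is an added example written for this page, not Huawei code; the configuration excerpt is constructed in the command syntax of the tables above and is not device output, and the password value is a placeholder.

```python
import re

PASSWORD_MODES = {"password", "password-rsa", "password-dsa", "password-ecc"}
PUBKEY_MODES = {"rsa", "dsa", "ecc", "password-rsa", "password-dsa", "password-ecc"}

# Constructed excerpt in the syntax of Tables 3-15 to 3-17; not device output.
SAMPLE_CONFIG = """\
ssh user netops authentication-type password-rsa
ssh user netops assign rsa-key netops-key
ssh user netops service-type snetconf
ssh user auditor authentication-type rsa
ssh user auditor assign rsa-key auditor-key
aaa
 local-user netops password irreversible-cipher PLACEHOLDER
 local-user netops service-type ssh
 local-user netops level 15
"""

def parse_config(text):
    """Collect the SSH-user and AAA facts that the login preconditions depend on."""
    cfg = {"ssh": {}, "aaa": {}, "root": False}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"ssh user (\S+) (authentication-type|service-type) (\S+)$", line):
            cfg["ssh"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"ssh user (\S+) assign (?:rsa|dsa|ecc)-key (\S+)$", line):
            cfg["ssh"].setdefault(m[1], {})["key"] = m[2]
        elif m := re.match(r"local-user (\S+) (service-type|level) (\S+)$", line):
            cfg["aaa"].setdefault(m[1], {})[m[2]] = m[3]
        elif line == "ssh authorization-type default root":
            cfg["root"] = True  # public-key users no longer need a same-name AAA user
    return cfg

def netconf_login_problems(cfg, name):
    """Return the preconditions from this section that user 'name' does not meet."""
    u = cfg["ssh"].get(name)
    if u is None:
        return ["no ssh user entry"]
    auth, aaa, problems = u.get("authentication-type", ""), cfg["aaa"].get(name), []
    if u.get("service-type") not in ("snetconf", "all"):
        problems.append("service-type must be snetconf or all")
    if auth in PUBKEY_MODES and "key" not in u:
        problems.append("no public key assigned")
    if auth in PASSWORD_MODES and (aaa is None or aaa.get("service-type") != "ssh"):
        problems.append("password mode needs a same-name AAA user with service-type ssh")
    elif auth in PUBKEY_MODES and aaa is None and not cfg["root"]:
        problems.append("public-key mode needs a same-name AAA user or authorization-type root")
    if aaa and int(aaa.get("level", 0)) < 3:
        problems.append("AAA user level below 3")
    return problems
```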

Updated: 2019-04-20

Document ID: EDOC1100075344