CLI Login Configuration

The system view is displayed.

The console user interface view is displayed.

The data transmission attributes configured on the terminal software must be the same as those on the device.

1. Run speed speed-value

   The transmission rate is set.

   The default transmission rate is 9600 bit/s.

2. Run databits { 7 | 8 }

   The data bit is set.

   The default data bit is 8. Data bit configuration depends on the code type used for information interchange. If standard ASCII codes are used, set the data bit to 7. If extended ASCII codes are used, set the data bit to 8.

3. Run parity { even | none | odd }

   The parity bit is set.

   The default parity bit is set to none, indicating that the parity check is not performed on the console port. Setting a parity bit improves data security. If packets on the console port fail to pass the parity check, the device discards the packets.

4. Run stopbits { 1 | 1.5 | 2 }

   The stop bit is set.

   The default stop bit is 1. The stop bit indicates the end of a packet. More stop bits indicate lower transmission efficiency.

1. Run idle-timeout minutes [ seconds ]

   A timeout period is set for a user connection.

   If a connection remains idle for the specified timeout period, the system automatically ends the connection after the timeout period expires.

   The default timeout period is 5 minutes.

   If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

2. Run screen-length screen-length

   The number of rows displayed on a terminal screen is set.

   The default number of rows displayed on a terminal screen is 24.

   The system automatically adjusts the number of terminal screen lines.

3. Run screen-width screen-width

   The number of columns displayed on a terminal screen is set.

   The default number of columns displayed on a terminal screen is 80. Each character is a column.

4. Run history-command max-size size-value

   A buffer size is set for historical commands.

   The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

The system view is displayed.

The console user interface view is displayed.

A user level is set.

By default, the users on the console user interface are at level 15.

• If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
• If password authentication is configured, the levels of commands accessible to a user depend on the level of the console user interface through which the user logs in.
• If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

1. Click Session to establish a connection, as shown in Figure 10-2.
   Figure 10-2 Establishing a connection
   

2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-3.

   Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

   Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

   By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

   If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

   Figure 10-3 Setting the connected port and communication parameters
   

Login authentication


Password:       
<Huawei>         

You can run commands to configure the device. Enter a question mark (?) whenever you need help.

The system view is displayed.

The console user interface view is displayed.

The data transmission attributes configured on the terminal software must be the same as those on the device.

1. Run speed speed-value

   The transmission rate is set.

   The default transmission rate is 9600 bit/s.

2. Run databits { 7 | 8 }

   The data bit is set.

   The default data bit is 8. Data bit configuration depends on the code type used for information interchange. If standard ASCII codes are used, set the data bit to 7. If extended ASCII codes are used, set the data bit to 8.

3. Run parity { even | none | odd }

   The parity bit is set.

   The default parity bit is set to none, indicating that the parity check is not performed on the console port. Setting a parity bit improves data security. If packets on the console port fail to pass the parity check, the device discards the packets.

4. Run stopbits { 1 | 1.5 | 2 }

   The stop bit is set.

   The default stop bit is 1. The stop bit indicates the end of a packet. More stop bits indicate lower transmission efficiency.

1. Run idle-timeout minutes [ seconds ]

   A timeout period is set for a user connection.

   If a connection remains idle for the specified timeout period, the system automatically ends the connection after the timeout period expires.

   The default timeout period is 5 minutes.

   If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

2. Run screen-length screen-length

   The number of rows displayed on a terminal screen is set.

   The default number of rows displayed on a terminal screen is 24.

   The system automatically adjusts the number of terminal screen lines.

3. Run screen-width screen-width

   The number of columns displayed on a terminal screen is set.

   The default number of columns displayed on a terminal screen is 80. Each character is a column.

4. Run history-command max-size size-value

   A buffer size is set for historical commands.

   The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

The system view is displayed.

The console user interface view is displayed.

A user level is set.

By default, the users on the console user interface are at level 15.

• If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
• If password authentication is configured, the levels of commands accessible to a user depend on the level of the console user interface through which the user logs in.
• If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

1. Click Session to establish a connection, as shown in Figure 10-4.
   Figure 10-4 Establishing a connection
   

2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-5.

   Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

   Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

   By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

   If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

   Figure 10-5 Setting the connected port and communication parameters
   

Login authentication


Password:       
<Huawei>         

You can run commands to configure the device. Enter a question mark (?) whenever you need help.

The system view is displayed.

The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

By default, the maximum number of VTY user interfaces is 5.

• When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
• If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
• If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

The VTY user interface view is displayed.

The VTY terminal service is enabled.

By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

A timeout period is set for a user connection.

If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

By default, the timeout period is 5 minutes.

If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

The number of rows displayed on a terminal screen is set.

If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

The default number of rows is 24.

The number of columns displayed on a terminal screen is set.

The default number of columns is 80. Each character is a column.

A buffer size is set for historical commands.

The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

The system view is displayed.

The VTY user interface view is displayed.

A user level is set.

By default, the users on the VTY user interface are at level 0.

• If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
• If password authentication is configured, the levels of commands accessible to a user depend on the level of the VTY user interface through which the user logs in.
• If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

The system view is displayed.

The interfaces on the Telnet server to which clients can connect are specified.

By default, clients can connect to all the interfaces on the Telnet server.

The all parameter is supported in V300R019C11SPC100 and later versions.

In V300R019C11SPC100 and later versions, this step is mandatory. If you do not perform this step, the Telnet service cannot be enabled.

The Telnet server function is enabled on the device.

By default, the Telnet server function is disabled on the device.

The protocol port number is specified for the Telnet server.

By default, the protocol port number of the Telnet server is 23.

You can configure a new protocol port number for the Telnet server to prevent attackers from accessing the server using the default port.

The source interface is specified for the Telnet server.

By default, no source interface is specified for the Telnet server.

If no source IP address is specified for the Telnet server, the Telnet server selects a source IP address according to routing entries to send packets. The source IP address to be specified must be that of a stable interface such as a loopback interface. Before specifying a source interface, make sure that the Telnet client has a reachable route to the source interface. Otherwise, the configuration will fail.

• Control access to the local device.

  1. Run acl acl-number

     An ACL is created and the ACL view is displayed.

     acl-number refers to a basic ACL numbered from 2000 to 2999.

  2. Run rule permit source source-address 0

     ACL rules are configured to prohibit devices except the device specified by source-address from accessing the local device.

  3. Run quit

     Exit the ACL view.

  4. Run user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  5. Run acl [ ipv6 ] acl-number inbound

     ACL-based Telnet access control is configured for the VTY user interface.

• Control access of the local device to other devices.
  1. Run acl acl-number

     An ACL is created and the ACL view is displayed.

     acl-number refers to an advanced ACL numbered from 3000 to 3999.

  2. Run rule deny tcp destination-port eq telnet

     ACL rules are configured to prohibit the local device from accessing other devices.

  3. Run quit

     Exit the ACL view.

  4. Run user-interface vty first-ui-number [ last-ui-number ]

     The VTY user interface view is displayed.

  5. Run acl [ ipv6 ] acl-number outbound

     ACL-based Telnet access control is configured for the VTY user interface.

Run system lock type { ip | none }

The type of a locked object is configured.

By default, the device locks a user's IP address after the user fails authentication. If you do not need to lock the IP address of a user after the user fails authentication, run the system lock type none command and delete the IP address from the blacklist as prompted. After the IP address locking function is disabled, if a user enters an incorrect user name and password when logging in to the device through Telnet, STelnet, FTP, or SFTP, the IP address of the user will not be added to the blacklist. That is, the IP address will not be locked.

If a user enters an incorrect user name or password, the device adds the IP address of the user to the blacklist and locks the user for 5 seconds upon the first login failure, 10 seconds upon the second login failure, and 20 seconds upon the third login failure. If the user enters incorrect user names or passwords for five consecutive times, the device locks the user for 300 seconds upon the sixth login failures. When a user account is locked, the user's IP address cannot be used to set up a connection in a new window because it is in the blacklist. If the user enters the correct user name and password and logs in to the device successfully after the locking duration expires, the user's IP address will be removed from the blacklist and a recovery log is generated. If the login fails again, the user account will be locked for 300 seconds. A maximum of 32 IP addresses can be locked at the same time. If more than 32 IP addresses are added to the blacklist, a new IP address will overwrite the earliest one.

C:\Documents and Settings\Administrator> telnet 10.137.217.177

Login authentication

Username:admin1234
Password:
<Telnet Server>

The system view is displayed.

The source IP address of the Telnet client is set.

The source address of the Telnet client displayed on the server is the same as that configured in this step.

Exit the system view.

• In IPv4 mode, run the telnet [ -a source-ip-address ] host-ip [ port-number ] command to log in to another device as a Telnet client.

• In IPv6 mode, run the telnet ipv6 [ -a source-ip-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] command to log in to another device as a Telnet IPv6 client.

The system view is displayed.

The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

By default, the maximum number of VTY user interfaces is 5.

• When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
• If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
• If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

The VTY user interface view is displayed.

The VTY terminal service is enabled.

By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

A timeout period is set for a user connection.

If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

By default, the timeout period is 5 minutes.

If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

The number of rows displayed on a terminal screen is set.

If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

The default number of rows is 24.

The number of columns displayed on a terminal screen is set.

The default number of columns is 80. Each character is a column.

A buffer size is set for historical commands.

The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

The system view is displayed.

The VTY user interface view is displayed.

The authentication mode is set to AAA authentication.

An authentication domain is configured.

By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the VTY user interface, you can run this command.

The VTY user interface is configured to support the SSH protocol.

By default, a VTY user interface supports the SSH and Telnet protocol.

Return to the system view.

An authentication mode is set for the SSH user.

The system view is displayed.

1. Run aaa

   The AAA view is displayed.

2. Run local-user user-name password { cipher | irreversible-cipher } password

   A local user is created and a password is configured.

3. Run local-user user-name privilege level level

   A user level is set for the local user.

4. Run local-user user-name service-type ssh

   A service type is set for the local user.

5. Run quit

   Return to the system view.

The default authentication mode is configured for the SSH user.

By default, the default authentication mode of SSH users is password authentication.

V300R019C00:

Only the AR651C and AR651F-Lite support this function.

V300R019C10 and later versions:

Only the AR651K, AR651, AR651-X8, AR651C, AR651F-Lite, AR651U-A4, AR651W-X4, AR651W-8P, AR651W, AR657W, AR6120, AR6121K, AR6121E, AR6121, AR6120-VW, AR6140K-9G-2AC, AR6140E-9G-2AC, and AR6140-9G-2AC support this function.

Only the AR6120-S, AR6140-S, AR6121-S, and AR6121C-S support this function.

The system view is displayed.

The interfaces on the SSH server to which clients can connect are specified.

By default, clients can connect to all the interfaces on the SSH server.

To prevent clients from connecting to the SSH server through unauthorized interfaces, you can run this command to specify the interfaces on the SSH server to which clients can connect.

The all parameter is supported in V300R019C11SPC100 and later versions.

In V300R019C11SPC100 and later versions, this step is mandatory. If you do not perform this step, the SSH service cannot be enabled.

The SSH server function is enabled on the device.

By default, the SSH server function is disabled on the device.

An encryption algorithm list is configured for the SSH server.

By default, an SSH server supports the following encryption algorithms: aes128_ctr, aes192_ctr, and aes256_ctr.

The server and client negotiate the algorithm for encrypting packets transmitted between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. The server compares the encryption algorithm list sent from the client with its own encryption algorithm list, and selects the first matched encryption algorithm for encrypting transmitted packets. If the encryption algorithm lists of the server and client have no common encryption algorithm, the encryption algorithm negotiation fails.

3des_cbc, aes128_cbc, blowfish_cbc, and des_cbc are weak encryption algorithms. Therefore, it is recommended that you not add them to the encryption algorithm list of the SSH server.

The 3des_cbc and des_cbc parameters are not supported in Only V300R019C11 version.

An HMAC algorithm list is configured for the SSH server.

By default, an SSH server supports the sha2_256 algorithm only.

The server and client negotiate the HMAC algorithm for checking packets transmitted between them. You can run the ssh server hmac command to configure an HMAC algorithm list for the SSH server. The server compares the HMAC algorithm list sent from the client with its own HMAC algorithm list, and selects the first matched HMAC algorithm for checking transmitted packets. If the HMAC algorithm lists of the server and client have no common HMAC algorithm, the HMAC algorithm negotiation fails.

You are advised not to add the following HMAC check algorithms to the HMAC check algorithm list of the SSH server because they provide low security: sha2_256_96, sha1, sha1_96, md5, and md5_96.

Only V300R019C11 version does not support the md5, md5_96, sha1_96, and sha2_256_96 parameters.

A key exchange algorithm list is configured for the SSH server.

In V300R019C00:

By default, an SSH server supports the dh_group_exchange_sha1 and dh_group1_sha1 key exchange algorithms.

In V300R019C10 and later versions:

By default, an SSH server supports the dh_group_exchange_sha1, dh_group14_sha1, and dh_group14_sha256 key exchange algorithms.

In V300R019C11SPC100 and later versions:

By default, an SSH server supports the dh_group_exchange_sha1, dh_group14_sha1, dh_group14_sha256, and dh_group15_sha512 key exchange algorithms.

The server and client negotiate the key exchange algorithm for packet transmission between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first matched key exchange algorithm as the key exchange algorithm for packet transmission. If the key exchange algorithm lists of the server and client have no common key exchange algorithm, the key exchange algorithm negotiation fails.

You are advised not to add the dh_group1_sha1 algorithm to the key exchange algorithm list of the SSH server because it provides low security.

V300R019C10 and later versions support the dh_group14_sha1 and dh_group14_sha256 parameters.

Only V300R019C11 version does not support the dh_group1_sha1 parameters.

V300R019C11SPC100 and later versions support the dh_group15_sha512 parameters.

A local RSA or ECC key pair is generated.

A longer key pair indicates higher security. You are advised to use the longest possible key pairs.

The port number of the SSH server is specified.

By default, the port number of the SSH server is 22.

Configuring a port number for an SSH server can prevent attackers from accessing the SSH server using the default port, improving SSH server security.

The interval for updating key pairs is set.

By default, the interval for updating the key pair of an SSH server is 0, indicating that the key pair is never updated.

After this configuration is completed, the SSH server will automatically update the key pair at the specified interval, thereby enhancing security.

The SSH authentication timeout interval is set.

By default, the SSH authentication timeout interval is 60 seconds.

If you have not logged in successfully within the SSH authentication timeout interval, the current connection is terminated to ensure security.

The maximum number of SSH authentication retries is set.

The default maximum number of SSH authentication retries is 3.

You can set the maximum number of SSH authentication retries to prevent unauthorized access.

Compatibility with earlier SSH versions is enabled.

By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the configuration of the compatibility function is the same as that specified in the configuration file.

If the SSH server is enabled to be compatible with earlier SSH versions, the system prompts a security risk.

The source interface is specified for the SSH server.

By default, no source interface is specified for the SSH server.

If no source IP address is specified for the SSH server, the SSH server selects a source IP address according to routing entries to send packets. The source IP address to be specified must be that of a stable interface such as a loopback interface. Before specifying a source interface for an SSH server, make sure that the SSH client has a reachable route to the source interface. Otherwise, the configuration will fail.

Run system lock type { ip | none }

The type of a locked object is configured.

By default, the device locks a user's IP address after the user fails authentication. If you do not need to lock the IP address of a user after the user fails authentication, run the system lock type none command and delete the IP address from the blacklist as prompted. After the IP address locking function is disabled, if a user enters an incorrect user name and password when logging in to the device through Telnet, STelnet, FTP, or SFTP, the IP address of the user will not be added to the blacklist. That is, the IP address will not be locked.

If a user enters an incorrect user name or password, the device adds the IP address of the user to the blacklist and locks the user for 5 seconds upon the first login failure, 10 seconds upon the second login failure, and 20 seconds upon the third login failure. If the user enters incorrect user names or passwords for five consecutive times, the device locks the user for 300 seconds upon the sixth login failures. When a user account is locked, the user's IP address cannot be used to set up a connection in a new window because it is in the blacklist. If the user enters the correct user name and password and logs in to the device successfully after the locking duration expires, the user's IP address will be removed from the blacklist and a recovery log is generated. If the login fails again, the user account will be locked for 300 seconds. A maximum of 32 IP addresses can be locked at the same time. If more than 32 IP addresses are added to the blacklist, a new IP address will overwrite the earliest one.

login as: client001      //Enter the SSH user name.
Sent username "client001"

client001@10.137.217.203's password:           //Enter the password configured through AAA.

<SSH Server>

1. Run system-view

   The system view is displayed.

2. Run rsa local-key-pair create, or ecc local-key-pair create

   A local RSA or ECC key pair is generated. The generated key pair must be of the same type as that of the server.

   You can run the display rsa local-key-pair public or display ecc local-key-pair public command to view information about the public key in the generated RSA or ECC key pair. Configure the public key on the SSH server. For details, see Configuring an SSH User.

3. Run quit

   Return to the user view.

Run either of the preceding commands based on the network address type.

• IPv4 mode:

  run the stelnet [ -a source-address ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] ^* [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

• IPv6 mode:

  run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ -vpn6-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] ^* [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

When port 22 is specified as the protocol port number for the STelnet server, the STelnet client can log in with no port number specified. If another port number is specified as the protocol port number for the STelnet server, you must specify the port number used by the client to log in.

When configuring an STelnet client to log in to an SSH server, you can specify the source IP address, select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and enable the keepalive function on the client.

DES, 3DES, MD5, MD5_96, SHA1, and SHA1_96 encryption algorithm cannot ensure security. AES128, AES128-CTR, AES192-CTR or AES256-CTR encryption algorithm is recommended.

• Only V300R019C11 version does not support the 3des, sha1_96, md5, md5_96, and sha2_256_96 parameters.
• V300R019C11 and later versions: The device support the dh_group14_sha256 and dh_group14_sha1 parameters.
• V300R019C11SPC100 and later versions: The device support the dh_group15_sha512 parameters.

1. Run system-view

   The system view is displayed.

2. Run interface async interface-number

   The asynchronous interface view is displayed.

3. Run async mode flow

   The asynchronous serial interface is configured to work in flow mode.

   By default, an asynchronous serial interface works in protocol mode.

4. Run quit

   Exit from the asynchronous serial interface view.

5. Run:user-interface console 0

   The console user interface view is displayed.

   Or run:

   user-interface tty tty-number

   The TTY user interface view is displayed.

   When configuring the TTY user interface, pay attention to the following points:

   • After an 8AS interface card registers successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.

   • If the modem function is enabled on a TTY user interface, the redirection function does not take effect on the TTY user interface.

6. (Optional) Run authentication-mode { password | aaa }

   A user authentication mode is specified.

   For details on configuration of the authentication mode, see Configuring an Authentication Mode for the Console or TTY User Interface.

7. Run redirect [ ssh ] enable

   The redirection function is enabled.

   By default, the redirection function is disabled.

8. (Optional) Run transparent-mode enable

   The transparent transmission mode for redirection on the serial port is enabled.

   By default, the transparent transmission mode for redirection on a serial port is disabled.

   The device checks data redirected by a serial port and discards unidentifiable data, damaging the original data. You can run this command to ensure the original data integrity. The device will transparently transmit data without checking it.

9. Run undo shell

   The terminal service is disabled on the user interface.

   By default, the terminal service is disabled on a TTY user interface.

10. (Optional) Run redirect binding vpn-instance vpn-instance-name

    The redirection function is associated with a VPN instance.

    By default, the redirection function is not associated with any VPN instance, and all users on public and private networks can use the redirection function to log in to remote devices.

11. (Optional) Run redirect [ ssh ] listen-port port-number

    A port number is specified for setting up connections through the redirection function.

    By default, the port number that the local device uses to set up a connection with a remote device is 2000 plus tty-number. When the default port number is used by another service, perform this step to set a new port number.

    Port 2000 is used on the console user interface view.

• Telnet mode

  Log in to a device from a terminal through redirection in Telnet mode. The Windows command line is used as an example.

  1. Open the command line window.

  2. Run the telnet host-name port-number command to log in to the device through redirection.

     In the command, host-name is the IP address or host name of the router with the redirection function enabled, and port-number is the default listening port number (2000 plus tty-number) or the port number configured using the redirect listen-port command. (The following information is only for reference.)

     C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
     Press CTRL_] to quit telnet mode
       Trying 10.1.1.1...
       Connected to 10.1.1.1...
     Login authentication
     
     
     Password:
      <Router>

• STelnet mode

  Log in to a device from a terminal through redirection in STelnet mode. The third-party software PuTTY is used as an example.

  # Log in to the device using PuTTY. Set the protocol type to SSH, Host Name to the IP address or host name of the redirection-enabled router, and Port to the default port number (2000 plus TTY number) or the port number specified using the redirect ssh listen-port command. (The following information is only for reference.)

  Figure 10-11 Using Putty to redirect to a device in STelnet mode
  
  

  # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the device. (The following information is only for reference.)

  login as: client001
  client001@10.1.1.1's password:
  
  <Router>

The system view is displayed.

The asynchronous serial interface view is displayed.

The asynchronous serial interface is configured to work in flow mode.

By default, an asynchronous serial interface works in protocol mode.

Exit from the asynchronous serial interface view.

The TTY user interface view is displayed.

After a 1SA or 2SA interface card is registered successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.

If the modem function is enabled on a TTY user interface, the reverse Telnet function does not take effect on the TTY user interface.

The terminal service is disabled on the user interface.

By default, the terminal service is disabled on a TTY user interface.

Configure connection parameters on the router to enable the dumb terminal to set up a connection with the remote server through the router.

By default, a dumb terminal cannot set up a connection with a remote server.

The router is enabled to add line breakers in output information.

By default, the function of adding a line break is disabled.

To configure the calling end to add line break \n when sending carriage return line break \r\n so that the calling and called ends have the same data, perform this step to enable the function of adding a line break.

The system view is displayed.

The console user interface view is displayed.

The dumb terminal is configured to set up a connection with the remote server through the router.

By default, a dumb terminal cannot set up a connection with a remote server.

The function of adding a line break is enabled.

By default, the function of adding a line break is disabled.

To configure the calling end to add line break \n when sending carriage return line break \r\n so that the calling and called ends have the same data, perform this step to enable the function of adding a line break.

The terminal service is disabled on the console user interface.

By default, the terminal service is enabled on the console user interface.

For the device with the Config button, you can also press and hold down the config button for less than 5s, the terminal service on the console user interface will be switched between shell and undo shell once.

1. Click Session to establish a connection, as shown in Figure 10-16.
   Figure 10-16 Establishing a connection
   

2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-17.

   Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

   Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

   By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

   If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

   Figure 10-17 Setting the connected port and communication parameters
   

Login authentication


Password:       
<Huawei>         

You can run commands to configure the device. Enter a question mark (?) whenever you need help.

<Huawei> system-view
<Huawei> sysname Router
[Router] user-interface console 0
[Router-ui-console0] authentication-mode aaa
[Router-ui-console0] user privilege level 15
[Router-ui-console0] quit
[Router] aaa
[Router-aaa] local-user admin1234 password irreversible-cipher YsHsjx_202206
[Router-aaa] local-user admin1234 privilege level 3
[Router-aaa] local-user admin1234 service-type terminal

After the preceding operations, you can re-log in to the device on the console user interface only by entering the user name admin1234 and password YsHsjx_202206.

<Huawei> system-view
[Huawei] sysname Telnet Server
[Telnet Server] telnet server permit interface all //Specify the interfaces on the Telnet server to which clients can connect in V300R019C11SPC100 or a later version. If no interface is specified, the Telnet service cannot be enabled.
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025

# Set the maximum number of VTY user interfaces.

[Telnet Server] user-interface maximum-vty 8

# Set the IP address of the device to which the user is allowed to log in.

[Telnet Server] acl 2001
[Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
[Telnet Server-acl-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound

# Configure the terminal attributes of the VTY user interface.

[Telnet Server-ui-vty0-7] shell
[Telnet Server-ui-vty0-7] idle-timeout 20
[Telnet Server-ui-vty0-7] screen-length 30
[Telnet Server-ui-vty0-7] history-command max-size 20

# Configure the user authentication mode of the VTY user interface.

[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit

# Configure the login authentication mode.

[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password irreversible-cipher YsHsjx_202206
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit

Run commands on the Windows command prompt of the PC to log in to the device using Telnet.

C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

Press Enter, and enter the user name and password in the login window. If the authentication is successful, the command line prompt of the user view is displayed. The user view configuration environment is displayed.

Login authentication

Username:admin1234
Password:
<Telnet Server>

In versions earlier than V300R019C11: The server key pair length and host key pair length range from 512 to 2048, in bits. The default key pair length is 2048 bits.

In V300R019C11 and later versions: The minimum length of the server key pair and host key pair is 2048 bits, and the maximum length is 4096 bits. The default key pair length is 2048 bits.

<Huawei> system-view
[Huawei] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: Host                                                      
RSA keys defined for Host already exist.                                        
Warning: Confirm to replace them! Continue? [Y/N]Y                                    
The range of public key size is (2048 ~ 4096).                                  
NOTES: If the key modulus is less than 2048,                                    
       It will introduce potential security risks.                              
Input the bits in the modulus[default = 2048]:2048                              
Generating keys...                                                              
..............................................................+++               
.....+++                                                                        
............................++++                                                
.....................++++   

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

• Create an SSH user named client001.

  # Create an SSH user named client001 and configure the password authentication mode for the user.

  [SSH Server] aaa
  [SSH Server-aaa] local-user client001 password irreversible-cipher YsHsjx_202206
  [SSH Server-aaa] local-user client001 privilege level 3
  [SSH Server-aaa] local-user client001 service-type ssh
  [SSH Server-aaa] quit
  [SSH Server] ssh user client001 authentication-type password

• Create an SSH user named client002.

  # Create an SSH user named client002 and configure the RSA authentication mode for the user.

  [SSH Server] aaa
  [SSH Server-aaa] local-user client002 password irreversible-cipher YsHsjx_202206
  [SSH Server-aaa] local-user client002 privilege level 3
  [SSH Server-aaa] local-user client002 service-type ssh
  [SSH Server-aaa] quit
  [SSH Server] ssh user client002 authentication-type rsa

  # Generate a local key pair of the client on PC2.

  1. Run puttygen.exe on the client. It is used to generate the public and private key files.

     Select SSH2 RSA and click Generate. By moving the cursor in the blank area to generate the key.

     Figure 10-20 PuTTY Key Generate page (1)
     
     
  2. After the key is generated, click Save public key to save the key in the key.pub file.
     Figure 10-21 PuTTY Key Generate page (2)
     
     
  3. Click Save private key. The PuTTYgen Warning dialog box is displayed. Click Yes. The private key is saved in the private.ppk file.
     Figure 10-22 PuTTY Key Generate page (3)
     
     

  # Enter the RSA public key generated on PC2 to the SSH server.

  [SSH Server] rsa peer-public-key rsakey001
  [SSH Server-rsa-public-key] public-key-code begin  //Copy the public key of the client. The public key must be a hexadecimal character string. If the public key is not a hexadecimal string, convert it in advance.
  [SSH Server-rsa-key-code] 30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7
  [SSH Server-rsa-key-code] 048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118
  [SSH Server-rsa-key-code] 4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
  [SSH Server-rsa-key-code] 62E3F2A5 8C04C443 CF51CF51 136B5B9E 812AB1B7 1250EB24
  [SSH Server-rsa-key-code] A4AE5083 A1DB18EC E2395C9B B806E8F0 0BE24FB5 16958784
  [SSH Server-rsa-key-code] 403B617F 8AAAB1F8 C6DE8C3C F09E4D23 7D1C17BF 4AAF09C4
  [SSH Server-rsa-key-code] 74C083AF 17CD3075 3396B322 32C57FF0 B1991971 02F1033B
  [SSH Server-rsa-key-code] 81AA6D47 44520F23 685FAF72 04BA4B6E 615EF224 14E64E2A
  [SSH Server-rsa-key-code] 331EEB7F 188D9805 96DBFD30 0C947A5A BA879DC4 F848B769
  [SSH Server-rsa-key-code] 513C35CD B52B2917 02B77693 F79910EE 5287F252 977F985E
  [SSH Server-rsa-key-code] 5F186C94 93F26780 4E7F5F9D 5287350A 0A4F4988 1BF6AB7C
  [SSH Server-rsa-key-code] 1B020125
  [SSH Server-rsa-key-code] public-key-code end
  [SSH Server-rsa-public-key] peer-public-key end

  # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

  [SSH Server] ssh user client002 assign rsa-key rsakey001

# Enable the STelnet service.

[SSH Server] ssh server permit interface all // Specify the interfaces on the SSH server to which clients can connect in V300R019C11SPC100 and later versions. If no interface is specified, the STelnet service cannot be enabled.
[SSH Server] stelnet server enable

[SSH Server] acl 2001
[SSH Server-acl-basic-2001] rule permit source 10.137.217.10 0
[SSH Server-acl-basic-2001] rule permit source 10.137.217.20 0
[SSH Server-acl-basic-2001] rule deny source 10.137.217.30 0
[SSH Server-acl-basic-2001] quit
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] acl 2001 inbound
[SSH Server-ui-vty0-4] quit

• Log in to the SSH server as the client001 user from PC1 using the password authentication mode.

  # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

  Figure 10-23 PuTTY Configuration page - password authentication mode
  
  
  # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the SSH server.

  login as: client001
  Sent username "client001"
  
  client001@10.137.217.203's password:
  
  <SSH Server>

• Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.

  # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

  Figure 10-24 PuTTY Configuration page - RSA authentication mode (1)
  
  

  # Choose Connection > SSH in the navigation tree on the left. The page shown in Figure 10-25 is displayed. Select 2 for Preferred SSH protocol version.

  Figure 10-25 PuTTY Configuration page - RSA authentication mode (2)
  
  

  # Choose Connection > SSH > Auth in the navigation tree on the left. The page shown in Figure 10-26 is displayed. Select the private.ppk file corresponding to the public key configured on the server.

  Figure 10-26 PuTTY Configuration page - RSA authentication mode (3)
  
  
  # Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the SSH server. The following information is for reference only.

  login as: client002
  Authenticating with public key "rsa-key"
  
  <SSH Server>

<Huawei> system-view

[Huawei] sysname Router2

[Router2] telnet server permit interface all  //Specify the interfaces on the SSH server to which clients can connect in V300R019C11SPC100 and later versions. If no interface is specified, the Telnet service cannot be enabled.

[Router2] telnet server enable

[Router2] user-interface vty 0 4

[Router2-ui-vty0-4] user privilege level 3

[Router2-ui-vty0-4] authentication-mode aaa

[Router2-ui-vty0-4] quit

[Router2] aaa

[Router2-aaa] local-user admin1234 password irreversible-cipher YsHsjx_202206

[Router2-aaa] local-user admin1234 service-type telnet

[Router2-aaa] local-user admin1234 privilege level 3

[Router2-aaa] quit

[Router2] acl 2000

[Router2-acl-basic-2000] rule permit source 10.1.1.1 0

[Router2-acl-basic-2000] quit

[Router2] user-interface vty 0 4

[Router2-ui-vty0-4] acl 2000 inbound

[Router2-ui-vty0-4] quit

The ACL configuration is optional for the Telnet service.

# After the preceding configurations are complete, you can log in to Router2 from Router1 through Telnet, and cannot log in to Router2 from other devices. The following information is for reference only.

<Huawei> system-view

[Huawei] sysname Router1

[Router1] quit

<Router1> telnet 10.2.1.1

Login authentication

Username:admin1234
Password:

<Router2>

In versions earlier than V300R019C11: The server key pair length and host key pair length range from 512 to 2048, in bits. The default key pair length is 2048 bits.

In V300R019C11 and later versions: The minimum length of the server key pair and host key pair is 2048 bits, and the maximum length is 4096 bits. The default key pair length is 2048 bits.

<Huawei> system-view

[Huawei] sysname SSH Server

[SSH Server] rsa local-key-pair create

The key name will be: Host                                                      
RSA keys defined for Host already exist.                                        
Warning: Confirm to replace them! Continue? [Y/N]Y                                    
The range of public key size is (2048 ~ 4096).                                  
NOTES: If the key modulus is less than 2048,                                    
       It will introduce potential security risks.                              
Input the bits in the modulus[default = 2048]:2048                              
Generating keys...                                                              
..............................................................+++               
.....+++                                                                        
............................++++                                                
.....................++++   

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4

[SSH Server-ui-vty0-4] authentication-mode aaa

[SSH Server-ui-vty0-4] protocol inbound ssh

[SSH Server-ui-vty0-4] quit

• Create an SSH user named client001.

  # Create an SSH user named client001 and configure the password authentication mode for the user.

  [SSH Server] aaa

  [SSH Server-aaa] local-user client001 password irreversible-cipher YsHsjx_202206

  [SSH Server-aaa] local-user client001 privilege level 3

  [SSH Server-aaa] local-user client001 service-type ssh

  [SSH Server-aaa] quit

  [SSH Server] ssh user client001 authentication-type password

• Create an SSH user named client002.

  # Create an SSH user named client002 and configure the RSA authentication mode for the user.

  [SSH Server] aaa

  [SSH Server-aaa] local-user client002 password irreversible-cipher YsHsjx_202206

  [SSH Server-aaa] local-user client002 privilege level 3

  [SSH Server-aaa] local-user client002 service-type ssh

  [SSH Server-aaa] quit

  [SSH Server] ssh user client002 authentication-type rsa

  # Generate a local key pair for client002.

  <Huawei> system-view

  [Huawei] sysname client002

  [client002] rsa local-key-pair create

  The key name will be: Host
  RSA keys defined for Host already exist.
  Confirm to replace them? (y/n):y
  The range of public key size is (512 ~ 2048).
  NOTES: If the key modulus is less than 2048,
         It will introduce potential security risks.
  Input the bits in the modulus[default = 2048]:2048
  Generating keys...
  ......................................................................................+++
  ....+++
  .......................................++++++++
  ..............++++++++
  

  # Check the public key in the RSA key pair generated on the client.

  [client002] display rsa local-key-pair public

  =====================================================
  Time of Key pair created: 2012-08-06 17:17:37+00:00
  Key name: Host
  Key type: RSA encryption Key
  =====================================================
  Key code:
  30820109
    02820100
      CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
      A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
      5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
      4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
      B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
      3A5EA588 29C63E3B 20D56233 8E63278D F941734F
      6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
      97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
      CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
      CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
      59431600 341FEDEF 5379D565 A8D1953D DEA018A2
      72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
      83D556BC 5B44D983 8D5EA126 C1EB71CB 
    0203
      010001
  
  =====================================================
  Time of Key pair created: 2012-08-06 17:17:44+00:00
  Key name: Server
  Key type: RSA encryption Key
  =====================================================
  Key code:
  3067
    0260
      DF8AFF3C 28213B94 2292852E E98657EE 11DE5AF4
      8A176878 CDD4BD31 55E05735 3080F367 A83A9034
      47D534CA 81250C1D 35401DC3 464E9E5F A50202CF
      A7AD09CD AC3F531C A763F0A0 4C8E51B9 18755400
      76AF4A78 225C92C3 01FE0DFF 06908363
    0203
      010001 

  # Copy the RSA public key (the information in bold in the display command output) generated on the client to the server.

  [SSH Server] rsa peer-public-key rsakey001
  [SSH Server-rsa-public-key] public-key-code begin
  [SSH Server-rsa-key-code] 30820109
  [SSH Server-rsa-key-code] 02820100
  [SSH Server-rsa-key-code] CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
  [SSH Server-rsa-key-code] A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
  [SSH Server-rsa-key-code] 5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
  [SSH Server-rsa-key-code] 4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
  [SSH Server-rsa-key-code] B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
  [SSH Server-rsa-key-code] 3A5EA588 29C63E3B 20D56233 8E63278D F941734F
  [SSH Server-rsa-key-code] 6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
  [SSH Server-rsa-key-code] 97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
  [SSH Server-rsa-key-code] CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
  [SSH Server-rsa-key-code] CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
  [SSH Server-rsa-key-code] 59431600 341FEDEF 5379D565 A8D1953D DEA018A2
  [SSH Server-rsa-key-code] 72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
  [SSH Server-rsa-key-code] 83D556BC 5B44D983 8D5EA126 C1EB71CB
  [SSH Server-rsa-key-code] 0203
  [SSH Server-rsa-key-code] 010001
  [SSH Server-rsa-key-code] public-key-code end
  [SSH Server-rsa-public-key] peer-public-key end

  # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

  [SSH Server] ssh user client002 assign rsa-key rsakey001

# Enable the STelnet service.

[SSH Server] ssh server permit interface all // Specify the interfaces on the SSH server to which clients can connect in V300R019C11SPC100 and later versions. If no interface is specified, the STelnet service cannot be enabled.
[SSH Server] stelnet server enable

[SSH Server] ssh server port 1025

# Enable the first authentication function on the SSH client upon the first login.

Enable the first authentication function for client001.

<Huawei> system-view

[Huawei] sysname client001

[client001] ssh client first-time enable

Enable the first authentication function for client002.

[client002] ssh client first-time enable

# Log in to the SSH server from client001 in password authentication mode by entering the user name and password.

[client001] stelnet 10.1.1.1 1025

Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(y/n)[n]:y
Save the server's public key?(y/n)[n]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Enter password:   

Enter the password. The following information indicates that you have logged in successfully:

<SSH Server>

# Log in to the SSH server from client002 in RSA authentication mode.

[client002] stelnet 10.1.1.1 1025

Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it?(y/n)[n]:y
Save the server's public key?(y/n)[n]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...

<SSH Server>

The user enters the user view, indicating that login succeeds.

# Attackers fail to log in to the SSH server using the default listening port number 22.

[client002] stelnet 10.1.1.1

Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.

# Run the display ssh server status command on the SSH server. The command output shows that the STelnet service has been enabled. Run the display ssh user-information command. Information about the configured SSH users is displayed.

# Check the status of the SSH server.

[SSH Server] display ssh server status

 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH Authentication retries          :3 times
 SFTP Server                         :Disable
 Stelnet server                      :Enable
 
 SSH server port                     :1025

# Check information about SSH users.

[SSH Server] display ssh user-information

-------------------------------------------------------------------------------
 Username         Auth-type          User-public-key-name
 -------------------------------------------------------------------------------
 client001        password           null
 client002        rsa                rsakey001
 -------------------------------------------------------------------------------

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface async 2/0/1
[RouterA-Async2/0/1] async mode flow

[RouterA] display user-interface 
  Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int                    
  0    CON 0    9600       -     15    -           N     -                      
  41   TTY 41   9600       inout 0     -           N     2/0/0                  
  42   TTY 42   9600       -     0     -           N     2/0/1                  
  43   TTY 43   9600       -     0     -           N     2/0/2                  
  44   TTY 44   9600       -     0     -           N     2/0/3                  
  45   TTY 45   9600       -     0     -           N     2/0/4                  
  46   TTY 46   9600       -     0     -           N     2/0/5                  
  47   TTY 47   9600       -     0     -           N     2/0/6                  
  48   TTY 48   9600       -     0     -           N     2/0/7                  
+ 129  VTY 0               -     15    4           N     -                      
  130  VTY 1               -     15    -           N     -                      
  131  VTY 2               -     15    -           N     -                      
  132  VTY 3               -     15    -           N     -                      
  133  VTY 4               -     15    -           N     -                      
  145  VTY 16              -     0     -           P     -                      
  146  VTY 17              -     0     -           P     -                      
  147  VTY 18              -     0     -           P     -                      
  148  VTY 19              -     0     -           P     -                      
  149  VTY 20              -     0     -           P     -                      

[RouterA] ip vpn-instance vpna
[RouterA-vpn-instance-vpna] route-distinguisher 1:1
[RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
[RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
[RouterA-vpn-instance-vpna-af-ipv4] quit
[RouterA-vpn-instance-vpna] quit
[RouterA] interface gigabitethernet 0/0/1
[RouterA-GigabitEthernet0/0/1] ip binding vpn-instance vpna 
[RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[RouterA-GigabitEthernet0/0/1] quit

[RouterA] user-interface tty 42
[RouterA-ui-tty42] undo shell
[RouterA-ui-tty42] redirect enable
[RouterA-ui-tty42] redirect listen-port 2042
[RouterA-ui-tty42] redirect binding vpn-instance vpna
[RouterA-ui-tty42] authentication-mode password
[RouterA-ui-tty42] set authentication password cipher
Enter Password(<8-128>):
Confirm password:
[RouterA-ui-tty42] quit
[RouterA] quit

If the redirection function is not associated with the VPN instance to which the private users belong, all users on public and private networks can log in to RouterB.

<RouterA> display tcp status
TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State      
19fde824 9  /2    0.0.0.0:22            0.0.0.0:0             23553  Listening  
19fde6c0 9  /1    0.0.0.0:23            0.0.0.0:0             23553  Listening  
19fde130 109/1    0.0.0.0:80            0.0.0.0:0             23553  Listening  
19fdef18 9  /4    0.0.0.0:2042         0.0.0.0:0             23553  Listening  
19fde55c 7  /1    0.0.0.0:7547          0.0.0.0:0             0      Listening  
19fdf07c 9  /9    10.137.217.211:23     10.138.77.61:2567     0      Established
19fdf344 9  /10   10.137.217.211:23     10.138.77.69:2824     0      Time_Wait 

# Run the telnet 10.1.1.1 2042 command on the PC client to log in to RouterA through a specified port (the default port number is 2000 plus the TTY user interface number), and then press Enter to log in to RouterB.

C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
Press CTRL_] to quit telnet mode      
  Trying 10.1.1.1...                     
  Connected to 10.1.1.1...        
Login authentication


Password:
 <RouterA>
 [RouterB]

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] ip vpn-instance vrf1
[RouterA-vpn-instance-vrf1] ipv4-family
[RouterA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
[RouterA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
[RouterA-vpn-instance-vrf1-af-ipv4] quit
[RouterA-vpn-instance-vrf1] quit

[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip binding vpn-instance vrf1
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip binding vpn-instance vrf1
[RouterA-GigabitEthernet2/0/0] ip address 10.2.1.2 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] ip binding vpn-instance vrf1
[RouterA-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
[RouterA-GigabitEthernet3/0/0] quit

[RouterA] set net-manager vpn-instance vrf1

The VPN configured using this command affects the following service modules on the device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and TACACS. To access the public network, you must set the public-net parameter.

# Enable the HWTACACS function and configure an HWTACACS server template named ht.

[RouterA] hwtacacs enable
[RouterA] hwtacacs-server template ht

# Configure an IP address for the HWTACACS authentication and authorization server and bind the VPN instance.

[RouterA-hwtacacs-ht] hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
[RouterA-hwtacacs-ht] hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1

# Configure a key for the HWTACACS server.

[RouterA-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
[RouterA-hwtacacs-ht] quit

# Enter the AAA view.

[RouterA] aaa

# Configure authentication scheme scheme1 and set the authentication mode to HWTACACS.

[RouterA-aaa] authentication-scheme scheme1
[RouterA-aaa-authen-scheme1] authentication-mode hwtacacs
[RouterA-aaa-authen-scheme1] quit

# Configure authorization scheme scheme2 and set the authorization mode to HWTACACS.

[RouterA-aaa] authorization-mode scheme2
[RouterA-aaa-authen-scheme2] authorization-mode hwtacacs
[RouterA-aaa-authen-scheme2] quit

# Configure the domain huawei. Use the HWTACACS authentication scheme scheme1, HWTACACS authorization scheme scheme2, and HWTACACS template ht in the domain.

[RouterA-aaa] domain huawei
[RouterA-aaa-domain-huawei] authentication-scheme scheme1
[RouterA-aaa-domain-huawei] authorization-mode scheme2
[RouterA-aaa-domain-huawei] hwtacacs-server ht
[RouterA-aaa-domain-huawei] quit

# Configure a local user named sshuser001 in the domain huawei. After the configuration is complete, the sshuser001 user uses the authentication and authorization modes in the domain huawei.

[RouterA-aaa] local-user sshuser001@huawei password
Please configure the password (8-128)
Enter Password:                                                                 
Confirm Password:
[RouterA-aaa] local-user sshuser001@huawei service-type ssh
[RouterA-aaa] quit

[RouterA] ssh user sshuser001 authentication-type password

[RouterA] ssh server permit interface all //Specify the interfaces on the SSH server to which clients can connect in V300R019C11SPC100 and later versions. If no interface is specified, the STelnet service cannot be enabled.
[RouterA] stelnet server enable

# Enable the SNMP agent function.

[RouterA] snmp-agent

# Set the SNMP version to SNMPv3.

[RouterA] snmp-agent sys-info version v3

# Configure a MIB view.

[RouterA] snmp-agent mib-view iso include iso

# Configure a user group and users in the group, and authenticate and encrypt user data.

[RouterA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
[RouterA] snmp-agent usm-user v3 nms-admin group admin
[RouterA] snmp-agent usm-user v3 nms-admin authentication-mode sha
Please configure the authentication password (10-255)
Enter Password:
Confirm Password: 
[RouterA] snmp-agent usm-user v3 nms2-admin privacy-mode aes128
Please configure the privacy password (10-255)
Enter Password:
Confirm Password:

# Configure the alarm function.

[RouterA] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsnam abc
[RouterA] snmp-agent trap enable

[RouterA] ssh client first-time enable
[RouterA] sftp 10.1.1.1
[RouterA] put aaa.cfg

After completing the configuration, perform the following operations to check whether the configuration takes effect.

# Check the SNMP version.

[RouterA] display snmp-agent sys-info version
   SNMP version running in the system:
           SNMPv3

# Check local user information.

[RouterA] display snmp-agent usm-user
   User name: nms-admin,
   Engine ID: 800007DB0300259E0370C3 active
   Group-name: admin
   Authentication mode: sha
   Privacy mode: aes128
   User state: Active

Check whether a correct serial port is connected. Some PCs provide multiple serial ports with corresponding numbers. When connecting a serial port, ensure that the correct serial port number is selected.

Check that the serial port settings on the PC are the same as the console port settings on the device, as shown in Figure 10-31. The default console port settings are as follows:

• Baud rate: 9600
• Data bits: 8
• Stop bits: 1
• Parity: None
• Flow control: None

Figure 10-31 Setting the connected port and communication parameters

Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether an ACL is configured in the VTY user interface view. If so, record the ACL number.

Run the display acl acl-number command on the Telnet server to check whether the IP address of the Telnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether protocol inbound is set to telnet or all. By default, the system supports the SSH and Telnet protocol. If not, run the protocol inbound { telnet | all } command to allow Telnet users to connect to the device.

• If password authentication is configured using the authentication-mode password command, you must enter the password upon login.

• If AAA authentication is configured using the authentication-mode aaa command, you must run the local-user command to create a local AAA user.

Log in to the SSH server through the console port or using Telnet and run the display ssh server status command to check the SSH server configuration.

If the STelnet service is disabled, run the stelnet server enable command to enable the STelnet service on the SSH server.

Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether protocol inbound is set to ssh or all. If not, run the protocol inbound { ssh | all } command to allow STelnet users to log in to the device.

A local key pair must be configured when the device works as the SSH server.

Run the display rsa local-key-pair public command on the SSH server to check the current key pair. If no information is displayed, no key pair is configured on the server. Run the rsa local-key-pair create command to create a key pair.

To ensure high security, it is recommended that the RSA authentication mode be not used.

Run the display ssh user-information command to view the SSH user configuration. If no configuration is available, run the ssh user authentication-type commands in the system view to create an SSH user and set an authentication mode for the SSH user.

Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether an ACL is configured on the VTY user interface. If so, record the ACL number.

Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

Run the display ssh server status command on the SSH server to check the SSH version.

If the version is SSHv1, run the ssh server compatible-ssh1x enable command to configure the version compatibility function on the server.

Run the display this command in the system view on the SSH client to check whether first-time authentication is enabled on the SSH client.

If not, the initial login of the SSH client fails because validity check on the public key of the SSH server fails. Run the ssh client first-time enable command to enable first-time authentication on the SSH client.