Managing Files When the Device Functions as an SCP Client
Pre-configuration Tasks
Before connecting to a device as an SCP client to manage files, complete the following tasks:
- Ensure that routes are reachable between the current device and the SSH server.
- Obtain the host name or IP address of the SSH server and SSH user information.
- Obtain the listening port number of the SSH server if the default listening port number is not used.
Configuration Procedure
Table 7-47 describes the procedure for managing files when the device functions as an SCP client.

No. | Task | Description | Remarks
---|---|---|---
1 | Configure the SCP client source address. | To ensure communication security, the source address can be set to a source IP address or a source interface. | Tasks 1, 2, and 3 can be performed in any sequence.
2 | Generate a local key pair and configure the public key on the SSH server. | Perform this task only if the device logs in to the SSH server in RSA, DSA, or ECC authentication mode. | 
3 | Configure the initial SSH connection by enabling the initial authentication function or by saving the public key of the SSH server on the SSH client. | | 
4 | Run SCP commands to connect to the SSH server and transfer files. | | 
Procedure
- (Optional) Configure the SCP client source address.

Table 7-48 (Optional) Configuring the SCP client source address

Operation | Command | Description
---|---|---
Enter the system view. | system-view | -
Configure the SCP client source address. | scp client-source { -a source-ip-address \| -i interface-type interface-number } | By default, no source IP address is configured on the SCP client.
- Generate a local key pair.
Perform this step only if the device logs in to the SSH server in RSA, DSA, or ECC authentication mode. It is not required if password authentication is used.

Table 7-49 Generating a local key pair

Operation | Command | Description
---|---|---
Enter the system view. | system-view | -
Generate the local key pair. | rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create | Run the one command that matches the key type configured on the remote end. Prefer ecc or rsa: SSH DSA keys are fixed at 1024 bits and are disabled by default in current OpenSSH servers. Then run display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public to view the public key of the local key pair, and configure that public key on the SSH server.
- Configure the initial SSH connection.
Until the client has saved the SSH server's public key, it cannot connect to the server. Configure the initial SSH connection in either of the following ways:
- Enable first authentication on the SSH client. This allows the client to connect to an SSH server for the first time without validating the server's public key; after that first connection succeeds, the client automatically saves the server's public key and checks it on subsequent connections. For details, see Table 7-50. This method is simple, but the first connection itself is not authenticated: a host that intercepts it can present its own key and be trusted from then on.
- Save the SSH server's public key on the client beforehand, so that the client can authenticate the server on the very first connection. For details, see Table 7-51. This method is more secure but more complex than the first.
Table 7-50 Enabling first authentication for the SSH client

Operation | Command | Description
---|---|---
Enter the system view. | system-view | -
Enable first authentication for the SSH client. | ssh client first-time enable | By default, first authentication is disabled on the SSH client.
Table 7-51 Configuring the SSH client to assign the RSA, DSA, or ECC public key to the SSH server

Operation | Command | Description
---|---|---
Enter the system view. | system-view | -
Enter the RSA, DSA, or ECC public key view. | rsa peer-public-key key-name [ encoding-type { der \| openssh \| pem } ], dsa peer-public-key key-name encoding-type { der \| openssh \| pem }, or ecc peer-public-key key-name encoding-type { der \| openssh \| pem } | Run the one command that matches the server's key type.
Enter the public key editing view. | public-key-code begin | -
Edit the public key. | hex-data | hex-data is the public key generated on the SSH server, entered as a hexadecimal string in the encoding format selected above. Obtain it from the server's administrator over a trusted channel and compare its fingerprint before entering it; this is the key the client will trust from then on.
Exit from the public key editing view. | public-key-code end | If hex-data is invalid, no public key is generated when you run this command. If the key key-name has been deleted in the meantime, the system reports that the key does not exist and returns to the system view.
Return to the system view. | peer-public-key end | -
Bind the RSA, DSA, or ECC public key to the SSH server. | ssh client servername assign { rsa-key \| dsa-key \| ecc-key } keyname | servername is the host name or IP address of the SSH server. If the saved public key no longer matches the server (for example, the server's host key was changed), run undo ssh client servername assign { rsa-key \| dsa-key \| ecc-key } to cancel the binding, then run this command again to assign the new public key.
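Before the server's public key is entered with public-key-code begin / end, it is worth checking that what you were handed is a well-formed key of the expected type and that its fingerprint matches what the server administrator reports. The following is an added example written for this page, not code from the switch documentation: it parses an OpenSSH one-line public key (the RFC 4253/5656 wire blob in base64), validates its structure, flags weak key types and sizes, prints the SHA256 fingerprint in the same form as `ssh-keygen -lf`, and dumps the blob as hex. The sample keys it builds are constructed, structurally valid placeholders, not real key material; the hex it prints is the raw OpenSSH blob, and which hex layout the switch expects for a given encoding-type is not stated on this page and must be taken from the command reference.

```python
"""Check an SSH server's public key before saving it on the SCP client.

Added example: parse an OpenSSH one-line public key, validate it, and
print the SHA256 fingerprint for out-of-band comparison.
"""
import base64
import hashlib
import struct

# Uncompressed EC point is 0x04 || X || Y, each coordinate ceil(bits/8) bytes.
_NIST_CURVES = {"nistp256": 256, "nistp384": 384, "nistp521": 521}


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[off:off + n], off + n


def parse_openssh_pubkey(line):
    """Return a dict describing the key; raise ValueError if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"prefix {key_type!r} does not match blob type {wire_type!r}")
    info = {"type": key_type, "blob": blob, "warnings": []}

    if key_type == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        info["exponent"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
        if info["bits"] < 2048:
            info["warnings"].append("RSA modulus shorter than 2048 bits")
    elif key_type.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        curve = curve.decode("ascii", "replace")
        if key_type != "ecdsa-sha2-" + curve or curve not in _NIST_CURVES:
            raise ValueError(f"unsupported or mismatched curve {curve!r}")
        bits = _NIST_CURVES[curve]
        coord = (bits + 7) // 8
        if len(point) != 1 + 2 * coord or point[0] != 0x04:
            raise ValueError("expected an uncompressed EC point")
        info["curve"], info["bits"] = curve, bits
    elif key_type == "ssh-dss":
        p, off = _read_string(blob, off)
        for _ in range(3):  # q, g, y
            _, off = _read_string(blob, off)
        info["bits"] = int.from_bytes(p, "big").bit_length()
        # SSH DSA keys are fixed at 1024 bits and disabled by default in
        # current OpenSSH; prefer RSA or ECC.
        info["warnings"].append("ssh-dss is a weak, legacy key type")
    else:
        raise ValueError(f"unsupported key type {key_type!r}")

    if off != len(blob):
        raise ValueError("trailing data after key")
    return info


def fingerprint_sha256(blob):
    """SHA256 fingerprint as ssh-keygen -lf prints it (base64 without padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


# --- constructed sample key (structurally valid, NOT real key material) ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(x):
    # Positive mpint: add a leading zero byte when the top bit is set.
    return _ssh_string(x.to_bytes((x.bit_length() + 8) // 8, "big"))


def build_sample_rsa_key(bits=2048):
    """Assemble an ssh-rsa line with e=65537 and a dummy modulus of `bits` bits."""
    n = (1 << (bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " sample@example"


if __name__ == "__main__":
    key = parse_openssh_pubkey(build_sample_rsa_key())
    print(key["type"], key["bits"], "bits", fingerprint_sha256(key["blob"]))
    for warning in key["warnings"]:
        print("WARNING:", warning)
    print("hex blob:", key["blob"].hex())
```

Run it against the key file the server administrator gives you (for example the contents of the server's ssh_host_rsa_key.pub) and compare the printed fingerprint with the one they read back from `ssh-keygen -lf` on the server. Only then enter the key in the public key editing view.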
- Run SCP commands to connect to the SSH server.
Unlike SFTP, SCP has no interactive session: a single scp command establishes the connection, uploads the file to or downloads it from the server, and then closes the connection.

Table 7-52 Running SCP commands to connect to the SSH server

Operation | Command | Description
---|---|---
Enter the system view. | system-view | -
(Optional) Configure a key exchange algorithm list for the SSH client. | ssh client key-exchange { dh_group14_sha256 \| dh_group15_sha512 \| dh_group16_sha512 \| dh_group_exchange_sha256 } * | By default, an SSH client supports all of the listed key exchange algorithms. The system software does not support the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 parameters; to use them you need to install the WEAKEA plug-in (see the note below the table). For higher security, use the SHA-2 based parameters instead.
(Optional) Configure an encryption algorithm list for the SSH client. | ssh client cipher { aes128_ctr \| aes256_ctr } * | By default, an SSH client supports all of the listed encryption algorithms. The system software does not support the aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc parameters; to use them you need to install the WEAKEA plug-in (see the note below the table). For higher security, specify aes256_ctr or aes128_ctr.
(Optional) Configure an HMAC algorithm list for the SSH client. | ssh client hmac sha2_256 | By default (the WEAKEA plug-in is not installed), the device supports only the sha2_256 HMAC algorithm. When the WEAKEA plug-in is installed, it also supports sha2_256_96, sha1, sha1_96, md5, and md5_96; the system software itself does not support these parameters (see the note below the table). For higher security, specify sha2_256.
Connect the SCP client to the SCP server based on IPv4. | scp [ -port port-number \| { public-net \| vpn-instance vpn-instance-name } \| identity-key { dsa \| rsa \| ecc } \| user-identity-key { rsa \| dsa \| ecc } \| { -a source-address \| -i interface-type interface-number } \| -r \| -cipher cipher \| -c ] * sourcefile destinationfile | Run one of the two scp commands based on the IP address type. NOTE: Specify an aes128 or aes256 cipher with -cipher to improve data transmission security.
Connect the SCP client to the SCP server based on IPv6. | scp ipv6 [ -port port-number \| { public-net \| vpn-instance vpn-instance-name } \| identity-key { dsa \| rsa \| ecc } \| user-identity-key { rsa \| dsa \| ecc } \| -a source-address \| -r \| -cipher cipher \| -c ] * sourcefile destinationfile [ -oi interface-type interface-number ] | The file system limits the number of files in the root directory to 50. Creating more files than this in the root directory may fail.

NOTE: For the WEAKEA plug-in, search for Plug-in Usage Guide at the Huawei technical support website (Enterprise Network or Carrier) and choose the plug-in usage guide for your switch model and software version. If you do not have permission to access the website, contact technical support personnel.
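The whole procedure end to end, as an added example that is not from the switch documentation: the device authenticates to the server with an ECC key pair, the server's public key is saved on the client out-of-band (so first-time enable stays disabled), the client is restricted to the strong algorithm set, and one file is copied each way. The addresses (10.1.1.1 for the switch, 10.1.1.2 for the server), the key name scpserver-key, the user name admin, the file names, the remote-file form user@host:path, the prompts, and the use of identity-key / user-identity-key to select the ECC keys configured above are all assumptions. Lines starting with # are annotations, not CLI input, and the hex data placeholder stands for the server's real public key.

```text
# Added example: switch 10.1.1.1 as SCP client, SSH server 10.1.1.2 (constructed addresses)
<HUAWEI> system-view
[HUAWEI] scp client-source -a 10.1.1.1
# Local ECC key pair for public-key authentication; copy the displayed public key
# to the SSH server's authorized keys for user admin
[HUAWEI] ecc local-key-pair create
[HUAWEI] display ecc local-key-pair public
# Server host key obtained out-of-band, fingerprint compared with the server
# administrator, then entered here. ssh client first-time enable is NOT used,
# so the very first connection already authenticates the server.
[HUAWEI] ecc peer-public-key scpserver-key encoding-type der
[HUAWEI-ecc-public-key] public-key-code begin
[HUAWEI-ecc-key-code] <hex-data of the server's public key>
[HUAWEI-ecc-key-code] public-key-code end
[HUAWEI-ecc-public-key] peer-public-key end
[HUAWEI] ssh client 10.1.1.2 assign ecc-key scpserver-key
# Restrict the client to the strong algorithm set (no WEAKEA plug-in installed)
[HUAWEI] ssh client key-exchange dh_group16_sha512 dh_group_exchange_sha256
[HUAWEI] ssh client cipher aes256_ctr
[HUAWEI] ssh client hmac sha2_256
# Each scp command is a single transfer: upload the configuration archive, then
# download a file. The client checks the server key bound above and signs the
# user authentication with the local ECC key.
[HUAWEI] scp -cipher aes256_ctr identity-key ecc user-identity-key ecc flash:/vrpcfg.zip admin@10.1.1.2:vrpcfg-backup.zip
[HUAWEI] scp -cipher aes256_ctr identity-key ecc user-identity-key ecc admin@10.1.1.2:new-image.cc flash:/new-image.cc
```

If the server's host key is ever replaced, the second scp fails server authentication until the binding is removed with undo ssh client 10.1.1.2 assign ecc-key and the new key is entered and bound again; that failure is the protection the out-of-band method buys over first-time enable, so do not work around it by enabling first authentication.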