NetEngine AR600, AR6100, AR6200, and AR6300 V300R021 Command Reference
User Login Configuration Commands
- Support for User Login
- connect
- config lock
- config unlock interval
- display config lock
- display ecc local-key-pair public
- display ecc peer-public-key
- display rsa local-key-pair public
- display rsa peer-public-key
- display ssh server
- display ssh user-information
- display telnet server status
- display telnet-client
- ecc local-key-pair
- ecc peer-public-key
- exline-breaker
- language character-set
- lock
- matched upper-view
- peer-public-key end
- public-key-code begin
- public-key-code end
- redirect binding vpn-instance
- redirect enable
- redirect listen-port
- rsa local-key-pair create
- rsa local-key-pair destroy
- rsa peer-public-key
- send
- set insecure-protocol enable
- ssh client assign
- ssh client first-time enable
- ssh server authentication-retries
- ssh server compatible-ssh1x enable
- ssh server cipher
- ssh server hmac
- ssh server key-exchange
- ssh server permit interface
- ssh server port
- ssh server rekey-interval
- ssh server timeout
- ssh server-source
- ssh user assign
- ssh user authentication-type
- ssh user default-authentication-type
- stelnet
- stelnet server enable
- super
- super password
- telnet
- telnet client-source
- telnet server-source
- telnet server permit interface
- telnet server enable
- telnet server port
- transparent-mode enable
- system lock type
Support for User Login
Hardware Requirements
This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.
connect
Function
The connect command establishes a control connection between a dumb terminal and a remote server.
The undo connect command closes a control connection between a dumb terminal and a remote server.
By default, a dumb terminal and a remote server do not establish a control connection.
Format
connect host [ port-number ] [ -a source-ip-address | -i interface-type interface-number ] [ -t interval ]
undo connect
Parameters
Parameter | Description | Value |
---|---|---|
host | Specifies the IP address or host name of the remote server. | The value is a string of 1 to 255 case-insensitive characters without spaces. |
port-number | Specifies the port number of a remote server. | The value is an integer that ranges from 1 to 55535. The default value 23 is the standard Telnet server port number. |
-a source-ip-address | Specifies the source IP address of the local router. | The value is in dotted decimal notation. |
-i interface-type interface-number | Specifies the outbound interface of the local router. | - |
-t interval | Specifies the interval at which the local router automatically establishes a connection to the remote server. | The value is an integer that ranges from 5 to 60, in seconds. |
Usage Guidelines
Usage Scenario
If a dumb terminal that has no IP address configured initiates a control connection setup request to a remote server through the router, run the connect command on the router to establish a control connection between the dumb terminal and remote server.
Precautions
The dumb terminal must connect to the asynchronous serial interface of the router.
If -t interval is not specified, the local router does not automatically establish a control connection to the remote server.
config lock
Function
The config lock command locks the system configuration.
The undo config lock command unlocks the system configuration.
By default, the system configuration is unlocked.
Usage Guidelines
Usage Scenario
To prevent other users from modifying or deleting configured data, you can run the config lock command to lock the configuration management plane before data configuration. After completing data configuration, run the undo config lock command to unlock the configuration management plane so that other users can perform data configuration.
Precautions
The locked system configuration can be unlocked by only the user who locks it, the super administrator (run the user privilege command to set the user level to 15), or the network management system (NMS) user.
Example
# Lock the system configuration.
<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei] config lock
Info: The system config is locked
# Unlock the system configuration.
<Huawei> system-view
Enter system view, return user view with Ctrl+Z.
[Huawei] undo config lock
Info: The system config is unlocked
config unlock interval
Function
The config unlock interval command configures the interval for unlocking a device.
The default interval is 5 minutes.
Parameters
Parameter | Description | Value |
---|---|---|
time | Specifies the interval for unlocking a device. | The value is an integer ranging from 1 to 255, in minutes. |
Usage Guidelines
Usage Scenario
If the device configuration is locked by the config lock command, other users cannot modify it. In this case, run the config unlock interval command to configure the unlock interval, after which the device configuration is unlocked automatically.
Precautions
This command can be used by only the super administrator (run the user privilege command to set the user level to 15) and NMS user.
If you run the command multiple times, only the latest configuration takes effect.
The unlocking interval starts from the last time the current user configures the system.
display config lock
Usage Guidelines
If you cannot configure the device after logging in to it, you can run this command. After this command is executed successfully, the system displays the configured lock information, such as the lockout duration and whether the lock is enabled. If the current system configuration is locked, the command output includes the type, name, and IP address of the user who locks the configuration. If the IP address does not exist, no information is displayed.
If the current system configuration is locked by a user of a certain privilege level, only the user of the same or higher privilege level can query information about the user that locks the configuration. The user of a lower privilege level cannot query the information. If the user of a lower privilege level queries the information, the system displays a message indicating that the system configuration is locked by a user of a higher privilege level.
Example
# Display lock information about the system configuration (when configuration is not locked).
<Huawei> display config lock
------------------------------------------------------------------------------
automatically unlocked interval(minute): 5
locked state: unlocked
------------------------------------------------------------------------------
Item | Description |
---|---|
automatically unlocked interval(minute) | Interval after which the system automatically unlocks the configuration, in minutes. |
locked state | Whether the current system configuration is locked. The value is of the enumerated type: locked or unlocked. |
# Display lock information about the system configuration (when configuration is locked).
<Huawei> display config lock
------------------------------------------------------------------------------
automatically unlocked interval(minute): 5
locked state: locked
locked user type: telnet
locked user name: huawei
locked user IP address: 192.168.0.1
------------------------------------------------------------------------------
Item | Description |
---|---|
automatically unlocked interval(minute) | Interval after which the system automatically unlocks the configuration, in minutes. |
locked state | Whether the current system configuration is locked. The value is of the enumerated type: locked or unlocked. |
locked user type | Type of the user who locks the system configuration, for example, telnet. |
locked user name | Name of the user who locks the system configuration. |
locked user IP address | IP address of the user who locks the system configuration. If the IP address does not exist, no information is displayed. |
display ecc local-key-pair public
Function
The display ecc local-key-pair public command displays information about the public key in the local Elliptic Curves Cryptography (ECC) key pair.
Usage Guidelines
Usage Scenario
You can run the display ecc local-key-pair public command to check information about the public key in the local ECC key pair on a client and then copy the public key to the server. The public key enables a server to authenticate users and ensures the login of authorized users.
Pre-configuration Tasks
You must run the ecc local-key-pair create command to generate a local ECC host key pair before using the command.
Example
# Display information about the public key in the local ECC key pair on a client.
<Huawei> display ecc local-key-pair public
=====================================================
Time of Key pair created:2016-06-10 04:45:43+00:00
Key name : localhost_Host_ECC
Key modulus : 256
Key type : ECC encryption Key
Key fingerprint:
=====================================================
Key code:
04B8EC97 382591C6 BE764727 0B06F673 4E3FF3C9 C10F98F9 4D7D9B09 593DF604
D1465979 107F638D 59771BD1 C1C2D325 B7C3A331 9646B76F A9BACA98 4C0F19D2
BC

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjslzglkca+
dkcnCwb2c04/88nBD5j5TX2bCVk99gTRRll5EH9jjVl3G9HBwtMlt8OjMZZGt2+p
usqYTA8Z0rw=
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjslzglkca+dkcnCwb2c04/88nBD5j5TX2bCVk99gTRRll5EH9jjVl3G9HBwtMlt8OjMZZGt2+pusqYTA8Z0rw= ecdsa-key
Item | Description |
---|---|
Time of Key pair created | Time when the public key in the local ECC key pair is generated, in the format of YYYY-MM-DD HH:MM:SS. |
Key Name | Name of the public key in the local ECC key pair. |
Key modulus | Length of the public key in the local ECC key pair. |
Key Type | Type of the public key in the local ECC key pair. |
Key Code | Code of the public key in the local ECC key pair configured using the ecc local-key-pair command. |
Host public key for PEM format code | PEM code of the public key in the local ECC key pair. |
Public key code for pasting into OpenSSH authorized_keys file | Public key in the local ECC key pair used for OpenSSH authentication. Copy the public key to the authorized_keys file of OpenSSH to make the key effective. |
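Before the displayed key is copied into an OpenSSH authorized_keys file or into a peer-public-key view on another device, it is worth confirming that the three representations printed above (hex Key code, SSH2 PEM block, authorized_keys line) really describe the same nistp256 point, so that a transcription error or a tampered copy is caught before it is trusted. The Python below is an added example, not part of the Huawei documentation; it decodes the SSH wire format of the key shown in the output above and assumes the OpenSSH SHA256 fingerprint style for display.

```python
import base64
import hashlib
import re

# Expected size of an uncompressed SEC1 point (0x04 || X || Y) per curve.
CURVE_POINT_LEN = {"nistp256": 65, "nistp384": 97, "nistp521": 133}

# The same key in its three representations, copied from the
# display ecc local-key-pair public output above.
KEY_CODE_HEX = (
    "04B8EC97 382591C6 BE764727 0B06F673 4E3FF3C9 C10F98F9 4D7D9B09 593DF604 "
    "D1465979 107F638D 59771BD1 C1C2D325 B7C3A331 9646B76F A9BACA98 4C0F19D2 BC")
AUTHORIZED_KEYS_LINE = (
    "ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjslzglkca+dkcnCwb2c04/"
    "88nBD5j5TX2bCVk99gTRRll5EH9jjVl3G9HBwtMlt8OjMZZGt2+pusqYTA8Z0rw= ecdsa-key")
RFC4716_TEXT = """---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLjslzglkca+
dkcnCwb2c04/88nBD5j5TX2bCVk99gTRRll5EH9jjVl3G9HBwtMlt8OjMZZGt2+p
usqYTA8Z0rw=
---- END SSH2 PUBLIC KEY ----"""


def _read_string(blob, pos):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    if pos + 4 > len(blob):
        raise ValueError("truncated length field at offset %d" % pos)
    n = int.from_bytes(blob[pos:pos + 4], "big")
    if pos + 4 + n > len(blob):
        raise ValueError("string body runs past end of key data")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_ssh_ecdsa_blob(blob):
    """Decode an ECDSA key blob: string key-type, string curve, string point."""
    key_type, pos = _read_string(blob, 0)
    curve, pos = _read_string(blob, pos)
    point, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the key data")
    key_type, curve = key_type.decode("ascii"), curve.decode("ascii")
    if key_type != "ecdsa-sha2-" + curve:
        raise ValueError("key type %s does not name curve %s" % (key_type, curve))
    expected = CURVE_POINT_LEN.get(curve)
    if expected is None:
        raise ValueError("unsupported curve " + curve)
    if len(point) != expected or point[0] != 0x04:
        raise ValueError("point is not a %d-byte uncompressed SEC1 point" % expected)
    return {"type": key_type, "curve": curve, "point": point}


def validate_blob(blob):
    """Return None when the blob is well formed, otherwise the rejection reason."""
    try:
        parse_ssh_ecdsa_blob(blob)
    except ValueError as err:
        return str(err)
    return None


def blob_from_authorized_keys_line(line):
    """Take the base64 field of '<type> <base64> [comment]' and check the type."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if parse_ssh_ecdsa_blob(blob)["type"] != fields[0]:
        raise ValueError("leading type field does not match the encoded type")
    return blob


def blob_from_rfc4716(text):
    """Join the base64 body between the SSH2 PUBLIC KEY markers (headers skipped)."""
    m = re.search(r"-+ BEGIN SSH2 PUBLIC KEY -+(.*?)-+ END SSH2 PUBLIC KEY -+", text, re.S)
    if not m:
        raise ValueError("no SSH2 PUBLIC KEY block found")
    body = "".join(l.strip() for l in m.group(1).splitlines() if ":" not in l)
    return base64.b64decode(body, validate=True)


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def point_matches_key_code(blob, key_code_hex):
    """Compare the encoded point with the hex 'Key code' the device printed."""
    point = parse_ssh_ecdsa_blob(blob)["point"]
    return point == bytes.fromhex("".join(key_code_hex.split()))


if __name__ == "__main__":
    blob = blob_from_authorized_keys_line(AUTHORIZED_KEYS_LINE)
    print("curve:", parse_ssh_ecdsa_blob(blob)["curve"])
    print("fingerprint:", fingerprint_sha256(blob))
    print("PEM and authorized_keys agree:", blob_from_rfc4716(RFC4716_TEXT) == blob)
    print("point equals device key code:", point_matches_key_code(blob, KEY_CODE_HEX))
```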
display ecc peer-public-key
Function
The display ecc peer-public-key command displays information about the ECC public key configured on the remote end.
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays brief information about the ECC public key configured on the remote end. | - |
name key-name | Displays the ECC public key with the specified name. | The value is a string of 1 to 30 case-sensitive characters without spaces. |
Usage Guidelines
Usage Scenario
You can run the display ecc peer-public-key command on a client to check information about the public key configured on the remote end. The public key enables a server to authenticate users and ensures the login of authorized users.
Example
# Display brief information about all the ECC public keys.
<Huawei> display ecc peer-public-key brief
------------------------------------------
Bits Name
------------------------------------------
256 testecc
------------------------------------------
# Display detailed information about the ECC public key named testecc.
<Huawei> display ecc peer-public-key name testecc
=====================================
Key name: testecc
Encoding type: OPENSSH
=====================================
Key Code:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYuJAsMAHPFT53pXNlXAE1YjXvjhdultLzcDcrzJLqvPxhKALn1WXGPaNfQsAFQnsHzUYgICcBz/Cpxb5atVeg= ecdsa-key
Item | Description |
---|---|
Bits | Length of the ECC public key configured on the remote end. |
Name | Name of the ECC public key configured on the remote end. |
Key name | Name of the ECC public key configured on the remote end. |
Encoding type | Encoding format of the ECC public key configured on the remote end: DER, OPENSSH, or PEM, as specified by the ecc peer-public-key command. |
Key Code | Code of the public key in the local ECC key pair configured using the ecc local-key-pair command. |
display rsa local-key-pair public
Function
The display rsa local-key-pair public command displays the public key in the local key pair.
Usage Guidelines
You can run this command on the client and configure the client public key in the command output to the SSH server, which ensures that the SSH client validity check by the SSH server is successful and enables the secure data exchange between the SSH server and client.
Example
# Display the public key in the local key pair.
<Huawei> display rsa local-key-pair public
=====================================================
Time of Key pair created: 2011-10-06 16:26:37+00:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
D538B7FC 3AFE1F5B F6C921F9 3D8C5322 905F623A F0123161 3DA61EEB F5E897CF
DC126060 546CC84E B2AB7424 3EFF5D71 D84C5FE2 3E2BF5B3 D82DD979 A22E4AA1
0203
010001
=====================================================
Time of Key pair created: 2011-10-06 16:26:53+00:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
C51C2C01 56B06E6C EBF9055C F7AD9781 46B41A31 5FC87282 E53CFE30 8E6321D3
AC74E948 0A010339 E67C290E 2E0E8E40 BF5E1C97 F9C856EF 568DC159 1A6D28ED
AFFB474B 43EFB632 CFB0875F 85420EEA 1919095B A5BC38D0 5FFF169E 0BDB3DC3
0203
010001
Item | Description |
---|---|
Time of Key pair created | Time and date when the public key is created. |
Key Name | The value can be the host or server public key. The server public key is saved only when the key type is RSA. |
Key Type | Type of the public key. |
Key Code | Code of the public key. |
display rsa peer-public-key
Function
The display rsa peer-public-key command displays the peer public key saved on the local host. If no parameter is specified, the command displays detailed information about all peer public keys.
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays the brief information about all peer public keys. | - |
name key-name | Specifies the key name. | The value is a string of 1 to 30 case-insensitive characters without spaces. |
Usage Guidelines
Usage Scenario
You can run this command to check detailed information about the RSA public key and whether the local and peer public keys are the same.
Precautions
You must complete the RSA public key configuration before running this command.
Example
# Display the brief information about all RSA public keys.
<Huawei> display rsa peer-public-key brief
Name                          Bits
-------------------------------------
rsakey001                     780
Item | Description |
---|---|
Bits | Bits in the public key. |
Name | Name of the public key. |
# Display the detailed information about the RSA public key named rsakey001.
<Huawei> display rsa peer-public-key name rsakey001
=====================================
Key name: rsakey001
=====================================
Key Code:
3067
0260
A3158E6C F252C039 135FFC45 F1E4BA9B 4AED2D88 D99B2463 3E42E13A 92A95A37
45CDF037 1AF1A910 AAE3601C 2EB70589 91AF1BB5 BD66E31A A9150911 859CAB0E
1E10548C D70D000C 55A1A217 F4EA2F06 E44BD438 DA472F14 3FB7087B 45E77C05
0203
010001
Item | Description |
---|---|
Key name | Name of the public key. |
Key Code | Code of the public key. |
display ssh server
Parameters
Parameter | Description | Value |
---|---|---|
status | Displays the global configuration on the SSH server. | - |
session | Displays the current session connection information on the SSH server. | - |
Usage Guidelines
After configuring the SSH attributes, you can run this command to view the configuration or session connection information on the SSH server to verify that the SSH connection has been established.
Example
# Display the global configuration on the SSH server.
<Huawei> display ssh server status
SSH version                        :1.99
SSH connection timeout             :120 seconds
SSH server key generating interval :0 hours
SSH Authentication retries         :3 times
SFTP Server                        :Enable
Stelnet server                     :Enable
Scp server                         :Disable
SSH server ciper                   :aes128-ctr aes192-ctr aes256-ctr
SSH server mac                     :hmac-sha2-256
SSH server key                     :diffie-hellman-group14-sha1 diffie-hellman-group14-sha256 diffie-hellman-group-exchange-sha1
Item | Description |
---|---|
SSH version | SSH protocol version. The value can be 1.99 or 2.0. |
SSH connection timeout | SSH connection timeout interval. The value ranges from 60 to 120, in seconds. The default value is 60. Run the ssh server timeout command to set this item. |
SSH server key generating interval | Key updating period of the SSH server. The default value is 0, in hours. Run the ssh server rekey-interval command to set this item. |
SSH authentication retries | Number of times for retrying SSH authentication. The default value is 3. Run the ssh server authentication-retries command to set this item. |
SFTP Server | Status of the SFTP server. By default, it is disabled. Run the sftp server enable command to set this item. |
Stelnet server | Status of the STelnet server. By default, it is disabled. Run the stelnet server enable command to set this item. |
Scp server | Status of the SCP server. By default, it is disabled. Run the scp server enable command to set this item. NOTE: This field is supported in V300R021C10 and later versions. |
SSH server ciper | Encryption algorithms supported by the SSH server. The default encryption algorithms are aes128-ctr, aes192-ctr, and aes256-ctr. Run the ssh server cipher command to set this item. |
SSH server mac | HMAC algorithm supported by the SSH server. The default HMAC algorithm is hmac-sha2-256. Run the ssh server hmac command to set this item. |
SSH server key | Key exchange algorithms supported by the SSH server. The default key exchange algorithms are dh_group_exchange_sha1, dh_group14_sha1, dh_group14_sha256, and dh_group15_sha512. Run the ssh server key-exchange command to set this item. |
# Display the current session connection information on the SSH server.
<Huawei> display ssh server session
--------------------------------------------------------------------
Conn    Ver   Encry   State   Auth-type   Username
--------------------------------------------------------------------
VTY 0   2     AES     run     password    john
--------------------------------------------------------------------
Item | Description |
---|---|
Conn | VTY connection. |
Ver | Version number. |
Encry | Encryption mode. |
State | Session status on the SSH server. |
Auth-type | Authentication mode for an SSH user, for example, password. Run the ssh user authentication-type command to set this item. |
Username | User name for SSH server authentication. |
display ssh user-information
Parameters
Parameter | Description | Value |
---|---|---|
username | Displays the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. |
Usage Guidelines
This command displays the SSH user name, bound RSA public key name, and service type.
Example
# Display the configuration of all SSH users.
<Huawei> display ssh user-information
-------------------------------------------------------------------------------
Username      Auth-type      User-public-key-name
-------------------------------------------------------------------------------
a             password       null
-------------------------------------------------------------------------------
Item | Description |
---|---|
Username | SSH user name. |
Auth-type | Authentication mode for an SSH user, for example, password. Run the ssh user authentication-type command to set this item. |
User-public-key-name | Peer RSA public key assigned to an SSH user. Run the rsa peer-public-key command to set this item. |
display telnet server status
Function
The display telnet server status command displays the status and configuration of the Telnet server.
Usage Guidelines
- You can run this command to check whether the device functions as a Telnet server.
- You can run this command to check the listening port number of the Telnet server if you have set the port number by running the telnet server port port-number command.
Example
<Huawei> display telnet server status
TELNET IPv4 server :Enable
TELNET IPv6 server :Enable
TELNET server port :23
Item | Description |
---|---|
TELNET IPv4 server | IPv4 Telnet server. |
TELNET IPv6 server | IPv6 Telnet server. |
TELNET server port | Listening port number of the Telnet server. |
display telnet-client
Function
The display telnet-client command displays the source parameters when the device works as a Telnet client.
Usage Guidelines
After setting the source parameters of the Telnet client, you can run this command to check the result. If you have not run the telnet client-source command, the default source IP address is 0.0.0.0.
Example
# Display the source parameters for the device that works as a Telnet client.
<Huawei> display telnet-client
The source address of telnet client is 10.1.1.1
Item | Description |
---|---|
The source address of telnet client is 10.1.1.1 | The source IP address of the Telnet client is 10.1.1.1. |
ecc local-key-pair
Function
The ecc local-key-pair create command generates a local ECC host key pair.
The ecc local-key-pair destroy command deletes the local ECC key pair.
Usage Guidelines
Usage Scenario
A local key pair is a prerequisite to a successful SSH login. Compared with the RSA algorithm used by the rsa local-key-pair create command, the ECC algorithm shortens the key length, accelerates the encryption, and improves security. The length of the ECC host key pair can be 256 bits, 384 bits and 521 bits. By default, the length of the ECC host key pair is 256 bits.
If you no longer need the local ECC key pair, run the ecc local-key-pair destroy command to delete it.
Configuration Impact
The ecc local-key-pair destroy command deletes the local ECC host key pair from the files on the master and slave main control boards. Exercise caution when you run this command.
The generated ECC host key pair is named in the format of hostkey_ECC.
The ecc local-key-pair create and ecc local-key-pair destroy commands are not saved in the configuration file. They only need to be run once and take effect even after the Router restarts.
Do not delete the ECC key file from the Router. If the ECC key file is deleted, the ECC key pair cannot be restored after the Router is restarted.
Example
# Generate a local ECC host key pair
<Huawei> system-view
[Huawei] ecc local-key-pair create
Info: The key name will be: hostkey_ECC.
Info: The ECC host key named hostkey_ECC already exists.
Warning: Do you want to replace it ? [Y/N]: Y
Info: The key modulus can be any one of the following : 256, 384, 521.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=256]:256
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.
# Delete the local ECC host key pair.
<Huawei> system-view
[Huawei] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is hostkey_ECC.
Warning: These keys will be destroyed. Continue? [Y/N]:Y
Info: Succeeded in destroying the ECC host keys.
ecc peer-public-key
Function
The ecc peer-public-key command generates an ECC public key and enters the ECC public key view.
The undo ecc peer-public-key command deletes the ECC public key.
By default, no ECC public key is generated.
Format
ecc peer-public-key key-name encoding-type { der | openssh | pem }
undo ecc peer-public-key key-name
Parameters
Parameter | Description | Value |
---|---|---|
key-name | Specifies the ECC public key name. | The value is a string of 1 to 30 case-sensitive characters without spaces. |
encoding-type | Specifies the encoding format of the ECC public key. | - |
der | Sets the encoding format of the ECC public key to DER. DER uses hexadecimal notation to encode data. | - |
openssh | Sets the encoding format of the ECC public key to OpenSSH. OpenSSH uses base64 notation to encode data; the OpenSSH format is a revision of the PEM format. | - |
pem | Sets the encoding format of the ECC public key to PEM. PEM uses base64 notation to encode data. | - |
Usage Guidelines
Usage Scenario
When you use an ECC public key for authentication, configure the client's public key on the server for the SSH user. When the client logs in to the server, the server uses the configured public key to authenticate the client.
After you enter the ECC public key view, run the public-key-code begin command, and copy the ECC public key to the server.
The public key on the client is randomly generated by the client software.
If an ECC public key has been assigned to an SSH user, delete the mapping between the ECC public key and the SSH user. If you do not delete the mapping, the undo ecc peer-public-key command cannot delete the ECC public key.
Follow-up Procedure
- Run the public-key-code end command to return to the ECC public key view.
- Run the peer-public-key end command to exit the ECC public key view and return to the system view.
Precautions
A maximum of 20 ECC public keys can be configured.
The peer public key supports only PKCS#1. Other PKCS versions are not supported.
Example
# Create an ECC public key and enter the ECC public key view.
<Huawei> system-view
[Huawei] ecc peer-public-key ecc-peer-key encoding-type pem
Info: Enter "ECC public key" view, return system view with "peer-public-key end".
[Huawei-ecc-public-key] public-key-code begin
Info: Enter "ECC key code" view, return the last view with "public-key-code end".
[Huawei-ecc-key-code] ---- BEGIN SSH2 PUBLIC KEY ----
[Huawei-ecc-key-code] AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACDBL5J4v3pqi5S
[Huawei-ecc-key-code] ALI9lvLw4cdvtpD2AC6sEJXg9GDCD5vGBnkXlKmnOy6d1TyrXx57ZPNnrSdqVkHC
[Huawei-ecc-key-code] sMBa63vSwg1XsVW2qZgx8H57+FJiTPY61b1Vfst9GUif1ymfpB7XrbdYZDownoh0
[Huawei-ecc-key-code] FZNadZtIf2CRc0OeiKXbCSPP25dfoT/DTcc=
[Huawei-ecc-key-code] ---- END SSH2 PUBLIC KEY ----
[Huawei-ecc-key-code] public-key-code end
[Huawei-ecc-public-key] peer-public-key end
# Delete an ECC public key.
<Huawei> system-view
[Huawei] undo ecc peer-public-key ecc-peer-key
exline-breaker
Function
The exline-breaker enable command enables the function of adding a line break.
The exline-breaker disable command disables the function of adding a line break.
By default, the function of adding a line break is disabled.
Parameters
Parameter | Description | Value |
---|---|---|
enable | Enables the function of adding a line break. | - |
disable | Disables the function of adding a line break. | - |
Usage Guidelines
The device functions as a calling end to send a line break \r\n. When receiving the line break, the called end discards \n in the line break. As a result, data of the calling end differs from that of the called end. In this case, you can run the exline-breaker enable command to enable the function of adding a line break. After the function is enabled, the calling end adds a line break \n to \r\n when sending it. When the called end receives the data, it removes only one \n from the line break.
language character-set
Function
The language character-set command configures the character set in the system.
The default character set in the system is ISO8859-1, that is, the system only supports English input.
Parameters
Parameter | Description | Value |
---|---|---|
character | Specifies the character set in the system. | Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1. |
Usage Guidelines
Usage Scenario
You can configure the character set so that the system just supports Chinese or supports Chinese and English input. The character set facilitates device identification and management, for example, Chinese interface description can be configured.
Currently, the system supports the following character sets: GBK, UTF-8, and ISO8859-1. GBK and UTF-8 support both English and Chinese input, whereas ISO8859-1 supports only English input. GBK is a Chinese character set and UTF-8 is an international character set. To enter Chinese characters on the device, configure GBK or UTF-8 according to the character set supported on the terminal login software.
Precautions
The character set supported by the terminal login software affects the display of Chinese characters. If the character sets in the system and on the terminal login software are different, Chinese characters may be displayed as garbled characters.
After the character set function is configured, the device cannot work together with eSight or iManager U2000. The web system only displays the UTF-8 character set and does not support Chinese input.
lock
Function
The lock command locks the current user interface to prevent unauthorized users from operating the interface.
By default, the system does not automatically lock the current user interface.
Usage Guidelines
Usage Scenario
Lock the current user interface using this command to prevent other users from operating the interface. The user interfaces consist of console ports and Virtual Type Terminals (VTYs).
After you run the lock command, you are prompted to enter the password twice. If you enter the correct password both times, the user interface is locked.
Precautions
- The password must meet the following requirements:
  - The password is a string of 8 to 128 case-sensitive characters. After a user runs the set password min-length command, the minimum password length is the value set by that command.
  - The password must contain at least two of the following character types: upper-case letters, lower-case letters, digits, and special characters.
  - The special characters include spaces and the following:
    `~!@#$%^&*()-_=+\|[{}];:'",<.>/?
- A password entered in interactive mode is not displayed on the screen.
- When you run the lock command to lock the user interface and set a locking password, you can press Ctrl+C to cancel the operation.
- To unlock the user interface, press Enter, and then input the correct password as prompted by the system.
Example
# Lock the current user interface after logging in through the console port.
<Huawei> lock
Enter Password(<8-128>):
Confirm Password:
Info: The terminal is locked.
# To log in to the system after the system is locked, you must press Enter. The following information is displayed:
Enter Password:
# Enter the correct password and return to the user view.
<Huawei>
matched upper-view
Function
The matched upper-view command allows the system to search for the undo command in the upper view, and returns to the upper view.
The undo matched upper-view command prohibits the system from searching for the undo command in the upper view.
By default, the system does not search for the undo command in the upper view.
Usage Guidelines
When you run an undo command that is not registered in the current view, the system searches for it in the upper view if searching the upper view is enabled. If it finds the same undo command there, it executes that command in the upper view. If it does not, it continues to search each successive upper view up to the system view.
Running this command brings security risks. For example, if you run the undo ftp server command in the interface view, while this command is not registered in the interface view, the system automatically searches for it in the upper view, that is, the system view. In this manner, the system disables the FTP function.
The matched upper-view command is valid only for current login users who run this command.
Example
# Allow the undo command to be searched for in the upper view.
<Huawei> system-view
[Huawei] matched upper-view
[Huawei] interface gigabitethernet1/0/1
[Huawei-GigabitEthernet1/0/1] undo ftp server
Info: Succeeded in closing the FTP server.
[Huawei]
# Prohibit the undo command from being searched for in the upper view.
<Huawei> system-view [Huawei] undo matched upper-view [Huawei] interface gigabitethernet1/0/1 [Huawei-GigabitEthernet1/0/1] undo ftp server ^ Error: Unrecognized command found at '^' position. [Huawei-GigabitEthernet1/0/1]
peer-public-key end
Function
The peer-public-key end command returns to the system view from the public key view and saves the configured public keys.
Usage Guidelines
Usage Scenario
The public key generated on the remote host must be saved on the local host so that the local device can verify the remote end. After editing a public key in the public key view, run this command to return to the system view.
Prerequisites
Before you run this command, the rsa peer-public-key command has been run to enter the RSA public key view or the ecc peer-public-key command has been run to enter the ECC public key view.
Example
# Return to the system view from the public key view.
<Huawei> system-view
[Huawei] rsa peer-public-key rsakey001
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] 308188
[Huawei-rsa-key-code] 028180
[Huawei-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[Huawei-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[Huawei-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[Huawei-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[Huawei-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[Huawei-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[Huawei-rsa-key-code] 171896FB 1FFC38CD
[Huawei-rsa-key-code] 0203
[Huawei-rsa-key-code] 010001
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
[Huawei]
public-key-code begin
Usage Guidelines
Usage Scenario
The public key generated on the remote host must be saved on the local host so that the local device can verify the remote end. Run the public-key-code begin command to enter the public key editing view, and then enter the key data. The key characters can contain spaces, and you can press Enter to continue the data on a new line.
Prerequisite
A key name has been specified by running the rsa peer-public-key, or ecc peer-public-key command.
Precautions
- The public keys displayed by running the display rsa local-key-pair public, or display ecc local-key-pair public command can be used as the key data to enter.
- The editor accepts either public key of a local key pair shown by display rsa local-key-pair public or display ecc local-key-pair public (the host key pair or the server key pair). For SSH, however, only the public key of the client's host key pair is valid as key data. If you enter the public key of the server key pair, authentication fails during SSH login.
- When the key data on a single line exceeds 225 characters, press Enter and continue entering the remaining data on the next line.
Example
# Display the public key editing view and enter the key data.
<Huawei> system-view
[Huawei] rsa peer-public-key rsakey001
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] 308188
[Huawei-rsa-key-code] 028180
[Huawei-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[Huawei-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[Huawei-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[Huawei-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[Huawei-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[Huawei-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[Huawei-rsa-key-code] 171896FB 1FFC38CD
[Huawei-rsa-key-code] 0203
[Huawei-rsa-key-code] 010001
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
[Huawei]
public-key-code end
Function
The public-key-code end command returns to the public key view from the public key editing view and saves the configured public keys.
Usage Guidelines
Usage Scenario
- If there are illegal characters in the public key character string configured by the user, the system will display a relevant error prompt. The public key previously configured by the user is discarded, thus the configuration fails.
- If the public key configured is valid, it is saved in the public key chain table of the client.
Prerequisites
Before you run this command, the public-key-code begin command has been run to enter the public key edit view.
Precautions
- In the public key editing view, only the public-key-code end command can be used to exit; the quit command cannot be used here.
- If the data entered is not valid key encoding, no key is generated when the public-key-code end command is run, and the system reports that generating the key failed.
- If the key is deleted in another window, the system prompts that the key does not exist and returns to the system view directly after you run the public-key-code end command.
Example
# Exit from the RSA public key editing view and save the RSA key configuration.
<Huawei> system-view
[Huawei] rsa peer-public-key rsakey001
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] 308188
[Huawei-rsa-key-code] 028180
[Huawei-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[Huawei-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[Huawei-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[Huawei-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[Huawei-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[Huawei-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[Huawei-rsa-key-code] 171896FB 1FFC38CD
[Huawei-rsa-key-code] 0203
[Huawei-rsa-key-code] 010001
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
[Huawei]
redirect binding vpn-instance
Function
The redirect binding vpn-instance command associates the redirection function with a VPN instance.
The undo redirect binding vpn-instance command cancels the association between the redirection function and a VPN instance.
By default, the redirection function is not associated with any VPN instance.
Parameters
Parameter | Description | Value
---|---|---
vpn-instance-name | Specifies the name of a VPN instance. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string.
Usage Guidelines
Usage Scenario
By default, all users on public and private networks can log in to remote devices after the redirection function is enabled. To allow only users in a VPN to log in to a remote device, associate the redirection function with the VPN instance on the device.
Prerequisite
A VPN instance has been created on the router, and the user-side interface of the router has been bound to the VPN instance.
The redirection function has been enabled by using the redirect enable command.
Precautions
After the redirection function is associated with a VPN instance, only users in the VPN instance can use the redirection function to log in to the device remotely. Users on the public network or other private networks connected to the router are prevented from logging in to the device remotely.
redirect enable
Function
The redirect enable command enables the redirection function on a TTY user interface.
The undo redirect enable command disables the redirection function on a TTY user interface.
By default, the redirection function is disabled.
Parameters
Parameter | Description | Value
---|---|---
ssh | Enables the SSH-based redirection function on a serial port. | -
Usage Guidelines
Usage Scenario
The redirection function is used in the following scenarios:
- An electricity system or finance system usually uses serial port terminals to collect data. These terminals are connected to asynchronous serial ports of a device. The device receives data flows from the terminals and encapsulates received data into Ethernet frames to transmit the data on an Ethernet network. With the redirection function, users can manage and maintain the terminals remotely.
- Some devices can be managed only through their console ports. In this scenario, connect their console ports to asynchronous serial ports of a device. The device can function as a serial port server to manage these devices.
Prerequisites
- There are reachable routes between the operation terminal and the device that provides the redirection function.
- The 8AS board on the device has registered successfully and the asynchronous serial port corresponding to the TTY user interface on the board is in Up state.
- The asynchronous serial port corresponding to the TTY user interface has been configured to work in flow mode using the async mode flow command.
Precautions
If the modem function is enabled on a TTY user interface, the redirection function does not take effect.
redirect listen-port
Function
The redirect listen-port command sets a port number for the redirection function on a TTY user interface.
The undo redirect listen-port command restores the default port number for the redirection function.
By default, the port number for the redirection function is 2000 plus the TTY user interface number.
Parameters
Parameter | Description | Value
---|---|---
ssh | Enables the SSH-based redirection function on a serial port. | -
port-number | Specifies the port number for the redirection function. | The value is an integer that ranges from 2129 to 3999.
rsa local-key-pair create
Function
The rsa local-key-pair create command generates the local RSA host and server key pairs.
By default, the local RSA host and server key pairs are not configured.
Usage Guidelines
Usage Scenario
To implement secure data exchange between the server and client, run this command to generate a local key pair.
Precautions
If the RSA key pair exists, the system prompts you to confirm whether to replace the original key pair.
After you run this command, the system prompts you to enter the number of bits in the host key. The difference between the bits in the server and host key pairs must be at least 128 bits.
Because a longer key pair provides higher security, use the longest key length the device offers (4096 bits, the upper end of the range shown in the example below).
After you run this command, the generated key pair is saved in the device and will not be lost after the device restarts.
This command is not saved in a configuration file.
Example
# Generate the local RSA host and server key pairs.
<Huawei> system-view
[Huawei] rsa local-key-pair create
The key name will be: Host
RSA keys defined for Host already exist.
Warning: Confirm to replace them! Continue? [Y/N]Y
The range of public key size is (2048 ~ 4096).
NOTES: If the key modulus is less than 2048,
It will introduce potential security risks.
Input the bits in the modulus[default = 2048]:2048
Generating keys...
..............................................................+++
.....+++
............................++++
.....................++++
rsa local-key-pair destroy
Usage Guidelines
Usage Scenario
To delete the local key pair, run the rsa local-key-pair destroy command. If the host key pair and the server key pair of an SSH server are deleted, run the rsa local-key-pair create command to create a new host key pair and server key pair for the SSH server.
After you run this command, verify that all local RSA keys are deleted. This command is not saved in a configuration file.
Prerequisite
The local RSA keys that can be deleted exist.
rsa peer-public-key
Function
The rsa peer-public-key command configures an encoding format for an RSA public key and displays the RSA public key view.
The undo rsa peer-public-key command deletes a public key.
By default, the encoding format is distinguished encoding rules (DER) for an RSA public key.
Format
rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]
undo rsa peer-public-key key-name
Parameters
Parameter | Description | Value
---|---|---
key-name | Specifies the RSA public key name. | The value is a string of 1 to 30 case-insensitive characters without spaces. NOTE: When double quotation marks are used around the string, spaces are allowed in the string.
encoding-type | Specifies an encoding format for an RSA public key. | -
der | Specifies the DER format for an RSA public key. DER encodes data in hexadecimal format. | -
openssh | Specifies the OpenSSH format for an RSA public key. OpenSSH encodes data in base-64 format. OpenSSH is an encoding format based on PEM. | -
pem | Specifies the PEM format for an RSA public key. PEM encodes data in base-64 format. | -
Usage Guidelines
Usage Scenario
When you use RSA public key authentication, you must configure the public key of the corresponding client for the SSH user on the server. When the client logs in, the server uses that public key to authenticate the client. You can also save the server's host public key on the client so that the client can verify the server's identity on its first login.
Huawei data communications devices support the DER, OpenSSH and PEM formats for RSA keys. If you have an RSA key in another format, convert it into DER, OpenSSH or PEM with a third-party tool. No such tool ships with Huawei system software, which is why PEM and OpenSSH are supported in addition to DER: most key generators can produce one of the three directly.
- PuTTY generates RSA keys in PEM format.
- OpenSSH generates RSA keys in OpenSSH format.
- OpenSSL generates RSA keys in DER format.
OpenSSL is open source software; its documentation is available at http://www.openssl.org/.
After you specify an encoding format for the RSA public key, the device enters the RSA public key view and expects key data in that encoding. Run the public-key-code begin command and then copy the RSA public key generated on the peer device into the local device.
Prerequisite
The public key on the remote host has been obtained and recorded.
Follow-up Procedure
- Run the public-key-code end command to return to the RSA public key view.
- Run the peer-public-key end command to exit the RSA public key view and return to the system view.
Precautions
The client's key pair is generated by the client software; the public key you enter must be taken from that key pair.
If an RSA public key has been assigned to an SSH client, release the binding between the public key and the SSH client before deleting the key. Otherwise, the undo rsa peer-public-key command fails to delete the RSA public key.
The peer public key supports only PKCS#1. Other PKCS versions are not supported.
Example
# Display the RSA public key view.
<Huawei> system-view
[Huawei] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
NOTE: The number of the bits of public key must be between 769 and 2048.
[Huawei-rsa-public-key]
send
Parameters
Parameter | Description | Value
---|---|---
all | Specifies that the system sends messages to all user interfaces. | -
ui-number | Specifies the absolute number of the user interface. | The minimum value is 0. The maximum value is smaller by 1 than the number of the user interfaces that the system supports.
ui-type | Specifies the type of the user interface. | -
ui-number1 | Specifies the relative number of the user interface. | -
Usage Guidelines
After you run the send command, the system prompts you to enter the message to send. After you confirm to send this message, the user who logs in to the system from the specified user interface can receive this message.
Example
# Send a message to the user interface VTY 0.
<Huawei> send vty 0
Enter message, end with CTRL+Z or Enter; abort with CTRL+C:Hello, good morning!^Z
Warning: Send the message? [Y/N]: y
# After you confirm to send the message, the user who logs in to the Huawei from VTY 0 can receive this message.
<Huawei> Info: Receive a message from VTY2:Hello, good morning!
set insecure-protocol enable
Function
The set insecure-protocol enable command allows the usage of insecure management protocols HTTP and Telnet.
The set insecure-protocol disable command forbids the usage of insecure management protocols HTTP and Telnet.
By default, insecure management protocols HTTP and Telnet can be used.
Only the following models support this function: AR651K, AR651, AR651-X8, AR651C, AR651F-Lite, AR651U-A4, AR651W-X4, AR651W-8P, AR651W, AR657W, AR6120, AR6121K, AR6121E, AR6121, AR6120-VW, AR6140K-9G-2AC, AR6140E-9G-2AC, AR6140-9G-2AC, AR6120-S, AR6140E-S, AR6140-S, AR6121-S, AR6121E-S, AR6121EC-S, AR6121C-S, and AR-10.
Usage Guidelines
Usage Scenario
You can log in to a device using HTTP, HTTPS, Telnet, or STelnet. HTTP and Telnet are insecure management protocols because they carry credentials and session data in plaintext. For security purposes, run the set insecure-protocol disable command to forbid their use.
Precautions
Before running the set insecure-protocol disable command, check whether the Telnet and HTTP services are enabled by running the display telnet server status and display http server commands, respectively. If either service is enabled, disable it first with the undo telnet server enable or undo http server enable command; the set insecure-protocol disable command then succeeds. If both services are already disabled, run the set insecure-protocol disable command directly to forbid the use of HTTP and Telnet.
After the set insecure-protocol disable command is run, you can only run the set insecure-protocol enable command to allow the usage of insecure management protocols HTTP and Telnet.
Example
# Forbid the usage of insecure management protocols HTTP and Telnet.
<Huawei> system-view
[Huawei] display telnet server status
TELNET IPV4 server :Disable
TELNET IPV6 server :Disable
TELNET server port :23
Error: insecure-protocol is disabled.
[Huawei] display http server
HTTP server status : Disabled (default: disable)
HTTP server port : 80 (default: 80)
HTTP timeout interval : 10 (default: 10 minutes)
Current online users : 0
Maximum users allowed : 5
HTTPS server status : Enabled (default: disable)
HTTPS server port : 443 (default: 443)
HTTPS server manager port :
HTTPS SSL Policy :
[Huawei] set insecure-protocol disable
ssh client assign
Function
The ssh client assign command specifies the host public key of the SSH server to connect on the SSH client.
The undo ssh client assign command cancels the specified host public key of the SSH server to connect on the SSH client.
By default, the host public key of the server to connect is not specified on the client.
Format
ssh client servername assign { rsa-key | ecc-key } keyname
undo ssh client servername assign { rsa-key | ecc-key }
Parameters
Parameter | Description | Value
---|---|---
servername | Specifies the host name or IP address of the SSH server. | The value is a string of 1 to 64 characters without spaces.
rsa-key | Specifies the RSA public key. | -
ecc-key | Specifies the ECC public key. | -
keyname | Specifies the SSH server public key name that has been configured on the SSH client. | The value is a string of 1 to 64 case-insensitive characters without spaces.
Usage Guidelines
Usage Scenario
If the SSH client connects to the SSH server for the first time and the first authentication is not enabled on the SSH client using the ssh client first-time enable command, the SSH client rejects the access from unauthorized SSH servers. You need to specify the host public key of the SSH server and the mapping between the key and SSH server on the SSH client. After that, the client will determine whether the server is reliable using the correct public key based on the mapping.
Precautions
The RSA or ECC public key to be assigned to the SSH server must have been configured on the SSH client using the rsa peer-public-key or ecc peer-public-key command. If the key has not been configured, the verification for the RSA or ECC public key of the SSH server on the SSH client fails.
ssh client first-time enable
Function
The ssh client first-time enable command enables the first authentication on the SSH client.
The undo ssh client first-time enable command disables the first authentication on the SSH client.
By default, first authentication is disabled on the SSH client.
Usage Guidelines
Usage Scenario
When the SSH client accesses the SSH server for the first time and the public key of the SSH server is not configured on the SSH client, you can enable the first authentication for the SSH client to access the SSH server and save the public key on the SSH client. When the SSH client accesses the SSH server next time, the saved public key is used to authenticate the SSH server.
Precautions
You can run the ssh client assign command to pre-assign the server's public key on the client, so that the first login succeeds without enabling first-time authentication. This is the safer option: first-time authentication trusts whatever host key the server presents on the first connection and can only detect a changed key on later connections, whereas a pre-assigned key is verified from the first login onwards.
ssh server authentication-retries
Function
The ssh server authentication-retries command sets the maximum number of authentication retries for an SSH connection.
The undo ssh server authentication-retries command restores the default maximum number of authentication retries for an SSH connection.
The default maximum number of authentication retries for an SSH connection is 3.
Parameters
Parameter | Description | Value
---|---|---
times | Specifies the maximum number of authentication retries for an SSH connection. | The value is an integer that ranges from 1 to 5.
Usage Guidelines
Usage Scenario
You can run this command to configure the maximum number of authentication retries for an SSH connection, which prevents server overload due to malicious access.
Precautions
The configured number of retries takes effect upon the next login.
The total number of RSA and password authentication retries on the SSH client cannot exceed the maximum number that is set using this command.
ssh server compatible-ssh1x enable
Function
The ssh server compatible-ssh1x enable command enables the SSH server's compatibility with earlier versions.
The undo ssh server compatible-ssh1x enable command disables the SSH server's compatibility with earlier versions.
By default, the SSH server's compatibility with earlier versions is disabled.
This function is not supported in V300R021C10SPC100 and later versions.
Usage Guidelines
Usage Scenario
The SSH server's compatibility with earlier versions applies to the protocol version negotiation between the client and server. After a TCP connection is set up between the client and server, the client negotiates with the server on a version that both the client and server support.
The server compares its own version with that sent by the client and determines whether it can work with the client.
- If the protocol version on the client is earlier than 1.3 or later than 2.0, version negotiation fails and the server disconnects from the client.
- If the protocol version on the client is equal to or later than 1.3 and earlier than 1.99, the SSH1.5 server module is invoked and the SSH1.X process is performed when the SSH1.X-compatible mode is configured. When the SSH1.X-incompatible mode is configured, version negotiation fails and the server disconnects from the client.
- If the protocol version on the client is 1.99 or 2.0, the SSH2.0 server module is invoked and the SSH2.0 process is performed.
Precautions
- The configuration takes effect upon the next login.
SSH 2.0 has an extended structure and supports more authentication modes and key exchange methods than SSH 1.X, and it eliminates the security risks of SSH 1.X. SSH 2.0 is more secure and is therefore recommended; leave this compatibility mode disabled unless a legacy SSH 1.X client genuinely requires it.
ssh server cipher
Function
The ssh server cipher command configures an encryption algorithm list for an SSH server.
The undo ssh server cipher command restores the default encryption algorithm.
By default, an SSH server supports the following encryption algorithms: aes128_ctr, aes192_ctr, and aes256_ctr.
Format
ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes192_ctr | aes256_ctr | blowfish_cbc | des_cbc } *
undo ssh server cipher
Parameters
Parameter | Description | Value
---|---|---
3des_cbc | Adds the 3DES-CBC encryption algorithm to an encryption algorithm list on an SSH server. | -
aes128_cbc | Adds the AES128-CBC encryption algorithm to an encryption algorithm list on an SSH server. | -
aes128_ctr | Adds the AES128-CTR encryption algorithm to an encryption algorithm list on an SSH server. | -
aes192_ctr | Adds the AES192-CTR encryption algorithm to an encryption algorithm list on an SSH server. | -
aes256_ctr | Adds the AES256-CTR encryption algorithm to an encryption algorithm list on an SSH server. | -
blowfish_cbc | Adds the BLOWFISH-CBC encryption algorithm to an encryption algorithm list on an SSH server. NOTE: This parameter is not supported in V300R021C10SPC100 and later versions. | -
des_cbc | Adds the DES-CBC encryption algorithm to an encryption algorithm list on an SSH server. | -
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate an encryption algorithm for the packets transmitted between them. You can run the ssh server cipher command to configure an encryption algorithm list for the SSH server. The server compares the encryption algorithm list sent by the client with its own encryption algorithm list, and selects the first encryption algorithm on the client's list that matches an encryption algorithm on its own list as the encryption algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.
For example, for security purposes, you can run the ssh server cipher { aes256_ctr | aes192_ctr | aes128_ctr } * command to configure an encryption algorithm list containing aes256_ctr, aes192_ctr, and aes128_ctr encryption algorithms with high security for an SSH server.
Precautions
3des_cbc, aes128_cbc, blowfish_cbc, and des_cbc are weak encryption algorithms. Therefore, it is recommended that you not add them to the encryption algorithm list of the SSH server.
ssh server hmac
Function
The ssh server hmac command configures the check algorithm list of the SSH server.
The undo ssh server hmac command restores default check algorithms of the SSH server.
By default, an SSH server supports only the sha2_256 HMAC check algorithm.
Format
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 } *
undo ssh server hmac
Parameters
Parameter | Description | Value
---|---|---
md5 | Adds the MD5 check algorithm to the HMAC check algorithm list of the SSH server. | -
md5_96 | Adds the MD5_96 check algorithm to the HMAC check algorithm list of the SSH server. | -
sha1 | Adds the SHA1 check algorithm to the HMAC check algorithm list of the SSH server. | -
sha1_96 | Adds the SHA1_96 check algorithm to the HMAC check algorithm list of the SSH server. | -
sha2_256 | Adds the SHA2_256 check algorithm to the HMAC check algorithm list of the SSH server. | -
sha2_256_96 | Adds the SHA2_256_96 check algorithm to the HMAC check algorithm list of the SSH server. | -
Usage Guidelines
Usage Scenario
The server and client negotiate the algorithm for checking packets transmitted between them. You can run the ssh server hmac command to configure the check algorithm list of the SSH server. The server compares the check algorithm list sent from the client with its own check algorithm list, and selects the first matched check algorithm for checking transmitted packets. If the check algorithm lists of the server and client have no common check algorithm, the check algorithm negotiation fails.
For example, run the ssh server hmac sha2_256 command to add the high-security sha2_256 check algorithm to the HMAC check algorithm list of the SSH server, improving device security.
Precautions
The following check algorithms are listed in descending order of priority: sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96.
You are advised not to add the following HMAC check algorithms to the HMAC check algorithm list of the SSH server because they provide low security: sha2_256_96, sha1, sha1_96, md5, and md5_96.
ssh server key-exchange
Function
The ssh server key-exchange command configures a key exchange algorithm list for an SSH server.
The undo ssh server key-exchange command restores the default setting.
By default, an SSH server supports dh_group_exchange_sha1, dh_group14_sha1, dh_group14_sha256, and dh_group15_sha512 key exchange algorithms.
Format
ssh server key-exchange { dh_group_exchange_sha1 | dh_group1_sha1 | dh_group14_sha1 | dh_group14_sha256 | dh_group15_sha512 } *
undo ssh server key-exchange
Parameters
Parameter | Description | Value
---|---|---
dh_group_exchange_sha1 | Adds the diffie-hellman-group-exchange-sha1 algorithm to the key exchange algorithm list of the SSH server. The group size of the diffie-hellman-group-exchange key exchange algorithm is negotiated dynamically and ranges from 1024 bits to 8192 bits. | -
dh_group1_sha1 | Adds the diffie-hellman-group1-sha1 algorithm to the key exchange algorithm list of the SSH server. The diffie-hellman-group1 key exchange algorithm uses a 1024-bit group (Oakley Group 2, as specified in RFC 4253). | -
dh_group14_sha1 | Adds the diffie-hellman-group14-sha1 key exchange algorithm to the key exchange algorithm list of the SSH server. The diffie-hellman-group14 key exchange algorithm uses a 2048-bit group. | -
dh_group14_sha256 | Adds the diffie-hellman-group14-sha256 key exchange algorithm to the key exchange algorithm list of the SSH server. The diffie-hellman-group14 key exchange algorithm uses a 2048-bit group. | -
dh_group15_sha512 | Adds the diffie-hellman-group15-sha512 key exchange algorithm to the key exchange algorithm list of the SSH server. The diffie-hellman-group15 key exchange algorithm uses a 3072-bit group. | -
Usage Guidelines
Usage Scenario
An SSH server and a client need to negotiate a key exchange algorithm for the packets exchanged between them. You can run the ssh server key-exchange command to configure a key exchange algorithm list for the SSH server. After the server receives the client's key exchange algorithm list, it matches that list against its local list and selects the first algorithm on the client's list that it also supports. If no key exchange algorithm matches, the negotiation fails.
Precautions
The key exchange algorithms are listed as follows in descending order of security levels: dh_group15_sha512, dh_group14_sha256, dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1. The dh_group14_sha256 algorithm is recommended.
You are advised not to add the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 algorithms to the key exchange algorithm list of the SSH server because they provide low security. Note that dh_group_exchange_sha1 and dh_group14_sha1 are part of the default list, so to exclude them you must run the command listing only the stronger algorithms, such as dh_group14_sha256 and dh_group15_sha512, and verify the result with display ssh server.
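To see how the selection rule plays out, here is an added Python model (example code, not device software) of the negotiation described for ssh server cipher, ssh server hmac and ssh server key-exchange, together with the protocol-version check described under ssh server compatible-ssh1x enable. The algorithm names are this page's command keywords rather than SSH wire names; the default lists and the weak sets are taken from the page; the client and server configurations in the block are constructed for the demonstration. It shows that a client listing a legacy algorithm first gets it whenever the server list still contains it, which is why the weak entries, including the two in the default key exchange list, should be removed.

```python
"""Model of the algorithm negotiation and version rules described on this page.
Added example, not device code. Names are the page's command keywords."""

# Device defaults as stated on the page.
DEFAULT_CIPHERS = ["aes128_ctr", "aes192_ctr", "aes256_ctr"]
DEFAULT_HMACS = ["sha2_256"]
DEFAULT_KEX = ["dh_group_exchange_sha1", "dh_group14_sha1",
               "dh_group14_sha256", "dh_group15_sha512"]

# Algorithms the page advises against, per kind.
WEAK = {
    "cipher": {"3des_cbc", "aes128_cbc", "blowfish_cbc", "des_cbc"},
    "hmac": {"sha2_256_96", "sha1", "sha1_96", "md5", "md5_96"},
    "kex": {"dh_group_exchange_sha1", "dh_group14_sha1", "dh_group1_sha1"},
}


def negotiate(client_list, server_list):
    """The rule the page describes (and RFC 4253 specifies): walk the client's
    list in its order and take the first name the server also supports.
    None means the negotiation fails."""
    supported = set(server_list)
    for name in client_list:
        if name in supported:
            return name
    return None


def negotiate_session(client, server):
    """client/server: dicts with 'cipher', 'hmac' and 'kex' lists.
    Returns the chosen triple; raises if any negotiation fails."""
    chosen = {}
    for kind in ("cipher", "hmac", "kex"):
        pick = negotiate(client[kind], server[kind])
        if pick is None:
            raise ValueError(f"{kind} negotiation failed: no common algorithm")
        chosen[kind] = pick
    return chosen


def audit(server):
    """Weak algorithms still present in a server configuration, per kind."""
    return {kind: sorted(set(server[kind]) & WEAK[kind]) for kind in WEAK}


def hardened(server):
    """The same configuration with the weak entries removed."""
    return {kind: [a for a in server[kind] if a not in WEAK[kind]] for kind in WEAK}


def version_decision(client_banner, compatible_ssh1x=False):
    """Apply the version rules to a client banner 'SSH-<version>-<software>'.
    Returns 'ssh2', 'ssh1x' or 'reject'. Versions are compared as decimals,
    matching the page's ordering 1.3 < 1.5 < 1.99 < 2.0 (an assumption of this model)."""
    try:
        ver = float(client_banner.split("-", 2)[1])
    except (IndexError, ValueError):
        return "reject"
    if ver < 1.3 or ver > 2.0:
        return "reject"
    if ver >= 1.99:
        return "ssh2"
    return "ssh1x" if compatible_ssh1x else "reject"


# Constructed configurations for the demonstration.
SERVER_DEFAULT = {"cipher": DEFAULT_CIPHERS, "hmac": DEFAULT_HMACS, "kex": DEFAULT_KEX}
# A server where legacy algorithms were added "for compatibility".
SERVER_LEGACY = {
    "cipher": ["3des_cbc"] + DEFAULT_CIPHERS,
    "hmac": ["md5"] + DEFAULT_HMACS,
    "kex": ["dh_group1_sha1"] + DEFAULT_KEX,
}
# A client that lists its weakest algorithms first.
CLIENT_WEAK_FIRST = {
    "cipher": ["3des_cbc", "aes256_ctr"],
    "hmac": ["md5", "sha2_256"],
    "kex": ["dh_group1_sha1", "dh_group14_sha256"],
}

if __name__ == "__main__":
    print("default server :", negotiate_session(CLIENT_WEAK_FIRST, SERVER_DEFAULT))
    print("legacy server  :", negotiate_session(CLIENT_WEAK_FIRST, SERVER_LEGACY))
    print("weak in default:", audit(SERVER_DEFAULT))
    print("hardened legacy:", negotiate_session(CLIENT_WEAK_FIRST, hardened(SERVER_LEGACY)))
    print("SSH-1.5 client :", version_decision("SSH-1.5-OldClient", compatible_ssh1x=True))
```

The audit of the default server shows that two key exchange entries the page flags as weak are enabled out of the box; the cipher and HMAC defaults are clean. Because the client's order decides, a server cannot protect itself by ordering its own list; only removing the weak names does.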
ssh server permit interface
Function
The ssh server permit interface command specifies interfaces on the SSH server to which clients can connect.
The undo ssh server permit interface command deletes the specified interfaces and restores the default configuration.
By default, the SSH server does not allow clients to connect to it through all interfaces.
Format
ssh server permit interface { interface-type interface-number } &<1-5>
ssh server permit interface all
undo ssh server permit interface
Parameters
Parameter | Description | Value
---|---|---
interface-type interface-number | Specifies interfaces on the SSH server to which clients can connect. interface-type specifies the interface type. interface-number specifies the interface number. interface-number and interface-type together specify an interface. NOTE: Only physical interfaces are supported in versions earlier than V300R021C10SPC100. | -
all | Allows clients to connect to all interfaces on the SSH server. | -
Usage Guidelines
Usage Scenario
To prevent clients from connecting to the SSH server through unauthorized interfaces, you can run the ssh server permit interface command to specify interfaces on the SSH server to which clients can connect.
Precautions
- If no interface is specified on the SSH server to allow clients to connect to the server, the SSH service cannot be enabled. The undo ssh server permit interface command can be executed only after the SSH service is disabled.
- This command does not take effect on the MEth management interface. The SSH server always allows clients to connect to it through the MEth management interface. To allow clients to connect only through the MEth management interface, run the ssh server permit interface MEth 0/0/0 command.
- By default, clients can connect to all interfaces on the SSH server. Once a specific interface is specified using this command, a client cannot connect to the SSH server through any other interface.
- A maximum of five interfaces can be specified using the ssh server permit interface { interface-type interface-number } &<1-5> command. The latest configuration overrides the previous one. For example, before you run this command, clients can connect to three interfaces GigabitEthernet 1/0/0, GigabitEthernet 2/0/0, and GigabitEthernet 3/0/0 on the SSH server. After you run the command to specify the interface GigabitEthernet 1/0/0, clients can only connect to the interface GigabitEthernet 1/0/0.
Example
# Allow clients to connect to all interfaces on the SSH server.
<Huawei> system-view
[Huawei] ssh server permit interface all
Warning: Allowing access from all interfaces is insecure.
# Specify interfaces on the SSH server to which clients can connect.
<Huawei> system-view
[Huawei] ssh server permit interface gigabitethernet 1/0/0 gigabitethernet 2/0/0
Info: Succeeded in setting ssh permit interface.
# Delete the configured interface.
<Huawei> system-view
[Huawei] undo ssh server permit interface
ssh server port
Function
The ssh server port command changes the listening port number of the SSH server.
The undo ssh server port command restores the default listening port number of the SSH server.
The default listening port number of the SSH server is 22.
Parameters
Parameter | Description | Value |
---|---|---|
port-number | Specifies the listening port number of the SSH server. | The value is 22 or an integer ranging from 1025 to 55535. |
Usage Guidelines
Usage Scenario
Change the listening port number of the SSH server to reduce malicious access aimed at the standard SSH port and improve security.
Precautions
The SSH client can log in successfully with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login.
Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.
ssh server rekey-interval
Function
The ssh server rekey-interval command sets the interval for updating the SSH server key pair.
The undo ssh server rekey-interval command restores the default interval for updating the SSH server key pair.
The default interval for updating the SSH server key pair is 0, indicating that the key pair is never updated.
Parameters
Parameter | Description | Value |
---|---|---|
hours | Specifies the interval for updating the server key pair. | The value is an integer that ranges from 1 to 24, in hours. |
Usage Guidelines
Usage Scenario
If the server key pair is not updated for a long time, the key becomes easier to crack and the server becomes insecure. After the interval for updating the SSH server key pair is set using this command, the system automatically updates the key pair at that interval.
Precautions
If the client is connected to the server, the server public key on the client is not updated immediately. This key is updated only when the client is reconnected to the server.
ssh server timeout
Function
The ssh server timeout command sets the timeout interval for SSH connection authentication.
The undo ssh server timeout command restores the default timeout interval for SSH connection authentication.
The default timeout interval for SSH connection authentication is 60 seconds.
Parameters
Parameter | Description | Value |
---|---|---|
seconds | Specifies the timeout interval for SSH connection authentication. | The value is an integer ranging from 60 to 120, in seconds. |
Usage Guidelines
Usage Scenario
If you have not logged in successfully within the timeout interval for SSH connection authentication, the current connection is terminated to ensure security. You can run the display ssh server command to query the current timeout interval.
Precautions
The setting for the timeout interval takes effect upon next login.
ssh server-source
Function
The ssh server-source command specifies a source IP address for an SSH server.
The undo ssh server-source command deletes the source IP address of an SSH server.
By default, the source IP address of an SSH server is not specified.
Format
ssh server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }
undo ssh [ ipv6 ] server-source
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Configures the SSH server to support an IPv6 source address. | - |
-a source-ip-address | Specifies the source IP address for the SSH server. The loopback IP address is recommended. | - |
-i interface-type interface-number | Specifies the loopback interface of the SSH server as the source interface. If no loopback interface is configured or no IP address is configured for the source interface, the command fails to be executed. | - |
Usage Guidelines
Usage Scenario
If no source IP address is specified, the SSH server uses the source IP address specified by routes to send and receive packets. The source IP address must be configured for an interface with stable performance, such as the loopback interface. Using the loopback interface as the source IP address simplifies the ACL rule and security policy configuration. This shields the IP address differences and interface status impact, filters incoming and outgoing packets, and implements security authentication.
Precautions
- After the source IP address is specified for the SSH server, you must use the specified IP address to log in to the SSH server.
- If the configured source IP address does not exist on the SSH server, configure this IP address on the device and then restart the SSH service. Then you can log in to the device.
- If the SSH service has been enabled, the SSH service restarts after the ssh server-source command is executed.
- If the specified source interface has been bound to a VPN instance, the SSH server is automatically bound to the same VPN instance.
Example
# Set the source IP address of the SSH server to LoopBack0.
<Huawei> system-view
[Huawei] ssh server-source -i loopback 0
Warning: To make the server source configuration take effect, the ssh will be restarted. Continue? (y/n):y
Info: Succeeded in closing the STELNET server.
Info: Succeeded in setting the source interface of the ssh server to LoopBack0
Info: Succeeded in starting the STELNET server.
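A configuration audit covering the ssh server permit interface, ssh server port, ssh server rekey-interval, ssh server-source and telnet server enable precautions above, as an added Python example (not Huawei tooling). It assumes the configuration is available as text with one command per line in the form shown in this reference (the block separators "#" and leading indentation are ignored); both snippets below are constructed sample input, and each finding restates a point made in the corresponding Precautions or Usage Scenario text.

```python
"""Audit of remote-access settings in a configuration snippet (added example)."""
import re
from typing import List, Set, Tuple

# Constructed sample: permissive settings.
SAMPLE_CONFIG = """\
#
 ssh server permit interface all
 ssh server port 22
 stelnet server enable
 telnet server enable
#
"""

# Constructed sample: settings following the recommendations in this chapter.
HARDENED_CONFIG = """\
#
 ssh server permit interface gigabitethernet 1/0/0 gigabitethernet 2/0/0
 ssh server port 2222
 ssh server-source -i loopback 0
 ssh server rekey-interval 12
 stelnet server enable
#
"""

Finding = Tuple[str, str, str]  # (code, severity, message)


def config_lines(text: str) -> List[str]:
    """Drop indentation and the '#' separators; keep one command per entry."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "#"]


def audit_remote_access(text: str) -> List[Finding]:
    """Return findings for the SSH and Telnet server settings found in the text."""
    lines = config_lines(text)
    findings: List[Finding] = []

    # ssh server permit interface: no entry means the STelnet service cannot be enabled;
    # 'all' exposes the server on every interface (the device itself warns about this).
    permit = [ln for ln in lines if ln.startswith("ssh server permit interface")]
    if not permit:
        findings.append(("PERMIT_MISSING", "info",
                         "no permitted interface: the STelnet service cannot be enabled"))
    elif any(ln.split()[4:] == ["all"] for ln in permit):
        findings.append(("PERMIT_ALL", "warning",
                         "SSH reachable from all interfaces; restrict to management interfaces"))

    # ssh server port: default 22, otherwise 1025-55535.
    port = 22
    for ln in lines:
        m = re.fullmatch(r"ssh server port (\d+)", ln)
        if m:
            port = int(m.group(1))
    if port == 22:
        findings.append(("DEFAULT_PORT", "info", "SSH server listens on the standard port 22"))
    elif not 1025 <= port <= 55535:
        findings.append(("PORT_OUT_OF_RANGE", "error", f"port {port} is outside 1025-55535"))

    # ssh server-source: a stable (loopback) source simplifies ACLs and policies.
    if not any(ln.startswith("ssh server-source ") for ln in lines):
        findings.append(("NO_SERVER_SOURCE", "info",
                         "no source interface bound; a loopback interface is recommended"))

    # ssh server rekey-interval: default 0 means the server key pair is never updated.
    if not any(ln.startswith("ssh server rekey-interval ") for ln in lines):
        findings.append(("NO_REKEY", "info", "server key pair is never updated (default interval 0)"))

    # telnet server enable: plaintext protocol, STelnet is recommended instead.
    if "telnet server enable" in lines:
        findings.append(("TELNET_ENABLED", "warning",
                         "Telnet is enabled: credentials and data cross the network in plain text"))
    return findings


def finding_codes(text: str) -> Set[str]:
    """Convenience wrapper returning only the finding codes."""
    return {code for code, _, _ in audit_remote_access(text)}


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for code, severity, message in audit_remote_access(cfg):
            print(f"  [{severity}] {code}: {message}")
```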
ssh user assign
Function
The ssh user assign command assigns an existing public key to a user.
The undo ssh user assign command deletes the mapping between the user and public key.
By default, no public key is assigned to a user.
Format
ssh user user-name assign { rsa-key | ecc-key } key-name
undo ssh user user-name assign { rsa-key | ecc-key }
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. |
rsa-key | Specifies the RSA public key. | - |
ecc-key | Specifies the ECC public key. | - |
key-name | Specifies the client public key name. | The name is a string of 1 to 30 case-insensitive characters without a blank space. |
Usage Guidelines
Usage Scenario
When an SSH client needs to log in to the SSH server in RSA or ECC mode, run this command to assign a public key to the client. If the client has been assigned keys, the latest assigned key takes effect.
Precautions
The newly configured public key takes effect upon next login.
If the user named user-name to whom a public key is assigned does not exist, the system automatically creates an SSH user named user-name and performs the configured authentication for the SSH user.
ssh user authentication-type
Function
The ssh user authentication-type command configures the authentication mode for an SSH user.
The undo ssh user authentication-type command restores the default authentication mode for an SSH user.
By default, the password authentication mode is configured for an SSH user.
Format
ssh user [ user-name ] authentication-type { password | rsa | password-rsa | ecc | password-ecc | all }
undo ssh user user-name authentication-type
Parameters
Parameter | Description | Value |
---|---|---|
user-name | Specifies the SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. |
password | Specifies the password authentication mode. | - |
rsa | Specifies the RSA authentication mode. | - |
password-rsa | Specifies the password and RSA authentication mode. | - |
ecc | Specifies the ECC authentication mode. | - |
password-ecc | Specifies the password and ECC authentication mode. | - |
all | Specifies the password, RSA or ECC authentication mode. NOTE: In all authentication mode, the user priority depends on the authentication mode selected. If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/ECC authentication modes. Set relevant parameters as needed. | - |
Usage Guidelines
Usage Scenario
Table 4-35 describes the usage scenarios for different authentication modes.
Authentication Mode | Usage Scenario |
---|---|
RSA | It is a public key encryption architecture and an asymmetric encryption algorithm. Based on the problem of factoring large numbers, RSA is mainly used to transmit the keys of the symmetric encryption algorithm, which can improve encryption efficiency and simplify key management. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails and the user is denied access to the server. |
ECC | Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three cannot pass authentication, the user access is denied. Compared with the RSA algorithm, the ECC authentication has the following advantages: |
password | On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the user name and password. If either of them fails to be authenticated, the access request of the user is denied. The account information of users who are configured with the password authentication mode can be configured on devices or remote authentication servers (for example, RADIUS servers). |
password-rsa or password-ecc | The SSH server authenticates a client by checking both the public key and password. The client can be authenticated only when both the public key and password meet the requirement. |
all | In this authentication mode, the SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement. |
Precautions
A new SSH user cannot log in to the SSH server until it has been configured with an authentication mode. The newly configured authentication mode takes effect upon next login.
ssh user default-authentication-type
Function
The ssh user default-authentication-type command sets the default authentication mode for SSH users.
By default, the default authentication mode for SSH users is RSA authentication.
Only the AR651K, AR651, AR651-X8, AR651C, AR651F-Lite, AR651U-A4, AR651W-X4, AR651W-8P, AR651W, AR657W, AR6120, AR6121K, AR6121E, AR6121, AR6120-VW, AR6140K-9G-2AC, AR6140E-9G-2AC, and AR6140-9G-2AC support this function.
Only the AR6120-S, AR6140E-S, AR6140-S, AR6121-S, AR6121E-S, AR6121EC-S, and AR6121C-S support this function.
Only the AR-10 supports this function.
stelnet
Function
The stelnet command enables you to use the STelnet protocol to log in to another device from the current device.
Format
# IPv4 address
stelnet [ -a source-address ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
# IPv6 address
stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ -vpn6-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ]
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Specifies an IPv6 address. | - |
-a source-address | Specifies the STelnet source IP address. | - |
host-ip | Specifies the IP address or host name of the remote IPv4 STelnet server. | The value is a string of 1 to 255 case-insensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string. |
host-ipv6 | Specifies the IPv6 address or host name of the remote IPv6 STelnet server. | The value is a string of 1 to 255 case-insensitive characters without spaces. When double quotation marks are used around the string, spaces are allowed in the string. |
-oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is a link-local address, the outbound interface must be specified. |
port-number | Specifies the port number that the SSH server is listening on. | The value is an integer that ranges from 1 to 65535. The default value 22 is the standard port number. |
identity-key | Specifies the public key algorithm for server authentication. | The public key algorithms include RSA and ECC. |
user-identity-key | Specifies the public key algorithm for client authentication. | The public key algorithms include RSA and ECC. NOTE: If the user-identity-key parameter is not used, RSA authentication is used by default. You can specify ECC authentication using the user-identity-key parameter. |
prefer_kex | Specifies the preferred key exchange algorithm. | The dh_group15_sha512, dh_group14_sha256, dh_group14_sha1, dh_group1, and dh_exchange_group algorithms are supported. The default key exchange algorithm is dh_group14_sha256. NOTE: The length of the Diffie-hellman-group-exchange key exchange algorithm is dynamically negotiated and ranges from 1024 bits to 8192 bits. The length of the Diffie-hellman-group1 key exchange algorithm is 768 bits. The length of the Diffie-hellman-group14 key exchange algorithm is 2048 bits. The length of the Diffie-hellman-group15 key exchange algorithm is 3072 bits. |
prefer_ctos_cipher | Specifies the preferred encryption algorithm from the client to the server. | Encryption algorithms 3des, aes128, aes128-ctr, aes192-ctr, and aes256-ctr are supported. The default algorithms are aes128-ctr, aes192-ctr, and aes256-ctr. |
prefer_stoc_cipher | Specifies the preferred encryption algorithm from the server to the client. | Encryption algorithms 3des, aes128, aes128-ctr, aes192-ctr, and aes256-ctr are supported. The default algorithms are aes128-ctr, aes192-ctr, and aes256-ctr. |
prefer_ctos_hmac | Specifies the preferred HMAC algorithm from the client to the server. | The sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96 algorithms are supported. The default algorithm is sha2_256. |
prefer_stoc_hmac | Specifies the preferred HMAC algorithm from the server to the client. | The sha2_256, sha2_256_96, sha1, sha1_96, md5, and md5_96 algorithms are supported. The default algorithm is sha2_256. |
-vpn-instance vpn-instance-name | Specifies the name of the VPN instance to which the IPv4 server belongs. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
-vpn6-instance vpn-instance-name | Specifies the name of the VPN instance to which the IPv6 server belongs. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
-ki aliveinterval | Specifies the interval for sending keepalive packets when no packet is received. | The value is an integer that ranges from 1 to 3600, in seconds. |
-kc alivecountmax | Specifies the maximum number of keepalive packets that may go unanswered before the connection is released. | The value is an integer that ranges from 3 to 10. The default value is 5. |
Usage Guidelines
Usage Scenario
Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted using TCP in plain text. Compared with Telnet, SSH guarantees secure file transfer on a traditional insecure network by authenticating clients and encrypting data in bidirectional mode. The SSH protocol supports STelnet. You can run this command to use STelnet to log in to another device from the current device.
STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as the Telnet service.
When a fault occurs in the connection between the client and server, the client needs to detect the fault in real time and proactively release the connection. You need to set the interval for sending keepalive packets and the maximum number of times on the client that logs in to the server through STelnet.
- Interval for sending keepalive packets: If a client does not receive any packet within the specified interval, the client sends a keepalive packet to the server.
- Maximum number of times the server has no response: If the number of times that the server does not respond exceeds the specified value, the client proactively releases the connection.
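The client-side keepalive behaviour described in the two points above, as an added Python simulation (not Huawei's implementation): the monitor is fed the times at which packets arrive from the server, sends a keepalive once nothing has arrived for aliveinterval seconds, and releases the connection once the number of unanswered keepalives exceeds alivecountmax, as the text words it. The timelines are constructed sample input; the parameter ranges are the ones in the table above.

```python
"""Simulation of the -ki aliveinterval / -kc alivecountmax client logic (added example)."""
from typing import Iterable, List, Optional, Tuple


def simulate_keepalive(aliveinterval: int, alivecountmax: int,
                       rx_times: Iterable[int], end_time: int) -> Tuple[List[int], Optional[int]]:
    """Step through integer seconds and return (keepalive_send_times, release_time).

    rx_times are the seconds at which any packet arrives from the server;
    release_time is None if the connection is still up at end_time.
    """
    if not 1 <= aliveinterval <= 3600:
        raise ValueError("-ki must be 1..3600 seconds")
    if not 3 <= alivecountmax <= 10:
        raise ValueError("-kc must be 3..10")

    rx = set(rx_times)
    last_activity = 0      # last time we heard from the server or probed it
    unanswered = 0         # consecutive keepalives without a reply
    probes: List[int] = []

    for now in range(1, end_time + 1):
        if now in rx:
            # Any packet from the server clears the miss counter.
            last_activity, unanswered = now, 0
            continue
        if now - last_activity >= aliveinterval:
            # Silent for a full interval: send a keepalive and count it as pending.
            probes.append(now)
            last_activity = now
            unanswered += 1
            if unanswered > alivecountmax:   # "exceeds the specified value" in the text
                return probes, now           # client proactively releases the connection
    return probes, None


if __name__ == "__main__":
    # Server answers at t=5 and then goes silent; matches "stelnet ... -ki 10 -kc 4".
    print(simulate_keepalive(10, 4, [5], 100))        # ([15, 25, 35, 45, 55], 55)
    # Server keeps answering every 5 s: no keepalive is ever needed.
    print(simulate_keepalive(10, 4, range(0, 101, 5), 100))   # ([], None)
```

With -ki 10 -kc 4 and a server that stops responding, the client notices the failure after roughly 10 s and drops the session after a further 40 s of probing rather than waiting for the TCP stack to time out.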
Precautions
Enable the STelnet service on the SSH server using the stelnet server enable command before connecting to the SSH server with the stelnet command.
The SSH client can log in to the SSH server with no port specified only when the server is listening on port 22. If the server is listening on another port, the port number must be specified upon login.
- For security purposes, you are advised to use the AES128, AES128-CTR, AES192-CTR, or AES256-CTR encryption algorithms and the SHA2_256 HMAC algorithm rather than the weaker options.
Example
# Set keepalive parameters when the client logs in to the server through STelnet.
<Huawei> system-view
[Huawei] stelnet 10.164.39.209 -ki 10 -kc 4
# Log in to an IPv6 STelnet server and prefer the aes128 encryption algorithm from the client to the server.
<Huawei> system-view
[Huawei] stelnet ipv6 fc00:2001:db8::1 prefer_ctos_cipher aes128
stelnet server enable
Function
The stelnet server enable command enables the STelnet service on the SSH server.
The undo stelnet server enable command disables the STelnet service on the SSH server.
By default, the STelnet service is disabled on the SSH server.
Usage Guidelines
Usage Scenario
To connect a client to the SSH server through STelnet, you must enable the STelnet service on the SSH server.
Prerequisites
The interfaces on the SSH server to which clients can connect have been specified by running the ssh server permit interface { { interface-type interface-number } &<1-5> | all } command. If no interface is specified, the STelnet service cannot be enabled.
Precautions
After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.
super
Parameters
Parameter | Description | Value |
---|---|---|
level | Specifies the target user level. | The value is an integer that ranges from 0 to 15. By default, a user is switched to level 3. |
Usage Guidelines
Usage Scenario
Users are assigned one of 16 levels, and these levels correspond to command levels. After logging in to the device, users can use only the commands whose levels are equal to or lower than their user levels.
When a user is switched from a lower level to a higher level, the device requires the user to enter the authentication password for the higher user level to authenticate the user identity, preventing unauthorized users from logging in to the device. You can run the super password command to set an authentication password used to switch a user from a lower level to a higher level.
If the entered target user level is lower than or equal to the current user level, the system directly sets the entered user level as the target user level, and displays a message. If the target level is higher than the current user level, the system asks the user to enter the authentication password.
The password entered by a user is not displayed on the screen. If the user enters the correct password within three attempts, the system switches the user to the higher user level; otherwise, the user level remains unchanged.
- The configured target level takes effect only for the current user. The user level restores to the original level the next time the user logs in.
- The password is a string of 8 to 16 characters.
- The password must be a combination of at least two of the following: uppercase letters, lowercase letters, digits, and special characters. Special characters include ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ? and spaces.
- The password must be the same as the password set using the super password command.
super password
Function
The super password command sets an authentication password used to switch a user from a lower level to a higher level.
The undo super password command deletes an authentication password used to switch a user from a lower level to a higher level.
By default, no switching password is configured. You must set the authentication password before switching a user from a lower level to a higher level; otherwise, the switching fails.
Parameters
Parameter | Description | Value |
---|---|---|
level user-level | Specifies the target user level. | The value is an integer that ranges from 1 to 15. The target user level must be lower than or equal to the current user level. By default, the authentication password is set to switch a user to level 3. |
cipher | Indicates that the configured password is displayed in cipher text. | - |
Usage Guidelines
Usage Scenario
If rights are reconfigured, you need to run the super command to switch a user from a lower level to a higher level. When a user is switched from a lower level to a higher level, the device authenticates the user identity to prevent unauthorized users from logging in to the device. Users at a higher level can run the super password command to set an authentication password used to switch a user from a lower level to a higher level, so that the device can authenticate the user identity.
- The target user level must be lower than or equal to the current user level.
- The entered authentication password must meet the following requirements:
  - It is a string of 8 to 16 characters entered only in plain text. After you run the set password min-length command, the minimum password length is the length set using that command.
  - It must be a combination of at least two of the following: uppercase letters, lowercase letters, digits, and special characters. Special characters include ` ~ ! @ # $ % ^ & * ( ) - _ = + \ | [ { } ] ; : ' " , < . > / ? and spaces.
  - The password entered in interactive mode is not displayed on the screen. When setting the password in interactive mode, you can press CTRL+C to cancel the password setting.
- If this command is run, passwords entered by users will be saved in cipher text in the configuration file. Therefore, a configured password cannot be retrieved from the system. Keep the password safe.
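The password rules stated for the super and super password commands, as an added Python check (not Huawei's implementation): 8 to 16 characters, with a higher minimum when set password min-length has been configured (modelled here by the min_length argument, an assumption), at least two of the four character classes, and only the special characters listed in this section, space included. The sample passwords are constructed.

```python
"""Validator for the super password complexity rules (added example)."""
import string
from typing import List, Tuple

# The special characters listed in the reference, with space at the end.
SPECIALS = set("`~!@#$%^&*()-_=+\\|[{}];:'\",<.>/? ")
ALLOWED = set(string.ascii_letters + string.digits) | SPECIALS


def check_super_password(password: str, min_length: int = 8) -> Tuple[bool, List[str]]:
    """Return (ok, reasons). min_length models 'set password min-length' (assumed interface)."""
    reasons: List[str] = []

    if not min_length <= len(password) <= 16:
        reasons.append(f"length must be {min_length} to 16 characters")

    classes = {
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    if sum(classes.values()) < 2:
        reasons.append("need at least two of: uppercase letters, lowercase letters, digits, special characters")

    # Anything outside letters, digits and the listed special characters is rejected.
    bad = sorted({c for c in password if c not in ALLOWED})
    if bad:
        reasons.append("characters not permitted: " + repr("".join(bad)))

    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Sw1tch#Up", "abcdefgh", "Ab1", "Sw1tch#Up\t"):   # constructed samples
        ok, why = check_super_password(candidate)
        print(repr(candidate), "OK" if ok else "; ".join(why))
```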
telnet
Function
The telnet command enables you to use the Telnet protocol to log in to another device from the current device.
Format
# Log in to another device through Telnet based on IPv4.
telnet [ vpn-instance vpn-instance-name ] [ -a source-ip-address ] host-ip [ port-number ]
# Log in to another device through Telnet based on IPv6.
telnet ipv6 [ -a source-ip-address ] [ vpn6-instance vpn6-instance-name ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ]
Parameters
Parameter | Description | Value |
---|---|---|
vpn-instance vpn-instance-name | Specifies the name of the IPv4 VPN instance of the device to log in to through Telnet. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
-a source-ip-address | By specifying a source IP address, you can use this address to communicate with the server for high network security. If no source address is specified, the system will use the IP address of the local outbound interface to initiate a Telnet connection. | - |
vpn6-instance vpn6-instance-name | Specifies the name of the IPv6 VPN instance of the device to log in to through Telnet. | The value is a string of 1 to 31 case-sensitive characters, spaces not supported. When double quotation marks are used around the string, spaces are allowed in the string. |
host-ip | Specifies the IPv4 address or host name of the remote device. | The value is a string of 1 to 255 case-insensitive characters without spaces. |
host-ipv6 | Specifies the IPv6 address or host name of the remote device. | The value is a string of 1 to 255 case-insensitive characters without spaces. |
-oi interface-type interface-number | Specifies the outbound interface on the local device. | If the IPv6 address of the remote host is a link-local address, the outbound interface must be specified. |
port-number | Specifies the number of the TCP port that is used by the remote device to provide the Telnet service. | The value is an integer that ranges from 1 to 65535. The default value is 23. |
Usage Guidelines
Usage Scenario
If one or more devices on the network need to be configured and managed, you do not need to connect each device to your terminal for local maintenance. If you know the IP address of a device, you can run this command to log in to it from your terminal for remote configuration. In this way, you can use one terminal to maintain multiple devices on the network.
You can press Ctrl_] to terminate an active connection between the local and remote devices.
Precautions
Before you run the telnet command to connect to the Telnet server, the Telnet client and server must be able to communicate through Layer 3 and the Telnet service must be enabled on the Telnet server.
Logins through Telnet bring security risks because Telnet does not provide any authentication mechanism and data is transmitted using TCP in plain text. STelnet is recommended for networks with high security requirements.
telnet client-source
Function
The telnet client-source command specifies the source IP address and interface for a Telnet client.
The undo telnet client-source command restores the default settings.
The default source IP address of the Telnet client is 0.0.0.0.
Format
telnet client-source { -a source-ip-address | -i interface-type interface-number }
undo telnet client-source
Parameters
Parameter | Description | Value |
---|---|---|
-a source-ip-address | Specifies the IPv4 address of the local router. | - |
-i interface-type interface-number | Specifies the outbound interface of the local router. | - |
Usage Guidelines
Usage Scenario
If the source IP address and interface are not specified in the telnet command, the default settings configured by telnet client-source are used. If the source IP address and interface are specified in the telnet command, the specified settings are used. When you check the current Telnet connection on the server, the IP address displayed is the specified source IP address or the primary IP address of the specified interface.
Precautions
If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
telnet server-source
Function
The telnet server-source command specifies a source IP address for a Telnet server.
The undo telnet server-source command deletes the source IP address of a Telnet server.
By default, the source interface of a Telnet server is not specified.
Format
telnet server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }
undo telnet [ ipv6 ] server-source
Parameters
Parameter | Description | Value |
---|---|---|
ipv6 | Configures the Telnet server to support an IPv6 source address. | - |
-a source-ip-address | Specifies the source IP address for the Telnet server. The loopback IP address is recommended. | - |
-i interface-type interface-number | Specifies the loopback interface of the Telnet server as the source interface. If no loopback interface is configured or no IP address is configured for the source interface, the command fails to be executed. | - |
Usage Guidelines
Usage Scenario
If no source IP address is specified, the Telnet server uses the source IP address specified by routes to send packets. The source IP address must be configured for an interface with stable performance, such as the loopback interface. Using the loopback interface as the source IP address simplifies the ACL rule and security policy configuration. This shields the IP address differences and interface status impact, filters incoming and outgoing packets, and implements security authentication.
Precautions
- After the source IP address is specified for the Telnet server, you must use the specified IP address to log in to the Telnet server.
- If the Telnet service has been enabled, the Telnet service restarts after the telnet server-source command is executed.
- If the specified source interface has been bound to a VPN instance, the server is automatically bound to the same VPN instance.
Example
# Set the source IP address of the Telnet server to LoopBack0.
<Huawei> system-view
[Huawei] telnet server-source -i loopback 0
Warning: To make the server source configuration take effect, the telnet server will be restarted. Continue? [Y/N]: y
Info: Succeeded in setting the source interface of the telnet server to LoopBack0
Info: Telnet is insecure, recommended to use stelnet with encryption features.
telnet server permit interface
Function
The telnet server permit interface command specifies interfaces on the Telnet server to which clients can connect.
The undo telnet server permit interface command deletes the specified interfaces and restores the default configuration.
By default, the Telnet server does not allow clients to connect to it through all interfaces.
Format
telnet server permit interface { interface-type interface-number } &<1-5>
telnet server permit interface all
undo telnet server permit interface
Parameters
Parameter | Description | Value |
---|---|---|
interface-type interface-number | Specifies an interface to which clients can connect on the Telnet server. interface-type specifies the interface type. interface-number specifies the interface number. interface-type and interface-number together specify an interface. NOTE: Only physical interfaces are supported in versions earlier than V300R021C10SPC100. | - |
all | Allows clients to connect to all interfaces on the Telnet server. | - |
Usage Guidelines
Usage Scenario
To prevent clients from connecting to the Telnet server through unauthorized interfaces, you can run the telnet server permit interface command to specify interfaces on the Telnet server to which clients can connect.
Precautions
- This command does not take effect on the MEth management interface. The Telnet server always allows clients to connect to it through the MEth management interface.
- By default, clients can connect to all interfaces on the Telnet server. Once a specific interface is specified using this command, a client cannot connect to the Telnet server through any other interface.
- A maximum of five interfaces can be specified using the telnet server permit interface { interface-type interface-number } &<1-5> command. The latest configuration overrides the previous one. For example, if clients can currently connect to three interfaces (GigabitEthernet 1/0/0, GigabitEthernet 2/0/0, and GigabitEthernet 3/0/0) on the Telnet server and you run the command specifying only GigabitEthernet 1/0/0, clients can then connect only through GigabitEthernet 1/0/0.
- If no interface is specified on the Telnet server to allow clients to connect to the server, the Telnet service cannot be enabled.
- The undo telnet server permit interface command can be executed only after the Telnet service is disabled.
Example
# Allow clients to connect to all interfaces on the Telnet server.
<Huawei> system-view
[Huawei] telnet server permit interface all
Warning: Allowing access from all interfaces is insecure.
# Specify interfaces on the Telnet server to which clients can connect.
<Huawei> system-view
[Huawei] telnet server permit interface gigabitethernet 1/0/0 gigabitethernet 2/0/0
Info: Succeeded in setting telnet permit interface.
# Delete the configured interfaces.
<Huawei> system-view
[Huawei] undo telnet server permit interface
telnet server enable
Function
The telnet server enable command enables the Telnet server function.
The undo telnet server enable command disables the Telnet server function.
By default, the Telnet server function is disabled.
Usage Guidelines
Usage Scenario
You can run this command to enable and disable the Telnet server function. A Telnet server can be connected only when the Telnet server function is enabled.
When the undo telnet [ ipv6 ] server enable command is executed to disable the Telnet server function, an online Telnet user goes offline because the Telnet service is disabled.
When the Telnet server function is disabled, you can log in to the device only through the console port or SSH.
STelnet V2 is more secure than Telnet, and is therefore recommended.
Prerequisites
The interfaces on the Telnet server to which clients can connect have been specified by running the telnet server permit interface { { interface-type interface-number } &<1-5> | all } command. If no interface is specified, the Telnet service cannot be enabled.
Example
# Enable the Telnet server function.
<Huawei> system-view
[Huawei] telnet server permit interface all
Warning: Allowing access from all interfaces is insecure.
[Huawei] telnet server enable
# Disable the Telnet server function.
<Huawei> system-view
[Huawei] undo telnet server enable
# Enable the IPv6 Telnet server function.
<Huawei> system-view
[Huawei] telnet server permit interface all
Warning: Allowing access from all interfaces is insecure.
[Huawei] telnet ipv6 server enable
telnet server port
Function
The telnet server port command configures the listening port number of a Telnet server.
The default listening port of a Telnet server is 23.
Parameters
Parameter | Description | Value |
---|---|---|
port-number | Specifies the listening port number of a Telnet server. | The value is an integer that is 23, or ranges from 1025 to 1999, or ranges from 5001 to 55535. The default value 23 is the standard Telnet server port number. |
Usage Guidelines
Usage Scenario
To protect the Telnet standard port against attacks and ensure network security, configure the listening port number of the Telnet server.
Precautions
A Telnet client can log in to the server with no port specified only when the server is listening on port 23. If the server is listening on another port, the port number must be specified upon login.
Before changing the current port number, disconnect all devices from the port. After the port number is changed, the server starts to listen on the new port.
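The telnet server permit interface, telnet server enable, telnet server port and telnet server-source sections above each state a constraint or a recommendation (at most five permitted interfaces, "permit interface all" is insecure, a listening port of 23 or 1025-1999 or 5001-55535, a loopback source address, and STelnet instead of Telnet). The following Python script is an added example, not Huawei code or output from the device: it parses a constructed configuration excerpt for exactly those commands and reports the settings a reviewer would flag. The sample configurations, the finding codes and the parsing rules are all assumptions made for this example.

```python
import re

# Listening-port values the 'telnet server port' command accepts (from the reference).
VALID_PORT_RANGES = ((23, 23), (1025, 1999), (5001, 55535))
# 'telnet server permit interface { interface-type interface-number } &<1-5>'
MAX_PERMIT_INTERFACES = 5


def telnet_port_is_valid(port):
    """True if port is 23, 1025-1999 or 5001-55535."""
    return any(lo <= port <= hi for lo, hi in VALID_PORT_RANGES)


def parse_interfaces(arg):
    """'gigabitethernet 1/0/0 gigabitethernet 2/0/0' -> ['gigabitethernet 1/0/0', ...]."""
    tokens = arg.split()
    return [f"{t} {n}" for t, n in zip(tokens[0::2], tokens[1::2])]


def parse_user_login_settings(config_text):
    """Extract the Telnet and lock settings documented in this section.

    Defaults follow the reference: Telnet server disabled, port 23, lock type ip.
    Only the command forms shown on the page are recognised (an assumption).
    """
    s = {"telnet_enabled": False, "permit": None, "port": 23,
         "source": None, "lock_type": "ip"}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line in ("telnet server enable", "telnet ipv6 server enable"):
            s["telnet_enabled"] = True
        elif line == "telnet server permit interface all":
            s["permit"] = "all"
        elif line.startswith("telnet server permit interface "):
            s["permit"] = parse_interfaces(line[len("telnet server permit interface "):])
        elif (m := re.fullmatch(r"telnet server port (\d+)", line)):
            s["port"] = int(m.group(1))
        elif line.startswith("telnet server-source "):
            s["source"] = line[len("telnet server-source "):]
        elif (m := re.fullmatch(r"system lock type (ip|none)", line)):
            s["lock_type"] = m.group(1)
    return s


def audit(settings):
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    permit = settings["permit"]
    if permit not in (None, "all") and len(permit) > MAX_PERMIT_INTERFACES:
        findings.append(("TOO_MANY_INTERFACES",
                         "more than 5 permitted interfaces; the command accepts &<1-5>"))
    if not telnet_port_is_valid(settings["port"]):
        findings.append(("PORT_INVALID",
                         f"port {settings['port']} is outside 23, 1025-1999, 5001-55535"))
    if settings["lock_type"] == "none":
        findings.append(("LOCK_NONE", "IP locking after failed logins is disabled"))
    if settings["telnet_enabled"]:
        findings.append(("TELNET_ENABLED", "Telnet is unencrypted; STelnet is recommended"))
        if permit == "all":
            findings.append(("PERMIT_ALL", "clients may connect on every interface"))
        if settings["port"] == 23:
            findings.append(("PORT_DEFAULT", "server listens on the standard Telnet port 23"))
        if settings["source"] is None:
            findings.append(("NO_SOURCE", "no server source address; a loopback is recommended"))
    return findings


# Constructed sample excerpts (not taken from a real device).
WEAK_CONFIG = """\
#
 telnet server enable
 telnet server permit interface all
 system lock type none
#
"""

HARDENED_CONFIG = """\
#
 stelnet server enable
 telnet server permit interface gigabitethernet 1/0/0 gigabitethernet 2/0/0
 telnet server port 5022
 telnet server-source -i loopback 0
 system lock type ip
#
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for code, msg in audit(parse_user_login_settings(cfg)) or [("OK", "no findings")]:
            print(f"  {code}: {msg}")
```

Findings about permitted interfaces, the default port and the missing source address are only raised when the Telnet server is actually enabled, because they describe exposure of a running service; the interface-count and port-range checks are raised unconditionally since they describe configuration the device would reject.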
transparent-mode enable
Function
The transparent-mode enable command enables the transparent transmission mode for redirection on a serial port.
The undo transparent-mode enable command disables the transparent transmission mode for redirection on a serial port.
By default, the transparent transmission mode for redirection on a serial port is disabled.
Usage Guidelines
Usage Scenario
By default, the device checks data redirected from a serial port and discards any data it cannot identify, which corrupts the original data stream. You can run the transparent-mode enable command to preserve the original data: the device then transmits the data transparently without checking it.
Prerequisites
The redirection function has been enabled using the redirect enable command.
system lock type
Function
The system lock type command sets the type of a locked object.
By default, the system locks an IP address. That is, when a user uses SFTP, STelnet, Telnet, or FTP to log in to the device, the system locks the IP address of the user if the number of login failures reaches the specified value.
Parameters
Parameter | Description | Value |
---|---|---|
ip | Enables the device to lock the IP addresses of users who fail authentication. | - |
none | Disables the device from locking the IP addresses of users who fail authentication. | - |
Usage Guidelines
To ensure service security, the device locks the IP addresses of users who fail to log in to the device using SFTP, STelnet, Telnet, or FTP.
If a user enters an incorrect user name or password, the device adds the user's IP address to the blacklist and locks it for 5 seconds upon the first login failure, 10 seconds upon the second, and 20 seconds upon the third. If the user enters incorrect user names or passwords five consecutive times, the device locks the user for 300 seconds upon the sixth login failure. While the IP address is locked, it cannot be used to set up a connection in a new window because it is in the blacklist. If, after the locking duration expires, the user enters the correct user name and password and logs in successfully, the IP address is removed from the blacklist and a recovery log is generated. If the login fails again, the user is locked for another 300 seconds. A maximum of 32 IP addresses can be locked at the same time; if more than 32 IP addresses are added to the blacklist, a new IP address overwrites the earliest one.
By default, the device locks a user's IP address after the user fails authentication. If you do not need to lock the IP address of a user who fails authentication, run the system lock type none command and delete the IP addresses from the blacklist as prompted. After the IP address locking function is disabled, the IP address of a user who enters an incorrect user name or password when logging in through Telnet, STelnet, FTP, or SFTP is not added to the blacklist, that is, the IP address is not locked.
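The lock behaviour described above (escalating durations, a 32-entry blacklist that overwrites its earliest entry, removal on a successful login after the lock expires, and system lock type none clearing the records) is modeled below in Python as an added example. It is not Huawei code and does not reproduce the device's implementation; the 40 s and 80 s durations for the fourth and fifth failures are an assumption that continues the doubling, because the reference states only the first three values and the 300 s value from the sixth failure onward. The model also assumes that an attempt made while an address is locked is refused without counting as a further failure.

```python
from collections import OrderedDict
from dataclasses import dataclass

MAX_LOCKED_IPS = 32                  # blacklist capacity stated in the reference
LOCK_SCHEDULE = [5, 10, 20, 40, 80]  # seconds for failures 1..5; 40 and 80 are an ASSUMPTION
LOCK_MAX = 300                       # seconds from the sixth failure onward


def lock_duration(failures):
    """Lock time applied after the n-th consecutive failure from one IP address."""
    if failures <= len(LOCK_SCHEDULE):
        return LOCK_SCHEDULE[failures - 1]
    return LOCK_MAX


@dataclass
class LockRecord:
    failures: int
    locked_until: float


class IpLockTable:
    """Per-IP login-failure blacklist in the style of 'system lock type ip'."""

    def __init__(self, lock_type="ip"):
        self.lock_type = lock_type
        self.blacklist = OrderedDict()  # ip -> LockRecord, earliest entry first
        self.log = []

    def set_lock_type(self, lock_type):
        """'system lock type none' also deletes the existing lock records."""
        if lock_type == "none":
            self.blacklist.clear()
        self.lock_type = lock_type

    def is_locked(self, ip, now):
        rec = self.blacklist.get(ip)
        return rec is not None and now < rec.locked_until

    def attempt(self, ip, credentials_ok, now):
        """Process one login attempt; returns 'accepted', 'rejected' or 'locked'."""
        if self.lock_type == "none":
            # Locking disabled: failures are refused but never blacklisted.
            return "accepted" if credentials_ok else "rejected"
        if self.is_locked(ip, now):
            # Assumption: an attempt during the lock is refused and not counted.
            return "locked"
        if credentials_ok:
            # Successful login after the lock expired: remove the record, log recovery.
            if self.blacklist.pop(ip, None) is not None:
                self.log.append(f"recovery: {ip} removed from blacklist at t={now}")
            return "accepted"
        rec = self.blacklist.get(ip)
        if rec is None:
            if len(self.blacklist) >= MAX_LOCKED_IPS:
                # Blacklist full: the earliest entry is overwritten.
                oldest, _ = self.blacklist.popitem(last=False)
                self.log.append(f"blacklist full: {oldest} overwritten")
            rec = LockRecord(failures=0, locked_until=0.0)
            self.blacklist[ip] = rec
        rec.failures += 1
        # After the sixth failure the counter stays >= 6, so every later failure
        # (including one after the 300 s lock expires) locks for 300 s again.
        duration = lock_duration(rec.failures)
        rec.locked_until = now + duration
        self.log.append(f"lock: {ip} for {duration}s (failure #{rec.failures})")
        return "rejected"


if __name__ == "__main__":
    # Constructed timeline: six failures back-to-back, then a correct login.
    table = IpLockTable()
    t = 0
    for _ in range(6):
        table.attempt("192.0.2.10", False, t)
        t = table.blacklist["192.0.2.10"].locked_until
    print(table.attempt("192.0.2.10", True, t - 1), "at t =", t - 1)
    print(table.attempt("192.0.2.10", True, t), "at t =", t)
    print("\n".join(table.log))
```

The model is useful for reasoning about alerting thresholds: a single address cannot produce more than six rejections in the first 155 seconds of the constructed timeline, so a burst of failures well above that rate from one source indicates attempts that the device refused during the lock rather than attempts it authenticated.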
Example
# Enable the device to lock the IP addresses of users who fail authentication.
<Huawei> system-view
[Huawei] system lock type ip
# Disable the device from locking the IP addresses of users who fail authentication.
<Huawei> system-view
[Huawei] system lock type none
Info:All ip lock records logged in via telnet, stelnet, ftp and sftp will be deleted. Continue? [Y/N]:y