CloudEngine S5700 and S6700 V600R022C00 Configuration Guide - Basic Configuration
Failed to Log In to the SSH Server Using STelnet
Procedure
- Check whether the SSH service is enabled on the SSH server.
Log in to the SSH server through the console port or Telnet. Run the display ssh server status command to check the configuration on the SSH server.
If STelnet is disabled, run the stelnet server enable command to enable the STelnet server function on the SSH server.
- Check whether the access protocol is correctly configured in the VTY user interface view on the SSH server.
Run the user-interface vty command on the SSH server to enter the user interface view. Run the display this command to check whether protocol inbound of the VTY user interface is ssh or all. (By default, the user interface supports all protocol types, including SSH and Telnet.) If not, run the protocol inbound { ssh | all } command to allow STelnet users to access the device.
- Check whether an SSH user is configured on the SSH server.
Run the display ssh user-information command to check the SSH user configuration. If no user is configured, run the ssh user, ssh user authentication-type, and ssh user service-type commands in the system view to create an SSH user and configure its authentication mode and service type.
- Check whether the number of users who have logged in to the SSH server reaches the upper limit.
Log in to the device through the console port. Then, run the display users command to check whether the current VTY user interfaces are all occupied. You can run the display user-interface maximum-vty command to check the maximum number of VTY user interfaces.
If the number of current VTY user interfaces reaches the upper limit, run the user-interface maximum-vty 21 command to increase the maximum number of VTY user interfaces to 21.
- Check whether an ACL is bound to the VTY user interface of the SSH server.
Run the user-interface vty command on the SSH server to enter the SSH user interface view. Run the display this command to check whether an ACL has been configured on the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule, and then run the rule permit source source-ip-address source-wildcard command in the ACL view to permit the client IP address.
- Check the SSH versions of the SSH client and server.
Run the display ssh server status command on the SSH server to check the SSH version information.
- Check whether first login is enabled for the SSH client.
Run the display this command in the system view of the SSH client to check whether first login is enabled for the SSH client.
If not, the initial login of the STelnet client to the SSH server fails because the validity check on the RSA public key of the SSH server fails. In this case, run the ssh client first-time enable command to enable first login for the SSH client.
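For the ACL check in the procedure above, the following added example (not part of the original guide and not Huawei code) finds which rule first matches a client IP address by applying the source/wildcard comparison to rule lines copied from display acl output. The sample ACL text is constructed, the assumed line format is `rule <id> permit|deny [source <ip> <wildcard>]`, and rules are assumed to be evaluated in ascending rule-id order; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample in the style of "display acl" output (not captured from a device).
SAMPLE_ACL = """\
Basic ACL 2000, 3 rules
 rule 5 deny source 10.1.1.0 0.0.0.255
 rule 10 permit source 10.1.0.0 0.0.255.255
 rule 15 deny
"""

# Assumed rule line format: rule <id> permit|deny [source <ip>|any [<wildcard>|0]]
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)"
    r"(?:\s+source\s+(?P<src>any|\d+(?:\.\d+){3})"
    r"(?:\s+(?P<wild>\d+(?:\.\d+){3}|0))?)?"
)

def parse_rules(text):
    """Return (rule_id, action, address, wildcard) tuples sorted by rule id."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header or unrelated line
        src, wild = m["src"], m["wild"]
        if src is None or src == "any":
            addr, mask = 0, 0xFFFFFFFF  # no source condition: matches every address
        else:
            addr = int(ipaddress.IPv4Address(src))
            # A missing wildcard or "0" means an exact host match.
            mask = 0 if wild in (None, "0") else int(ipaddress.IPv4Address(wild))
        rules.append((int(m["id"]), m["action"], addr, mask))
    return sorted(rules)

def first_match(rules, client_ip):
    """Return (rule_id, action) of the first rule matching client_ip, or None."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for rule_id, action, addr, wild in rules:
        # Wildcard bits set to 1 are ignored; all other bits must be equal.
        if (ip ^ addr) & ~wild & 0xFFFFFFFF == 0:
            return rule_id, action
    return None

if __name__ == "__main__":
    for client in ("10.1.1.20", "10.1.2.20", "192.168.0.1"):
        print(client, first_match(parse_rules(SAMPLE_ACL), client))
```

A `None` result means no rule in the ACL mentions the client at all, so the fix is to add a permit rule rather than to delete a deny rule.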