CloudEngine S8700 V600R022C10 Command Reference

SSH Configuration Commands

activate ssh server ip-block ip-address

Function

The activate ssh server ip-block ip-address command unlocks the IP address of a user that fails the SSH connection authentication.

Format

activate ssh server ip-block ip-address ip-address [ vpn-instance vpn-name ]

Parameters

Parameter Description Value
ip-address

Specifies a locked IP address.

  • For an IPv4 address, the value is in decimal format.
  • For an IPv6 address, the value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X.
vpn-instance vpn-name

Specifies the name of a VPN to which the locked user belongs.

The value is a string of 1 to 31 case-sensitive characters.

When quotation marks are used around the string, spaces are allowed in the string.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

In an SSH connection, if a user enters an incorrect password six consecutive times within 5 minutes, the IP address of that user is blocked for 5 minutes. To unlock the IP address before the 5 minutes elapse, run the activate ssh server ip-block ip-address command.

Example

# Unlock the IP address 10.1.2.3.
<HUAWEI> activate ssh server ip-block ip-address 10.1.2.3

bye (SFTP client view)

Function

The bye command enables the system to disconnect from the remote SFTP server and return to the SFTP client view.

Format

bye

Parameters

None

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to return to the system view from the SFTP client view.

Example

# Disconnect from the SFTP server using the bye command.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> bye

cd (SFTP client view)

Function

The cd command changes the current working path or directory on the remote SFTP server.

Format

cd [ path ]

Parameters

Parameter Description Value
path

Specifies the name of the target path or directory on the SFTP server.

The value is a string. The absolute path of the directory ranges from 1 to 255 case-insensitive characters without a blank space.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the cd command to change the current working directory. The root directory is the default working directory.

Prerequisites

To execute this command, you must log in to the SFTP server and enter the SFTP client view.

Precautions

The path specified in this command must exist on the server. If no path is specified, the current working directory of the SSH user is displayed.

Example

# Switch the current working path or directory of SSH users to directory-test.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> cd /directory-test

cdup (SFTP client view)

Function

The cdup command switches the user from the current directory to the directory one level up on the SFTP server.

Format

cdup

Parameters

None

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to access another authorized directory on the SFTP server.

Prerequisites

To execute this command, you must log in to the SFTP server and enter the SFTP client view.

Configuration Impact

If the current directory is already the top-level directory (for example, the directory that the SFTP service authorizes for the SSH user), the current directory is displayed unchanged.

Precautions

To use this command, a session must be established between the SFTP client and the SFTP server. The command moves the user from the current directory to the directory one level up on the SFTP server.

Example

# Switch the current directory of the user to the upper-level directory.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> cdup
Current directory is:
/

delete (SFTP client view)

Function

The delete command deletes the specified file from the SFTP server.

Format

delete file

Parameters

Parameter Description Value
file

Specifies the file name.

The value is a string. The absolute path of the file is 1 to 1060 characters long and may contain alphanumeric and special characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can delete a maximum of 10 files at a time.

Example

# Delete the file test.cc on the server.
<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.223
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Enter password:   
sftp-client> delete test.cc
Are you sure to delete it?(Y/N): Y
Successfully deleted the file: /home/test.cc
# Delete the file test.cc on the server.
<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.223
Trying 10.164.39.223 ...
Press CTRL+K to abort
Connected to 10.164.39.223 ...
Please input the username: client001
Enter password:   
sftp-client> delete ./test.cc
Warning: Are you sure to delete it? [Y/N]: Y
Info: Successfully deleted the file: /test.cc

dir (SFTP client view)

Function

The dir command displays the list of directories and files in the specified directory of the remote machine.

By default, the details about the current directory are displayed.

Format

dir [ remote-directory [ local-filename ] ]

Parameters

Parameter Description Value
remote-directory

Specifies the remote directory name.

The value is a string of 1 to 255 case-sensitive characters without a blank space.

local-filename

Specifies the saved local file name.

The value is a string of 1 to 255 case-sensitive characters without a blank space.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run the dir command to query files in a specified directory on the SFTP server. After the local-filename parameter is set, the file content can be saved to a local file.

Precautions

The Flash has internal partitions. The remaining space information shown in the dir flash: command output greatly differs from that shown in the dir flash:/logfile/ command output. Before you install the target system software, run the dir flash: command to verify whether the remaining space is sufficient.

Example

# Query the directory names.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1.
220 VRPV8 SFTP service ready.
User(1.1.1.1:(none)):sftp
331 Password required for sftp.
Enter password:
sftp-client> dir
# Query the directory named new_folder on the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1.
220 VRPV8 SFTP service ready.
User(1.1.1.1:(none)):sftp
331 Password required for sftp.
Enter password:
sftp-client> dir new_folder
# Query the new_folder and save the query result in the file output.txt.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1.
220 VRPV8 SFTP service ready.
User(1.1.1.1:(none)):sftp
331 Password required for sftp.
Enter password:
sftp-client> dir new_folder output.txt

display dsa peer-public-key

Function

The display dsa peer-public-key command displays information about the DSA public key configured on the remote end.

Format

display dsa peer-public-key

display dsa peer-public-key brief

display dsa peer-public-key name key-name

Parameters

Parameter Description Value
brief

Displays the brief information about the DSA public key configured on the remote end.

-

name key-name

Displays the DSA public key with the specified name configured on the remote end.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display information about the public key in the DSA key pair configured on the remote end connected to the local device functioning as an SSH client, run the display dsa peer-public-key command. The public key enables the server to authenticate users and permits the login requests of authorized users.

Prerequisites

Before running the display dsa peer-public-key command, run the dsa peer-public-key command to generate the peer public key.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the brief information about all the DSA public keys.
<HUAWEI> display dsa peer-public-key brief
------------------------------------------
      Bits Name                           
------------------------------------------
      2048 dsakey001                      
      2048 key                            
      1024 test                           
------------------------------------------
# Display the detailed information about the DSA public key named dsakey001.
<HUAWEI> display dsa peer-public-key name dsakey001
=====================================
    Key name: dsakey001
    Encoding type: DER
=====================================
Key code:
30820322
  02820100
    DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE 8B9E36D3 E4EB9CD6 EB7FD210
    219AC0F4 1AD47BF1 EACD435D 39AFA8FA CB6A7819 305EE147 E428912E 60452B37
    CA17D611 C2EE4C46 B4BC7726 54C26856 A99ECFA5 D800367B 31A90522 F139496F
    4182DBFD AAB59973 9AB02185 856A881F 9197368B 92DBF684 9D1C746B A27E12F9
    8A28E4B6 D0587D65 5979A750 5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
    9E37B614 047D535D CD63AF30 58B3A25B 79C714B6 326B7DB6 067EBF15 3CC1A720
    B0E1A7E3 9C13FEB3 BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB 8F05D416
    B2B5DD72 E3629BB5 9244BF9F A29C4FCD 4EA0EE50 1FC6695D 03D68D51 9324E493
  0214
    C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB 
  02820100
    3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723 72FE8A02
    EBED3B76 BE810B42 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6 5BD424BD
    70677EFF 1ACF9B3C CE02CD40 46560DA4 2036205C 6EFAB148 66E6A106 0DF6258B
    EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7 9A56E32E C15A0659
    3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548 76CC662A
    1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA 531E0FF8
    2199EF35 DF038976 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62 A915EE63
    F660C092 360C5D2D 796AF230 DB7461F7 C15B6DBA 65C9EFAB 247DB13D 4942E2FF
  02820100
    152BD974 C1758A6D BE609F3B 974278B7 03246768 02EF1115 6283C411 429E318E
    10B2119C 75E99631 81A2C87E 00C89030 B35ABD5F 6C88C916 CE9A2925 F8C3D82E
    1EFE356A 226361A2 E0ECB0EB EEBB8D39 4BF6FE4D 97709503 78CE48B7 45B0819D
    674AF3CA 1742ADC3 EBC7B573 C2CC9AD6 BB733B04 6F6E773E 584FFA3C F7AEB091
    F8B3A64F 35769EF1 5053CA86 1704BBC5 C6864F59 515564EA 3D05A406 C777BB68
    68382183 B0BBC0FC 3A42D4B4 31FDFFDF 1309D02E 52248871 60B399F3 0DA42DB4
    3ACC1841 658FA8AD 6B44564F 6613F6D6 07DF4E11 C19A13CA 5066E86C 62E2D099
    BD1CC266 B8A36A47 5E9D5FC4 B087BC4F 78ACCE2B DAEC8974 FCFA01EB 72E91479
Table 2-948 Description of the display dsa peer-public-key command output
Item Description
Bits

Length of the DSA public key.

Name

Name of the DSA public key.

Key name

Name of the DSA public key.

Key code

Code of the DSA public key.

Encoding type

Encoding format of the DSA public key.

display ecc peer-public-key

Function

The display ecc peer-public-key command displays information about the ECC public key configured on the remote end.

Format

display ecc peer-public-key

display ecc peer-public-key brief

display ecc peer-public-key name key-name

Parameters

Parameter Description Value
brief

Displays the brief information about the ECC public key configured on the remote end.

-

name key-name

Displays the ECC public key with the specified name configured on the remote end.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display information about the public key in the ECC key pair configured on the remote end connected to the local device functioning as an SSH client, run the display ecc peer-public-key command. The public key enables the server to authenticate users and permits the login requests of authorized users.

Prerequisites

Before running the display ecc peer-public-key command, run the ecc peer-public-key command to generate the peer public key.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the brief information about all the ECC public keys.
<HUAWEI> display ecc peer-public-key brief
------------------------------------------
       Bits      Name
------------------------------------------
       521       sat
------------------------------------------
# Display the detailed information about the ECC public key named sat.
<HUAWEI> display ecc peer-public-key name sat
=====================================
    Key name: sat
=====================================
Key code:
    04D3B6E7 A2AC3288 99803D43 6B2596C8 4C3B986C D8902C33 F88E3026 22DC6009
    792E2544 7B4D5178 DC8054BB F38780CB 43BF6478 0C06B3EE F31338FD 74D33A7A
    26501324 DDB101EC 936405B8 CC4926E9 F1F20896 5276DC28 D0532B6E E61F219B
    DB9E5EE1 E511BC58 AC5DDF80 0BCE2033 1B6548FF F9B5B629 D21F92FF 598C72CB
    E5F465
Table 2-949 Description of the display ecc peer-public-key command output
Item Description
Bits

Length of the ECC public key configured on the remote end.

Name

Name of the ECC public key configured on the remote end.

Key name

Name of the ECC public key configured on the remote end.

Key Code

Code of the public key in the local ECC key pair.

display key-pair

Function

The display key-pair command displays the information about the specified key-pairs.

Format

display dsa key-pair

display dsa key-pair brief

display dsa key-pair label label-name

display ecc key-pair

display ecc key-pair brief

display ecc key-pair label label-name

display sm2 key-pair

display sm2 key-pair brief

display sm2 key-pair label label-name

Parameters

Parameter Description Value
dsa

Displays the information about all DSA key-pairs.

-

brief

Displays brief information about the specified key pairs.

-

label label-name

Displays information about the key pair with the specified label name.

The value is a string of 1 to 35 case-insensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

ecc

Displays the information about all ECC key-pairs.

-

sm2

Displays the information about all SM2 key-pairs.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display all the information about the specified key pairs of the device functioning as a client, run the display key-pair command. Then, manually copy the displayed information to the server to enable the server to authenticate users and permit the login requests of authorized users.

Prerequisites

  • To view the DSA key pair, run the dsa key-pair label command to generate a DSA key pair first.
  • To view an ECC key pair, run the ecc key-pair label command to generate an ECC key pair first.
  • To view an SM2 key pair, run the sm2 key-pair label command to generate an SM2 key pair first.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display brief information about all SM2 key pairs.
<HUAWEI> display sm2 key-pair brief
=====================================
 Label Name: sm2key001
 Modulus: 521
 Time of Key pair created: 2018-06-19 15:39:45
=====================================
# Display detailed information about all SM2 key pairs.
<HUAWEI> display sm2 key-pair
=====================================
 Label Name: sm2key001
 Modulus: 521
 Time of Key pair created: 2018-06-19 15:39:45
=====================================
Key : 
    0474F110 F90F131B B6F6D929 9A23A41E F1AB1666 AC4BE4EE EF2CD876
    2B633F80 DD5CF42F 147A722F DE527F39 247F3744 C23296BE FE3BE502
    EEF7D9EC BC28A576 7E
=====================================
# Display brief information about all ECC key-pairs.
<HUAWEI> display ecc key-pair brief
=====================================
Label name: ecckey001
Modulus: 521
Time of Key pair created: 2016-03-03 20:48:26

=====================================
=====================================
Label name: ecckey002
Modulus: 521
Time of Key pair created: 2016-03-08 14:36:00
=====================================
# Display information about all ECC key-pairs.
<HUAWEI> display ecc key-pair
=====================================
Label name: ecckey001
Modulus: 521
Time of Key pair created: 2016-03-03 20:48:26

=====================================
Key :
    0400F6A5 D962C5DA A710D61E 64C8EDEB 5209C897 3BBD31ED 0B09CF7E
    9C59AB15 F508D518 7161F2DA D83F83CE 1BFE500F BB8049B6 D54C4CE8
    389E453F 3C8E24D5 2E127501 26F00B25 26A332EC 21FCB570 10391599
    E289FFED E6D523C8 10271047 28954F4F A354CDD5 EA384158 349299BA
    39064277 58DBE66B A2F3DA72 23ADEB54 3AC14A90 84
=====================================
=====================================
Label name: ecckey002
Modulus: 521
Time of Key pair created: 2016-03-08 14:36:00

=====================================
Key :
    0400FCB0 9B89B39D 6A60B19A F12CF8D4 861C17FE 1EB7679A 73314769
    819CDA57 2DCBED49 6D9FA3DD E0200D7F 76A67683 4F25355C 4403E1C2
    263A20A0 1769E471 B3944501 4BCAFF21 587F3621 30DE3834 92033D1F
    D11B205D 7B29F017 5BA2B200 E3FD01F2 A26001EF C6C71AD1 60F102E8
    8C81C176 CE2C7718 74F2C5F0 687A5EA8 5F5B21B3 61
=====================================
# Display information about the DSA key pair named dsakey001.
<HUAWEI> display dsa key-pair label dsakey001
=====================================
Label name: dsakey001
Modulus: 512
Time of Key pair created: 2013-11-06 15:39:45-08:00
=====================================
Key Code :
3081DC
  0240
    AE0AE467 2BF3587F 30FE81FF A14D8070 1FC2930B
    A34004C1 B37824BB D3160595 702901CD 53F0EAE0
    6CC46D2D BE78F6A4 3DC4AAEF C7228E01 9C2EF7CE
    87C63485
  0214
    94FC5624 DCEB09DA E9B88293 2AC88508 AB7C813F
  0240
    91FF0F2C 91996828 BAAD5068 CD2FE83E CEFA1CF4
    7BCA4251 9F04FD24 6CFB50A3 AD78CC0D 335DEFD2
    0B4C3530 DAA25592 DEAFA0EB 61225712 E4AF6139
    C986329F
  0240
    98CCB354 470D1C14 C139ECCB D3BE1001 45FE8781
    D201B6C9 1B1CFB86 B8F863C0 AEB412B9 6531F20C
    75FF3B72 489AA98F 14A05B70 AB1329A1 78AF23C7
    7EAC0363
=====================================
Table 2-950 Description of the display key-pair command output
Item Description
Label name

Indicates the label name.

Time of Key pair created

Indicates the creation time of the key-pair.

Key fingerprint

Indicates the public key fingerprint.

Key/Key Code

Indicates the code of a public key.

Modulus

Indicates the modulus of a key-pair.

display local-key-pair public

Function

The display local-key-pair public command displays the public key information in the specified local key pair.

Format

display rsa local-key-pair public

display dsa local-key-pair public

display ecc local-key-pair public

Parameters

Parameter Description Value
dsa

Displays the public key in the local DSA key pair.

-

ecc

Displays the public key in the local ECC key pair.

-

rsa

Displays the public key in the local RSA key pair.

-

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display information about the public key in the specified key pair of the device functioning as an SSH client, run the display local-key-pair public command. Then, manually copy the displayed information to the server to enable the server to authenticate users and permit the login requests of authorized users.

Prerequisites

  • To display the public key information of DSA key pairs, first run the dsa key-pair label command to generate them.
  • To display the public key information of ECC key pairs, first run the ecc key-pair label command to generate them.
  • To display the public key information of RSA key pairs, first run the rsa key-pair label command to generate them.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display information about the public key in the local DSA key pair on a client.
<HUAWEI> display dsa local-key-pair public
========================================================
Time of key pair created : 2022-06-28 22:21:49
Key name                 : Host_DSA
Key modulus              : 2048
Key type                 : DSA encryption key
========================================================
Key code:
30820324
  02820101
    00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
    BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
    F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
    2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
    56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
    FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
    849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
    505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
    A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
    B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
    B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
    BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
    CD4EA0EE 501FC669 5D03D68D 519324E4 93
  0215
    00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE
    BB
  02820100
    3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
    96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
    21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
    5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
    2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
    4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
    9A56E32E C15A0659 3D17C407 29F587C7 74959017
    62B08070 24564B2E E79C6E1D 86793548 76CC662A
    1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
    26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
    4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
    A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
    C15B6DBA 65C9EFAB 247DB13D 4942E2FF
  02820100
    62B4FAC6 4D5009E2 BA378727 AB97D6EE 1174F951
    6D1FA663 B950386E 7DD6BDDD 7447345B 5AE2ADBF
    BC0EEF48 39FB49B7 62D2A601 2E110DB9 AAA4DF0B
    B953DE0D D4370F48 017A185E 065E86F1 9214680A
    F6003562 9A29023F 8CCBD021 8948B4E0 D89FBFD5
    9EC1596E 2CA7C626 F4579757 0066AA47 964D4F73
    EC4291C4 1A540832 DB995272 C2F74617 B6CEE55E
    E8E35445 3831071C 03A9EAA9 C06CC3CE 1F602950
    599523A2 695805F0 2DA7827C 708128F4 B202B80C
    4383837B A275CD0B 79E26EAB 300BDB9F 87EFB248
    295B35F6 2C00E868 5A7A2947 B9E0F40B D6C6E143
    C59C12EC 623BF989 61AB4F51 5CE9E850 C2DFE43E
    4857526D C4DBBAE5 8870CC17 D17C3AFF

# Display information about the public key in the local ECC key pair on a client.
<HUAWEI> display ecc local-key-pair public
========================================================
Time of Key pair created : 2022-06-28 21:03:16
Key Name : Host_ECC
Key modulus : 256
Key Type : ECC Encryption Key
========================================================
Key Code:
  04784D25 9A25C8BD 9C8A298D 3B64DFE6 4E6A657E
  0962B8B6 4235B0F3 CD9BE00D 79FD02F5 43A35D34
  59F36439 4269A8FF BEEEBD79 1301EB52 EAFE057A
  4AE6FBF4 8C

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHhNJZolyL2c
iimNO2Tf5k5qZX4JYri2QjWw882b4A15/QL1Q6NdNFnzZDlCaaj/vu69eRMB61Lq
/gV6Sub79Iw=
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAy
NTYAAABBBHhNJZolyL2ciimNO2Tf5k5qZX4JYri2QjWw882b4A15/QL1Q6NdNFnz
ZDlCaaj/vu69eRMB61Lq/gV6Sub79Iw= ecdsa-key
# Display information about the public key in the local RSA key pair on a client.
<HUAWEI> display rsa local-key-pair public
======================Host key==========================
Time of key pair created : 2022-05-03 03:08:31
Key name                 : Host
Key type                 : RSA encryption key
========================================================
Key code:
3082010A
  02820101
    00A8156F B1A79FED 471A99A6 738B1C5D 1BEF87C5
    8EC32FA3 6431F83C A03A188B E412C934 CC5324CE
    1B427F12 B5667658 22E183DE AA7B2369 8E3B1D55
    C0255731 2F9697D4 73FCC979 499E7B44 258D4413
    0947A18B 09E50C26 C1582A5C 73E6730E 9E1A419D
    52BF8005 59C296D9 18E8C644 176A6689 C39720D0
    97EB8E85 80ADCBBA 4D6D619E 9D4F7177 1C0D6AB8
    D0264239 C64935B3 644C6FC1 0F6DBE81 B3BC5900
    393019E9 FC0A14EC F6E71C82 5514A091 8B0D3C99
    DB8462CF D2B805E3 35D51A54 78B6E5F9 9D605240
    1302B423 4DF68D65 BAF5B454 8B2657AF 16B07ABF
    BA024681 CC992B06 72B6A4C9 3059771E B977C3D1
    60BCC77E FBC6273D 53ECCD68 37C03F28 C5
  0203
    010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQCoFW+xp5/tRxqZpnOLHF0b74fFjsMvo2Qx
+DygOhiL5BLJNMxTJM4bQn8StWZ2WCLhg96qeyNpjjsdVcAlVzEvlpfUc/zJeUme
e0QljUQTCUehiwnlDCbBWCpcc+ZzDp4aQZ1Sv4AFWcKW2RjoxkQXamaJw5cg0Jfr
joWArcu6TW1hnp1PcXccDWq40CZCOcZJNbNkTG/BD22+gbO8WQA5MBnp/AoU7Pbn
HIJVFKCRiw08mduEYs/SuAXjNdUaVHi25fmdYFJAEwK0I032jWW69bRUiyZXrxaw
er+6AkaBzJkrBnK2pMkwWXceuXfD0WC8x377xic9U+zNaDfAPyjF
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoFW+xp5/tRxqZpnOLHF0b74fFjsMvo2Qx+DygOhiL5BLJNMxTJM4bQn8StWZ2WCLhg96qeyNpjjsdVcAlVzEvlpfUc/zJeUmee0QljUQTCUehiwnlDCbBWCpcc+ZzDp4aQZ1Sv4AFWcKW2RjoxkQXamaJw5cg0JfrjoWArcu6TW1hnp1PcXccDWq40CZCOcZJNbNkTG/BD22+gbO8WQA5MBnp/AoU7PbnHIJVFKCRiw08mduEYs/SuAXjNdUaVHi25fmdYFJAEwK0I032jWW69bRUiyZXrxawer+6AkaBzJkrBnK2pMkwWXceuXfD0WC8x377xic9U+zNaDfAPyjF rsa-key
Table 2-951 Description of the display local-key-pair public command output
Item Description
Time of Key pair created

Time when the public key in the local DSA key pair is generated, in the format YYYY-MM-DD HH:MM:SS.

Key Name

Name of the public key in the local DSA key pair.

Key modulus

Length of the local DSA key pair. The length can be 2048 bits.

Key Type

Type of the public key in the local DSA key pair.

Key Code

Code of the public key in the local DSA key pair configured using the dsa local-key-pair create command.

The public key coding formats from top to bottom are hexadecimal, PEM, and OpenSSH, which match the public key formats supported by the tool. Here, SSH2.0 public keys are displayed.
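The three encodings the table lists (hexadecimal Key Code, SSH2 PEM block, OpenSSH authorized_keys line) all carry the same key material. The following Python script is an added example, not part of the command reference or of the device software: it takes the ECC values printed by display ecc local-key-pair public above, parses the SSH wire format that the PEM and OpenSSH forms both base64-encode, and checks that the embedded EC point is byte-for-byte the hexadecimal Key Code.

```python
"""Cross-check the three public-key encodings printed by
'display ecc local-key-pair public': hexadecimal Key Code, SSH2 PEM block
and OpenSSH authorized_keys line (values copied from the example above)."""
import base64
import struct

HEX_KEY_CODE = """
  04784D25 9A25C8BD 9C8A298D 3B64DFE6 4E6A657E
  0962B8B6 4235B0F3 CD9BE00D 79FD02F5 43A35D34
  59F36439 4269A8FF BEEEBD79 1301EB52 EAFE057A
  4AE6FBF4 8C
"""

SSH2_PEM_BLOCK = """\
---- BEGIN SSH2 PUBLIC KEY ----
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHhNJZolyL2c
iimNO2Tf5k5qZX4JYri2QjWw882b4A15/QL1Q6NdNFnzZDlCaaj/vu69eRMB61Lq
/gV6Sub79Iw=
---- END SSH2 PUBLIC KEY ----
"""

AUTHORIZED_KEYS_LINE = (
    "ecdsa-sha2-nistp256 "
    "AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHhNJZolyL2c"
    "iimNO2Tf5k5qZX4JYri2QjWw882b4A15/QL1Q6NdNFnzZDlCaaj/vu69eRMB61Lq"
    "/gV6Sub79Iw= ecdsa-key"
)


def read_ssh_string(blob, offset):
    """Read one RFC 4251 'string': uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("string runs past end of blob")
    return blob[offset + 4:end], end


def parse_ecdsa_blob(blob):
    """Split an ecdsa-sha2-* wire blob into key type, curve name and point Q."""
    key_type, off = read_ssh_string(blob, 0)
    curve, off = read_ssh_string(blob, off)
    point, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the EC point")
    if key_type != b"ecdsa-sha2-" + curve:
        raise ValueError("key type and curve name disagree")
    if point[:1] != b"\x04":
        raise ValueError("expected an uncompressed (0x04) point")
    return {"key_type": key_type.decode(), "curve": curve.decode(), "point": point}


def parse_pem(block):
    """Decode the base64 body between the SSH2 BEGIN/END markers."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if not lines[0].startswith("---- BEGIN") or not lines[-1].startswith("---- END"):
        raise ValueError("not an SSH2 public key block")
    return parse_ecdsa_blob(base64.b64decode("".join(lines[1:-1]), validate=True))


def parse_authorized_keys(line):
    """Decode one authorized_keys line and check its leading type field."""
    key_type, b64, _comment = line.split(None, 2)
    info = parse_ecdsa_blob(base64.b64decode(b64, validate=True))
    if info["key_type"] != key_type:
        raise ValueError("leading key type does not match the blob")
    return info


def hex_code_to_point(text):
    """Turn the whitespace-separated hex groups of Key Code into bytes."""
    return bytes.fromhex("".join(text.split()))


def authorized_keys_from_hex(hex_code, curve="nistp256", comment="ecdsa-key"):
    """Rebuild the OpenSSH line from the hexadecimal Key Code alone."""
    fields = [("ecdsa-sha2-" + curve).encode(), curve.encode(), hex_code_to_point(hex_code)]
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return "%s %s %s" % (fields[0].decode(), base64.b64encode(blob).decode(), comment)


def all_three_encodings_agree():
    """True when hex, PEM and OpenSSH forms all carry the same EC point."""
    q = hex_code_to_point(HEX_KEY_CODE)
    return (q == parse_pem(SSH2_PEM_BLOCK)["point"]
            == parse_authorized_keys(AUTHORIZED_KEYS_LINE)["point"]
            and authorized_keys_from_hex(HEX_KEY_CODE) == AUTHORIZED_KEYS_LINE)


if __name__ == "__main__":
    info = parse_pem(SSH2_PEM_BLOCK)
    print(info["key_type"], info["curve"], len(info["point"]), "byte point")
    print("all encodings agree:", all_three_encodings_agree())
```

The same parser applies to the DSA and RSA outputs once their type-specific fields (mpints instead of a curve name and point) are read; only the ECC case is carried through here.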

display rsa key-pair

Function

The display rsa key-pair command displays information about all RSA key pairs.

Format

display rsa key-pair

display rsa key-pair brief

display rsa key-pair label label-name

Parameters

Parameter Description Value
brief

Displays brief information about all RSA key pairs in the system.

-

label label-name

Specifies the label name of the key pair.

The value is a string of 1 to 35 case-insensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display all the information about the RSA key pairs of the device functioning as an SSH client, run the display rsa key-pair command. Then, manually copy the displayed public key information to the server to enable the server to authenticate users and permit the login requests of authorized users.

Prerequisites

Before running the display rsa key-pair command, run the rsa key-pair label command to generate RSA key pairs.

Example

The actual command output varies according to the device. The command output here is only an example.

# View all the public key-pairs.
<HUAWEI> display rsa key-pair
=====================================
Label name: def
Modulus: 2048
Time of Key pair created: 2016-03-03 19:44:12
=====================================
Key :
    3082010A 02820101 00E4148A 80CF3B46 E03F778D 9C2B4711 1E620F36
    E3B78625 48545D1B 683D441C 2DBEFD67 9B9A7F29 ACB9A012 5EB55978
    1EAE61E8 817654BB 9A283429 2547C5F4 E030263A E75CC6D5 9B992A78
    B54FDF7D 83A85148 53D29A5E 2CC435AD 3A3C7AA6 B532F164 204159B0
    20A02685 202C3160 39CA1188 3F788874 798681E9 3D8E63D7 B043DA6A
    A8C4790F 780F8498 5BB5769B 1577C182 B4934996 0EAB7360 9EC0E457
    F207566F D46D732A 25E47595 54989B8B 96BD0307 4BFD4A74 E7D4471C
    E08430D1 F8262147 9EAE6D0F C8E6E9EC A38D3A1E B11AE43E 0A8C8BA7
    C63AE786 FCBA5748 4E597BF5 26897B0F 989C87D4 B0F310D3 6D2087A2
    39F8F031 4C8D954E 129D3132 87020301 0001
=====================================
=====================================
Label name: sss
Modulus: 2048
Time of Key pair created: 2016-03-03 19:49:35
=====================================
Key :
    3082010A 02820101 00C9B322 EB12D641 DA01588F D0819796 A52833A1
    E6953094 0C7FDB65 BE4ABB0E A1CF05E5 F0E4038B FC9AC9AD 2713FD6F
    AA01AC6C 75FEEA62 F316C575 E663C8DB 86589878 DE14B300 829C0B1B
    A3BF7C73 E41815B0 49DE5810 2854D4A9 2DA2EA37 8635800A C65E489D
    90824A27 4AF92185 B4C6E47E DA7C7278 AE056F26 AE0EC4D8 43ADA2C7
    AC5DE13E 56FE6D2B CE8C5024 A1E04048 66FAC855 406CCF67 C50D9370
    7B2AA355 9A219017 906795E0 741062C2 3BC4E0F4 68FB5E8A 1648B883
    B6C77F53 4F37D3B5 B68761FD 7A686514 6B5FFE60 138FF8EA 009B4733
    90AAB82C E1C8A2F6 400488D7 A1D7C756 64C3C5BC B0E13A10 AE72D7B5
    310F64ED B534DD1F CA4CEED1 93020301 0001
=====================================
# View the brief information about all the key-pairs.
<HUAWEI> display rsa key-pair brief
=====================================
Label name: def
Time of Key pair created: 2016-03-03 19:44:12
=====================================
=====================================
Label name: sss
Time of Key pair created: 2016-03-03 19:49:35
=====================================
# View the information about the key pair with the label def.
<HUAWEI> display rsa key-pair label def
=====================================
Label name: def
Time of Key pair created: 2016-03-03 19:44:12
=====================================
Key Code :
    3082010A 02820101 00E4148A 80CF3B46 E03F778D 9C2B4711 1E620F36
    E3B78625 48545D1B 683D441C 2DBEFD67 9B9A7F29 ACB9A012 5EB55978
    1EAE61E8 817654BB 9A283429 2547C5F4 E030263A E75CC6D5 9B992A78
    B54FDF7D 83A85148 53D29A5E 2CC435AD 3A3C7AA6 B532F164 204159B0 
    20A02685 202C3160 39CA1188 3F788874 798681E9 3D8E63D7 B043DA6A
    A8C4790F 780F8498 5BB5769B 1577C182 B4934996 0EAB7360 9EC0E457
    F207566F D46D732A 25E47595 54989B8B 96BD0307 4BFD4A74 E7D4471C
    E08430D1 F8262147 9EAE6D0F C8E6E9EC A38D3A1E B11AE43E 0A8C8BA7
    C63AE786 FCBA5748 4E597BF5 26897B0F 989C87D4 B0F310D3 6D2087A2
    39F8F031 4C8D954E 129D3132 87020301 0001
=====================================
Table 2-952 Description of the display rsa key-pair command output
Item Description
Label name

Indicates the label name.

Time of Key pair created

Indicates the creation time of the key-pair.

Key

Indicates the RSA public key.

Key Code

Code of an RSA public key.

Modulus

Indicates the modulus of a key-pair.

display rsa peer-public-key

Function

The display rsa peer-public-key command displays the specified RSA public key. If no public key is specified, all public keys are displayed.

Format

display rsa peer-public-key

display rsa peer-public-key brief

display rsa peer-public-key name key-name

Parameters

Parameter Description Value
brief

Displays the brief information about the RSA public key configured on the remote end.

-

name key-name

Displays the name of the RSA public key configured on the remote end.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display information about the public key in the RSA key pair configured on the remote end connected to the local device functioning as an SSH client, run the display rsa peer-public-key command. The public key enables the server to authenticate users and permits the login requests of authorized users.

Prerequisites

Before running the display rsa peer-public-key command, run the rsa peer-public-key command to generate the peer public key.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the brief information about all the RSA public keys.
<HUAWEI> display rsa peer-public-key brief
------------------------------------------
       Bits      Name
------------------------------------------
       512       rsakey001
------------------------------------------
# Display the detailed RSA public key named rsakey001.
<HUAWEI> display rsa peer-public-key name rsakey001
=====================================
    Key name      : rsakey001
    Encoding type : DER
=====================================
Key code:
308188
  028180
    9F158EF2 6860CFC9 B3E807BB 9E235386 DF92A2B5 F5666998 38597031 BB1490C2
    6109EA0B 4F047173 0F714F18 BD525B6B 966C789F 3FDE967F E0D35361 A47A4730
    743D1038 AB23FA71 AFA66349 6E1C803F 60622F1E 33EA38FA 6DB47049 A98EF75D
    06C34B83 06F21656 3AE704A2 5D1245E3 1258E281 9025B681 6CC7FBAA 1F171DBB
  0203
    010001
Table 2-953 Description of the display rsa peer-public-key command output
Item Description
Bits

Byte length.

Name

Name of the public key.

Key name

Name of the public key.

Key code

Code of the public key.

Encoding type

Coding type of the public key.

display scp client

Function

The display scp client command displays all the current SCP client configurations.

Format

display scp client

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

After the source IP address of an SCP client is set, you can run the display scp client command to view the configuration. If no source IP address has been set, the command shows the default value 0.0.0.0.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the SCP client's source IP address.
<HUAWEI> display scp client
The source address of the SCP client is 1.1.1.1.
Table 2-954 Description of the display scp client command output
Item Description
The source address

Source address.

display sftp client

Function

The display sftp client command displays all of the currently effective configuration on the SFTP client.

Format

display sftp client

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the source IP address of an SFTP client is set, you can run the display sftp client command to view the configuration. If no source IP address has been set, the command shows the default value 0.0.0.0.

Example

# Display the SFTP client source IP address.
<HUAWEI> display sftp client
The source address of the SFTP client is 1.1.1.1.
Table 2-955 Description of the display sftp client command output
Item Description
The source address of the SFTP client

Source address of the SFTP client.

display sm2 peer-public-key

Function

The display sm2 peer-public-key command displays information about remote SM2 public keys.

Format

display sm2 peer-public-key

display sm2 peer-public-key brief

display sm2 peer-public-key name key-name

Parameters

Parameter Description Value
brief

Displays brief information about all remote SM2 public keys.

-

name key-name

Displays information about the remote SM2 public key with a specified name.

The value is a string of 1 to 40 case-insensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To display information about the public key in the SM2 key pair configured on the remote end connected to the local device functioning as a client, run the display sm2 peer-public-key command. The public key enables the server to authenticate users and permits the login requests of authorized users.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display brief information about all remote SM2 public keys.
<HUAWEI> display sm2 peer-public-key brief
------------------------------------------
Bits   Name                           
------------------------------------------
256    abc                      
------------------------------------------
# Display detailed information about the remote SM2 public key named sm2key001.
<HUAWEI> display sm2 peer-public-key name sm2key001
=====================================
Key name: sm2key001
=====================================
Key Code: 
    0474F110 F90F131B B6F6D929 9A23A41E F1AB1666 AC4BE4EE EF2CD876
    2B633F80 DD5CF42F 147A722F DE527F39 247F3744 C23296BE FE3BE502
    EEF7D9EC BC28A576 7E
Table 2-956 Description of the display sm2 peer-public-key command output
Item Description
Bits

Modulus of the remote SM2 public key.

Name

Name of the remote SM2 public key.

Key name

Name of the remote SM2 public key.

Key Code

Code of the remote SM2 public key.
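
The Key Code fields shown above can be decoded offline: the RSA peer key printed by display rsa peer-public-key is a DER-encoded RSAPublicKey (SEQUENCE of two INTEGERs), and the SM2 peer key printed by display sm2 peer-public-key is a raw uncompressed curve point (04 || X || Y). The following Python is an added example, not part of Huawei's reference; it parses both outputs exactly as printed on this page and reports the key sizes, which is how to confirm the Bits column before trusting a peer key. The 2048-bit threshold in key_strength_note is an assumed review policy, not a device setting.

```python
import re

# Key Code as printed by "display rsa peer-public-key name rsakey001" in this
# reference: DER RSAPublicKey = SEQUENCE { INTEGER n, INTEGER e }.
RSA_KEY_CODE = """
308188
  028180
    9F158EF2 6860CFC9 B3E807BB 9E235386 DF92A2B5 F5666998 38597031 BB1490C2
    6109EA0B 4F047173 0F714F18 BD525B6B 966C789F 3FDE967F E0D35361 A47A4730
    743D1038 AB23FA71 AFA66349 6E1C803F 60622F1E 33EA38FA 6DB47049 A98EF75D
    06C34B83 06F21656 3AE704A2 5D1245E3 1258E281 9025B681 6CC7FBAA 1F171DBB
  0203
    010001
"""

# Key Code as printed by "display sm2 peer-public-key name sm2key001" in this
# reference: an uncompressed EC point, 0x04 || X (32 bytes) || Y (32 bytes).
SM2_KEY_CODE = """
    0474F110 F90F131B B6F6D929 9A23A41E F1AB1666 AC4BE4EE EF2CD876
    2B633F80 DD5CF42F 147A722F DE527F39 247F3744 C23296BE FE3BE502
    EEF7D9EC BC28A576 7E
"""


def key_code_bytes(text: str) -> bytes:
    """Drop the CLI indentation and grouping of the Key Code and return raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_rsa_key_code(text: str) -> dict:
    """Parse a DER RSAPublicKey Key Code; return the modulus size in bits, e and n."""
    der = key_code_bytes(text)
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    # A leading 0x00 pad byte (present in the 2048-bit "display rsa key-pair"
    # output above) keeps the INTEGER positive and does not add to the size.
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {"modulus_bits": n.bit_length(), "e": e, "n": n}


def decode_sm2_key_code(text: str) -> dict:
    """Parse the raw SM2 point Key Code; return the coordinate size in bits and X, Y."""
    raw = key_code_bytes(text)
    if raw[0] != 0x04 or len(raw) % 2 != 1:
        raise ValueError("expected an uncompressed point: 04 || X || Y")
    half = (len(raw) - 1) // 2
    x, y = raw[1:1 + half], raw[1 + half:]
    return {"bits": half * 8, "x": int.from_bytes(x, "big"), "y": int.from_bytes(y, "big")}


def key_strength_note(bits: int, kind: str) -> str:
    """Review note for a peer key; the 2048-bit RSA floor is an assumed policy."""
    if kind == "rsa" and bits < 2048:
        return f"RSA {bits}-bit peer key is below 2048 bits; replace it"
    return f"{kind.upper()} {bits}-bit peer key: acceptable"


if __name__ == "__main__":
    rsa = decode_rsa_key_code(RSA_KEY_CODE)
    sm2 = decode_sm2_key_code(SM2_KEY_CODE)
    print(key_strength_note(rsa["modulus_bits"], "rsa"), "e =", rsa["e"])
    print(key_strength_note(sm2["bits"], "sm2"))
```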

display ssh client session

Function

The display ssh client session command displays the session status information of the SSH client.

Format

display ssh client session

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To view current session connection information of the SSH client, run the display ssh client session command.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display current status information about the SSH client.
<HUAWEI> display ssh client session
--------------------------------------------------------------------------
Session                                 : 1
Version                                 : 2.0
CTOS Cipher                             : aes256-ctr
STOC Cipher                             : aes256-ctr
CTOS Hmac                               : hmac-sha2-256
STOC Hmac                               : hmac-sha2-256
CTOS Compress                           : none
STOC Compress                           : none
Public Key                              : RSA_SHA2_512
User Authentication Public Key          : RSA_SHA2_512
Total Packet Number                     : 152
Packet Number after Rekey               : 152
Total Data(MB)                          : 0
Data after Rekey(MB)                    : 0
Time after Session Established(Minute)  : 2
Time after Rekey(Minute)                : 2
Total self check random counts          : 53
Total self check random fails           : 0
Self check random result                : 0
Total self check keypair counts         : 1
Total self check keypair fails          : 0
Self check keypair result               : 0
--------------------------------------------------------------------------------
Table 2-957 Description of the display ssh client session command output
Item Description
Session

SSH session ID.

Version

Version information of the protocol that the SSH session connection uses.

CTOS Cipher

Encryption algorithm from the client to the server.

CTOS Hmac

HMAC algorithm from the client to the server.

CTOS Compress

Compression algorithm from the client to the server.

STOC Cipher

Encryption algorithm from the server to the client.

STOC Hmac

HMAC algorithm from the server to the client.

STOC Compress

Compression algorithm from the server to the client.

Public Key

Indicates the type of the public key.

User Authentication Public Key

The type of public key used during user authentication.

Total Packet Number

Total number of SSH session packets.

Total Data(MB)

Total data volume of the SSH session connection, in MB.

Total self check random counts

Indicates total number of random number self-check times.

Total self check random fails

Indicates total number of random number self-check failures.

Total self check keypair counts

Indicates total number of key pair consistency tests.

Total self check keypair fails

Indicates total number of key pair consistency test failures.

Packet Number after Rekey

Total number of SSH session packets after key re-negotiation.

Data after Rekey(MB)

Total data volume of the SSH session connection after key re-negotiation, in MB.

Time after Session Established(Minute)

Connection duration after the SSH session connection is activated, in minutes.

Time after Rekey(Minute)

Connection duration after the SSH session connection is activated and the key is re-negotiated, in minutes.

Self check random result

Indicates the result of random number self-check.

Self check keypair result

Indicates the result of key pair self-check.

display ssh server ip-block

Function

The display ssh server ip-block all command displays information about the IP addresses of all the clients that fail to pass authentication.

The display ssh server ip-block list command displays information about client IP addresses that are locked because of authentication failures.

Format

display ssh server ip-block list

display ssh server ip-block all

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To check information about the IP addresses of all the clients that fail to pass authentication, run the display ssh server ip-block all command. The command output includes the names of the VPN instances to which the IP addresses belong, the status of each IP address, and the number of authentication failures.

If a user logs in using SSH, the user's IP address will be locked for 5 minutes upon 6 incorrect password attempts within 5 minutes. After the IP address is locked, the IP address status displayed in the display ssh server ip-block all command output changes from AUTH FAILED to BLOCKED.

To check information about client IP addresses that are locked because of authentication failures, run the display ssh server ip-block list command. The command output includes the names of VPN instances to which the locked client IP addresses belong and the remaining locking period.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display information about client IP addresses that are locked because of authentication failures.
<HUAWEI> display ssh server ip-block list
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   UnBlock Interval(Seconds)     
-------------------------------------------------------------------------------------
 192.168.10.1               _public_                          36                     
-------------------------------------------------------------------------------------
# Display information about the IP addresses of all the clients that fail to pass authentication.
<HUAWEI> display ssh server ip-block all
-------------------------------------------------------------------------------------
 IP Address                 VPN Name                   State           Auth-fail Count
--------------------------------------------------------------------------------------
 192.168.10.1               _public_                   BLOCKED             6          
--------------------------------------------------------------------------------------
Table 2-958 Description of the display ssh server ip-block command output
Item Description
IP Address

Locked client IP address.

VPN Name

Name of a VPN instance to which a locked client IP address belongs.

UnBlock Interval(Seconds)

Remaining locking period, in seconds.

State

Status of a locked client IP address:

  • BLOCKED: The IP address is locked.
  • AUTH FAILED: The IP address fails to pass authentication.
Auth-fail Count

Number of consecutive authentication failures within 5 minutes.
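
The lockout behaviour described above (6 failed password attempts within 5 minutes lock the client address for 5 minutes; activate ssh server ip-block releases it early) can be modelled to reason about what the two display commands will show at a given moment. The following Python is an added example and not Huawei's implementation; it assumes a sliding 5-minute window for counting failures and that the counter is cleared when a lock expires or is released, neither of which the reference states.

```python
import time

BLOCK_THRESHOLD = 6   # incorrect attempts ...
WINDOW_SECONDS = 300  # ... within 5 minutes (from the reference)
BLOCK_SECONDS = 300   # lock duration: 5 minutes (from the reference)


class SshIpBlockTable:
    """Model of the table behind 'display ssh server ip-block all | list'.

    Assumption (not stated in the reference): failures are counted in a sliding
    window and the counter is cleared when a lock expires or is released.
    """

    def __init__(self):
        self._failures = {}  # (ip, vpn) -> timestamps of recent failures
        self._blocked = {}   # (ip, vpn) -> time at which the lock expires

    def record_failure(self, ip, vpn="_public_", now=None):
        """Register one failed password attempt; return the resulting State."""
        now = time.time() if now is None else now
        key = (ip, vpn)
        if self.state(ip, vpn, now) == "BLOCKED":
            return "BLOCKED"  # attempts while locked are refused, not counted
        hist = [t for t in self._failures.get(key, []) if now - t < WINDOW_SECONDS]
        hist.append(now)
        self._failures[key] = hist
        if len(hist) >= BLOCK_THRESHOLD:
            self._blocked[key] = now + BLOCK_SECONDS
            return "BLOCKED"
        return "AUTH FAILED"

    def activate(self, ip, vpn="_public_"):
        """Manual unlock: activate ssh server ip-block ip-address <ip> [vpn-instance <vpn>]."""
        self._blocked.pop((ip, vpn), None)
        self._failures.pop((ip, vpn), None)

    def state(self, ip, vpn="_public_", now=None):
        """BLOCKED, AUTH FAILED, or None when the address has no recent failures."""
        now = time.time() if now is None else now
        key = (ip, vpn)
        if key in self._blocked:
            if self._blocked[key] > now:
                return "BLOCKED"
            self._blocked.pop(key)  # lock expired: drop the entry
            self._failures.pop(key, None)
        if any(now - t < WINDOW_SECONDS for t in self._failures.get(key, [])):
            return "AUTH FAILED"
        return None

    def unblock_interval(self, ip, vpn="_public_", now=None):
        """Remaining lock time in seconds (the UnBlock Interval column)."""
        now = time.time() if now is None else now
        return max(0, int(self._blocked.get((ip, vpn), now) - now))

    def auth_fail_count(self, ip, vpn="_public_", now=None):
        """Failures counted within the window (the Auth-fail Count column)."""
        now = time.time() if now is None else now
        key = (ip, vpn)
        if key in self._blocked and self._blocked[key] > now:
            return len(self._failures[key])
        return sum(1 for t in self._failures.get(key, []) if now - t < WINDOW_SECONDS)

    def display_list(self, now=None):
        """Rows of 'display ssh server ip-block list': (ip, vpn, unblock interval)."""
        now = time.time() if now is None else now
        return [(ip, vpn, self.unblock_interval(ip, vpn, now))
                for (ip, vpn) in list(self._blocked)
                if self.state(ip, vpn, now) == "BLOCKED"]

    def display_all(self, now=None):
        """Rows of 'display ssh server ip-block all': (ip, vpn, state, auth-fail count)."""
        now = time.time() if now is None else now
        rows = []
        for (ip, vpn) in list(self._failures):
            st = self.state(ip, vpn, now)
            if st:
                rows.append((ip, vpn, st, self.auth_fail_count(ip, vpn, now)))
        return rows
```

Reproducing the page's example: six failures from 192.168.10.1 followed by 264 seconds of waiting gives a list row of 36 seconds remaining and an all row of BLOCKED with count 6.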

display ssh server session

Function

The display ssh server session command displays the session information of the SSH server.

Format

display ssh server session

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After configuring the SSH attributes, you can run the display ssh server session command to view the current sessions of the SSH server.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display SSH server session.
<HUAWEI> display ssh server session
--------------------------------------------------------------------------------
Session                                 : 1
Connect type                            : VTY 0
Version                                 : 2.0
State                                   : Started
Username                                : root123
Retry                                   : 1
Client to Server cipher                 : aes256-ctr
Server to Client cipher                 : aes256-ctr
Client to Server HMAC                   : hmac-sha2-256
Server to Client HMAC                   : hmac-sha2-256
Client to Server compression            : zlib
Server to Client compression            : zlib
Key exchange algorithm                  : diffie-hellman-group-exchange-sha256
Public key                              : ECC
User authentication public key          : -
Service type                            : stelnet
Authentication type                     : password
Connection port number                  : 22
Idle time                               : 00:00:00
Total Packet Number                     : 117
Packet Number after Rekey               : 117
Total Data(MB)                          : 0
Data after Rekey(MB)                    : 0
Time after Session Established(Minute)  : 7
Time after Rekey(Minute)                : 7
Total self check random counts          : 72
Total self check random fails           : 0
Self check random result                : 0
Total self check keypair counts         : 1
Total self check keypair fails          : 0
Self check keypair result               : 0

--------------------------------------------------------------------------------
Table 2-959 Description of the display ssh server session command output
Item Description
Session

Indicates the session ID.

Version

Indicates the protocol version of the SSH session.

State

Indicates the status of the SSH session.

Username

Indicates the username of the user for the session.

Retry

Indicates the number of retries.

Public key

Indicates the type of the public key. RSA_SHA2_512, RSA_SHA2_256, RSA, ECC, and DSA are supported currently.

To ensure better security, it is recommended that you use the more secure RSA SHA2-512 or RSA SHA2-256 authentication algorithm.

Key exchange algorithm

Indicates the name of the key exchange algorithm.

User authentication public key

Indicates the type of the public key used during user authentication.

Authentication type

Indicates the SSH user authentication type. The following are the authentication types:

  • password.
  • rsa.
  • password-rsa.
  • all.
  • ecc.
  • password-ecc.
  • dsa.
  • password-dsa.
  • sm2.
  • password-sm2.

You are advised to use the more secure ECC authentication algorithm.

Service type

Indicates the SSH user service mode. There are three types of service modes:

  • sftp.
  • stelnet.
  • snetconf.
Connection port number

Indicates the port number through which SSH session connections are established.

Idle time

Indicates the SSH session idle time.

Time after Session Established(Minute)

Indicates the connection duration after the SSH session connection is activated, in minutes.

Time after Rekey(Minute)

Indicates the connection duration after the SSH session connection is activated and the key is re-negotiated, in minutes.

Total Packet Number

Indicates the total number of SSH session packets.

Total Data(MB)

Indicates the total data volume of the SSH session connection, in MB.

Total self check random counts

Indicates the number of random number self-check times.

Total self check random fails

Indicates the number of random number self-check failures.

Total self check keypair counts

Indicates the number of key pair consistency check times.

Total self check keypair fails

Indicates the number of key pair consistency check failures.

Packet Number after Rekey

Indicates the total number of SSH session packets after key re-negotiation.

Data after Rekey(MB)

Indicates the total data volume of the SSH session connection after key re-negotiation, in MB.

Self check random result

Indicates the random number self-check result.

Self check keypair result

Indicates the result of the key pair consistency check.

Connect type

Indicates the interface of the VTY terminal used by the SSH session.

  • VTY.
  • NCA.
  • SFTP.
Client to Server cipher

Indicates the name of the encryption algorithm from the client to the server.

Client to Server HMAC

Indicates the name of the HMAC algorithm from the client to the server.

Client to Server compression

Indicates the name of the compression algorithm from the client to the server.

Server to Client cipher

Indicates the name of the encryption algorithm from the server to the client.

Server to Client HMAC

Indicates the name of the HMAC algorithm from the server to the client.

Server to Client compression

Indicates the name of the compression algorithm from the server to the client.

display ssh server status

Function

The display ssh server status command displays the global configuration of the SSH server.

Format

display ssh server status

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After configuring the SSH attributes, you can run the display ssh server status command to view the global configuration.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display SSH server status.
<HUAWEI> display ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Enable
SSH server keepalive                       : Disable
SFTP IPv4 server                           : Disable
SFTP IPv6 server                           : Disable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Enable
SNETCONF IPv6 server                       : Enable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH port forwarding                        : Disable
SSH IPv4 server port                       : 22
SSH IPv6 server port                       : 22
ACL name                                   :
ACL number                                 :
ACL6 name                                  : 
ACL6 number                                :
SSH server ip-block                        : Enable
Table 2-960 Description of the display ssh server status command output
Item Description
SSH Version

Indicates the version of the SSH server.

SSH authentication timeout (Seconds)

Indicates the timeout period of SSH authentication in seconds.

SSH authentication retries (Times)

Indicates the number of SSH authentication retries.

SSH server key generating interval (Hours)

Indicates the interval of SSH server key generation in hours.

SSH version 1.x compatibility

Indicates the status of SSH version 1.x compatibility. It can be any one of the following:

  • Enable.
  • Disable.
SSH server keepalive

Indicates the status of SSH server keep alive feature. It can be any one of the following:

  • Enable.
  • Disable.
SSH IPv4 server port

Indicates the IPv4 port number of SSH server.

SSH IPv6 server port

Indicates the IPv6 port number of SSH server.

SSH server ip-block

Indicates whether the SSH server locks client IP addresses. It can be any one of the following:

  • Enable: The SSH server locks client IP addresses.
  • Disable: The SSH server does not lock client IP addresses.
SSH port forwarding

Indicates the SSH port forwarding status. It can be any one of the following:

  • Enable.
  • Disable.
SFTP IPv4 server

Indicates the IPv4 status of SFTP server. It can be any one of the following:

  • Enable: The SFTP server is enabled.
  • Disable: The SFTP server is disabled.
SFTP IPv6 server

Indicates the IPv6 status of SFTP server. It can be any one of the following:

  • Enable: The SFTP server is enabled.
  • Disable: The SFTP server is disabled.
STELNET IPv4 server

Indicates the IPv4 status of STelnet server. It can be any one of the following:

  • Enable: The STelnet server is enabled.
  • Disable: The STelnet server is disabled.
STELNET IPv6 server

Indicates the IPv6 status of STelnet server. It can be any one of the following:

  • Enable: The STelnet server is enabled.
  • Disable: The STelnet server is disabled.
SNETCONF IPv4 server

Indicates the IPv4 status of SNETCONF server. It can be any one of the following:

  • Enable: The SNETCONF server is enabled.
  • Disable: The SNETCONF server is disabled.
SNETCONF IPv6 server

Indicates the IPv6 status of SNETCONF server. It can be any one of the following:

  • Enable: The SNETCONF server is enabled.
  • Disable: The SNETCONF server is disabled.
SNETCONF IPv4 server port(830)

Indicates the IPv4 status of the well-known port on the SSH server. It can be any one of the following:

  • Enable.
  • Disable.

The protocol inbound ssh port 830 command configures well-known port 830 to establish a NETCONF connection.

SNETCONF IPv6 server port(830)

Indicates the IPv6 status of the well-known port on the SSH server. It can be any one of the following:

  • Enable.
  • Disable.

The protocol inbound ssh port 830 command configures well-known port 830 to establish a NETCONF connection.

SCP IPv4 server

Indicates the IPv4 status of the SCP server. It can be any one of the following:

  • Enable.
  • Disable.
SCP IPv6 server

Indicates the IPv6 status of the SCP server. It can be any one of the following:

  • Enable.
  • Disable.
ACL name

Indicates the configured ACL name.

ACL number

Indicates the configured ACL number.

ACL6 name

Indicates the configured IPv6 ACL name.

ACL6 number

Indicates the configured IPv6 ACL number.
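
Both display ssh server status and display ssh server session print their fields as "Item : value" lines, so one parser serves a configuration review of both. The following Python is an added example, not a Huawei tool; it parses abridged copies of the two outputs shown on this page and flags the settings a reviewer would question. The allow-lists and the reading of a 0-hour key generating interval as "never" are assumptions of this example, not statements from the reference.

```python
# Abridged "display ssh server status" output copied from this reference.
SERVER_STATUS = """\
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Enable
SSH server keepalive                       : Disable
STELNET IPv4 server                        : Enable
SSH port forwarding                        : Disable
SSH IPv4 server port                       : 22
ACL name                                   :
ACL number                                 :
SSH server ip-block                        : Enable
"""

# Abridged "display ssh server session" output copied from this reference.
SERVER_SESSION = """\
Session                                 : 1
Username                                : root123
Client to Server cipher                 : aes256-ctr
Server to Client cipher                 : aes256-ctr
Client to Server HMAC                   : hmac-sha2-256
Server to Client HMAC                   : hmac-sha2-256
Key exchange algorithm                  : diffie-hellman-group-exchange-sha256
Public key                              : ECC
Authentication type                     : password
Idle time                               : 00:00:00
"""

# Review policy assumed for this example (standard SSH algorithm names).
ALLOWED_CIPHERS = {"aes256-ctr", "aes192-ctr", "aes128-ctr"}
ALLOWED_MACS = {"hmac-sha2-256", "hmac-sha2-512"}
ALLOWED_KEX = {"diffie-hellman-group-exchange-sha256", "ecdh-sha2-nistp256",
               "ecdh-sha2-nistp384", "curve25519-sha256"}


def parse_kv(output: str) -> dict:
    """Map each 'Item : value' line to a dict entry; separator lines are skipped.

    Only the first colon splits, so values such as 'Idle time : 00:00:00' survive.
    """
    fields = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def audit_server_status(fields: dict) -> list:
    """Findings against the global SSH server configuration."""
    findings = []
    if fields.get("SSH version 1.x compatibility") == "Enable":
        findings.append("SSH version 1.x compatibility is enabled; protocol 1 is obsolete")
    if fields.get("SSH server ip-block") != "Enable":
        findings.append("SSH server ip-block is disabled; failed logins will not lock the client")
    if not (fields.get("ACL name") or fields.get("ACL number")):
        findings.append("no IPv4 ACL is bound to the SSH server; any source may connect")
    if fields.get("SSH port forwarding") == "Enable":
        findings.append("SSH port forwarding is enabled; confirm that tunnelling is required")
    # Assumption: 0 hours is read as 'the server key is never regenerated'.
    if fields.get("SSH server key generating interval (Hours)") == "0":
        findings.append("server key generating interval is 0; no periodic key regeneration")
    return findings


def audit_session(fields: dict) -> list:
    """Findings against the algorithms and authentication of one live session."""
    findings = []
    for item in ("Client to Server cipher", "Server to Client cipher"):
        if fields.get(item) not in ALLOWED_CIPHERS:
            findings.append(f"{item} {fields.get(item)!r} is not on the allowed list")
    for item in ("Client to Server HMAC", "Server to Client HMAC"):
        if fields.get(item) not in ALLOWED_MACS:
            findings.append(f"{item} {fields.get(item)!r} is not on the allowed list")
    if fields.get("Key exchange algorithm") not in ALLOWED_KEX:
        findings.append("key exchange algorithm is not on the allowed list")
    if fields.get("Authentication type") == "password":
        findings.append(f"user {fields.get('Username')} authenticated by password only; "
                        "the reference recommends ECC public key authentication")
    return findings


if __name__ == "__main__":
    for f in audit_server_status(parse_kv(SERVER_STATUS)) + audit_session(parse_kv(SERVER_SESSION)):
        print("-", f)
```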

display ssh server-info

Function

The display ssh server-info command displays the binding between the current SSH client and the public key (RSA/DSA/ECC) of each SSH server that has connected or is connecting to it.

Format

display ssh server-info

Parameters

None

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After the binding between an SSH server and a public key (RSA/DSA/ECC) on an SSH client is configured, you can run the display ssh server-info command to view the binding information on the SSH client.

Example

The actual command output varies according to the device. The command output here is only an example.

# Get server and public key information.
<HUAWEI> display ssh server-info
----------------------------------------------------------------------------------------------------------------
Server Name(IP)                               Server public key name          Server public key type   State     
----------------------------------------------------------------------------------------------------------------
2001:db8:2::2                                 2001:db8:2::2                   RSA                      CONFIGURE 
10.164.39.223                                 10.164.39.223                   RSA                      CONFIGURE 
192.168.1.1                                   192.168.1.1                     RSA                      CONFIGURE 
----------------------------------------------------------------------------------------------------------------
Table 2-961 Description of the display ssh server-info command output
Item Description
Server Name(IP)

Indicates the host name of the SSH server.

Server public key name

Indicates the public key name of the server.

Server public key type

Indicates the public key type of the server.

State

Indicates the server key state:

  • CONFIGURE: Indicates that the server public key is saved in the database.
  • DYNAMIC: Indicates that the server public key is not saved in the database.

display ssh user-information

Function

The display ssh user-information command displays the configuration of all the SSH users.

Format

display ssh user-information [ user-name ]

Parameters

Parameter Description Value
user-name

Specifies the name of an SSH user.

The value is a string of 1 to 253 case-insensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

Views

All views

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a user logs in to the device through SSH with RSA, DSA, or ECC authentication, you can run the display ssh user-information command to check whether the user information is correct, including the user name, password, RSA, DSA, or ECC public key, and service type.

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the configurations of all the SSH users.
<HUAWEI> display ssh user-information
----------------------------------------------------
User Name               : client001
Authentication type     : password-ecc
User public key name    : --
User public key type    : --
Sftp directory          : --
Service type            : stelnet | sftp | snetconf

User Name               : client002
Authentication type     : rsa
User public key name    : --
User public key type    : --
Sftp directory          : --
Service type            : --
----------------------------------------------------
Total 2, 2 printed
# Display the configuration of the SSH user client001.
<HUAWEI> display ssh user-information client001
--------------------------------------------------------------------------------
User Name             : client001
Authentication type   : password-ecc
User public key name  : --
User public key type  : --
Sftp directory        : --
Service type          : stelnet | sftp | snetconf
--------------------------------------------------------------------------------
Table 2-962 Description of the display ssh user-information command output
Item Description
User Name

Name of the SSH user.

User public key name

Peer public key assigned to the SSH user.

User public key type

Public key type allocated to SSH users.

Authentication type

Authentication mode of the SSH user.

Sftp directory

SFTP service directory of an SSH user.

Service type

Service type for an SSH user.

  • snetconf: indicates that the service type of an SSH user is SNETCONF.
  • stelnet: indicates that the service type of an SSH user is stelnet.
  • sftp: indicates that the service type of the SSH user is SFTP.
  • -: indicates that no service type is specified for the SSH user.

dsa local-key-pair create

Function

The dsa local-key-pair create command generates the local DSA host key pair and the server key pair.

By default, no local DSA host key pair or server key pair is set.

Format

dsa local-key-pair create

Parameters

Parameter Description Value
dsa

Displays information about a DSA key pair.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A local key pair is a prerequisite for a successful SSH login. Digital Signature Algorithm (DSA) is an asymmetric encryption algorithm. In an SSH connection, the DSA key pair is used for SSH authentication and for DSA public key authentication of users. When the dsa local-key-pair create command is run and a DSA key already exists, the system prompts the user to confirm whether to replace the original key. The generated DSA host key pair is named in the format device name_Host_DSA, for example HUAWEI_Host_DSA.

Precautions

  • The dsa local-key-pair create command is not saved in the configuration file. It only needs to be run once and takes effect even after the device restarts.
  • Do not delete the DSA key file from the device.
  • If no local key pair is configured when you log in to the device through SSH for the first time, the system automatically generates a local key pair. To ensure that this local key pair is not changed after the system restarts, run the save command to save the configuration file. Otherwise, the system generates a new local key pair after it restarts. You need to use the new local key pair to log in to the device through SSH.

Example

# Generate a local DSA host key pair.
<HUAWEI> system-view
[HUAWEI] dsa local-key-pair create
Info: The key name will be: HUAWEI_Host_DSA
Info: The key modulus can be any one of the following : 2048.
Info: Key pair generation will take a short while.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

dsa local-key-pair destroy

Function

The dsa local-key-pair destroy command deletes all local DSA key pairs, including the host key pair and server key pair.

By default, no local DSA keys are created.

Format

dsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you no longer need the local DSA key pairs, run the dsa local-key-pair destroy command to delete them.

Configuration Impact

The dsa local-key-pair destroy command deletes the local DSA host key pair from the files on the device. SSH logins that rely on the DSA host key fail until a new key pair is created. Exercise caution when you run this command.

Precautions

The dsa local-key-pair destroy command is not saved in the configuration file. It only needs to be run once and takes effect even after the device restarts.

Example

# Delete the local DSA host key pair.
<HUAWEI> system-view
[HUAWEI] dsa local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_DSA.
Warning: These keys will be destroyed. Continue? Please select [Y/N]: Y

dsa peer-public-key

Function

The dsa peer-public-key command creates a DSA public key with the specified encoding format and enters the DSA public key view.

The undo dsa peer-public-key command deletes the DSA public key.

By default, no DSA public key is created.

Format

dsa peer-public-key key-name encoding-type enc-type

undo dsa peer-public-key key-name

Parameters

Parameter Description Value
key-name

Specifies the DSA public key name.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

When quotation marks are used around the string, spaces are allowed in the string.

encoding-type enc-type

Specifies the encoding format in which the DSA public key will be entered.

The value is an enumerated type, which can be:

  • der: Distinguished Encoding Rules (DER) format. The DER-encoded key is entered as a hexadecimal string.
  • openssh: OpenSSH format, the single-line base-64 public key written by OpenSSH (ssh-dss AAAA...).
  • pem: Privacy Enhanced Mail (PEM) format, the base-64 encoding of the DER key between BEGIN and END header lines.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When DSA public key authentication is used, the public key generated on the client must be configured on the server (this device) and bound to the SSH user. When the client logs in, the server verifies the client's signature with that public key; the private key never leaves the client.

After you enter the DSA public key view, run the public-key-code begin command, and copy the DSA public key to the server.

Follow-up Procedure

After you copy the DSA public key generated on the client to the server, perform the following operations to exit the DSA public key view:

  • Run the public-key-code end command to return to the DSA public key view.
  • Run the peer-public-key end command to exit the DSA public key view and return to the system view.

Precautions

If the DSA public key has been assigned to an SSH user, delete the mapping between the DSA public key and the SSH user. If you do not delete the mapping, the undo dsa peer-public-key command cannot delete the DSA public key.

The key pair is generated on the client by its SSH key generation software (for example, ssh-keygen). Only the public half is copied to the device, and it must be entered exactly as exported, in the encoding format selected with encoding-type.

A maximum of 20 DSA public keys can be configured.

Example

# Create a DSA public key named dsakey001 and enter the DSA public key view.
<HUAWEI> system-view
[HUAWEI] dsa peer-public-key dsakey001 encoding-type der
Info: Enter "DSA public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, and you can return the last view with "public-key-code end".
[HUAWEI-dsa-public-key-dsa-key-code] 30820324
[HUAWEI-dsa-public-key-dsa-key-code] 02820101
[HUAWEI-dsa-public-key-dsa-key-code] 00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60
[HUAWEI-dsa-public-key-dsa-key-code] BE8B9E36 D3E4EB9C D6EB7FD2 10219AC0 F41AD47B
[HUAWEI-dsa-public-key-dsa-key-code] F1EACD43 5D39AFA8 FACB6A78 19305EE1 47E42891
[HUAWEI-dsa-public-key-dsa-key-code] 2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268
[HUAWEI-dsa-public-key-dsa-key-code] 56A99ECF A5D80036 7B31A905 22F13949 6F4182DB
[HUAWEI-dsa-public-key-dsa-key-code] FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
[HUAWEI-dsa-public-key-dsa-key-code] 849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7
[HUAWEI-dsa-public-key-dsa-key-code] 505413E9 1EFC961C 3F792096 25CFA8D7 D469FA35
[HUAWEI-dsa-public-key-dsa-key-code] A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714
[HUAWEI-dsa-public-key-dsa-key-code] B6326B7D B6067EBF 153CC1A7 20B0E1A7 E39C13FE
[HUAWEI-dsa-public-key-dsa-key-code] B3BA26E6 B052DC5B FFEE7C5C 52148FE6 C240738F
[HUAWEI-dsa-public-key-dsa-key-code] BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F
[HUAWEI-dsa-public-key-dsa-key-code] CD4EA0EE 501FC669 5D03D68D 519324E4 93
[HUAWEI-dsa-public-key-dsa-key-code] 0215
[HUAWEI-dsa-public-key-dsa-key-code] 00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE
[HUAWEI-dsa-public-key-dsa-key-code] BB
[HUAWEI-dsa-public-key-dsa-key-code] 02820100
[HUAWEI-dsa-public-key-dsa-key-code] 3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
[HUAWEI-dsa-public-key-dsa-key-code] 96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
[HUAWEI-dsa-public-key-dsa-key-code] 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
[HUAWEI-dsa-public-key-dsa-key-code] 5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
[HUAWEI-dsa-public-key-dsa-key-code] 2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
[HUAWEI-dsa-public-key-dsa-key-code] 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
[HUAWEI-dsa-public-key-dsa-key-code] 9A56E32E C15A0659 3D17C407 29F587C7 74959017
[HUAWEI-dsa-public-key-dsa-key-code] 62B08070 24564B2E E79C6E1D 86793548 76CC662A
[HUAWEI-dsa-public-key-dsa-key-code] 1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
[HUAWEI-dsa-public-key-dsa-key-code] 26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
[HUAWEI-dsa-public-key-dsa-key-code] 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
[HUAWEI-dsa-public-key-dsa-key-code] A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
[HUAWEI-dsa-public-key-dsa-key-code] C15B6DBA 65C9EFAB 247DB13D 4942E2FF
[HUAWEI-dsa-public-key-dsa-key-code] 02820100
[HUAWEI-dsa-public-key-dsa-key-code] 13BA3593 E37EA6F3 24BF0648 0421F61A 813FB47E
[HUAWEI-dsa-public-key-dsa-key-code] 52603941 96F18296 16694BA6 50668023 A1A15E07
[HUAWEI-dsa-public-key-dsa-key-code] C77DE89C E4208699 A0E00FFB 1AE881E7 F7E68AAA
[HUAWEI-dsa-public-key-dsa-key-code] 79E713C4 56D810CF AEE8D6A2 385B0B80 0A1E9DDD
[HUAWEI-dsa-public-key-dsa-key-code] 3D3E3D57 FD80052B 94695D06 648F4D7D 65765881
[HUAWEI-dsa-public-key-dsa-key-code] 6B0BEDC0 8FA810FA C8E1AC53 C9A5EA2E 4760545C
[HUAWEI-dsa-public-key-dsa-key-code] 1A398100 5DA632A7 AA4443DA 4222C65E A2B1DA3E
[HUAWEI-dsa-public-key-dsa-key-code] 5F737FAD ACFFBC39 F993FC3B 01149B38 E34E55ED
[HUAWEI-dsa-public-key-dsa-key-code] F0628938 F05F99A0 E4D7D282 F68D768D 50D35D3B
[HUAWEI-dsa-public-key-dsa-key-code] 35954851 9E3AFDB3 76AB1D25 61F2198A 26AD6279
[HUAWEI-dsa-public-key-dsa-key-code] 3B33437F 99164672 948CE066 7D68330A 624C13AD
[HUAWEI-dsa-public-key-dsa-key-code] FF559CAE C11A24AB 0D65DCD7 AA3B9D88 37748113
[HUAWEI-dsa-public-key-dsa-key-code] 33111D88 5B99CEF9 FF0A96D7 5138941C
[HUAWEI-dsa-public-key-dsa-key-code] public-key-code end
[HUAWEI-dsa-public-key] peer-public-key end

ecc local-key-pair create

Function

The ecc local-key-pair create command generates a local ECC host key pair.

By default, no local ECC host key pair exists in the system.

Format

ecc local-key-pair create

Parameters

Parameter Description Value
ecc

Specifies the ECC algorithm for the local host key pair.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A local key pair is a prerequisite to a successful SSH login. Compared with the RSA algorithm used by the rsa local-key-pair create command, the ECC algorithm provides equivalent security with much shorter keys and faster key generation and signing. The length of the ECC server key pair and the host key pair can be 256 bits, 384 bits, or 521 bits. By default, the length of the key pair is 521 bits.

Precautions

The new key pair is named in the Host_ECC format.

If you log in to the device in SSH mode for the first time and no local key pair is configured, the system automatically generates a key pair.

This command is a one-time operation command and is not saved in the configuration file. You only need to run this command once. After the device restarts, you do not need to run this command again.

Example

# Generate a local ECC host key pair and a server key pair.
<HUAWEI> system-view
[HUAWEI] ecc local-key-pair create
Info: The key name will be: Host_ECC
Info: The key modulus can be any one of the following: 256, 384, 521.
Info: Key pair generation will take a short while.
Please input the modulus [default=521]:521
Info: Generating keys...
Info: Succeeded in creating the ECC host keys.

ecc local-key-pair destroy

Function

The ecc local-key-pair destroy command deletes the local ECC keys.

By default, no local ECC host key pair exists in the system.

Format

ecc local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A local key pair is a prerequisite to a successful SSH login. If you no longer need the local ECC key pairs, run the ecc local-key-pair destroy command to delete them.

Configuration Impact

The ecc local-key-pair destroy command deletes the local ECC host key pair from the files on the device. SSH logins that rely on the ECC host key fail until a new key pair is created. Exercise caution when you run this command.

Precautions

The ecc local-key-pair destroy command is not saved in the configuration file. It only needs to be run once and takes effect even after the device restarts.

Do not manually delete the ECC key file from the device.

Example

# Delete the local ECC host key pair and server key pair.
<HUAWEI> system-view
[HUAWEI] ecc local-key-pair destroy
Info: The name of the key which will be destroyed is HUAWEI_Host_ECC.
Warning: These keys will be destroyed. Continue? Please select [Y/N]:y
Info: Succeeded in destroying the ECC host keys.

ecc peer-public-key

Function

The ecc peer-public-key command creates an ECC public key and enters the ECC public key view.

The undo ecc peer-public-key command deletes the ECC public key.

By default, no ECC public key is created.

Format

ecc peer-public-key key-name [ encoding-type enc-type ]

undo ecc peer-public-key key-name

Parameters

Parameter Description Value
key-name

Specifies the ECC public key name.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

encoding-type enc-type

Specifies the encoding format in which the remote peer's ECC public key will be entered.

The value can be der (Distinguished Encoding Rules, entered as hexadecimal), pem (base-64 between BEGIN and END header lines), or openssh (the single-line base-64 format written by OpenSSH).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you use an ECC public key for authentication, specify the public key on the server for the client of SSH users. When the client logs in to the server, the server uses the specified public key to authenticate the client.

After you enter the ECC public key view, run the public-key-code begin command, and copy the ECC public key to the server.

Follow-up Procedure

After you copy the ECC public key generated on the client to the server, perform the following operations to exit the ECC public key view:

  1. Run the public-key-code end command to return to the ECC public key view.
  2. Run the peer-public-key end command to exit the ECC public key view and return to the system view.

Precautions

The key pair is generated on the client by its SSH key generation software (for example, ssh-keygen). Only the public half is copied to the device, and it must be entered exactly as exported.

If an ECC public key has been assigned to an SSH user, run the undo ssh user user-name assign ecc-key command to delete the mapping between the ECC public key and the SSH user. If you do not delete the mapping, the undo ecc peer-public-key command cannot delete the ECC public key.

A maximum of 20 ECC public keys can be configured.

Example

# Create an ECC public key and enter the ECC public key view.
<HUAWEI> system-view
[HUAWEI] ecc peer-public-key ecc001
Enter "ECC public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-ecc-public-key] public-key-code begin
Enter "ECC key code" view, and you can return the last view with "public-key-code end".
[HUAWEI-ecc-public-key-ecc-key-code] 04018880 E903B9C1 C2F146EC 2F918B16 CA8A9FAD
[HUAWEI-ecc-public-key-ecc-key-code] BA540A15 FCA62A4E 56B9665B FDFB3F93 ADD9E3DE
[HUAWEI-ecc-public-key-ecc-key-code] B626624D B11417D8 7E335586 0F8F69D5 392C89A1
[HUAWEI-ecc-public-key-ecc-key-code] 0CC12D0F 17C27201 7D66F6C8 70B3910C BBEFFF85
[HUAWEI-ecc-public-key-ecc-key-code] D0AA0343 0BCBA4A9 170ABB60 7FD06EBA 46DE5107
[HUAWEI-ecc-public-key-ecc-key-code] A9BE9BD7 B63CDF77 624A3461 1D13E0A1 93CA1B31
[HUAWEI-ecc-public-key-ecc-key-code] 372FAC85 1F27638B 06222881 FE
[HUAWEI-ecc-public-key-ecc-key-code] public-key-code end
[HUAWEI-ecc-public-key] peer-public-key end

exit (SFTP client view)

Function

The exit command disconnects from the remote SFTP server and returns from the SFTP client view to the system view.

Format

exit

Parameters

None

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to return to the system view from the SFTP client view.

Example

# Disconnect from SFTP server using exit command.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> exit

get (SFTP client view)

Function

The get command downloads the files from a remote SFTP server to the local device.

Format

get remote-filename [ local-filename ]

Parameters

Parameter Description Value
remote-filename

Specifies the name of the source file on the SFTP server.

The value is a string of 1 to 255 case-sensitive characters without spaces, including the absolute path of the file.

local-filename

Specifies the name of the local file on the SFTP client.

The value is a string of 1 to 255 case-sensitive characters without spaces, including the absolute path of the file.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the local file name is not specified, the default name of the file downloaded to the local device is the same as that of the file on the SFTP server.

Example

# Download files from the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.3
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
Please input the username: client001
Enter password:
sftp-client> get XXX.cc
Remote file: flash:/ XXX.cc --->  Local file: XXX.cc
Downloading file successfully ended.
File download is completed in 1 seconds.

help (SFTP client view)

Function

The help command displays the format of all the commands in the SFTP client view.

Format

help [ command-name ]

Parameters

Parameter Description Value
command-name

Displays the format of the specified command in the SFTP client view.

The value is a string of 1 to 255 characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to get the help information and format of the specified command in the SFTP client view.

You can use help or ? to get the help information of SFTP commands.

Example

# Display the format of get command.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:
sftp-client> help get
get Remote file name STRING<1-128> [Local file name STRING<1-128>]     Download file.    
Default local file name is the same with remote file.
# Display all the commands in the SFTP client view.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username:client001
Enter password:
sftp-client> help
cd 
cdup 
dir 
get 
help/? 
ls 
mkdir 
put 
pwd 
quit/exit/bye 
rename 
remove/delete 
rmdir

key-pair label

Function

The key-pair label command creates a DSA, ECC, or SM2 key pair and stores it under the specified label name.

The undo key-pair label command deletes the key pair with the specified label name.

By default, a device does not have local key pairs or server key pairs.

Format

dsa key-pair label label-name [ modulus modulus-bits ]

ecc key-pair label label-name [ modulus modulus-bits ]

sm2 key-pair label label-name

undo { dsa | ecc } key-pair label label-name

undo sm2 key-pair label label-name

Parameters

Parameter Description Value
label-name

Specifies the label name of the key pair.

The value is a string of 1 to 35 case-insensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

modulus modulus-bits

Specifies the key-pair modulus bit value.

The value is an integer that can be 256, 384, or 521, in bits. The default value is 521 bits.

The greater the modulus of a key pair, the higher the security. However, it takes longer time to generate and use key pairs of a greater modulus.

ecc

Specifies to generate the ECC key-pairs.

-

sm2

Specifies to generate the SM2 key-pairs.

-

dsa

Specifies to generate the DSA key-pairs.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

DSA, ECC, and SM2 are public key algorithms used for SSH user authentication; key pairs created with this command are identified by label rather than by the fixed host key name.

After this command is executed, a new key pair is created and stored with the specified label name. The undo key-pair label command deletes a specified key pair from the database.

Configuration Impact

On execution of the dsa key-pair label command, a new DSA key-pair is generated and stored with the given label name. On execution of the undo dsa key-pair label command, the DSA key-pair with the given label name is deleted from the database.

On execution of the ecc key-pair label command, a new ECC key-pair is generated and stored with the given label name. On execution of the undo ecc key-pair label command, the ECC key-pair with the given label name is deleted from the database.

On execution of the sm2 key-pair label command, a new SM2 key-pair is generated and stored with the given label name. On execution of the undo sm2 key-pair label command, the SM2 key-pair with the given label name is deleted from the database.

Example

# Create an SM2 key pair named sm2key001.
<HUAWEI> system-view
[HUAWEI] sm2 key-pair label sm2key001
# Generate an ECC key-pair with the label name ecc_key_pair and modulus 521.
<HUAWEI> system-view
[HUAWEI] ecc key-pair label ecc_key_pair modulus 521

key-pair maximum

Function

The key-pair maximum command configures the maximum number of allowed key-pairs.

The undo key-pair maximum command resets the value of the key-pair to its default value.

By default, you can configure 20 key-pairs.

Format

rsa key-pair maximum max-keys

dsa key-pair maximum max-keys

ecc key-pair maximum max-keys

undo rsa key-pair maximum

undo dsa key-pair maximum

undo ecc key-pair maximum

Parameters

Parameter Description Value
max-keys

Specifies the maximum number for key-pairs.

The value is an integer ranging from 1 to 20.

dsa

Sets the maximum number of DSA key pairs.

-

ecc

Sets the maximum number of ECC key pairs.

-

rsa

Sets the maximum number of RSA key pairs.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Storing key-pairs consumes system memory and file resources. You can run the key-pair maximum command to set the maximum number of allowed key-pairs to prevent excess key pairs from exhausting system resources.

Example

# Set the maximum number of allowed ECC key-pairs to 15.
<HUAWEI> system-view
[HUAWEI] ecc key-pair maximum 15
# Set the rsa key-pair maximum value as 15.
<HUAWEI> system-view
[HUAWEI] rsa key-pair maximum 15

ls (SFTP client view)

Function

The ls command lists all the directories and files in the present working directory of remote machine.

Format

ls [ remote-directory [ local-filename ] ]

Parameters

Parameter Description Value
remote-directory

Specifies the directory name in the remote machine.

Remote directory name is a string data type. The string length range is from 1 to 255 characters.

local-filename

Specifies a local file on the SFTP client in which the directory listing is saved.

The value is a string of 1 to 255 characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If no parameter is specified, the ls command lists the directories and files in the current working directory on the remote server.

Example

# List the directories and files.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> ls
# List the directories of remote directory new_folder.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> ls new_folder
# List the directories and files of new_folder and to place in a local file output.txt.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> ls new_folder output.txt

mkdir (SFTP client view)

Function

The mkdir command creates a directory on the remote SFTP server.

Format

mkdir path

Parameters

Parameter Description Value
path

Specifies the directory path or name on the SFTP server.

It is a string data type. The value ranges from 1 to 255 characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After creating the directory by using the mkdir command, you can run the dir or ls command to view the information. The mkdir command returns error, if the file or directory with the same name already exists.

To use the mkdir command, the SFTP user must have write permission in the target directory on the SFTP server.

Example

# Create a directory on the SSH server.
<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.222
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Please input the username: client001
Enter password:   
sftp-client> mkdir ssh

peer-public-key end

Function

The peer-public-key end command enables the system to return to the system view from the public key view.

By default, no peer-public-key is configured.

Format

peer-public-key end

Parameters

None

Views

DSA public key view, ECC public key view, Public key view, SM2 public key view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After a public key is configured, you can run the peer-public-key end command to return to the system view from the public key view.

Example

# Return to the system view.
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key test
Enter "RSA public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-rsa-public-key] peer-public-key end
[HUAWEI]

public-key-code begin

Function

The public-key-code begin command enters the public key edit view (key code view), in which the public key string is entered.

By default, no key pair exists in the system.

Format

public-key-code begin

Parameters

None

Views

DSA public key view, ECC public key view, Public key view, SM2 public key view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • Before using this command, you must create a key name with the rsa peer-public-key, dsa peer-public-key, ecc peer-public-key, or sm2 peer-public-key command.
  • After the public-key-code begin command opens the public key edit view, enter the key characters. Spaces can exist between characters, and you can press Enter to continue entering the key on the next line.
  • The public key must be the string exported by the SSH client's key generation software, entered in the encoding selected when the key name was created (for example, hexadecimal for DER).
  • The content of a key does not support Chinese characters.

Example

# Enter the public key edit view and input the key.
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key 003
Enter "RSA public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-rsa-public-key] public-key-code begin
Enter "RSA key code" view, and you can return the last view with "public-key-code end"
[HUAWEI-rsa-public-key-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[HUAWEI-rsa-public-key-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[HUAWEI-rsa-public-key-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[HUAWEI-rsa-public-key-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[HUAWEI-rsa-public-key-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[HUAWEI-rsa-public-key-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[HUAWEI-rsa-public-key-rsa-key-code] public-key-code end
[HUAWEI-rsa-public-key] peer-public-key end

public-key-code end

Function

The public-key-code end command enables the system to return to the public key view from the public key edit view and save the public key configured by the user.

By default, a device does not have local key pairs or server key pairs.

Format

public-key-code end

Parameters

None

Views

DSA public key editing view, ECC key code view, RSA key code view, SM2 key code view, Public key editing view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After this command is run, editing of the public key ends. Before saving the public key, the system checks its validity. If the entered string contains illegal characters or is not a correctly encoded key, the system displays a prompt and discards the key, and the configuration fails. If the key is valid, it is saved in the public key chain table.

  • Generally, only the peer-public-key end command can be used to exit the public key view; the quit command cannot be used.
  • If no valid key code was entered, the key is not generated when the peer-public-key end command is run, and the system prompts that generating the key failed.
  • If the key is deleted in another session, the system prompts that the key does not exist and returns directly to the system view when you run the peer-public-key end command.

Example

# Quit the public key editing view and save the configuration.
<HUAWEI> system-view
[HUAWEI] rsa peer-public-key 003
Enter "RSA public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-rsa-public-key] public-key-code begin
Enter "RSA key code" view, and you can return the last view with "public-key-code end".
[HUAWEI-rsa-public-key-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[HUAWEI-rsa-public-key-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[HUAWEI-rsa-public-key-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[HUAWEI-rsa-public-key-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[HUAWEI-rsa-public-key-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[HUAWEI-rsa-public-key-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[HUAWEI-rsa-public-key-rsa-key-code] public-key-code end
[HUAWEI-rsa-public-key] peer-public-key end

put (SFTP client view)

Function

The put command uploads the files to a remote SFTP server.

Format

put local-filename [ remote-filename ]

Parameters

Parameter Description Value
local-filename

Specifies the name of the local source file on the SFTP client.

It is a string data type. The absolute path of the file range is from 1 to 255 characters. It contains the alphanumeric and special characters.

remote-filename

Specifies the name of the destination file on the SFTP server.

It is a string data type. The absolute path of the file range is from 1 to 255 characters. It contains the alphanumeric and special characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the remote-filename is not specified, the name of the source file is considered as the uploaded destination file name on the SFTP server.

Example

# Upload files to the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: client001
Enter password:
sftp-client> put XXX.cc

pwd (SFTP client view)

Function

The pwd command displays the present working directory on the remote SFTP server.

Format

pwd

Parameters

None

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After executing the pwd command, if the working directory is incorrect, then execute the cd command to modify the working directory of SFTP client.

Example

# Display the working directory on the remote SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please input the username: client001
Enter password:   
sftp-client> pwd
/
sftp-client> mkdir test
Info: Succeeded in creating a directory.
sftp-client> cd /test
/test
sftp-client> pwd
/test

quit (SFTP client view)

Function

The quit command disconnects from the remote SFTP server and returns from the SFTP client view to the system view.

Format

quit

Parameters

None

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to return to the system view from the SFTP client view.

Example

# Disconnect from SFTP server using quit command.
<HUAWEI> system-view
[HUAWEI] sftp 1.1.1.1
sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: sftp
sftp-client> quit

remove (SFTP client view)

Function

The remove command deletes the specified file from the SFTP server.

Format

remove path

Parameters

Parameter Description Value
path

Specifies the file name.

It is a string data type. The absolute path of the file range is from 1 to 1060 characters. It contains the alphanumeric and special characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can delete a maximum of 10 files at a time.

Example

# Remove the file testnew.txt on the server.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.3
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
Please input the username: client001
Enter password:   
sftp-client> remove /testnew.txt
Are you sure to remove it?(Y/N): Y
Successfully removed the file: /testnew.txt

rename (SFTP client view)

Function

The rename command renames a file or directory on the SFTP server.

Format

rename old-name new-name

Parameters

Parameter Description Value
old-name

Specifies the name of the source file or directory on the SFTP server.

It is a string data type. The absolute path of the file or directory range is from 1 to 255 characters.

new-name

Specifies the name of the target file or directory on the SFTP server.

It is a string data type. The absolute path of the file or directory range is from 1 to 255 characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

After renaming, the original file name becomes invalid. This command returns error, if a file exists with the new-name.

Example

# Rename the file in the authorized directory on the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 10.1.1.3
Trying 10.1.1.3 ...
Press CTRL+K to abort
Connected to 10.1.1.3 ...
Please input the username: client001
Enter password:   
sftp-client> rename /test.txt /testnew.txt
Warning: Rename /test.txt to /testnew.txt?[Y/N]: y

rmdir (SFTP client view)

Function

The rmdir command deletes the specified directory on the SFTP server.

Format

rmdir directory-name

Parameters

Parameter Description Value
directory-name

Specifies the directory on the SFTP server.

It is a string data type. The string length range is from 1 to 1060 characters. It contains alphanumeric and special characters.

Views

SFTP client view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before executing the rmdir command, ensure that the directory is empty; otherwise, the system returns an error message.

You can delete a maximum of 10 directories at a time.

Example

# Delete the directory on the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp 10.164.39.222
Trying 10.164.39.222 ...
Press CTRL+K to abort
Connected to 10.164.39.222 ...
Enter User Name: client001
Enter password:   
sftp-client> rmdir ssh
Are you sure to remove it?(Y/N):Y
Successfully removed the directory: flash:/ssh

rsa key-pair label

Function

The rsa key-pair label command creates an RSA key pair and configures a label name for it.

The undo rsa key-pair label command deletes the RSA key pair with a specified label name.

By default, a device does not have RSA local key pairs or RSA server key pairs.

Format

rsa key-pair label label-name [ modulus modulus-bits ]

undo rsa key-pair label label-name

Parameters

Parameter Description Value
label-name

Specifies the label name of an RSA key pair.

The value is a string of 1 to 35 case-insensitive characters. The string contains letters, digits, and underscores (_).

modulus modulus-bits

Specifies the modulus bit value of an RSA key pair.

The value is 2048 bits, 3072 bits or 4096 bits. The default value is 3072 bits.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An RSA key pair serves as the authentication credential of an SSH user and improves the security of user authentication.

Running the rsa key-pair label label-name command creates a new RSA key pair and stores it under the specified label-name.

Configuration Impact

Running the rsa key-pair label command creates a new RSA key pair and stores it with the given label-name. The undo rsa key-pair label command deletes the specified RSA key pair from the database.

Precautions

The RSA key files stored in a storage medium cannot be manually deleted.

To ensure high security, use the RSA key pair whose length is 3072 bits or higher.

Example

# Generate an RSA key pair with the label name of ssh_host and the modulus of 3072.
<HUAWEI> system-view
[HUAWEI] rsa key-pair label ssh_host modulus 3072

rsa local-key-pair

Function

The rsa local-key-pair create command generates local RSA host and server key pairs.

The rsa local-key-pair destroy command removes all local RSA keys including the host key pair and the server key pair.

By default, no local RSA host or server key pairs are generated.

Format

rsa local-key-pair create

rsa local-key-pair destroy

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you run this command, if the RSA key already exists, the system prompts you to confirm whether to replace the original key. The generated key pair is named in the format of Host_Server and Host. This command is not saved in the configuration file.

After running the rsa local-key-pair destroy command, you must confirm whether to remove all local RSA keys. This command is a one-time operation and therefore is not saved in the configuration file.

Precautions

  • To ensure high security, you are advised to use an RSA key pair of 3072 bits or more.
  • You only need to run this command once. After the device is restarted, you do not need to run this command again.
  • After you run this command, the system prompts you to enter the length of the RSA key pair to be generated. Currently, the system supports three types of RSA key pairs: 2048 bits, 3072 bits, and 4096 bits. If you press Enter without entering the key pair length, a 3072-bit RSA key pair is generated. If you do not perform any operation, the device does not generate the RSA key pair. You are advised to use an RSA key pair of 3072 bits or more, which is more secure.
  • The prerequisite for a successful SSH login is that a local RSA key pair is generated. You can generate a local RSA key pair in either of the following ways:
      • Run the rsa local-key-pair create command to generate a local RSA key pair.
      • The system automatically generates a local RSA key pair.

    After the local key pair is generated in either mode, run the save command to save the configuration file so that the local key pair does not change after the system restarts. If the configuration file is not saved, the system generates a new local key pair after the restart, and you must use the new key pair to log in to the device through SSH.

Example

# Configure a device to generate local host and server key pairs.
<HUAWEI> system-view
[HUAWEI] rsa local-key-pair create
The key name will be:Host 
The range of public key size is (2048, 4096). 
NOTE: Key pair generation will take a short while. 
Please input the modulus [default = 3072]:3072
# Remove all RSA keys of the server.
<HUAWEI> system-view
[HUAWEI] rsa local-key-pair destroy
The name for the keys which will be destroyed is Host.
Confirm to destroy these keys? Please select [Y/N]: Y

rsa peer-public-key

Function

The rsa peer-public-key command configures an encoding format for an RSA public key and enters the RSA public key view.

The undo rsa peer-public-key command deletes the RSA public key.

By default, rsa peer-public-key is not configured.

Format

rsa peer-public-key key-name

rsa peer-public-key key-name encoding-type enc-type

undo rsa peer-public-key key-name

Parameters

Parameter Description Value
key-name

Specifies the RSA public key name.

The name is a string of 1 to 40 characters without a blank space.

When quotation marks are used around the string, spaces are allowed in the string.

encoding-type enc-type

Specifies the encoding format of the RSA public key. The default is DER.

The value is an enumerated type, which can be:

  • der: Specifies the Distinguished Encoding Rules (DER) format for the RSA public key. DER encodes data in hexadecimal format.
  • openssh: Specifies the OpenSSH format for the RSA public key. OpenSSH encodes data in base-64 format and is based on PEM.
  • pem: Specifies the Privacy Enhanced Mail (PEM) format for the RSA public key. PEM encodes data in base-64 format.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When RSA public key authentication is used, the public key of the SSH user's client must be configured on the server. When the client logs in to the server, the server uses this public key to authenticate the client.

Peer public keys can be in the PKCS#1 format only.

The public key on the client is randomly generated by the client software.

Follow-up Procedure

  1. Run the public-key-code begin command to edit the public key and copy the public key to the server.
  2. Run the public-key-code end command to exit the RSA public key edit view.
  3. Run the peer-public-key end command to exit the RSA public key view and return to the system view.

Precautions

  • To ensure high security, you are advised to use an RSA key pair of 3072 bits or more.
  • After assigning an RSA public key to an SSH user, run the undo ssh user user-name assign rsa-key command to delete the mapping between the RSA public key and the SSH user. Otherwise, the undo rsa peer-public-key command cannot delete the RSA public key configuration from the device.
  • A maximum of 20 RSA public keys can be configured.

Example

# Create an RSA public key named rsakey001 and enter the public key view.
<HUAWEI> system-view
Enter system view, return user view with return command.
[HUAWEI] rsa peer-public-key rsakey001 encoding-type der
Enter "RSA public key" view, and you can return the system view with "peer-public-key end".
[HUAWEI-rsa-public-key] public-key-code begin
Enter "RSA key code" view, and you can return the last view with "public-key-code end".
[HUAWEI-rsa-public-key-rsa-key-code] 3082018A 02820181 00B5C42C 01F33F34 4FBA06E1 59978022 FEF3D9D1
[HUAWEI-rsa-public-key-rsa-key-code] 2817923E 0E921422 81ED9B35 2D89A33F 98F79F53 E919F670 BA87F264
[HUAWEI-rsa-public-key-rsa-key-code] 40705A3C 08A647EC 27C5C9C9 5A86DF5E A5856C2D 4C6CD572 7B4A0F89
[HUAWEI-rsa-public-key-rsa-key-code] BE0ED549 BCF9C9E8 6AA4F3A5 639B362F 3AE2D4BA 89E02DEF 3B86A021
[HUAWEI-rsa-public-key-rsa-key-code] 5F89FCC4 0771A537 68E79B3F 41BE7D8F 2C6235D3 ADAB7A07 F2FDFDE1
[HUAWEI-rsa-public-key-rsa-key-code] D8D0C933 EA33EDBC 8FD55CB9 0B7307B9 3DCA7B5F E6F3D636 9FFA9604
[HUAWEI-rsa-public-key-rsa-key-code] 421DF481 41B8130B 73DF4BA2 9651C56D 9AB372F2 B027B35D 4CEA28B5
[HUAWEI-rsa-public-key-rsa-key-code] 77453BA5 DFECD471 98AAC3F2 DF1D1BA0 288F641A C9CDAE94 A9A46092
[HUAWEI-rsa-public-key-rsa-key-code] 025C123E E038D6A1 7FAF5ED9 95718421 683EBB1D 09B81746 8C69D620
[HUAWEI-rsa-public-key-rsa-key-code] 5904DD3A E2572DCC 2D85F703 D7A13CAC BE0B3C7D DE1F096C 8245865F
[HUAWEI-rsa-public-key-rsa-key-code] 63AADA9B 8B430C70 30AAF730 DEBA5D61 2466AB8B B47A44E7 A057DD02
[HUAWEI-rsa-public-key-rsa-key-code] 7D1AAD8E 4BB8DC09 25292039 7A2C7668 F18BA192 AE858720 65EAA3E9
[HUAWEI-rsa-public-key-rsa-key-code] 612F414A 1CE1E72A 871C217C 2327AAAF A3BF2383 1F3108C5 551368C3
[HUAWEI-rsa-public-key-rsa-key-code] 64F2FC77 3401A460 05D83E86 E85D92C9 0814CBD2 D65D5F26 D6830EE6
[HUAWEI-rsa-public-key-rsa-key-code] 55020301 0001
[HUAWEI-rsa-public-key-rsa-key-code] public-key-code end
[HUAWEI-rsa-public-key] peer-public-key end
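
The key code pasted above is the PKCS#1 RSAPublicKey structure in DER, written as hexadecimal: 3082018A opens a SEQUENCE with 394 bytes of content, 02820181 00B5... is a 3072-bit modulus INTEGER, and 0203010001 at the end is the public exponent 65537. The following Python is an added example, not Huawei code, that converts an OpenSSH "ssh-rsa" public key line into those hex groups and rejects moduli shorter than 2048 bits; the sample key line is constructed inline from a made-up 2048-bit modulus, and the 7-groups-per-line layout simply follows the example above.

```python
"""Convert an OpenSSH 'ssh-rsa' public key line into the PKCS#1 DER hex groups
accepted in the rsa-key-code view (rsa peer-public-key ... encoding-type der).
Added example, not Huawei code."""
import base64
import struct


def _ssh_string(data):
    # SSH wire-format string: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _min_bytes(value):
    # Minimal big-endian two's-complement bytes of a non-negative integer, with a
    # leading 0x00 when the top bit is set. Both the SSH mpint (RFC 4251) and the
    # DER INTEGER content use exactly this representation.
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw


def make_ssh_rsa_line(n, e, comment="constructed"):
    # Build an authorized_keys-style line. Used here only to construct sample
    # input; real keys come from the client's key generator (e.g. ssh-keygen).
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_min_bytes(e)) + _ssh_string(_min_bytes(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_ssh_rsa_line(line):
    # Return (n, e) from 'ssh-rsa <base64> [comment]'.
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    parts, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack_from(">I", blob, offset)
        offset += 4
        parts.append(blob[offset:offset + length])
        offset += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big")


def _der_length(length):
    # DER length octets: short form below 128, else 0x80|count then big-endian length.
    if length < 0x80:
        return bytes([length])
    raw = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    raw = _min_bytes(value)
    return b"\x02" + _der_length(len(raw)) + raw


def pkcs1_der(n, e):
    # RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def to_key_code_lines(der, groups_per_line=7):
    # Uppercase hex in 8-digit groups, one line per seven groups, as pasted into
    # the rsa-key-code view in the command reference example.
    hexstr = der.hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return [" ".join(groups[i:i + groups_per_line])
            for i in range(0, len(groups), groups_per_line)]


def ssh_rsa_to_key_code(line, min_bits=2048):
    # Refuse moduli below the documented minimum before converting.
    n, e = parse_ssh_rsa_line(line)
    if n.bit_length() < min_bits:
        raise ValueError("modulus is %d bits; at least %d required" % (n.bit_length(), min_bits))
    return to_key_code_lines(pkcs1_der(n, e))


# Constructed 2048-bit sample modulus: not a real RSA key, only the encoding matters.
SAMPLE_N = (1 << 2047) | 1
SAMPLE_E = 65537
SAMPLE_LINE = make_ssh_rsa_line(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    for row in ssh_rsa_to_key_code(SAMPLE_LINE):
        print(row)
```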

scp

Function

The scp command uploads files to or downloads files from the SCP server.

Format

scp [ -a source-ip-address ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ public-net | vpn-instance vpn-instance-name ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex { prefer-kex } ] ] * source-filename destination-filename

scp ipv6 [ [ vpn-instance vpn-instance-name ] | public-net ] [ -force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | [ [ -a source-ipv6-address ] | [ -oi { interface-name | interface-type interface-number } ] ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex { prefer-kex } ] ] * source-filename destination-filename

scp -i { interface-name | interface-type interface-number } [ -force-receive-pubkey ] [ [ -port server-port ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] | -r | -c | [ -cipher cipher ] | [ -prefer-kex { prefer-kex } ] ] * source-filename destination-filename

Parameters

Parameter Description Value
-a source-ip-address

Specifies the source IPv4 address.

The value is in dotted decimal notation.

-a source-ipv6-address

Specifies the source IPv6 address.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

-force-receive-pubkey

Indicates that a server forcibly receives public key authentication.

-

-port server-port

Specifies the port number of the remote SCP server.

The value is an integer ranging from 1 to 65535. The default value is 22.

public-net

Specifies the public network where the server resides.

-

vpn-instance vpn-instance-name

Specifies the VPN instance name on the remote SCP server.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. The VPN instance name cannot be _public_. If the character string is quoted by double quotation marks, the character string can contain spaces.

identity-key identity-key-type

Specifies a public key algorithm for server authentication.

Currently, the RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, and ECC algorithms are supported. The default algorithm is RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use an RSA key shorter than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm, which ensures higher security.

user-identity-key user-key

Specifies a public key algorithm for user authentication.

Currently, the RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, and ECC algorithms are supported. The default algorithm is RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use an RSA key shorter than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm, which ensures higher security.

-r

Uploads or downloads files in batches.

-

-c

Enables compression.

-

-cipher cipher

Specifies an encryption algorithm for file upload or download.

Encryption algorithms supported depend on the ssh client cipher command settings.

-prefer-kex prefer-kex

Specifies the preferred key exchange algorithm.

Preferred algorithms for key exchange supported depend on the ssh client key-exchange command settings.

source-filename

Specifies the name of the source file to be uploaded or downloaded.

The value is a string of 1 to 256 characters.

destination-filename

Specifies the name of the destination file to be uploaded or downloaded.

The value is a string of 1 to 256 characters.

ipv6

Specifies the IPv6 SCP.

-

-oi

Specifies the source interface for the IPv6 client, including the name, type and number of the interface. The IPv6 address configured in this interface view is the source IPv6 address of the packet. If no IPv6 address is configured for the source interface, the connection cannot be set up.

-

interface-type

Specifies the type of the outbound interface.

-

interface-number

Specifies the number of the outbound interface.

-

-i interface-name

Specifies the name of the outbound interface.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SCP is a secure file transfer method based on SSH2.0. Different from SFTP, SCP supports batch file upload or download.

  • If a VPN instance name is specified, the SCP client logs in to the SCP server in the specified VPN instance.
  • To enhance security, use -a to configure a loopback address as the source IP address or use -i to configure a loopback interface as the outbound interface.
  • If -r is specified, you can use the wildcard (*) to upload or download files in batches, for example, *.txt or huawei.*.
  • If -c is specified, files are compressed before being transferred. File compression may take a long time and affect the file transfer rate. Therefore, compression is not recommended.
  • Files on the SCP server are in the format of username@hostname:[ path ] [ filename ].
      • username is the user name for logging in to the SCP server.
      • hostname is the name or IP address of the SCP server. If hostname is an IPv6 address, the IPv6 address must be included in square brackets ([ ]), for example, john@[2001:db8:1::1]:.
      • path is the working directory on the SCP server.
      • filename is the name of a file.

    If neither filename nor path is specified, the system uploads files to the root of the working directory on the SCP server. If path is specified but filename is not, the system uploads files to the specified path on the SCP server. If filename is specified, the system uploads the file to the SCP server under that name.
  • If the destination host address is an IPv6 link-local address, the local outbound interface must be specified.
  • If the destination file has the same name as an existing directory, the source file is copied into that directory and the newly generated file keeps the source file name. If the destination file has the same name as an existing file, the system prompts you to confirm replacing the existing file, and the file is named filename.
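
To make the username@hostname:[ path ] [ filename ] rules above concrete, here is an added Python example (not Huawei code) that splits a target into its parts and rebuilds one, bracketing IPv6 hosts as the rules require; the sample targets are the two from this page plus constructed ones, and the unbracketed IPv6 case shows why the brackets are mandatory.

```python
"""Parse and build SCP remote file specifications of the form
username@hostname:[path][filename] as used by the scp command.
Added example, not Huawei code."""
import ipaddress


def parse_scp_target(spec):
    # Returns a dict with username, hostname, path (directory part, '' when
    # absent), filename ('' when absent) and an ipv6 flag. Empty path and
    # filename together mean the root of the server's working directory.
    if "@" not in spec:
        raise ValueError("missing 'username@'")
    username, rest = spec.split("@", 1)
    if not username:
        raise ValueError("empty username")

    ipv6 = rest.startswith("[")
    if ipv6:
        end = rest.find("]")
        if end == -1 or rest[end + 1:end + 2] != ":":
            raise ValueError("IPv6 host must be written as [address]:")
        hostname = rest[1:end]
        ipaddress.IPv6Address(hostname)  # raises ValueError on a malformed address
        remote = rest[end + 2:]
    else:
        if ":" not in rest:
            raise ValueError("missing ':' after hostname")
        # An unbracketed IPv6 address is cut at its first colon here, which is
        # exactly why the command reference requires the square brackets.
        hostname, remote = rest.split(":", 1)
    if not hostname:
        raise ValueError("empty hostname")

    directory, sep, filename = remote.rpartition("/")
    return {
        "username": username,
        "hostname": hostname,
        "path": directory + sep,  # keep the trailing '/' so path works as a prefix
        "filename": filename,
        "ipv6": ipv6,
    }


def format_scp_target(username, hostname, path="", filename=""):
    # Inverse of parse_scp_target: an IPv6 address is bracketed automatically,
    # a DNS name or IPv4 address is written as-is.
    try:
        is_v6 = isinstance(ipaddress.ip_address(hostname), ipaddress.IPv6Address)
    except ValueError:
        is_v6 = False
    host = "[%s]" % hostname if is_v6 else hostname
    if path and not path.endswith("/"):
        path += "/"
    return "%s@%s:%s%s" % (username, host, path, filename)


if __name__ == "__main__":
    # The two targets quoted on this page, plus a constructed one with a path.
    for target in ("john@10.10.10.1:", "john@[2001:db8:1::1]:",
                   "john@backup.example:archive/license.txt"):
        print(target, "->", parse_scp_target(target))
```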

Prerequisites

A VPN instance has been configured.

The SCP service function has been enabled using the scp server enable command.

Precautions

  • If a source IP address or a source interface is not specified, the system uses the source IP address or source interface specified in the scp client-source command.
  • If a source IP address or source interface has been specified, the system does not use the source IP address or source interface specified in the scp client-source command.
  • If a source IP address is specified but no VPN instance name is specified, the system uses the global VPN instance if one is configured; otherwise, it uses the public network.
  • In the source-filename and destination-filename fields, specify the full path of each file. If a bare file name is the same as a command keyword, the command fails to be run.

Example

# Use aes256_ctr to encrypt the file license.txt, and use port 1026 to upload the file to the working directory on the remote SCP server. The SCP client and SCP server belong to the same VPN instance vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] scp -a 10.1.1.1 -port 1026 vpn-instance vpn1 -cipher aes256_ctr license.txt john@10.10.10.1:
Trying 10.10.10.1 ...
Press CTRL+K to abort
Connected to 10.10.10.1 ...
Enter password:
license.txt                       100%     38529827Bytes          165Kb/s

scp client-source -a

Function

The scp client-source -a command configures a source IPv4 address for the SCP client.

The scp ipv6 client-source -a command configures a source IPv6 address for the SCP client.

The undo scp client-source command restores the default source IPv4 address for the SCP client.

The undo scp ipv6 client-source command restores the default source IPv6 address for the SCP client.

By default, the source IPv4 address of the SCP client is 0.0.0.0 and the source IPv6 address is 0::0.

Format

scp client-source -a source-ip-address

scp client-source -a source-ip-address { public-net | -vpn-instance vpn-instance-name }

scp ipv6 client-source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]

undo scp client-source

undo scp ipv6 client-source

Parameters

Parameter Description Value
-a source-ip-address

Specifies a source IPv4 address for the SCP client.

The value is in the decimal format.

-a source-ipv6-address

Specifies a source IPv6 address for the SCP client.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

public-net

Specifies the public network where the SCP server resides.

-

-vpn-instance ipv6-vpn-instance-name

Specifies the name of a VPN instance to which the SCP server belongs.

Before specifying the parameter vpn-instance ipv6-vpn-instance-name, ensure that a VPN instance has been configured.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

-vpn-instance vpn-instance-name

Specifies the name of a VPN instance to which the SCP server belongs.

Before specifying the parameter vpn-instance vpn-instance-name, ensure that a VPN instance has been configured.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you run the scp command to log in to the SCP server without specifying a source IP address or source interface, the source IP address or source interface specified using the scp client-source command is adopted by default. When the SCP connection on the server is viewed, the specified source IP address or the primary IP address of the specified source interface is displayed as the IP address of the user.

Prerequisites

A VPN instance must have been configured successfully before it can be specified in this command.

Precautions

  • If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
  • If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the scp client-source -a source-ip-address -vpn-instance vpn-instance-name command, the VPN configured by this command (vpn2) takes effect.
  • After a bound VPN instance is deleted, the VPN configuration specified using the scp client-source command will not be cleared but does not take effect. In this case, the SCP server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function restores.
  • After a bound source interface is deleted, the interface configuration specified using the scp client-source command will not be cleared but does not take effect. If you configure the source interface with the same name again, the interface configuration specified using the scp client-source command is updated and the function restores.

Example

# Set the source IPv6 address of the SCP client to 2001:db8:2::2.
<HUAWEI> system-view
[HUAWEI] scp ipv6 client-source -a 2001:db8:2::2
# Set the source IPv4 address of the SCP client to 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] scp client-source -a 10.1.1.1

scp client-source -i

Function

The scp client-source -i command configures a source interface for the SCP client.

By default, there is no specified source interface for the SCP client.

Format

scp client-source -i { interface-type interface-number | interface-name }

Parameters

Parameter Description Value
interface-type

Specifies the type of a source interface.

-

interface-number

Specifies the number of a source interface.

-

interface-name

Specifies the name of a source interface.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you run the scp command to log in to the SCP server without specifying a source IP address or source interface, the source IP address or source interface specified using the scp client-source command is adopted by default. When the SCP connection on the server is viewed, the specified source IP address or the primary IP address of the specified source interface is displayed as the IP address of the user.

Precautions

  • If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
  • If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the scp client-source -a source-ip-address -vpn-instance vpn-instance-name command, the VPN instance configured by this command (vpn2) takes effect.
  • After a bound VPN instance is deleted, the VPN configuration specified using the scp client-source command will not be cleared but does not take effect. In this case, the SCP server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function restores.
  • After a bound source interface is deleted, the interface configuration specified using the scp client-source command will not be cleared but does not take effect. If you configure the source interface with the same name again, the interface configuration specified using the scp client-source command is updated and the function restores.

Example

# Set the source interface of the SCP client to LoopBack0.
<HUAWEI> system-view
[HUAWEI] interface LoopBack 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 24
[HUAWEI-LoopBack0] quit
[HUAWEI] scp client-source -i loopback0

scp max-sessions

Function

The scp max-sessions command configures the maximum number of SCP clients that can be connected to the SSH server.

The undo scp max-sessions command restores the default value.

By default, a maximum of two SCP clients can be connected to the SSH server.

Format

scp max-sessions max-session-count

undo scp max-sessions

Parameters

Parameter Description Value
max-session-count

Specifies the maximum number of SCP clients that can be connected to the SSH server.

The value is an integer ranging from 0 to 5. The default value is 2.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure the maximum number of SCP clients that can be connected to the SSH server, run the scp max-sessions command.

If the value specified by the max-session-count parameter is less than the number of current connections, the current connections are not ended but the server no longer accepts any new connections.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the maximum number of SCP clients that can be connected to the SSH server.
<HUAWEI> system-view
[HUAWEI] scp max-sessions 5

scp server enable

Function

The scp server enable command enables the SCP service on the SSH server.

The undo scp server enable command disables the SCP service on the SSH server.

By default, the SCP service is disabled on the SSH server.

Format

scp server enable

undo scp server enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To use SCP for file transfer, you must enable the SCP service on the SSH server. A client can connect to a remote SSH server by SCP only after the SCP service is enabled on the SSH server.

The scp server enable command enables both IPv4 and IPv6 SCP services on the SSH server.

Precautions

If you disable the SCP service on the SSH server, all the clients that log in to the server through SCP will be disconnected.

Example

# Enable the SCP service on the SSH server.
<HUAWEI> system-view
[HUAWEI] scp server enable

scp server enable (System view)

Function

The scp server enable command enables the SCP service on the SSH server.

The undo scp server enable command disables the SCP service on the SSH server.

By default, the SCP service is disabled on the SSH server.

Format

scp ipv4 server enable

scp ipv6 server enable

undo scp ipv4 server enable

undo scp ipv6 server enable

Parameters

Parameter Description Value
ipv6

Enables the SCP IPv6 service.

-

ipv4

Enables the SCP IPv4 service.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To use SCP for file transfer, you must enable the SCP service on the SSH server. A client can connect to a remote SSH server by SCP only after the SCP service is enabled on the SSH server.

To enable the IPv4 SCP service on an SSH server, run the scp ipv4 server enable command. To enable the IPv6 SCP service on an SSH server, run the scp ipv6 server enable command.

Precautions

If you disable the SCP service on the SSH server, all the clients that log in to the server through SCP will be disconnected.

Example

# Enable SCP on the server.
<HUAWEI> system-view
[HUAWEI] scp server enable

sftp

Function

The sftp command enables the system to log in to another device from the current device through SFTP.

Format

sftp [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ public-net | -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

sftp ipv6 [ -force-receive-pubkey ] [ -a source-ipv6-address ] host-ipv6-address [ [ [ -vpn-instance vpn-instance-name ] | public-net ] | [ -oi { interface-name | interface-type interface-number } ] | [ port-number ] | [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

sftp -i { interface-name | interface-type interface-number } [ -force-receive-pubkey ] host-ip-address [ port-number ] [ [ prefer_kex { prefer_kex } ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

Parameters

Parameter Description Value
-a source-ipv6-address

Specifies the SFTP source IPv6 address.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

-a source-ip-address

Specifies the SFTP source IP address.

The value is in dotted decimal notation.

-force-receive-pubkey

Indicates that a server forcibly receives public key authentication.

-

host-ip-address

Specifies the IP address of the remote system.

The value is in dotted decimal notation.

port-number

Specifies the port number of the SSH server.

The value is an integer ranging from 1 to 65535. The default value is 22.

prefer_kex prefer_kex

Specifies the preferred algorithm for key exchange.

Preferred algorithms for key exchange supported depend on the ssh client key-exchange command settings.

prefer_ctos_cipher prefer_ctos_cipher

Specifies the preferred encryption algorithm for packets from the client to the server.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_stoc_cipher prefer_stoc_cipher

Specifies the preferred encryption algorithm for packets from the server to the client.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_ctos_hmac prefer_ctos_hmac

Specifies the preferred HMAC algorithm for packets from the client to the server.

Preferred HMAC algorithms supported depend on the ssh client hmac command settings.

prefer_stoc_hmac prefer_stoc_hmac

Specifies the preferred HMAC algorithm for packets from the server to the client.

Preferred HMAC algorithms supported depend on the ssh client hmac command settings.

prefer_ctos_compress

Specifies the preferred compression algorithm for packets from the client to the server. Currently, it can only be zlib.

The default algorithm is none.

zlib

Specifies zlib as the preferred compression algorithm.

-

prefer_stoc_compress

Specifies the preferred compression algorithm for packets from the server to the client. Currently, it can only be zlib.

-

public-net

Indicates that the SFTP server resides on a public network.

-

-vpn-instance vpn-instance-name

Specifies a VPN instance name.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.

-ki interval

Specifies an interval at which keepalive packets are sent if no data is received.

The value is an integer ranging from 1 to 3600, in seconds.

-kc count

Specifies the maximum number of times that a server does not respond to keepalive packets.

The value is an integer ranging from 1 to 30.

identity-key identity-key-type

Specifies the public key for server authentication.

Currently, the RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, and ECC algorithms are supported. The default algorithm is RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use an RSA key shorter than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm, which ensures higher security.

user-identity-key user-key

Specifies the public key for user authentication.

Currently, the RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, and ECC algorithms are supported. The default algorithm is RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use an RSA key shorter than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm, which ensures higher security.

ipv6

Specifies the IPv6 SFTP.

-

host-ipv6-address

Specifies the IPv6 address of the remote system.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

-oi

Specifies the source interface for the IPv6 client, including the type and number of the interface. If no IPv6 address is configured for the source interface, the connection cannot be set up.

-

interface-type interface-number

Specifies the source interface for the client, including the type and number of the interface.

-

-i interface-name

Specifies the name of the egress interface to the remote SFTP server.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

SFTP (SSH File Transfer Protocol) is a secure file transfer protocol that runs over an SSH connection. It enables remote users to securely log in to a device for file management and transfer, so that data is protected in transit. In addition, the device provides the SFTP client function so that you can log in to a remote SSH server from the device and transfer files securely.

When the SFTP server or its connection to a client fails, the client must detect the fault in time and release the connection. To achieve this goal, before a client logs in to the server through SFTP, configure an interval at which keepalive packets are sent if no data is received and the maximum number of times that the server does not respond. If the client does not receive any data within the specified interval, it sends a keepalive packet to the server. If the maximum number of times that the server does not respond exceeds the specified value, the client tears down the connection.

Prerequisites

The VPN instance to be specified in this command has been created using the ip vpn-instance command.

The SFTP service has been enabled on the SSH server using the sftp server enable command.

Precautions

  • If the SSH server listens on port 22, you do not need to specify the port number for SSH login.
  • If command execution fails due to ACLs on the SFTP client or the TCP connection fails, the system prompts an error message indicating that the connection to the server fails.
  • If no source IP address or source interface is specified, the system uses the source IP address or source interface specified in the sftp client-source command.
  • If a source IP address or source interface is specified, the system does not use the source IP address or source interface specified in the sftp client-source command.
  • If a source IP address has been specified and VPN instance name is not specified, the system uses the global VPN if any and the public VPN when no global VPN is available.

Example

# Connect to a remote SFTP server.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance ssh
[HUAWEI-vpn-instance-ssh] quit
[HUAWEI] sftp -a 10.1.1.1 10.2.2.2 1025 -vpn-instance ssh
Trying 10.2.2.2...
Press CTRL+K to abort
Connected to 10.2.2.2...
Please input the username: client001
Enter password:
# Connect to a remote IPv6 SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp ipv6 2001:db8:1::1 1025
Trying 2001:db8:1::1...
Press CTRL+K to abort
Connected to 2001:db8:1::1...
Please input the username: client001
Enter password:

sftp client-source -a

Function

The sftp client-source -a command configures the specified address as the source IPv4 address of the device functioning as the SFTP client.

The sftp ipv6 client-source -a command configures the specified address as the source IPv6 address of the device functioning as the SFTP client.

The undo sftp client-source command restores the default SFTP client source IPv4 address.

The undo sftp ipv6 client-source command restores the default SFTP client source IPv6 address.

By default, the source IP address of the SFTP client is the IP address of the outbound interface for accessing the SFTP server.

Format

sftp client-source -a source-ip-address

sftp client-source -a source-ip-address { public-net | -vpn-instance vpn-instance-name }

sftp ipv6 client-source -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ]

undo sftp client-source

undo sftp ipv6 client-source [ -a source-ipv6-address [ -vpn-instance ipv6-vpn-instance-name ] ]

Parameters

Parameter Description Value
-a source-ip-address

Specifies the IPv4 address of the local device.

The value is in dotted decimal notation.

-a source-ipv6-address

Specifies the IPv6 address of the local device.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

public-net

Specifies the public network where the SFTP server resides.

-

-vpn-instance ipv6-vpn-instance-name

Specifies the name of a VPN instance to which the SFTP server belongs.

Before specifying the parameter vpn-instance ipv6-vpn-instance-name, ensure that a VPN instance has been configured.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

-vpn-instance vpn-instance-name

Specifies the name of a VPN instance to which the SFTP server belongs.

Before specifying the parameter vpn-instance vpn-instance-name, ensure that a VPN instance has been configured.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you run the sftp command to log in to an SFTP server without specifying a source address or source interface, the source address or source interface specified through the sftp client-source command is adopted by default. If you run the sftp command and specify the source address or source interface, the specified source address or source interface is adopted. When viewing the current SFTP connection on the server, the specified source IP address or the primary IP address of the specified interface is displayed as the IP address of the user.

Precautions

  • If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
  • If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the sftp client-source command, the VPN instance configured by this command (vpn2) takes effect.
  • After a bound VPN instance is deleted, the VPN configuration specified using the sftp client-source command is not cleared but no longer takes effect. In this case, the SFTP client reaches the server over the public network. If you configure a VPN instance with the same name again, the VPN function is restored.
  • After a bound source interface is deleted, the interface configuration specified using the sftp client-source command is not cleared but no longer takes effect. If you configure a source interface with the same name again, the interface configuration specified using the sftp client-source command is updated and the function is restored.

Example

# Set the source IP address of the SFTP client to 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] sftp client-source -a 10.1.1.1

sftp client-source -i

Function

The sftp client-source -i command configures the specified interface as the source interface of the device functioning as the SFTP client.

By default, the source IP address of the SFTP client is the IP address of the outbound interface for accessing the SFTP server.

Format

sftp client-source -i { interface-type interface-number | interface-name }

Parameters

Parameter Description Value
interface-type interface-number

Specifies the interface type and interface number of the local device.

-

-i interface-name

Specifies the interface name of the local device.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If you run the sftp command to log in to an SFTP server without specifying a source address or source interface, the source address or source interface specified through the sftp client-source command is adopted by default. If you run the sftp command and specify the source address or source interface, the specified source address or source interface is adopted. When viewing the current SFTP connection on the server, the specified source IP address or the primary IP address of the specified interface is displayed as the IP address of the user.

Precautions

  • If the specified source interface has been bound to a VPN instance, the client is automatically bound to the same VPN instance.
  • If the specified source interface has been bound to a VPN instance, for example, vpn1, but a different VPN instance, for example, vpn2, is specified in the sftp client-source -a source-ip-address -vpn-instance vpn-instance-name command, the VPN instance configured by this command (vpn2) takes effect.
  • After a bound VPN instance is deleted, the VPN configuration specified using the sftp client-source command is not cleared but no longer takes effect. In this case, the SFTP client reaches the server over the public network. If you configure a VPN instance with the same name again, the VPN function is restored.
  • After a bound source interface is deleted, the interface configuration specified using the sftp client-source command is not cleared but no longer takes effect. If you configure a source interface with the same name again, the interface configuration specified using the sftp client-source command is updated and the function is restored.
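The precautions of the sftp, sftp client-source -a and sftp client-source -i commands together form one set of precedence rules for the source address and the VPN instance a connection ends up in. The following Python model is an added example, not CloudEngine code: it encodes those rules so they can be exercised, including the two failure modes above (a deleted VPN instance silently moving the connection to the public network, and a deleted source interface falling back to the outbound interface). All type and function names (Interface, ClientSource, SftpArgs, Device, resolve_source) are this example's own, and the "global VPN" fallback mentioned for the sftp command is not modelled: with no applicable VPN instance the connection is treated as leaving on the public network.

```python
"""Source address and VPN selection for the CloudEngine SFTP client.

Added example (Python, not CloudEngine code): encodes the precedence rules
stated in the precautions of the sftp, sftp client-source -a and
sftp client-source -i commands. Names are this example's own; the "global
VPN" fallback is not modelled (no applicable VPN -> public network).
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

PUBLIC = "_public_"  # the page reserves this name; used here to mean "public network"


@dataclass
class Interface:
    name: str
    address: str                 # primary IP address of the interface
    vpn: Optional[str] = None    # VPN instance the interface is bound to, if any


@dataclass
class ClientSource:
    """Settings made with 'sftp client-source -a ...' / 'sftp client-source -i ...'."""
    address: Optional[str] = None
    interface: Optional[str] = None
    vpn: Optional[str] = None    # -vpn-instance given together with -a
    public_net: bool = False     # public-net given together with -a


@dataclass
class SftpArgs:
    """Source-related options typed on the sftp command line itself."""
    address: Optional[str] = None    # -a source-address
    interface: Optional[str] = None  # -i interface
    vpn: Optional[str] = None        # -vpn-instance name
    public_net: bool = False


@dataclass
class Device:
    interfaces: Dict[str, Interface] = field(default_factory=dict)
    vpn_instances: Set[str] = field(default_factory=set)  # created with 'ip vpn-instance'


@dataclass(frozen=True)
class Resolved:
    source: Optional[str]  # source address; None = address of the outbound interface
    vpn: str               # VPN instance used, or PUBLIC


def resolve_source(cmd: SftpArgs, cfg: Optional[ClientSource], dev: Device) -> Resolved:
    if cmd.interface and cmd.vpn:
        # Precaution: a source interface and -vpn-instance cannot be combined.
        raise ValueError("-i and -vpn-instance are mutually exclusive")

    # Rule 1: options on the sftp command take precedence over sftp client-source;
    # with neither, the outbound interface supplies the source address.
    if cmd.address or cmd.interface:
        address, iface_name, vpn, public_net = cmd.address, cmd.interface, cmd.vpn, cmd.public_net
    elif cfg is not None:
        address, iface_name, vpn, public_net = cfg.address, cfg.interface, cfg.vpn, cfg.public_net
    else:
        address, iface_name, vpn, public_net = None, None, None, False

    # Rule 2: a source interface supplies its primary address and binds the client
    # to the interface's VPN instance. A deleted interface leaves the configuration
    # in place but ineffective, so the outbound interface is used instead.
    iface_vpn = None
    if iface_name:
        iface = dev.interfaces.get(iface_name)
        if iface is None:
            address = None
        else:
            address, iface_vpn = iface.address, iface.vpn

    # Rule 3: an explicitly named VPN wins over the interface binding; public-net wins
    # over both. A VPN instance that has since been deleted stays configured but does
    # not take effect, so the connection falls back to the public network.
    chosen = vpn or iface_vpn
    if public_net or chosen is None or chosen not in dev.vpn_instances:
        return Resolved(address, PUBLIC)
    return Resolved(address, chosen)
```

The Rule 3 branch is the one worth auditing on a real device: after `undo ip vpn-instance`, the client-source configuration still shows in the running configuration, yet the next SFTP session leaves on the public network.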

Example

# Set the source interface of the SFTP client to LoopBack0
<HUAWEI> system-view
[HUAWEI] interface LoopBack 0
[HUAWEI-LoopBack0] quit
[HUAWEI] sftp client-source -i LoopBack0

sftp client-transfile

Function

The sftp client-transfile command uploads files from an SFTP client to an SFTP server or downloads files from an SFTP server to an SFTP client.

Format

sftp client-transfile get ipv6 [ -a source-ipv6-address ] host-ip host-ipv6 [ -oi { interface-type interface-number | interface-name } ] [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] | [ identity-key identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username user-name password password sourcefile destination [ destination source-file ]

sftp client-transfile get [ -a source-address | -i { interface-type interface-number | interface-name } ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] | [ identity-key identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username user-name password password sourcefile destination [ destination source-file ]

sftp client-transfile put ipv6 [ -a source-ipv6-address ] host-ip host-ipv6 [ -oi { interface-type interface-number | interface-name } ] [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] | [ identity-key identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username user-name password password sourcefile source-file [ destination destination ]

sftp client-transfile put [ -a source-address | -i { interface-type interface-number | interface-name } ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | [ prefer_kex { prefer_kex } ] | [ identity-key identity-key-type ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ -ki interval ] | [ -kc count ] ] * username user-name password password sourcefile source-file [ destination destination ]

Parameters

Parameter Description Value
-a source-address

Specifies the source address of an SFTP client.

The value is in dotted decimal notation.

-a source-ipv6-address

Specifies the source ipv6 address of an SFTP client.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

host-ip host-ipv4

Specifies the IPv4 address or host name of an SFTP server.

The value is a string of case-sensitive characters, spaces not supported.

host-ip host-ipv6

Specifies the IPv6 address or host name of an SFTP server.

The value is a string of case-sensitive characters without spaces.

-oi

Specifies the source IPv6 interface of an SFTP client.

-

interface-type interface-number

Specifies the source IPv6 interface of an SFTP client.

If host-ipv6 is a link-local IPv6 address, you must specify the interface name corresponding to the link-local address. If host-ipv6 is not a link-local IPv6 address, no interface name is required.

-

port

Specifies the monitoring port number of an SSH server.

You can log in to the server from the SFTP client without the need of specifying the monitoring port number only when the monitoring port number of the server is 22. Otherwise, the monitoring port number must be specified.

The value is an integer ranging from 1 to 65535. The default value is 22.

public-net

Indicates that the SFTP server resides on a public network.

-

-vpn-instance vpn-instance-name

Specifies a VPN instance name. This means that the SFTP server resides on a private network.

The value is a string of 1 to 31 case-sensitive characters without spaces.

If spaces are used, the string must start and end with double quotation marks (").

prefer_kex prefer_kex

Specifies the preferred algorithm for key exchange.

Preferred algorithms for key exchange supported depend on the ssh client key-exchange command settings.

identity-key identity-key-type

Specifies a public key algorithm for the server authentication.

Currently, the RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, and ECC algorithms are supported. The default algorithm is RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use the RSA algorithm whose length is less than 2048 digits. You are advised to use RSA SHA2-512 or RSA SHA2-256 authentication algorithm which ensures higher security.

prefer_ctos_cipher prefer_ctos_cipher

Specifies the preferred encryption algorithm for packets from the client to the server.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_stoc_cipher prefer_stoc_cipher

Specifies the preferred encryption algorithm for packets from the server to the client.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_ctos_hmac prefer_ctos_hmac

Specifies the preferred HMAC algorithm for packets from the client to the server.

Preferred HMAC algorithms supported depend on the ssh client hmac command settings.

prefer_stoc_hmac prefer_stoc_hmac

Specifies the preferred HMAC algorithm for packets from the server to the client.

Preferred HMAC algorithms supported depend on the ssh client hmac command settings.

-ki interval

Specifies an interval at which keepalive packets are sent if no data is received.

The value is an integer ranging from 1 to 3600, in seconds. The default value is 60.

-kc count

Specifies the maximum number of times that a server does not respond to keepalive packets.

The value is an integer ranging from 1 to 30. The default value is 5.

username user-name

Specifies the user name for an SFTP connection.

The value is a string of 1 to 255 case-sensitive characters without spaces.

If spaces are used, the string must start and end with double quotation marks (").

password password

Specifies the password for an SFTP connection.

The value is a string of 1 to 128 case-sensitive characters without spaces.

If spaces are used, the string must start and end with double quotation marks (").

sourcefile source-file

Specifies the absolute path of the source file to be uploaded or downloaded.

The value is a string of 1 to 256 case-insensitive characters without spaces. The file name is a string of 1 to 128 characters.

destination destination

Specifies the absolute path of the destination file to be uploaded or downloaded.

If destination is not specified, the destination file name is the same as the source file name.

The value is a string of 1 to 256 case-insensitive characters without spaces. The file name is a string of 1 to 128 characters.

get

Downloads files from an SFTP server.

-

-i

Specifies the source interface of an SFTP client.

-

put

Uploads files to an SFTP server.

-

ipv6

Specifies an IPv6 SFTP server.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To upload files from an SFTP client to an SFTP server or download files from an SFTP server to an SFTP client, run the sftp client-transfile command. This command can be run only on an SFTP client.

When you use the sftp command, you log in interactively, enter the user name and password, and can transfer files only after authentication succeeds. The sftp client-transfile command instead performs the login and the transfer in one step: the user name and password are given on the command line and the file is transferred as soon as the command is run.

Prerequisites

Before you run the sftp client-transfile command to connect to an SFTP server, ensure that the following requirements are met:

  • The route between the SSH client and server is reachable. If the server does not use a standard port number, the port number configured on the server must be obtained.
  • The IP address of the SSH server and the information about the SSH user used for login are obtained.
  • The SFTP service is enabled on the server, the service types configured for the server contain SFTP, and password authentication is configured for the SSH user.

Configuration Impact

After a connection is established between an SFTP client and an SFTP server, they start to communicate.

Precautions

  • If command execution fails due to ACL configuration on the SFTP client or the TCP connection fails, the system displays an error message indicating that the connection to the server fails.
  • When the connection between the server and the client fails, the client must detect the fault in time and proactively tears down the connection. To achieve this, before the client logs in to the server through SFTP, configure an interval at which keepalive packets are sent if no data is received and the maximum number of times that the server does not respond. If the client does not receive any data within the specified interval, it sends a keepalive packet to the server. If the maximum number of times that the server does not respond exceeds the specified value, the client proactively tears down the connection.
  • If a source interface is specified using the -i interface-type interface-number parameter, the -vpn-instance vpn-instance-name parameter cannot be set then.
  • This command is used to connect to the server and transfer files. Password authentication is required for login. The password is supplied in plaintext on the command line, so it is visible to anyone who can observe the session.

Example

# Download the source file sample.txt from the server at 10.1.1.2 to the SFTP client.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance ssh
[HUAWEI-vpn-instance-ssh] ipv4-family
[HUAWEI-vpn-instance-ssh-af-ipv4] quit
[HUAWEI-vpn-instance-ssh] quit
[HUAWEI] sftp client-transfile get host-ip 10.1.1.2 1025 -vpn-instance ssh username huawei password YsHsjx_202206 sourcefile sample.txt
# Download the source file sample.txt from the server at 10.1.1.3 to the SFTP client. Set the interval at which keepalive packets are sent if no data is received and the maximum number of times that the server does not respond to 10 and 4, respectively.
<HUAWEI> system-view
[HUAWEI] sftp client-transfile get host-ip 10.1.1.3 -ki 10 -kc 4 username huawei password YsHsjx_202206 sourcefile sample.txt
# Log in to the SFTP server at 10.1.1.4 in ECC authentication mode and download the source file sample.txt to the SFTP client.
<HUAWEI> system-view
[HUAWEI] ssh client publickey ecc
Warning: Insecure public key algorithms (ecc) are enabled. Disabling them is recommended.
[HUAWEI] sftp client-transfile get host-ip 10.1.1.4 identity-key ecc username huawei password YsHsjx_202206 sourcefile sample.txt
# Log in to the SFTP server whose IPv6 address is 2001:db8::1 in ECC authentication mode and upload the sample.txt file to the SFTP server.
<HUAWEI> system-view
[HUAWEI] ssh client publickey ecc
Warning: Insecure public key algorithms (ecc) are enabled. Disabling them is recommended.
[HUAWEI] sftp client-transfile put ipv6 host-ip 2001:db8::1 identity-key ecc username huawei password YsHsjx_202206 sourcefile sample.txt

sftp idle-timeout

Function

The sftp idle-timeout command sets the idle timeout after which the SSH server disconnects an SFTP client connection on which no command has been executed.

The undo sftp idle-timeout command restores the default timeout period.

By default, the timeout period is 10 minutes.

Format

sftp idle-timeout minutes [ seconds ]

undo sftp idle-timeout

Parameters

Parameter Description Value
minutes

Specifies the time period in minutes.

It is an integer data type. The value range is from 0 to 35791 minutes.

seconds

Specifies the time period in seconds.

It is an integer data type. The value range is from 0 to 59 seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The sftp idle-timeout command sets how long an SFTP connection may remain idle, that is, with no command executed, before the server disconnects it.

You can disable the timeout disconnection function by running the sftp idle-timeout 0 0 command.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the timeout period to 1 minute and 30 seconds.
<HUAWEI> system-view
[HUAWEI] sftp idle-timeout 1 30

sftp max-sessions

Function

The sftp max-sessions command configures the maximum number of clients that can be connected to the server at any point of time for SFTP service.

The undo sftp max-sessions command restores the default maximum number of clients that can be connected to the SSH server with SFTP service.

By default, the maximum number of clients that can be connected to the SFTP server is 5.

Format

sftp max-sessions max-session-count

undo sftp max-sessions

Parameters

Parameter Description Value
max-session-count

Specifies the maximum number of sessions for SFTP.

The value is an integer ranging from 0 to 15.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can use this command to configure the maximum number of SFTP clients that can be connected to the server at any point of time for SFTP service, and it takes effect for both IPv4 and IPv6 connections.

NOTE:

If the configured max-sessions value is less than the number of current connections, the existing connections are not disconnected, but the server does not accept any new connection while the number of connections is at or above the configured value.
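The note above describes a limit that is enforced only on admission: lowering it never drops a session, it only starts refusing new ones. The following Python class is an added example, not CloudEngine code, that models exactly that behaviour so the edge case can be tested. The class and method names are this example's own; the range 0 to 15 and the default of 5 are taken from the command description.

```python
"""Session admission with the 'sftp max-sessions' semantics.

Added example (Python, not CloudEngine code). Lowering the limit below the
number of sessions already connected disconnects nobody; new sessions are
refused until the count is under the limit again. Range and default are
taken from the command description.
"""


class SftpSessionLimiter:
    MIN_SESSIONS = 0
    MAX_SESSIONS = 15
    DEFAULT_SESSIONS = 5

    def __init__(self, max_sessions: int = DEFAULT_SESSIONS) -> None:
        self._active = set()              # identifiers of connected SFTP sessions
        self._max = self.DEFAULT_SESSIONS
        self.set_max_sessions(max_sessions)

    @property
    def max_sessions(self) -> int:
        return self._max

    @property
    def active_count(self) -> int:
        return len(self._active)

    def set_max_sessions(self, value: int) -> None:
        """'sftp max-sessions value': validate the range; never disconnects anyone."""
        if not self.MIN_SESSIONS <= value <= self.MAX_SESSIONS:
            raise ValueError(
                f"max-sessions must be {self.MIN_SESSIONS}..{self.MAX_SESSIONS}, got {value}"
            )
        self._max = value

    def restore_default(self) -> None:
        """'undo sftp max-sessions'."""
        self._max = self.DEFAULT_SESSIONS

    def admit(self, session_id: str) -> bool:
        """Accept a new session only while the active count is below the limit.
        Sessions admitted before the limit was lowered stay connected."""
        if session_id in self._active:
            return True
        if len(self._active) >= self._max:
            return False
        self._active.add(session_id)
        return True

    def release(self, session_id: str) -> None:
        """A client disconnected (or was disconnected by the idle timeout)."""
        self._active.discard(session_id)
```

A limit of 0 is therefore a quiet way to stop new SFTP logins without disturbing transfers that are already running.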

Example

# Configure a maximum of 10 sessions for SFTP.
<HUAWEI> system-view
[HUAWEI] sftp max-sessions 10

sftp server default-directory

Function

The sftp server default-directory command configures a default authorized SFTP server directory.

The undo sftp server default-directory command cancels the configuration of the default authorized SFTP server directory.

By default, no authorized SFTP server directory is available.

Format

sftp server default-directory sftpdir

undo sftp server default-directory [ sftpdir ]

Parameters

Parameter Description Value
sftpdir

Specifies a default SFTP server directory.

The value is a string of 1 to 255 characters.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When accessing the server through SFTP, users can access only the authorized directory on the SFTP server. You can use any of the following methods to configure the authorized directory. The priorities of the three methods in descending order are as follows:

  • Run the ssh user sftp-directory command in the system view to configure the authorized SFTP server directory for a specified user.
  • Run the local-user ftp-directory command in the AAA view to configure the authorized FTP server directory for a specified user.
  • Run the sftp server default-directory command in the system view to configure the global default authorized SFTP server directory.

The ssh user sftp-directory command has the highest priority and takes effect only for specified SSH users. The sftp server default-directory command has the lowest priority and takes effect for all SSH users.

This command takes effect for both IPv4 and IPv6.

Precautions

Files cannot be uploaded to the logfile/security directory through SFTP due to permission control.
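The three-level precedence above decides which directory a user is confined to; what a practitioner then wants to check is that a requested path really stays inside it. The following Python is an added example, not device code: authorized_directory() applies the precedence (ssh user sftp-directory, then local-user ftp-directory, then sftp server default-directory), and is_within() is this example's own illustration of "users can access only the authorized directory", normalising "." and ".." and comparing the storage prefix (such as flash:) before comparing paths. It shows the check an auditor would run, not how the device implements it.

```python
"""Which directory an SFTP user is confined to, and whether a request stays inside it.

Added example (Python, not device code). authorized_directory() follows the
precedence given on the page; is_within() is this example's own path
confinement check and makes no claim about the device's implementation.
"""
import posixpath
from typing import Mapping, Optional, Tuple


def authorized_directory(user: str,
                         ssh_user_dirs: Mapping[str, str],
                         local_user_dirs: Mapping[str, str],
                         default_dir: Optional[str]) -> Optional[str]:
    """Return the first configured directory in priority order, or None when
    nothing applies (the page's default: no authorized directory)."""
    for candidate in (ssh_user_dirs.get(user), local_user_dirs.get(user), default_dir):
        if candidate:
            return candidate
    return None


def _split_storage(path: str) -> Tuple[str, str]:
    """'flash:/sftp/a' -> ('flash:', '/sftp/a'); 'flash:' -> ('flash:', '/'); 'x/y' -> ('', 'x/y')."""
    if ":" in path:
        device, _, rest = path.partition(":")
        return device + ":", rest or "/"
    return "", path


def is_within(authorized: str, requested: str) -> bool:
    """True if `requested` (absolute, or relative to the authorized directory)
    resolves to the authorized directory or somewhere below it."""
    dev_a, root = _split_storage(authorized)
    dev_r, rel = _split_storage(requested)
    if dev_r and dev_r != dev_a:
        return False                      # another storage device entirely
    root = posixpath.normpath("/" + root.lstrip("/"))
    if not rel.startswith("/"):
        rel = posixpath.join(root, rel)   # relative to the authorized directory
    target = posixpath.normpath(rel)      # collapses '.' and '..'
    if root == "/":
        return True                       # whole device authorized, e.g. 'flash:'
    return target == root or target.startswith(root + "/")


def access_allowed(user: str, requested: str,
                   ssh_user_dirs: Mapping[str, str],
                   local_user_dirs: Mapping[str, str],
                   default_dir: Optional[str]) -> bool:
    """No authorized directory at all means no SFTP access for the user."""
    root = authorized_directory(user, ssh_user_dirs, local_user_dirs, default_dir)
    return root is not None and is_within(root, requested)
```

The prefix comparison uses root + "/" rather than a bare string prefix, so flash:/sftp/alice does not accidentally authorize flash:/sftp/alice2.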

Example

# Configure a default authorized SFTP server directory for SSH users.
<HUAWEI> system-view
[HUAWEI] sftp server default-directory flash:

sftp server enable

Function

The sftp server enable command enables the SFTP service on the SSH server.

The undo sftp server enable command disables the SFTP service on the SSH server.

By default, the SFTP service is not enabled on the SSH server.

Format

sftp server enable

undo sftp server enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To enable TCP port 22 to support the SFTP service, run this command. A client can connect to the SSH server through SFTP only after the SFTP service is enabled on the SSH server.

Precautions

After you disable the SFTP service on the SSH server, all the clients that connect to the SSH server through SFTP are disconnected.

This command applies to both IPv4 and IPv6 services.

Example

# Enable the SFTP service on the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp server enable

sftp server enable (System view)

Function

The sftp server enable command enables the SFTP service on the SSH server.

The undo sftp server enable command disables the SFTP service on the SSH server.

By default, the SFTP service is not enabled on the SSH server.

Format

sftp ipv4 server enable

sftp ipv6 server enable

undo sftp ipv4 server enable

undo sftp ipv6 server enable

Parameters

Parameter Description Value
ipv6

Enables the IPv6 SFTP service.

-

ipv4

Enables the IPv4 SFTP service.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • To enable TCP port 22 to support the SFTP service, run this command. A client can connect to the SSH server through SFTP only after the SFTP service is enabled on the SSH server.
  • The sftp ipv4 server enable command enables the IPv4 SFTP service on the SSH server. The sftp ipv6 server enable command enables the IPv6 SFTP service on the SSH server.
  • After you disable the SFTP service on the SSH server, all the clients that connect to the SSH server through SFTP are disconnected.

Example

# Enable the IPv4 SFTP service on the SFTP server.
<HUAWEI> system-view
[HUAWEI] sftp ipv4 server enable

sm2 peer-public-key

Function

The sm2 peer-public-key command displays the SM2 public key view.

The undo sm2 peer-public-key command deletes SM2 public key configuration.

By default, no SM2 public key is configured.

Format

sm2 peer-public-key key-name

undo sm2 peer-public-key key-name

Parameters

Parameter Description Value
key-name

Specifies the name of an SM2 public key.

The value is a string of 1 to 40 case-insensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If SM2 public key authentication is used, enter the SM2 public key view and paste in the public key of the peer's SM2 key pair. The device then accepts signatures made with the matching private key, so the public key can be bound to an SSH user, or to the SSH client, as a credential for login.

Implementation Procedure

To configure an SM2 public key, perform the following steps:

  • Run the sm2 peer-public-key command to enter the SM2 public key view.
  • Run the public-key-code begin command to start editing the key code.
  • Copy and paste the public key of the peer's SM2 key pair.
  • Run the public-key-code end command to finish editing the key code and return to the SM2 public key view.
  • Run the peer-public-key end command to exit the SM2 public key view and return to the system view.

Precautions

To delete SM2 public key configuration from a device after assigning an SM2 public key to an SSH user, run the undo ssh user assign sm2-key command to delete the mapping between the SM2 public key and SSH user. Otherwise, the SM2 public key configuration cannot be deleted using the undo sm2 peer-public-key command.

The public key on the client is randomly generated by client software.

A maximum of 20 SM2 public keys can be configured.

Example

# Display the SM2 public key view.
<HUAWEI> system-view
[HUAWEI] sm2 peer-public-key sm2key001
Enter "SM2 public key" view, return system view with "peer-public-key end".
[HUAWEI-sm2-public-key] public-key-code begin
Enter "SM2 public key" view, return system view with "peer-public-key end".
[HUAWEI-sm2-public-key-sm2-key-code] 0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
[HUAWEI-sm2-public-key-sm2-key-code] AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
[HUAWEI-sm2-public-key-sm2-key-code] DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
[HUAWEI-sm2-public-key-sm2-key-code] BC28A576 7E
[HUAWEI-sm2-public-key-sm2-key-code] public-key-code end
[HUAWEI-sm2-public-key] peer-public-key end
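The key code in the example above is typed as hexadecimal in 8-digit groups across several lines; 130 hex digits make 65 bytes, which is the uncompressed elliptic-curve point form 0x04 || X || Y. The following Python is an added example, not device code: it parses a key code in that layout, rejects anything that is not a 65-byte uncompressed point, and checks that the point actually lies on the SM2 recommended curve (GB/T 32918.5-2017). The curve constants are the published SM2 parameters; the function names are this example's own, and the key code embedded below is the documentation sample from the example above, so its on-curve result is whatever that sample happens to be (a key pasted from real client software should pass).

```python
"""Parse and sanity-check an SM2 public key code as typed into the SM2 public key view.

Added example (Python, not device code). Accepts the 8-digit-group layout used
in the example above (or any whitespace layout), requires the uncompressed point
form 0x04 || X || Y (65 bytes) and checks the point against the SM2 curve.
"""
from typing import Tuple

# SM2 recommended curve parameters (GB/T 32918.5-2017)
SM2_P  = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFF
SM2_A  = 0xFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00000000FFFFFFFFFFFFFFFC
SM2_B  = 0x28E9FA9E9D9F5E344D5A9E4BCF6509A7F39789F515AB8F92DDBCBD414D940E93
SM2_GX = 0x32C4AE2C1F1981195F9904466A39C9948FE30BBFF2660BE1715A4589334C74C7
SM2_GY = 0xBC3736A2F4F6779C59BDCEE36B692153D0A9877CC62A474002DF32E52139F0A0

# The key code from the example above (documentation sample data).
DOC_KEY_CODE = """
0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
BC28A576 7E
"""


def parse_key_code(text: str) -> bytes:
    """Join the whitespace-separated hex groups and decode them to bytes."""
    hexstr = "".join(text.split())
    try:
        return bytes.fromhex(hexstr)
    except ValueError as exc:
        raise ValueError("key code is not valid hexadecimal") from exc


def decode_uncompressed_point(raw: bytes) -> Tuple[int, int]:
    """Require the uncompressed form 0x04 || X (32 bytes) || Y (32 bytes)."""
    if len(raw) != 65 or raw[0] != 0x04:
        raise ValueError(
            f"expected a 65-byte uncompressed point starting with 04, "
            f"got {len(raw)} bytes with prefix {raw[:1].hex() or '<empty>'}"
        )
    return int.from_bytes(raw[1:33], "big"), int.from_bytes(raw[33:65], "big")


def on_sm2_curve(x: int, y: int) -> bool:
    """Check y^2 == x^3 + a*x + b (mod p) on the SM2 curve."""
    if not (0 <= x < SM2_P and 0 <= y < SM2_P):
        return False
    return (y * y - (x * x * x + SM2_A * x + SM2_B)) % SM2_P == 0


def check_key_code(text: str) -> dict:
    """Parse a key code and report its coordinates and whether they form a valid point."""
    x, y = decode_uncompressed_point(parse_key_code(text))
    return {"x": x, "y": y, "on_curve": on_sm2_curve(x, y)}
```

Running check_key_code() over a key before pasting it into the device catches the common copy-and-paste failures (a dropped group, a compressed 02/03 point, a key from a different curve) that the CLI would otherwise accept as opaque hex.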

ssh authentication-type default password

Function

The ssh authentication-type default password command configures password authentication as the default authentication mode for users who request to log in to a device using SSH.

The undo ssh authentication-type default password command cancels the configuration.

By default, password authentication is used.

Format

ssh authentication-type default password

undo ssh authentication-type default password

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When users request to log in to a device using SSH, if no SSH user is created using the ssh user, ssh user authentication-type, and ssh user service-type commands, successful user login depends on whether the ssh authentication-type default password command is run.

  • If the ssh authentication-type default password command is run, users log in through AAA authentication.
  • If the ssh authentication-type default password command is not run, users cannot log in.

If an SSH user has been created using the ssh user, ssh user authentication-type, and ssh user service-type commands, authentication of the SSH user depends on whether the ssh user authentication-type command is run. If the ssh user authentication-type command is run, the user is authenticated using the authentication mode specified in this command. If the ssh user authentication-type command is not run, the user cannot log in to the device.

This command takes effect for both IPv4 and IPv6 users.

Example

# Configure password authentication as the default authentication mode for an SSH user.
<HUAWEI> system-view
[HUAWEI] ssh authentication-type default password

ssh authorization-type default

Function

The ssh authorization-type default command sets the authorization method for an SSH connection to AAA or Root.

The undo ssh authorization-type default command restores the default authorization method, AAA.

By default, the authorization method for an SSH connection is AAA.

Format

ssh authorization-type default { aaa | root }

undo ssh authorization-type default

Parameters

Parameter Description Value
aaa

Sets the authorization method for an SSH connection to AAA.

-

root

Sets the authorization method for an SSH connection to Root.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the authorization method for an SSH connection is AAA, the privilege level of SSH user is that configured in the AAA view.

If the authorization method for an SSH connection is Root and public key authentication is used, the privilege level of SSH users varies according to the SSH service type as follows:

  • In SNETCONF, SFTP, or SCP service mode, the privilege level is set to 3 or 15.
  • In STelnet service mode, the privilege level is the level configured in the VTY user interface.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the authorization method for SSH connections to AAA.
<HUAWEI> system-view
[HUAWEI] ssh authorization-type default aaa

ssh client assign

Function

The ssh client assign pki command binds a PKI domain to an SSH client.

The undo ssh client assign pki command unbinds a PKI domain from an SSH client.

The ssh client assign sm2-host-key command assigns an SM2 host key to an SSH client.

The undo ssh client assign sm2-host-key command deletes the SM2 host key assigned to an SSH client.

By default, no PKI domain is bound to an SSH client.

By default, no SM2 host key is assigned to an SSH client.

Format

ssh client assign { sm2-host-key key-name | pki pki-domain }

undo ssh client assign sm2-host-key

undo ssh client assign pki

Parameters

Parameter Description Value
key-name

Specifies the name of an SM2 host key assigned to an SSH client.

The value is a string of 1 to 35 case-insensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

pki pki-domain

Specifies the PKI domain bound to the SSH client.

The value is a string of 1 to 64 case-sensitive characters, spaces not supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When the device functions as an SSH client and uses a certificate for authentication, you can run the ssh client assign pki command to bind a PKI domain to the SSH client.

When the device functions as an SSH client and uses the SM2 algorithm for authentication, you can run the ssh client assign sm2-host-key command to assign a specified SM2 key pair to the SSH client.

Prerequisites

The pki domain domain-name command has been run to create a PKI domain with a specified signature.

A key pair has been created using the sm2 key-pair label command on the SSH client.

Precautions

If the PKI domain bound to an SSH client becomes invalid, run the undo ssh client assign pki command to unbind the PKI domain from the SSH client, and then run the ssh client assign pki command to bind a new PKI domain to the SSH client.

If the SM2 public key saved on the SSH client is invalid, run the undo ssh client server-ip-address assign sm2-key command to unbind the SM2 public key from the SSH client, and then run the ssh client server-ip-address assign sm2-key command to assign a new SM2 public key to the SSH client.

This command is valid for both IPv4 and IPv6.

Example

# Assign the SM2 host key named sm2key001 to the SSH client at 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] sm2 key-pair label sm2key001
[HUAWEI] ssh client assign sm2-host-key sm2key001
# Assign a PKI certificate to an SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client assign pki domainA
# Assign an initial PKI certificate to the SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client assign pki default
Warning: A preset certificate is loaded to the specified PKI domain. The current operation has security risks. Continue? [Y/N]:Y
[HUAWEI]

ssh client cipher

Function

The ssh client cipher command configures encryption algorithms on an SSH client.

The undo ssh client cipher command restores the default encryption algorithms on an SSH client.

The default situation is as follows:

  • When the device starts with zero configuration, the SSH client supports these encryption algorithms: AES256_GCM, AES128_GCM, AES256_CTR, AES192_CTR, and AES128_CTR.
  • When the device loads the configuration file for startup, and the ssh client cipher command configuration does not exist in the configuration file, the SSH client supports encryption algorithms: AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM and AES256_GCM.

Format

ssh client cipher { des_cbc | 3des_cbc | aes128_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | aes192_cbc | aes128_gcm | aes256_gcm | aes192_ctr | sm4_cbc } *

undo ssh client cipher

Parameters

Parameter Description Value
des_cbc

Specifies a DES encryption algorithm in CBC mode.

-

3des_cbc

Specifies a 3DES encryption algorithm in CBC mode.

-

aes128_cbc

Specifies an AES128 encryption algorithm in CBC mode.

-

aes256_cbc

Specifies an AES256 encryption algorithm in CBC mode.

-

aes128_ctr

Specifies the AES128 encryption algorithm in CTR mode.

-

aes256_ctr

Specifies the AES256 encryption algorithm in CTR mode.

-

arcfour128

Specifies the Arcfour128 encryption algorithm.

-

arcfour256

Specifies the Arcfour256 encryption algorithm.

-

aes192_cbc

Specifies an AES192 encryption algorithm in CBC mode.

-

aes128_gcm

Specifies an AES128 encryption algorithm in GCM mode.

-

aes256_gcm

Specifies an AES256 encryption algorithm in GCM mode.

-

aes192_ctr

Specifies the AES192 encryption algorithm in CTR mode.

-

sm4_cbc

Specifies the SM4 encryption algorithm in CBC mode.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure encryption algorithms on an SSH client, run the ssh client cipher command. The SSH client and server negotiate encryption algorithms for the packets exchanged between them. During negotiation, the client sends its encryption algorithms to the server. After comparing the received encryption algorithms with local ones, the server selects the first matching encryption algorithm received for packet transmission. If no matching encryption algorithm is found, the negotiation fails.

Precautions

  • To ensure high security, you are advised to use the following encryption algorithms: aes128_ctr, aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.
  • This command applies to both IPv4 and IPv6.
  • The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, aes192_cbc, and sm4_cbc parameters can be used only after the weak security algorithm/protocol feature package (WEAKEA) is installed by running the install feature-software WEAKEA command.

Example

# Configure encryption algorithms in aes256_ctr mode on an SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client cipher aes256_ctr

ssh client dscp

Function

The ssh client dscp command configures a DSCP value for the SSH packets sent by a client.

The undo ssh client dscp command restores the default DSCP value of the SSH packets sent by a client.

By default, the DSCP value of SSH packets is 48.

Format

ssh client dscp value

undo ssh client dscp value

undo ssh client dscp

Parameters

Parameter Description Value
value

Specifies a DSCP value for the SSH packets sent by a client.

The value is an integer ranging from 0 to 63.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • To change the priority of the SSH packets sent by a client, run the ssh client dscp command to change the DSCP value of the packets. A greater DSCP value indicates a higher priority.
  • When you run the undo ssh client dscp command:
      • If value is not specified, the DSCP field is restored to the default value.
      • If value is 48, the DSCP field is restored to the default value.
      • If value is set to a non-48 value, the value must be the same as value in the telnet server dscp command. Otherwise, the command execution fails.
  • The command only takes effect for IPv4 packets.

Example

# Set the DSCP value to 10 for the SSH packets sent by a client.
<HUAWEI> system-view
[HUAWEI] ssh client dscp 10

ssh client first-time enable

Function

The ssh client first-time enable command enables the SSH client first login function.

The undo ssh client first-time enable command disables the SSH client first login function.

By default, the SSH client first login function is disabled on an SSH client.

Format

ssh client first-time enable

undo ssh client first-time enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client first login function is enabled on a device functioning as a client, the STelnet/SFTP client does not check the validity of the SSH server public key when logging in to the SSH server for the first time. After the login, the system automatically allocates the public key and saves it for authentication in next login.

Precautions

When an STelnet/SFTP client attempts to log in to an SSH server for the first time, it does not check the validity of the SSH server public key because it has not saved the SSH server public key.

This command takes effect for both IPv4 and IPv6 SSH clients.

Example

# Enable the SSH client first login function.
<HUAWEI> system-view
[HUAWEI] ssh client first-time enable

ssh client hmac

Function

The ssh client hmac command configures HMAC authentication algorithms on an SSH client.

The undo ssh client hmac command restores the default HMAC authentication algorithms on an SSH client.

The default situation is as follows:

  • When the device starts with zero configuration, the SSH client supports these HMAC authentication algorithms: SHA2_512 and SHA2_256.
  • When the device loads the configuration file for startup, and the ssh client hmac command configuration does not exist in the configuration file, the SSH client supports these HMAC authentication algorithms: MD5, MD5_96, SHA2_512, SHA1, SHA1_96, SHA2_256, and SHA2_256_96.

Format

ssh client hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 | sm3 } *

undo ssh client hmac

Parameters

Parameter Description Value
md5

Specifies an HMAC MD5 authentication algorithm.

-

md5_96

Specifies an HMAC MD5_96 algorithm.

-

sha1

Specifies an HMAC SHA1 algorithm.

-

sha1_96

Specifies an HMAC SHA1_96 algorithm.

-

sha2_256

Specifies an HMAC SHA2_256 authentication algorithm. This algorithm is recommended.

-

sha2_256_96

Specifies an HMAC SHA2_256_96 authentication algorithm.

-

sha2_512

Specifies an HMAC SHA2_512 authentication algorithm.

-

sm3

Specifies an HMAC SM3 authentication algorithm.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure HMAC authentication algorithms on an SSH client, run the ssh client hmac command. The SSH client and server negotiate authentication algorithms for the packets exchanged between them. During negotiation, the client sends its authentication algorithms to the server. After comparing the received authentication algorithms with local ones, the server selects the first matching authentication algorithm received for packet transmission. If no matching authentication algorithm is found, the negotiation fails.

Precautions

  • For security purposes, you are advised to use secure HMAC algorithms sha2_512 and sha2_256.
  • This command applies to both IPv4 and IPv6.
  • Parameters md5, md5_96, sha1, sha1_96, and sha2_256_96 in this command can be used only after the weak security algorithm/protocol feature package (WEAKEA) is installed using the install feature-software WEAKEA command.

Example

# Configure an HMAC SHA2_256 authentication algorithm.
<HUAWEI> system-view
[HUAWEI] ssh client hmac sha2_256

ssh client keepalive-interval

Function

The ssh client keepalive-interval command configures the keepalive interval on the SSH client.

The undo ssh client keepalive-interval command restores the default configuration.

By default, the keepalive interval is set to zero seconds.

Format

ssh client keepalive-interval seconds

undo ssh client keepalive-interval

Parameters

Parameter Description Value
seconds

Specifies a keepalive interval, in seconds.

The value is an integer ranging from 0 to 3600, in seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the client does not receive any data from the server within the keepalive interval, it sends a keepalive message to the server; a keepalive message is sent each time the interval expires. If the server fails to respond, the client disconnects the current connection.

If you reset the keepalive interval to zero seconds, the client does not send any keepalive messages to the server.

This command takes effect for both IPv4 and IPv6 SSH clients.

Example

# Configure the keepalive-interval to 30 seconds.
<HUAWEI> system-view
[HUAWEI] ssh client keepalive-interval 30

ssh client keepalive-maxcount

Function

The ssh client keepalive-maxcount command configures the maximum number of keepalive messages sent by an SSH client.

The undo ssh client keepalive-maxcount command restores the default configuration.

By default, the maximum number of keepalive messages is set to 3.

Format

ssh client keepalive-maxcount count

undo ssh client keepalive-maxcount

Parameters

Parameter Description Value
count

Specifies the maximum number of keepalive messages.

The value is an integer ranging from 1 to 30.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • If the client does not receive any data from the server within the keepalive interval, it sends keepalive messages to the server, up to the configured maximum number. If the server fails to respond, the client disconnects the current connection.
  • The keepalive interval configuration overrides the keepalive maximum number configuration. For example, if the keepalive interval is set to zero seconds (no keepalive messages are sent), the keepalive maximum number configuration has no effect.
  • This command takes effect for both IPv4 and IPv6 SSH clients.

Example

# Set the maximum number of keepalive messages sent by an SSH client to 5.
<HUAWEI> system-view
[HUAWEI] ssh client keepalive-maxcount 5

ssh client key-exchange

Function

The ssh client key-exchange command configures a key exchange algorithm list on an SSH client.

The undo ssh client key-exchange command restores the default configuration.

When a device starts with no configuration, the key exchange algorithm is customized by the product. After the undo command is executed, the SSH client uses the dh_group_exchange_sha256, dh_group16_sha512, and curve25519_sha256 key exchange algorithms by default.

Format

ssh client key-exchange { dh_group_exchange_sha256 | dh_group_exchange_sha1 | dh_group1_sha1 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | dh_group14_sha1 | dh_group16_sha512 | curve25519_sha256 } *

undo ssh client key-exchange

Parameters

Parameter Description Value
dh_group_exchange_sha256

Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

dh_group_exchange_sha1

Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

dh_group1_sha1

Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

ecdh_sha2_nistp256

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

ecdh_sha2_nistp384

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

ecdh_sha2_nistp521

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

sm2_kep

Specifies that the SM2 key exchange protocol algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

dh_group14_sha1

Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH client.

-

dh_group16_sha512

Specifies that the Diffie-hellman-group16-sha512 algorithm is contained in the key exchange algorithm list configured on an SSH client.

-

curve25519_sha256

Specifies that the Curve25519-sha256 algorithm is contained in the key exchange algorithm list configured on an SSH client.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

This command takes effect for both IPv4 and IPv6 SSH clients.

Precautions

  • To ensure high security, you are advised to use the curve25519_sha256, dh_group_exchange_sha256, sm2_kep, and dh_group16_sha512 key exchange algorithms.
  • The parameters dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 can be used only after the weak security algorithm/protocol feature package has been installed by running the install feature-software WEAKEA command.
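The negotiation described for the ssh client cipher, ssh client hmac, and ssh client key-exchange commands, as an added example that is not Huawei code: the server takes the first algorithm in the client's list that it also supports, so the client's order decides, and a configured list can be audited for the WEAKEA-gated parameters before it is committed. The algorithm names, the WEAKEA sets and the zero-configuration client defaults come from this reference; the server lists are constructed.

```python
"""Model of the SSH algorithm negotiation described for the ssh client
cipher / hmac / key-exchange commands (added example, not Huawei code).

Algorithm names, the WEAKEA-gated parameter sets and the zero-configuration
client defaults are taken from the command reference; the server lists used
below are constructed for illustration.
"""
from typing import Dict, List, Optional, Sequence

# Parameters the reference says are usable only after
# "install feature-software WEAKEA" has installed the weak-algorithm package.
WEAKEA_ONLY: Dict[str, set] = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes256_cbc", "aes192_cbc",
               "arcfour128", "arcfour256", "sm4_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "key-exchange": {"dh_group_exchange_sha1", "dh_group1_sha1", "dh_group14_sha1"},
}

# Client lists for a device started with zero configuration, in the order
# the reference gives them (the order is what the client sends).
CLIENT_DEFAULTS: Dict[str, List[str]] = {
    "cipher": ["aes256_gcm", "aes128_gcm", "aes256_ctr", "aes192_ctr", "aes128_ctr"],
    "hmac": ["sha2_512", "sha2_256"],
    "key-exchange": ["dh_group_exchange_sha256", "dh_group16_sha512",
                     "curve25519_sha256"],
}


def negotiate(client_list: Sequence[str], server_list: Sequence[str]) -> Optional[str]:
    """Pick the first algorithm in the client's list that the server also has.

    This is the rule the reference states: the server walks the received
    list in the client's order and takes the first match. None means the
    negotiation fails and the connection is not established.
    """
    supported = set(server_list)
    for alg in client_list:
        if alg in supported:
            return alg
    return None


def apply_client_command(config: Dict[str, List[str]], kind: str,
                         args: Sequence[str], weakea_installed: bool) -> List[str]:
    """Emulate "ssh client <kind> <alg> ...": the new list replaces the old one.

    Raises ValueError for WEAKEA-gated parameters when the package is absent,
    mirroring the precaution in the reference. Returns the resulting list.
    """
    if not args:
        raise ValueError("at least one algorithm is required")
    blocked = [a for a in args if a in WEAKEA_ONLY[kind]]
    if blocked and not weakea_installed:
        raise ValueError(f"{kind}: {blocked} require the WEAKEA feature package")
    config[kind] = list(args)
    return config[kind]


def audit(config: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return, per list, the configured algorithms that are WEAKEA-gated.

    A non-empty entry is what a review of the running configuration would
    flag: the device is willing to negotiate an algorithm the vendor only
    ships in the weak-algorithm package.
    """
    return {kind: [a for a in algs if a in WEAKEA_ONLY[kind]]
            for kind, algs in config.items()}


def negotiate_session(client: Dict[str, List[str]],
                      server: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Negotiate cipher, HMAC and key exchange; any None fails the session."""
    return {kind: negotiate(client[kind], server[kind]) for kind in CLIENT_DEFAULTS}


if __name__ == "__main__":
    # Constructed server that prefers CTR over GCM: the client's order still wins.
    server = {
        "cipher": ["aes128_ctr", "aes256_gcm", "aes256_ctr"],
        "hmac": ["sha2_256", "sha2_512"],
        "key-exchange": ["curve25519_sha256", "dh_group14_sha1"],
    }
    client = {k: list(v) for k, v in CLIENT_DEFAULTS.items()}
    print(negotiate_session(client, server))
    apply_client_command(client, "cipher", ["aes256_ctr"], weakea_installed=False)
    print(negotiate_session(client, server))
    print(audit({"cipher": ["aes256_ctr"], "hmac": ["md5", "sha2_256"]}))
```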

Example

# Add the dh_group_exchange_sha256 algorithm to the key exchange algorithm list on the SSH client.
<HUAWEI> system-view
[HUAWEI] ssh client key-exchange dh_group_exchange_sha256

ssh client peer assign

Function

The ssh client peer assign command assigns a public key configured on the SSH client to the SSH server.

The undo ssh client peer assign command unbinds the public key from the SSH server.

By default, no public key is assigned to the SSH server.

Format

ssh client peer server-name assign { rsa-key | ecc-key | dsa-key | sm2-key } key-name

undo ssh client peer server-name assign { rsa-key | ecc-key | dsa-key | sm2-key }

Parameters

Parameter Description Value
server-name

Specifies the name of an SSH server.

The value is a string of 1 to 255 case-sensitive characters, spaces not supported. The string can contain only letters, digits, and underscores (_).

rsa-key

Specifies the RSA public key.

-

ecc-key

Specifies the ECC public key.

-

dsa-key

Specifies the DSA public key.

-

sm2-key

Specifies the SM2 public key.

-

key-name

Specifies the name of public key assigned to an SSH server.

The value is a string of 1 to 40 case-insensitive characters, spaces not supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • When the device functions as an SSH client and key authentication is used, you can run this command to assign a public key to the SSH server.
  • When the device functions as an STelnet client to connect to another server, the system asks you whether to save the public key of the peer server. If you enter Y, the corresponding configuration information is added.
  • If the ssh client first-time enable command is not run to enable the SSH client to log in to the SSH server for the first time, the STelnet client fails to log in to the SSH server because the validity check on the public key of the SSH server fails.
  • If the SSH server public key saved on the SSH client becomes invalid, run the undo ssh client peer assign command to unbind the SSH server from the specified public key, and then run the ssh client peer assign command to assign a new public key to the SSH server.
  • You can run the display ssh server-info command to view the binding information about the SSH client.
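The client-side host key check that the ssh client first-time enable and ssh client peer assign commands configure, as an added example that is not Huawei code: a key assigned to a server must match exactly, an unknown server is accepted and saved only when first-time login is enabled, and a changed key is rejected until the operator unbinds and reassigns it. Server names and key bytes are constructed.

```python
"""Client-side host-key check as the reference describes it for
ssh client first-time enable and ssh client peer assign (added example,
not Huawei code; server names and key bytes are constructed).

Rules modelled:
  - key assigned with "ssh client peer <server> assign": login succeeds only
    if the server presents exactly that key;
  - no key assigned and first-time login enabled: the key is accepted without
    validation and saved for the next login;
  - no key assigned and first-time login disabled: the validity check fails
    and the login is rejected;
  - a saved key that no longer matches is rejected until the operator runs
    "undo ssh client peer <server> assign" and assigns the verified key.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class HostKey:
    key_type: str      # rsa-key | ecc-key | dsa-key | sm2-key, as in the command
    key_blob: bytes    # public key bytes (constructed in the demo)

    def fingerprint(self) -> str:
        """Short SHA-256 fingerprint for messages; not used for the comparison."""
        digest = hashlib.sha256(self.key_type.encode() + b"\0" + self.key_blob)
        return digest.hexdigest()[:16]

    def matches(self, other: "HostKey") -> bool:
        # Type must match and the full blob is compared in constant time.
        return (self.key_type == other.key_type
                and hmac.compare_digest(self.key_blob, other.key_blob))


@dataclass
class SshClientHostKeys:
    first_time_enabled: bool = False                         # ssh client first-time enable
    peers: Dict[str, HostKey] = field(default_factory=dict)  # server-name -> assigned key

    def peer_assign(self, server: str, key: HostKey) -> None:
        """ssh client peer <server> assign <type> <key-name>"""
        self.peers[server] = key

    def undo_peer_assign(self, server: str) -> None:
        """undo ssh client peer <server> assign <type>"""
        self.peers.pop(server, None)

    def check_server_key(self, server: str, presented: HostKey) -> Tuple[bool, str]:
        """Decide whether the login may proceed; returns (allowed, reason)."""
        saved = self.peers.get(server)
        if saved is None:
            if self.first_time_enabled:
                # First login: no validity check, key saved for the next login.
                self.peers[server] = presented
                return True, f"first login, saved {presented.key_type} {presented.fingerprint()}"
            return False, "no public key assigned and first-time login disabled"
        if saved.matches(presented):
            return True, f"server key matches assigned {saved.key_type}"
        # A changed key cannot be told apart from a substituted server by the
        # client alone: stop here and let the operator verify out of band,
        # then unbind and reassign.
        return False, (f"server key mismatch: assigned {saved.fingerprint()}, "
                       f"presented {presented.fingerprint()}; run undo ssh client peer "
                       f"{server} assign and assign the verified key")


if __name__ == "__main__":
    key_a = HostKey("rsa-key", b"constructed-rsa-public-key-A")
    key_b = HostKey("rsa-key", b"constructed-rsa-public-key-B")
    strict = SshClientHostKeys(first_time_enabled=False)
    print(strict.check_server_key("10.1.1.1", key_a))   # rejected, nothing assigned
    strict.peer_assign("10.1.1.1", key_a)                # ssh client peer 10.1.1.1 assign rsa-key key01
    print(strict.check_server_key("10.1.1.1", key_a))   # allowed
    print(strict.check_server_key("10.1.1.1", key_b))   # rejected, key changed
    tofu = SshClientHostKeys(first_time_enabled=True)
    print(tofu.check_server_key("10.1.1.1", key_a))     # allowed and saved
    print(tofu.check_server_key("10.1.1.1", key_b))     # rejected, saved key differs
```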

Example

# Assign the SM2 public key named sm2key001 to the SSH server at 10.1.1.1.
<HUAWEI> system-view
[HUAWEI] sm2 peer-public-key sm2key001
Enter "SM2 public key" view, return system view with "peer-public-key end".
[HUAWEI-sm2-public-key] public-key-code begin
Enter "SM2 public key" view, return system view with "peer-public-key end".
[HUAWEI-sm2-public-key-sm2-key-code] 0474F110 F90F131B B6F6D929 9A23A41E F1AB1666
[HUAWEI-sm2-public-key-sm2-key-code] AC4BE4EE EF2CD876 2B633F80 DD5CF42F 147A722F
[HUAWEI-sm2-public-key-sm2-key-code] DE527F39 247F3744 C23296BE FE3BE502 EEF7D9EC
[HUAWEI-sm2-public-key-sm2-key-code] BC28A576 7E
[HUAWEI-sm2-public-key-sm2-key-code] public-key-code end
[HUAWEI-sm2-public-key] peer-public-key end
[HUAWEI] ssh client peer 10.1.1.1 assign sm2-key sm2key001
# Assign an RSA key named key01 to the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh client peer 10.1.1.1 assign rsa-key key01

ssh client publickey

Function

The ssh client publickey command enables the public key algorithm function of the SSH client.

The undo ssh client publickey command restores public key algorithms of the SSH client to default values.

By default:

  • When the device starts with no configuration, the ECC, RSA_SHA2_256, and RSA_SHA2_512 public key algorithms are enabled.
  • When the device loads the configuration file for startup (for example, the configuration file is loaded in ZTP mode for initial configuration), and the ssh client publickey command configuration does not exist in the configuration file, the ECC, RSA_SHA2_256, and RSA_SHA2_512 public key algorithms are enabled.

Format

ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 | rsa_sha2_512 | x509v3-ssh-rsa } *

undo ssh client publickey

Parameters

Parameter Description Value
dsa

Indicates the DSA algorithm.

-

ecc

Indicates the ECC algorithm.

-

rsa

Indicates the RSA algorithm.

-

sm2

Indicates the SM2 algorithm.

-

rsa_sha2_256

Indicates the RSA SHA2-256 algorithm.

-

rsa_sha2_512

Indicates the RSA SHA2-512 algorithm.

-

x509v3-ssh-rsa

Indicates the X509 RSA algorithm.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • You can run this command to configure a more secure public key algorithm for device login and deny other public key algorithms, improving device security. RSA_SHA2_256 and RSA_SHA2_512 public key algorithms are recommended.
  • Run the ssh client publickey command with a public key algorithm to allow the use of that algorithm and deny the use of other public key algorithms. For example, ssh client publickey ecc indicates that the ECC algorithm is allowed but the DSA, RSA, and SM2 algorithms are not allowed. If you run this command multiple times, only the latest configuration takes effect.

Precautions

  • The public key algorithm can be used for login only after the corresponding public key algorithm is enabled on both the client and server.
  • The undo ssh client publickey command restores all public key algorithms on an SSH client to default values.
  • If the ssh client first-time enable command is run, the SSH client prompts you to save the server public key when you log in to the server. When you save the server public key, the SSH client automatically selects a public key algorithm that can be successfully negotiated with the SSH server based on the public key algorithms configured using the ssh client publickey command and allocates the algorithm to the SSH server.
  • If the ssh client first-time enable command is disabled, you must run the ssh client peer assign command to assign a public key to the SSH server. The assigned public key algorithm must be able to negotiate with the public key algorithm configured using the ssh client publickey command. In this way, the SSH client can pass the public key authentication of the SSH server.
  • This command takes effect for both IPv4 and IPv6 clients.
  • The dsa and rsa parameters in this command can be used only after the weak security algorithm/protocol feature package (WEAKEA) has been installed using the install feature-software WEAKEA command.
  • To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits. You are advised to use the RSA_SHA2_256 and RSA_SHA2_512 algorithms, which are more secure.

Example

# Allow use of the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[HUAWEI] ssh client publickey ecc
# Allow use of the SM2 algorithm and deny other algorithms.
<HUAWEI> system-view
[HUAWEI] ssh client publickey sm2

ssh client rekey

Function

The ssh client rekey command sets the criteria that trigger SSH client key re-negotiation.

The undo ssh client rekey command restores the default values of criteria that trigger SSH client key re-negotiation.

By default, key re-negotiation is triggered on the SSH client when one of the following conditions is met:

  • The total size of sent and received packets reaches 1000 MB.
  • The total number of sent and received packets reaches 2147483648.
  • The online duration reaches 60 minutes.

Format

ssh client rekey { { max-packet max-packet } | { time minutes } | { data-limit data-limit } } *

undo ssh client rekey { { max-packet [ max-packet ] } | { time [ minutes ] } | { data-limit [ data-limit ] } } *

Parameters

Parameter Description Value
max-packet max-packet

Specifies the maximum number of packets that triggers key re-negotiation.

The value is an integer ranging from 268435456 to 2147483648.

time minutes

Specifies the session duration that triggers key re-negotiation.

The value is an integer in the range of 30 to 1440, in minutes.

data-limit data-limit

Specifies the maximum packet data volume that triggers key re-negotiation.

The value is an integer ranging from 100 to 10000, in MB.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH session meets one or more of the following criteria, the system re-negotiates a key and uses the new key to establish SSH session connections, improving system security.

  • The number of interaction packets meets the configured key re-negotiation criterion.
  • The accumulated packet data volume meets the configured key re-negotiation criterion.
  • The session duration meets the configured key re-negotiation criterion.

This command takes effect for both IPv4 and IPv6 SSH clients.

Precautions

A key re-negotiation request is initiated when either the SSH client or server meets the key re-negotiation criteria, and the other party responds.

Example

# Configure key re-negotiation to be triggered on the SSH client when the total size of sent and received packets reaches 10000 MB, the total number of sent and received packets reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[HUAWEI] ssh client rekey data-limit 10000 max-packet 268435456 time 1440

ssh ipv6 server-source

Function

The ssh ipv6 server-source command specifies a source IPv6 address for an SSH server.

The undo ssh ipv6 server-source command cancels the specified source IPv6 address for an SSH server.

By default, no source interface or source IPv6 address is specified for an SSH server.

Format

ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]

ssh ipv6 server-source all-interface

undo ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ]

undo ssh ipv6 server-source all-interface

Parameters

Parameter Description Value
-vpn-instance vpn-instance-name

Specifies the VPN instance of an SSH server.

The value is a string of 1 to 31 case-sensitive characters, spaces not supported. In addition, the VPN instance name must not be _public_. When double quotation marks are used around the string, spaces are allowed in the string.

all-interface

Indicates that any interface having an IP address configured can be used as the source interface of an SSH server.

-

-a ipv6-address

Specifies the source IPv6 address of an SSH server.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The SSH server receives login requests from all interfaces and addresses, leading to low system security. To improve system security, you can run this command to specify the source interface or IPv6 source address of the SSH server so that only authorized users can log in to the server.

Prerequisites

If the source interface of the SSH server is a logical interface, the logical interface must have been created. Otherwise, the command cannot be executed successfully.

Before specifying a VPN instance for an SSH server, ensure that a VPN has been created. Otherwise, the command cannot be executed successfully.

Configuration Impact

After the source interface or IPv6 source address of the SSH server is specified, the system allows only SFTP, STelnet, SCP, and SNETCONF users to log in to the server through the specified source interface or IPv6 source address, and SFTP, STelnet, SCP, and SNETCONF users who log in through other interfaces will be rejected. However, the SFTP, STelnet, SCP, and SNETCONF users who have logged in to the server are not affected.

Precautions

  • After you specify the source interface or IPv6 source address of the SSH server, ensure that the SFTP, STelnet, SCP, and SNETCONF users can communicate with the specified source interface at Layer 3 so that authorized SFTP, STelnet, SCP, and SNETCONF users can successfully log in to the SSH server.
  • The configuration takes effect upon the next login. The system will prompt you to determine whether to continue the operation.
  • If the specified source interface is bound to a VPN instance, the SSH server is bound to the VPN instance.
  • If the specified source interface is bound to the VPN instance vpn1 and the VPN instance vpn2 is configured using the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command, the VPN instance vpn1 bound to the source interface is used for IPv4 users, and the VPN instance vpn2 configured using the ssh ipv6 server-source command is used for IPv6 users.
  • After a bound VPN instance is deleted, the VPN configuration specified using the ssh server-source command will not be cleared but does not take effect. In this case, the SSH server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function is restored.
  • After the bound source interface is deleted, the interface configuration in this command is not deleted, but the function does not take effect. After the source interface with the same name is configured again, the function is restored.
  • For an IPv6 SSH server, you can run the ssh ipv6 server-source -a ipv6-address [ -vpn-instance vpn-instance-name ] command to configure a user to log in to the server through a specified IPv6 source address.
  • If both the ssh ipv6 server-source -a and ssh ipv6 server-source all-interface commands are run, the interface specified in the ssh ipv6 server-source -a command is preferentially used as the source interface of the SSH server. If the specified source interface fails to be used for login, the system selects an interface from other valid interfaces for login.

Example

# Set the source IPv6 address of the SSH server to 2001:db8::1 and the VPN instance name to vpn1.
<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpn1
[HUAWEI-vpn-instance-vpn1] ipv6-family
[HUAWEI-vpn-instance-vpn1-af-ipv6] quit
[HUAWEI-vpn-instance-vpn1] quit
[HUAWEI] ssh ipv6 server-source -a 2001:db8::1 -vpn-instance vpn1
Warning: SSH server source configuration will take effect in the next login. Do you want to continue? [Y/N]:y

ssh server acl

Function

The ssh server acl command configures the ACL to control the access of clients for STelnet, SFTP, SCP and SNETCONF.

The undo ssh server acl command cancels the ACL configuration.

By default, no ACL is configured.

Format

ssh server acl { acl4name | acl4num }

ssh ipv6 server acl { acl6name | acl6num }

undo ssh server acl

undo ssh ipv6 server acl

Parameters

Parameter Description Value
acl4name

Specifies the ACL4 name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

acl4num

Specifies the IPv4 ACL number.

The value is an integer. A basic ACL number ranges from 2000 to 2999, and an advanced ACL number ranges from 3000 to 3999.

ipv6

IPv6 protocol.

-

acl6name

Specifies the ACL6 name.

The value is a string of 1 to 32 case-sensitive characters, spaces not supported.

acl6num

Specifies the ACL6 number.

The value is an integer. A basic ACL6 number ranges from 2000 to 2999, and an advanced ACL6 number ranges from 3000 to 3999.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If a device serves as:

  • An STelnet client, you can configure the ACL on the device to control the login of the local device to the STelnet server through STelnet.
  • An SFTP client, you can configure the ACL on the device to control the login of the local device to the SFTP server through SFTP.
  • An SCP client, you can configure the ACL on the device to control the login of the local device to the SCP server through SCP.
  • An SNETCONF client, you can configure the ACL on the device to control the login of the local device to the SNETCONF server through SNETCONF.

Prerequisites

Run the acl command to create an ACL.

Example

# Apply ACL 2000 to the SSH server.
<HUAWEI> system-view
[HUAWEI] acl 2000
[HUAWEI-acl4-basic-2000] quit
[HUAWEI] ssh server acl 2000
# Set the ACL6 name of the SSH server to test.
<HUAWEI> system-view
[HUAWEI] acl ipv6 name test
[HUAWEI-acl6-advance-test] quit
[HUAWEI] ssh ipv6 server acl test

ssh server assign

Function

The ssh server assign command assigns a host key or PKI certificate to an SSH server.

The undo ssh server assign command deletes a host key or PKI certificate assigned to an SSH server.

By default, no key or PKI certificate is assigned to an SSH server.

Format

ssh server assign { rsa-host-key key-name | dsa-host-key key-name | ecc-host-key key-name | sm2-host-key key-name | pki key-name }

undo ssh server assign rsa-host-key

undo ssh server assign dsa-host-key

undo ssh server assign ecc-host-key

undo ssh server assign sm2-host-key

undo ssh server assign pki

Parameters

Parameter Description Value
rsa-host-key key-name

Assigns an RSA host key to an SSH server and specifies the name of the RSA host key.

The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

dsa-host-key key-name

Assigns a DSA host key to an SSH server and specifies the name of the DSA host key.

The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

ecc-host-key key-name

Assigns an ECC host key to an SSH server and specifies the name of the ECC host key.

The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

sm2-host-key key-name

Assigns an SM2 host key to an SSH server and specifies the name of the SM2 host key.

The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

pki key-name

Assigns a PKI realm to an SSH server and specifies the name of the PKI realm.

The value is a string of 1 to 64 case-insensitive characters without spaces. If an initial certificate is loaded to the specified PKI realm, the certificate is delivered in interactive mode.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to reference the generated RSA, DSA, SM2, and ECC keys or assign a PKI certificate to the SSH server to ensure security of the SSH server.

Prerequisites

Before running this command, run the command that matches the selected key type to create the key pair or PKI realm:

  • Run the rsa key-pair label command to create an RSA key pair with a specified label name.
  • Run the dsa key-pair label command to create a DSA key pair with a specified label name.
  • Run the ecc key-pair label command to create an ECC key pair with a specified label name.
  • Run the sm2 key-pair label command to create an SM2 key pair with a specified label name.
  • Run the pki domain <domain-name> command to create a PKI realm with a specified label name.
  • To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits as the authentication mode for SSH users. You are advised to use a more secure ECC authentication algorithm.

Configuration Impact

The RSA, DSA, or ECC key assigned to an SSH server takes precedence over the RSA, DSA, or ECC key created using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command, respectively. If the ssh server assign command is not run, an SSH server uses the key-pair created using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command.

Precautions

  • The RSA host key and server key in a pair must differ in length by 128 bits. Otherwise, SSHv1 clients cannot log in to the server.
  • If an RSA host key and an RSA server key have been assigned to an SSH server, and the RSA host key or server key is changed, or the key length is changed in a local RSA key pair so that the keys do not differ in length by 128 bits, SSHv1 applications are affected.
  • Deleting an RSA, DSA, or ECC key pair also deletes the key assigned to an SSH server.
  • This command takes effect for both IPv4 and IPv6 clients.

Example

# Assign an ECC host key named ecckey to an SSH server.
<HUAWEI> system-view
[HUAWEI] ecc key-pair label ecckey
[HUAWEI] ssh server assign ecc-host-key ecckey
# Assign an SM2 host key named sm2key001 to an SSH server.
<HUAWEI> system-view
[HUAWEI] sm2 key-pair label sm2key001
[HUAWEI] ssh server assign sm2-host-key sm2key001
# Assign a PKI certificate to an SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server assign pki domainA
# Assign an initial PKI certificate to the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server assign pki default
Warning: A preset certificate is loaded to the specified PKI domain. The current operation has security risks. Continue? [Y/N]:y
[HUAWEI]

ssh server authentication-retries

Function

The ssh server authentication-retries command sets the maximum number of authentication retries allowed for an SSH connection.

The undo ssh server authentication-retries command restores the default number of retries.

By default, the number of retries is 3.

Format

ssh server authentication-retries times

undo ssh server authentication-retries

Parameters

Parameter Description Value
times

Specifies the number of retry times to authenticate an SSH connection.

The value ranges from 1 to 5.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The configuration takes effect during the next login.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Set the number of retry times to 4.
<HUAWEI> system-view
[HUAWEI] ssh server authentication-retries 4

ssh server authentication-type keyboard-interactive enable

Function

The ssh server authentication-type keyboard-interactive enable command enables keyboard interactive authentication on an SSH server.

The undo ssh server authentication-type keyboard-interactive enable command disables keyboard interactive authentication on the SSH server.

By default, keyboard interactive authentication is disabled on an SSH server.

Format

ssh server authentication-type keyboard-interactive enable

undo ssh server authentication-type keyboard-interactive enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • Keyboard interactive authentication is the basis of password card authentication, and password card authentication is an implementation of two-factor authentication.
  • Two-factor authentication: an identity authentication method in which two authentication modes are used to verify the identity of a user. For example, the first authentication mode is user name and password, and the second authentication mode is a group of encrypted passwords.
  • Password card authentication: an identity authentication method that uses a password generated in a certain mode to verify the user identity.
  • To log in to the SSH server using password card authentication, keyboard interactive authentication must be enabled. The function is implemented as follows:
      • When an SSH user logs in to the local device, the user enters the user name. After detecting that the user is a password card authentication user, the TACACS server sends the user name to the password card authentication server (a third-party device that provides the authentication password).
      • The password card authentication server generates a challenge code (a group of encrypted passwords) based on the user name, initiates a challenge, and sends the challenge code to the TACACS server. The TACACS server displays the challenge code to the user through the local device.
      • The user enters the password and the received challenge code. The device displays the challenge response code (another group of encrypted passwords generated based on the challenge code). The user enters the challenge response code, which is sent to the password card authentication server through the TACACS server. The password card authentication server checks whether the challenge response code is correct and returns the authentication result to the user.
  • After this function is enabled, the system prompts the user to enter the challenge response code.
  • This function takes effect only when SSH users log in to the system in password authentication mode. To disable keyboard interactive authentication, run the undo ssh server authentication-type keyboard-interactive enable command.

Example

# Enable keyboard interactive authentication on an SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server authentication-type keyboard-interactive enable

ssh server cipher

Function

The ssh server cipher command configures encryption algorithms on an SSH server.

The undo ssh server cipher command restores the default encryption algorithms on the SSH server.

By default:

  • When the device starts with no configuration, the SSH server uses the AES256_GCM, AES128_GCM, AES256_CTR, AES192_CTR or AES128_CTR encryption algorithm.
  • If the device starts with a loaded configuration file and the configuration file does not contain the ssh server cipher configuration, the SSH server uses AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM, and AES256_GCM encryption algorithms.

Format

ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes256_ctr | arcfour128 | arcfour256 | blowfish_cbc | aes128_gcm | aes256_gcm | aes192_ctr | sm4_cbc } *

undo ssh server cipher

Parameters

Parameter Description Value
des_cbc

Specifies a DES encryption algorithm in CBC mode.

-

3des_cbc

Specifies a 3DES encryption algorithm in CBC mode.

-

aes128_cbc

Specifies an AES128 encryption algorithm in CBC mode.

-

aes192_cbc

Specifies an AES192 encryption algorithm in CBC mode.

-

aes256_cbc

Specifies an AES256 encryption algorithm in CBC mode.

-

aes128_ctr

Specifies the AES128 encryption algorithm in CTR mode.

-

aes256_ctr

Specifies the AES256 encryption algorithm in CTR mode.

-

arcfour128

Specifies the Arcfour128 encryption algorithm.

-

arcfour256

Specifies the Arcfour256 encryption algorithm.

-

blowfish_cbc

Specifies the Blowfish encryption algorithm in CBC mode.

-

aes128_gcm

Specifies an AES128 encryption algorithm in GCM mode.

-

aes256_gcm

Specifies an AES256 encryption algorithm in GCM mode.

-

aes192_ctr

Specifies the AES192 encryption algorithm in CTR mode.

-

sm4_cbc

Specifies the SM4 encryption algorithm in CBC mode.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure encryption algorithms on an SSH server, run the ssh server cipher command. The SSH client and server negotiate encryption algorithms for the packets exchanged between them. During negotiation, the client sends the specified encryption algorithms to the server. After comparing the received encryption algorithms with the local ones, the server selects the first matching encryption algorithm received for packet transmission. If no matching encryption algorithm is found, the negotiation fails.

Precautions

  • To ensure high security, you are advised to use the following encryption algorithms: aes128_ctr, aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.
  • This command applies to both IPv4 and IPv6 SSH clients.
  • The des_cbc, 3des_cbc, aes128_cbc, aes256_cbc, arcfour128, arcfour256, blowfish_cbc, aes192_cbc, and sm4_cbc parameters can be used only after the weak security algorithm/protocol feature package (WEAKEA) is installed by running the install feature-software WEAKEA command.

Example

# Configure the encryption algorithms in aes256_ctr mode.
<HUAWEI> system-view
[HUAWEI] ssh server cipher aes256_ctr

ssh server dh-exchange min-len

Function

The ssh server dh-exchange min-len command configures the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

The undo ssh server dh-exchange min-len command restores the default minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.

By default, the minimum key length supported is 3072 bits.

Format

ssh server dh-exchange min-len min-len

undo ssh server dh-exchange min-len

Parameters

Parameter Description Value
min-len

Specifies the minimum Diffie-hellman-group-exchange key length supported on the SSH server.

The value can be 1024, 2048, 3072, or 4096, in bits.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the SSH client supports the Diffie-hellman-group-exchange key of more than 1024 bits, run the ssh server dh-exchange min-len command to set the minimum key length to 3072 bits to improve security.

Precautions

If the minimum key length of the Diffie-hellman-group-exchange algorithm is less than or equal to 2048 bits, security risks exist. Before using the Diffie-hellman-group-exchange algorithm, run the install feature-software WEAKEA command to install the weak security algorithm/protocol feature package. You are advised to set the minimum length to 3072 bits.

This command takes effect for both IPv4 and IPv6.

Example

# Set the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client to 3072 bits.
<HUAWEI> system-view
[HUAWEI] ssh server dh-exchange min-len 3072

ssh server dscp

Function

The ssh server dscp command configures a DSCP value for the SSH packets sent by a server.

The undo ssh server dscp command restores the default DSCP value of the SSH packets sent by a server.

By default, the DSCP value of SSH packets is 48.

Format

ssh server dscp value

undo ssh server dscp value

undo ssh server dscp

Parameters

Parameter Description Value
value

Specifies a DSCP value for the SSH packets sent by a server.

The value is an integer ranging from 0 to 63.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • To change the priority of the SSH packets sent by a server, run the ssh server dscp command to change the DSCP value of the packets. A greater DSCP value indicates a higher priority.
  • The priority of this command is higher than that of the set priority dscp command. If a DSCP value is configured using this command, the configured value takes effect. If a DSCP value is configured using the set priority dscp command rather than this command, the value configured using the set priority dscp command takes effect. If no DSCP value is configured using the preceding commands, the default DSCP value is used.
  • When you run the undo ssh server dscp command:
      • If value is not specified, the DSCP field is restored to the default value.
      • If value is 48, the DSCP field is restored to the default value.
      • If value is set to a non-48 value, the value must be the same as value in the telnet server dscp command. Otherwise, the command execution fails.
  • The command only takes effect for IPv4 packets.

Example

# Set the DSCP value to 10 for the SSH packets sent by a server.
<HUAWEI> system-view
[HUAWEI] ssh server dscp 10

ssh server hmac

Function

The ssh server hmac command configures HMAC authentication algorithms on an SSH server.

The undo ssh server hmac command restores the default HMAC authentication algorithms on the SSH server.

By default, the SSH server supports these HMAC authentication algorithms: SHA2_512 and SHA2_256.

Format

ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 | sm3 } *

undo ssh server hmac

Parameters

Parameter Description Value
md5

Specifies an HMAC MD5 authentication algorithm.

-

md5_96

Specifies an HMAC MD5_96 authentication algorithm.

-

sha1

Specifies an HMAC SHA1 authentication algorithm.

-

sha1_96

Specifies an HMAC SHA1_96 authentication algorithm.

-

sha2_256

Specifies an HMAC SHA2_256 authentication algorithm. This algorithm is recommended.

-

sha2_256_96

Specifies an HMAC SHA2_256_96 authentication algorithm.

-

sha2_512

Specifies an HMAC SHA2_512 authentication algorithm.

-

sm3

Specifies an HMAC SM3 authentication algorithm.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To configure HMAC authentication algorithms on an SSH server, run the ssh server hmac command. The SSH client and server negotiate authentication algorithms for the packets exchanged between them. During negotiation, the client sends its authentication algorithms to the server. After comparing the received authentication algorithms with the local ones on the server, the server selects the first matching authentication algorithm received for packet transmission. If no matching authentication algorithm is found, the negotiation fails.

Precautions

  • For security purposes, you are advised to use the HMAC algorithm sha2_512 or sha2_256.
  • This command applies to both IPv4 and IPv6.
  • The algorithms specified by md5, md5_96, sha1, sha1_96, and sha2_256_96 parameters in this command can be used only after the weak security algorithm/protocol feature package (WEAKEA) is installed using the install feature-software WEAKEA command.

Example

# Configure HMAC SHA2_256.
<HUAWEI> system-view
[HUAWEI] ssh server hmac sha2_256

ssh server ip-block disable

Function

The ssh server ip-block disable command disables an SSH server from locking client IP addresses.

The undo ssh server ip-block disable command enables an SSH server to lock client IP addresses.

By default, an SSH server is enabled to lock client IP addresses.

Format

ssh server ip-block disable

undo ssh server ip-block disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • If an SSH server is enabled to lock client IP addresses, locked client IP addresses fail to pass authentication and are displayed in the display ssh server ip-block list command output.
  • If an SSH server is disabled from locking client IP addresses, the display ssh server ip-block list command does not display any client IP address that is locked because of authentication failures.
  • Disabling an SSH server from locking client IP addresses poses system risks and is therefore not recommended.

Example

# Disable an SSH server from locking client IP addresses.
<HUAWEI> system-view
[HUAWEI] ssh server ip-block disable

ssh server ip-limit-session

Function

The ssh server ip-limit-session command sets the maximum number of connections that a single IP address can establish to the SSH server.

The undo ssh server ip-limit-session command restores the maximum number of connections to the SSH server from a single IP address to the default value.

By default, a maximum of 256 connections can be established on the SSH server using a single IP address.

Format

ssh server ip-limit-session limit-session-num

undo ssh server ip-limit-session

Parameters

Parameter Description Value
limit-session-num

Sets the maximum number of connections supported by a single IP address.

The value is an integer that ranges from 1 to 256. The default value is 256.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Run this command on the SSH server to set the maximum number of SSH connections allowed from a single IP address. This prevents a malicious single IP address from occupying all connections to the server and causing connection attempts from other IP addresses to fail.

Example

# Set the maximum number of SSH connections for a single IP address to 20.
<HUAWEI> system-view
[HUAWEI] ssh server ip-limit-session 20

ssh server keepalive disable

Function

The ssh server keepalive disable command disables the keepalive feature on the SSH server.

The undo ssh server keepalive disable command enables the keepalive feature on the SSH server.

By default, the keepalive feature is enabled on the SSH server.

Format

ssh server keepalive disable

undo ssh server keepalive disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

The SSH server sends a keepalive response to the SSH client only if the keepalive feature is enabled on the SSH server. Otherwise, the server discards the connection.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Disable the keepalive feature on the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server keepalive disable

ssh server key-exchange

Function

The ssh server key-exchange command configures a key exchange algorithm list on an SSH server.

The undo ssh server key-exchange command restores the default configuration.

When a device starts with no configuration, the key exchange algorithm is customized by the product. After the undo command is executed, the SSH server uses the dh_group_exchange_sha256, dh_group16_sha512, and curve25519_sha256 key exchange algorithms by default.

Format

ssh server key-exchange { dh_group_exchange_sha256 | dh_group_exchange_sha1 | dh_group1_sha1 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep | dh_group14_sha1 | dh_group16_sha512 | curve25519_sha256 } *

undo ssh server key-exchange

Parameters

Parameter Description Value
dh_group_exchange_sha256

Specifies that the Diffie-hellman-group-exchange-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

dh_group_exchange_sha1

Specifies that the Diffie-hellman-group-exchange-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

dh_group1_sha1

Specifies that the Diffie-hellman-group1-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

ecdh_sha2_nistp256

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp256 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

ecdh_sha2_nistp384

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp384 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

ecdh_sha2_nistp521

Specifies that the Elliptic curve Diffie-hellman-sha2-nistp521 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

sm2_kep

Specifies that the SM2 key exchange protocol (SM2 KEP) algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

dh_group14_sha1

Specifies that the Diffie-hellman-group14-sha1 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

dh_group16_sha512

Specifies that the Diffie-hellman-group16-sha512 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

curve25519_sha256

Specifies that the Curve25519-sha256 algorithm is contained in the key exchange algorithm list configured on the SSH server.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The client and server negotiate the key exchange algorithm used for packet transmission. You can run the ssh client key-exchange command to configure a key exchange algorithm list on the SSH client. The SSH server compares the configured key exchange algorithm list with the counterpart sent by the client and then selects the first matched key exchange algorithm for packet transmission. If the key exchange algorithm list sent by the client does not match any algorithm in the key exchange algorithm list configured on the server, the negotiation fails.

This command takes effect for both IPv4 and IPv6 SSH clients.
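
The negotiation rule that this paragraph, the ssh server cipher usage scenario and the ssh server hmac usage scenario all describe (the server takes the first algorithm in the client's list that it also supports, and fails when there is no common algorithm) can be modelled in a few lines. The following Python is an added illustration, not CloudEngine code; the default lists are the ones quoted on this page, the WEAK_ALGORITHMS sets are the parameters this page says require the WEAKEA package, and the client proposals are constructed inputs.

```python
"""Model of the SSH algorithm negotiation described for the ssh server cipher,
ssh server hmac and ssh server key-exchange commands.

Added illustration, not CloudEngine code. The rule modelled is the one the page
states (and RFC 4253 section 7.1 specifies): the server walks the client's list
in the client's order and picks the first algorithm it also supports; no common
algorithm means the negotiation fails.
"""
from typing import Dict, List, Optional, Sequence

# Algorithms this page says are usable only after the WEAKEA feature package is installed.
WEAK_ALGORITHMS: Dict[str, set] = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes192_cbc", "aes256_cbc",
               "arcfour128", "arcfour256", "blowfish_cbc", "sm4_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
    "key-exchange": {"dh_group_exchange_sha1", "dh_group1_sha1", "dh_group14_sha1"},
}

# Server defaults quoted on this page (cipher list for a device started from a
# configuration file without ssh server cipher; hmac default; key-exchange after undo).
SERVER_DEFAULTS: Dict[str, List[str]] = {
    "cipher": ["aes128_ctr", "aes256_ctr", "aes192_ctr", "aes128_gcm", "aes256_gcm"],
    "hmac": ["sha2_512", "sha2_256"],
    "key-exchange": ["dh_group_exchange_sha256", "dh_group16_sha512", "curve25519_sha256"],
}


def negotiate(client_list: Sequence[str], server_list: Sequence[str]) -> Optional[str]:
    """Return the first algorithm in the client's list that the server also supports.

    Client order decides; the server list only acts as a membership set.
    None means no common algorithm, i.e. the negotiation fails.
    """
    supported = set(server_list)
    for alg in client_list:
        if alg in supported:
            return alg
    return None


def negotiate_all(client: Dict[str, Sequence[str]],
                  server: Dict[str, Sequence[str]]) -> Dict[str, Optional[str]]:
    """Negotiate every category the server has configured; None marks a failed category."""
    return {cat: negotiate(client.get(cat, []), server_list)
            for cat, server_list in server.items()}


def weak_algorithms_enabled(server: Dict[str, Sequence[str]]) -> Dict[str, List[str]]:
    """Audit helper: configured algorithms that this page gates behind WEAKEA."""
    findings: Dict[str, List[str]] = {}
    for cat, algs in server.items():
        weak = sorted(set(algs) & WEAK_ALGORITHMS.get(cat, set()))
        if weak:
            findings[cat] = weak
    return findings


if __name__ == "__main__":
    # Constructed client proposal: prefers a CBC cipher and a SHA-1 MAC the server does not offer.
    client = {
        "cipher": ["aes128_cbc", "aes256_ctr", "aes128_ctr"],
        "hmac": ["sha1", "sha2_256", "sha2_512"],
        "key-exchange": ["curve25519_sha256", "dh_group14_sha1"],
    }
    print(negotiate_all(client, SERVER_DEFAULTS))
    # A legacy-only client gets nothing from a default server: the negotiation fails.
    print(negotiate(["3des_cbc", "arcfour128"], SERVER_DEFAULTS["cipher"]))
    # Audit a server configuration that re-enabled weak algorithms.
    print(weak_algorithms_enabled({"cipher": ["aes256_ctr", "des_cbc"],
                                   "key-exchange": ["dh_group1_sha1"]}))
```

The model makes the practical consequence of the rule visible: because the client's order wins, a server that keeps a weak algorithm in its list will end up using it for any client that lists it first, so the effective way to exclude an algorithm is to remove it from the server configuration rather than to rank it last.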

Precautions

To ensure high security, you are advised to use the more secure curve25519_sha256 key exchange algorithm.

Under the same security conditions, compared with the ECDH key exchange algorithm, the DH and DHE key exchange algorithms have higher CPU usage during negotiation. You are advised to use the ECDH-type key exchange algorithms ecdh_sha2_nistp256, ecdh_sha2_nistp384, ecdh_sha2_nistp521 and curve25519_sha256.

The dh_group_exchange_sha1, dh_group1_sha1, and dh_group14_sha1 parameters in this command can be used only after the weak security algorithm/protocol feature package (WEAKEA) has been installed using the install feature-software WEAKEA command.

Example

# Configure the key exchange algorithm dh_group_exchange_sha256 on the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server key-exchange dh_group_exchange_sha256

ssh server login-failed threshold-alarm

Function

The ssh server login-failed threshold-alarm command configures alarm generation and clearance thresholds for SSH server login failures within a specified period.

The undo ssh server login-failed threshold-alarm command restores the default alarm generation and clearance thresholds.

By default, an alarm is generated if the number of login failures reaches 30 within 5 minutes and is cleared if the number of login failures falls below 20 within the same period.

Format

ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

undo ssh server login-failed threshold-alarm

undo ssh server login-failed threshold-alarm upper-limit report-times lower-limit resume-times period period-time

Parameters

Parameter Description Value
lower-limit resume-times

Specifies an alarm clearance threshold.

The value is an integer ranging from 0 to report-times and varies with report-times. The default value is 20, and the maximum value is 45. If resume-times is 0, the function is the same as that when the value is set to 1, which means that a clear alarm is generated if no login failures occur.

period period-time

Specifies a statistics collection period.

The value is an integer ranging from 1 to 120, in minutes. The default value is 5. If report-times is 0, the period-time value specified does not take effect.

upper-limit report-times

Specifies an alarm generation threshold.

The value is an integer ranging from 0 to 100. The default value is 30. If the value is 0, no alarms are generated upon SSH server login failures.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To manage frequent SSH server login failures within a specified period, run the ssh server login-failed threshold-alarm command to configure alarm generation and clearance thresholds for the login failures. This configuration enables the device to generate alarms for administrators to promptly handle associated events. The alarm SSH_1.3.6.1.4.1.2011.5.25.207.2.8 hwSSHLoginFailed is generated when the number of login failures reaches report-times within period-time, and the clear alarm SSH_1.3.6.1.4.1.2011.5.25.207.2.10 hwSSHLoginFailedClear is generated when the number of login failures falls below resume-times within the same period.

This command takes effect for both IPv4 and IPv6 SSH servers.
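
The raise-and-clear behaviour described above is a hysteresis alarm over a counting window. The following Python is an added illustration, not CloudEngine code: it assumes failures are counted over a sliding window of period-time minutes (the page does not say how the device counts), raises the alarm when the count reaches upper-limit, clears it when the count falls below lower-limit, and applies the two edge cases the parameter table gives (upper-limit 0 disables alarms, lower-limit 0 behaves like 1). The alarm names are the ones quoted on this page; the failure timestamps are constructed.

```python
"""Sliding-window login-failure alarm with hysteresis, modelled on the thresholds
of ssh server login-failed threshold-alarm.

Added illustration, not CloudEngine code. Assumption: failures are counted over a
sliding window of period_minutes; the device's exact counting scheme is not
described on this page.
"""
from collections import deque
from typing import Deque, Iterable, List, Optional, Tuple


class LoginFailureAlarm:
    # Alarm names quoted on this page.
    RAISE = "hwSSHLoginFailed"
    CLEAR = "hwSSHLoginFailedClear"

    def __init__(self, upper_limit: int = 30, lower_limit: int = 20, period_minutes: int = 5):
        # Value ranges from the parameter table on this page.
        if not 0 <= upper_limit <= 100:
            raise ValueError("upper-limit must be 0..100")
        if not 0 <= lower_limit <= upper_limit:
            raise ValueError("lower-limit must be 0..upper-limit")
        if not 1 <= period_minutes <= 120:
            raise ValueError("period must be 1..120 minutes")
        self.upper_limit = upper_limit
        # Page: resume-times 0 behaves like 1 (the alarm clears once no failures remain).
        self.lower_limit = max(lower_limit, 1)
        self.period_seconds = period_minutes * 60
        self._failures: Deque[float] = deque()
        self.alarm_active = False

    def _expire(self, now: float) -> None:
        """Drop failures that have fallen out of the window."""
        cutoff = now - self.period_seconds
        while self._failures and self._failures[0] <= cutoff:
            self._failures.popleft()

    def _evaluate(self, now: float) -> Optional[str]:
        self._expire(now)
        if self.upper_limit == 0:  # page: upper-limit 0 disables alarm generation
            return None
        count = len(self._failures)
        if not self.alarm_active and count >= self.upper_limit:
            self.alarm_active = True
            return self.RAISE
        if self.alarm_active and count < self.lower_limit:
            self.alarm_active = False
            return self.CLEAR
        return None

    def record_failure(self, now: float) -> Optional[str]:
        """Register one failed login at time `now` (seconds) and return any alarm event."""
        self._failures.append(now)
        return self._evaluate(now)

    def tick(self, now: float) -> Optional[str]:
        """Re-evaluate without a new failure so that a stale alarm can clear."""
        return self._evaluate(now)

    @property
    def failures_in_window(self) -> int:
        return len(self._failures)


def replay(alarm: LoginFailureAlarm, failure_times: Iterable[float],
           final_tick: float) -> List[Tuple[float, str]]:
    """Feed constructed failure timestamps through the alarm and collect (time, event) pairs."""
    events: List[Tuple[float, str]] = []
    for t in failure_times:
        ev = alarm.record_failure(t)
        if ev:
            events.append((t, ev))
    ev = alarm.tick(final_tick)
    if ev:
        events.append((final_tick, ev))
    return events


if __name__ == "__main__":
    # Page example: upper-limit 20, lower-limit 10, period 3 minutes.
    alarm = LoginFailureAlarm(upper_limit=20, lower_limit=10, period_minutes=3)
    # Constructed burst: 20 failures one second apart, then quiet until t = 300 s.
    print(replay(alarm, range(20), final_tick=300.0))
```

The gap between upper-limit and lower-limit is what keeps the alarm from flapping when the failure rate hovers around the threshold; the model raises exactly one event per transition, which is also what a collector correlating hwSSHLoginFailed with its clear alarm should expect.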

Example

# Configure the device to generate an alarm when the number of SSH server login failures within 3 minutes reaches 20 and clear the alarm when the number of SSH server login failures within 3 minutes is less than 10.
<HUAWEI> system-view
[HUAWEI] ssh server login-failed threshold-alarm upper-limit 20 lower-limit 10 period 3

ssh server port

Function

The ssh server port command changes the port number that an SSH server monitors.

The undo ssh server port command restores the port number that the SSH server monitors to the default value.

By default, the SSH server monitors the port number 22.

Format

ssh server port port-number

undo ssh server port

Parameters

Parameter Description Value
port-number

Specifies the port number that an SSH server monitors.

The value is 22 or an integer ranging from 1025 to 65535.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH client can log in successfully with no port specified only when the server is monitoring port 22. If the server is monitoring another port, the port number must be specified upon login.

The ssh server port command changes the IPv4/IPv6 port number that an SSH server monitors.

After the monitoring port number is changed, all existing connections are disconnected and the server starts to monitor the new port number.

Example

# Set the monitoring port number of the SSH server to 1025.
<HUAWEI> system-view
[HUAWEI] ssh server port 1025

ssh server port (System view)

Function

The ssh ipv4 server port and ssh ipv6 server port commands change the IPv4 or IPv6 port number that an SSH server monitors.

The undo ssh ipv4 server port and undo ssh ipv6 server port commands restore the port number that the SSH server monitors to the default value.

By default, the SSH server monitors the port number 22.

Format

ssh ipv4 server port port-number

ssh ipv6 server port port-number

undo ssh ipv4 server port

undo ssh ipv6 server port

Parameters

Parameter Description Value
port-number

Specifies the port number that an SSH server monitors.

The value is 22 or an integer ranging from 1025 to 65535.

ipv6

Specifies the IPv6 port number that an SSH server monitors.

-

ipv4

Specifies the IPv4 port number that an SSH server monitors.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

An SSH client can log in successfully with no port specified only when the server is monitoring port 22. If the server is monitoring another port, the port number must be specified upon login.

The ssh ipv4 server port command changes the IPv4 port number that an SSH server monitors. The ssh ipv6 server port command changes the IPv6 port number that an SSH server monitors.

After the monitoring port number is changed, all existing connections are disconnected and the server starts to monitor the new port number.

Example

# Set the monitoring port number of the SSH server to 1025.
<HUAWEI> system-view
[HUAWEI] ssh server port 1025

ssh server publickey

Function

The ssh server publickey command enables the public key algorithm function of the SSH server.

The undo ssh server publickey command restores public key algorithms of the SSH server to default values.

By default:

  • When a device starts with no configuration, RSA_SHA2_256 and RSA_SHA2_512 public key algorithms are enabled, and SM2, RSA, ECC, DSA, X509-SSH-RSA, and X509-RSA-SHA2-256 algorithms are disabled.
  • If a device loads a configuration file for startup (for example, a configuration file is loaded using ZTP for initial configuration) and the configuration file does not contain the ssh server publickey configuration, the ECC, RSA, RSA_SHA2_256, RSA_SHA2_512 and DSA public key algorithms are enabled, and the SM2, X509-SSH-RSA, and X509-RSA-SHA2-256 algorithms are disabled.

Format

ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa | rsa_sha2_256 | rsa_sha2_512 | x509v3-rsa2048-sha256 } *

undo ssh server publickey

Parameters

Parameter Description Value
dsa

Indicates the DSA algorithm.

-

ecc

Indicates the ECC algorithm.

-

rsa

Indicates the RSA algorithm.

-

sm2

Indicates the SM2 algorithm.

-

x509v3-ssh-rsa

Indicates the X509-SSH-RSA algorithm.

-

rsa_sha2_256

Indicates the RSA SHA2-256 algorithm.

-

rsa_sha2_512

Indicates the RSA SHA2-512 algorithm.

-

x509v3-rsa2048-sha256

Indicates the X509-RSA-SHA2-256 algorithm.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • You can run this command to configure a more secure public key algorithm for device login and deny other public key algorithms, improving device security. RSA_SHA2_256 and RSA_SHA2_512 public key algorithms are recommended.
  • Run the ssh server publickey command with the specified public key algorithm to allow the use of this public key algorithm and deny the use of all others. For example, ssh server publickey dsa indicates that the DSA algorithm can be used and other algorithms cannot be used. If you run this command multiple times, only the latest configuration takes effect.
  • To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits as the authentication mode for SSH users. You are advised to use more secure RSA_SHA2_256 and RSA_SHA2_512 authentication algorithms.
  • If the public key algorithm specified for the SSH server is X509V3-SSH-RSA or X509V3-RSA2048-SHA256, run the ssh server assign pki <pki-keyname> command to bind the SSH server to a PKI realm.

Precautions

  • To ensure high security, you are advised to use the following algorithms: ecc, x509v3-ssh-rsa, rsa_sha2_256, rsa_sha2_512 and x509v3-rsa2048-sha256.
  • The public key algorithm can be used for login only after the corresponding public key algorithm is enabled on both the client and server.
  • The undo ssh server publickey command restores all public key algorithms of the SSH server to default values.
  • If the SSH user authentication mode is set to public key authentication using the ssh user command, the public key algorithm must be the same as that enabled in this command. Otherwise, the user cannot log in to the device. For example, if the ssh server publickey ecc command is configured, run the ssh user <user-name> authentication-type { ecc | password-ecc | all } command to set the authentication mode of the SSH user to ECC, password-ECC, or all.
  • This command takes effect for both IPv4 and IPv6 clients.
  • The dsa and rsa parameters in this command can be used only after the weak security algorithm/protocol feature package (WEAKEA) has been installed using the install feature-software WEAKEA command.
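The rules in the Usage Scenario and Precautions above (only the latest ssh server publickey line takes effect, the recommended algorithm set, dsa and rsa needing the WEAKEA package, and a user's authentication-type having to match an enabled server algorithm) can be checked offline against a saved configuration. The following audit script is an added example and is not Huawei code; the configuration excerpt is constructed, and the table mapping each authentication-type to the server algorithms it relies on is an assumption beyond the ECC case the page spells out.

```python
"""Audit 'ssh server publickey' settings in a Huawei-style config excerpt.

Added example, not Huawei code. Rules taken from the command reference:
the last 'ssh server publickey' line wins; ecc, x509v3-ssh-rsa,
rsa_sha2_256, rsa_sha2_512 and x509v3-rsa2048-sha256 are the recommended
set; dsa and rsa need the WEAKEA package; an SSH user's authentication-type
must match an algorithm enabled on the server. The config text is constructed.
"""
import re

RECOMMENDED = {"ecc", "x509v3-ssh-rsa", "rsa_sha2_256", "rsa_sha2_512", "x509v3-rsa2048-sha256"}
NEEDS_WEAKEA = {"dsa", "rsa"}
# Default when the device starts with no configuration at all.
DEFAULT_NO_CONFIG = {"rsa_sha2_256", "rsa_sha2_512"}

# Assumption: which server public key algorithm each user authentication-type
# relies on. The page states only the ECC case explicitly.
AUTH_TYPE_REQUIRES = {
    "ecc": {"ecc"}, "password-ecc": {"ecc"},
    "dsa": {"dsa"}, "password-dsa": {"dsa"},
    "sm2": {"sm2"}, "password-sm2": {"sm2"},
    "rsa": {"rsa", "rsa_sha2_256", "rsa_sha2_512"},
    "password-rsa": {"rsa", "rsa_sha2_256", "rsa_sha2_512"},
    "x509v3-rsa": {"x509v3-ssh-rsa", "x509v3-rsa2048-sha256"},
    "password-x509v3-rsa": {"x509v3-ssh-rsa", "x509v3-rsa2048-sha256"},
}

PUBKEY_RE = re.compile(r"^\s*ssh server publickey\s+(.+?)\s*$")
USER_RE = re.compile(r"^\s*ssh user (\S+) authentication-type (\S+)\s*$")


def enabled_algorithms(config: str) -> set:
    """Return the server's enabled public key algorithm set.

    Only the latest 'ssh server publickey' line takes effect; when the
    config has none, fall back to the no-configuration default."""
    enabled = set(DEFAULT_NO_CONFIG)
    for line in config.splitlines():
        m = PUBKEY_RE.match(line)
        if m:
            enabled = set(m.group(1).split())
    return enabled


def audit(config: str) -> dict:
    """Flag weak or non-recommended server algorithms and users that cannot log in."""
    enabled = enabled_algorithms(config)
    findings = []
    for alg in sorted(enabled - RECOMMENDED):
        note = "weak; requires WEAKEA package" if alg in NEEDS_WEAKEA else "not in recommended set"
        findings.append(f"server algorithm {alg}: {note}")
    for line in config.splitlines():
        m = USER_RE.match(line)
        if not m:
            continue
        user, auth = m.groups()
        if auth in ("password", "all"):
            continue  # password needs no public key algorithm; 'all' accepts any enabled one
        needed = AUTH_TYPE_REQUIRES.get(auth, set())
        if not needed & enabled:
            findings.append(
                f"user {user}: authentication-type {auth} cannot log in; "
                f"server enables {sorted(enabled)}")
    return {"enabled": enabled, "findings": findings}


# Constructed excerpt: the second publickey line supersedes the first.
SAMPLE_CONFIG = """\
ssh server publickey dsa rsa
ssh server publickey ecc rsa_sha2_256
ssh user alice authentication-type ecc
ssh user bob authentication-type dsa
ssh user carol authentication-type password
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

Run against the constructed excerpt, the script reports that bob's DSA authentication type no longer matches anything the server enables, which is exactly the login failure the Precautions describe.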

Example

# Allow the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[HUAWEI] ssh server publickey ecc
# Allow the SM2 algorithm and deny other algorithms.
<HUAWEI> system-view
[HUAWEI] ssh server publickey sm2
# Allow the x509v3-ssh-rsa algorithm and deny other algorithms.
<HUAWEI> system-view
[HUAWEI] ssh server publickey x509v3-ssh-rsa

ssh server rekey

Function

The ssh server rekey command sets the criteria that trigger SSH server key re-negotiation.

The undo ssh server rekey command restores the default values of criteria that trigger SSH server key re-negotiation.

By default, key re-negotiation is triggered on the SSH server when one of the following conditions is met:

  • The total size of sent and received packets reaches 1000 MB.
  • The total number of sent and received packets reaches 2147483648.
  • The online duration reaches 60 minutes.

Format

ssh server rekey { { max-packet max-packet } | { time minutes } | { data-limit data-limit } } *

undo ssh server rekey { { max-packet [ max-packet ] } | { time [ minutes ] } | { data-limit [ data-limit ] } } *

Parameters

Parameter Description Value
max-packet max-packet

Specifies the maximum number of packets that triggers key re-negotiation.

The value is an integer ranging from 268435456 to 2147483648.

time minutes

Specifies the session duration that triggers key re-negotiation.

The value is an integer in the range of 30 to 1440, in minutes.

data-limit data-limit

Specifies the maximum packet data volume that triggers key re-negotiation.

The value is an integer ranging from 100 to 10000, in MB.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH session meets one or more of the following criteria, the system re-negotiates a key and uses the new key to establish SSH session connections, improving system security.

  • The number of interaction packets meets the configured key re-negotiation criterion.
  • The accumulated packet data volume meets the configured key re-negotiation criterion.
  • The session duration meets the configured key re-negotiation criterion.

This command takes effect for both IPv4 and IPv6 SSH clients.

Precautions

A key re-negotiation request is initiated when either the SSH client or server meets the key re-negotiation criteria, and the other party responds.

This command applies only to the SSHv2 protocol.
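Because three criteria run concurrently, the one that actually triggers re-negotiation depends on the traffic profile of the session. The following script, an added example and not Huawei code, applies the documented defaults and value ranges to constructed session profiles and reports which criterion is reached first; it takes MB as 2**20 bytes, which is an assumption since the page does not define the unit's base.

```python
"""Which 'ssh server rekey' criterion fires first for a given session profile.

Added example, not Huawei code. Defaults and accepted ranges are those the
command documents; the session profiles below are constructed. MB is taken
as 2**20 bytes (assumption; the page does not define the unit's base).
"""
MB = 2 ** 20

RANGES = {                          # (min, max) the command accepts
    "max-packet": (268_435_456, 2_147_483_648),
    "time": (30, 1440),             # minutes
    "data-limit": (100, 10_000),    # MB
}
DEFAULTS = {"max-packet": 2_147_483_648, "time": 60, "data-limit": 1000}


def validate(settings: dict) -> dict:
    """Merge user settings with the defaults, rejecting values the CLI would refuse."""
    merged = dict(DEFAULTS)
    for key, value in settings.items():
        low, high = RANGES[key]
        if not low <= value <= high:
            raise ValueError(f"{key} {value} outside {low}..{high}")
        merged[key] = value
    return merged


def first_rekey_trigger(bytes_per_sec: float, packets_per_sec: float, settings=None) -> tuple:
    """Return (criterion, seconds_until_rekey) for the criterion reached first.

    Byte and packet rates count both directions, as the command does."""
    cfg = validate(settings or {})
    times = {
        "time": cfg["time"] * 60.0,
        "data-limit": float("inf") if bytes_per_sec <= 0 else cfg["data-limit"] * MB / bytes_per_sec,
        "max-packet": float("inf") if packets_per_sec <= 0 else cfg["max-packet"] / packets_per_sec,
    }
    criterion = min(times, key=times.get)
    return criterion, times[criterion]


if __name__ == "__main__":
    # Constructed profiles: a bulk SFTP transfer at ~1 Gbit/s and a mostly idle CLI session.
    print(first_rekey_trigger(125_000_000, 83_000))   # data-limit wins, under 10 s
    print(first_rekey_trigger(200, 2))                 # time wins, 3600 s
    # The page's own example values, applied to the bulk transfer.
    print(first_rekey_trigger(125_000_000, 83_000,
                              {"data-limit": 10000, "max-packet": 268_435_456, "time": 1440}))
```

The point the numbers make: with the defaults, a bulk SFTP transfer re-keys after the 1000 MB data limit in seconds, while an idle CLI session re-keys on the 60-minute timer, so raising the data limit mostly affects file transfers.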

Example

# Configure key re-negotiation to be triggered on the SSH server when the total size of sent and received packets reaches 10000 MB, the total number of sent and received packets reaches 268435456, or the online duration reaches 1440 minutes.
<HUAWEI> system-view
[HUAWEI] ssh server rekey data-limit 10000 max-packet 268435456 time 1440

ssh server rsa-key min-length

Function

The ssh server rsa-key min-length command sets the minimum length of RSA public keys allowed by the SSH server.

The undo ssh server rsa-key min-length command restores the default minimum length of RSA public keys allowed by the SSH server to 512 bits.

By default, the minimum length of RSA public keys allowed by the SSH server is 512 bits.

Format

ssh server rsa-key min-length min-length-val

undo ssh server rsa-key min-length

Parameters

Parameter Description Value
min-length-val

Sets the minimum length of RSA public keys.

The value is an integer that ranges from 512 to 4096. The default value is 512.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to configure the minimum length of RSA public keys allowed by the SSH server. After the configuration, the user can bind the RSA public key only when the length of the RSA public key is greater than or equal to the specified value.
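The length the server compares against min-length is the bit length of the RSA modulus inside the client's public key. The following script is an added example, not Huawei code: it decodes the SSH wire format of an RSA public key (the string "ssh-rsa" followed by the mpints e and n, per RFC 4253) and applies the same accept/reject rule. The sample keys are constructed from arbitrary odd integers and are not real key material.

```python
"""Check an RSA public key against 'ssh server rsa-key min-length'.

Added example, not Huawei code. Decodes an 'ssh-rsa AAAA...' line (SSH
wire format: string "ssh-rsa", mpint e, mpint n) and compares the modulus
bit length with the configured minimum, mirroring the rule that a key may be
bound only when its length is >= min-length (default 512, range 512..4096).
Sample keys are constructed from arbitrary odd integers, not real key material.
"""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value: int) -> bytes:
    """SSH 'mpint' for a non-negative integer: minimal big-endian bytes,
    with a leading 0x00 when the top bit is set so the value stays positive."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(buf: bytes, pos: int):
    (length,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos:pos + length], pos + length


def rsa_modulus_bits(public_key_line: str) -> int:
    """Return the modulus size in bits of an 'ssh-rsa <base64> [comment]' line."""
    fields = public_key_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, pos = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match ssh-rsa")
    _e, pos = _read_string(blob, pos)      # public exponent, not needed for the length check
    n_bytes, _pos = _read_string(blob, pos)
    return int.from_bytes(n_bytes, "big").bit_length()


def accepts_key(public_key_line: str, min_length: int = 512) -> bool:
    """Server rule: the key can be bound only when its bit length >= min-length."""
    if not 512 <= min_length <= 4096:
        raise ValueError("min-length must be in 512..4096")
    return rsa_modulus_bits(public_key_line) >= min_length


def make_test_key(modulus_bits: int, e: int = 65537) -> str:
    """Constructed key line with an arbitrary odd modulus of the requested size (not a real key)."""
    n = (1 << (modulus_bits - 1)) | 1
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    for bits in (1024, 2048, 4096):
        key = make_test_key(bits)
        print(bits, "default min-length:", accepts_key(key), "min-length 2048:", accepts_key(key, 2048))
```

Running the script shows why the default of 512 bits is permissive: a 1024-bit key is accepted until min-length is raised to 2048, the value the page's example configures.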

Example

# Set the minimum length of RSA public keys allowed by the SSH server to 2048 bits.
<HUAWEI> system-view
[HUAWEI] ssh server rsa-key min-length 2048

ssh server security-banner disable

Function

The ssh server security-banner disable command disables the risk prompt function on the SSH server.

The undo ssh server security-banner disable command enables the risk prompt function on the SSH server.

By default, the risk prompt function is enabled on the SSH server.

Format

ssh server security-banner disable

undo ssh server security-banner disable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When an SSH client attempts to log in to an SSH server, but the negotiated algorithm is an insecure one, the SSH server generates a risk warning message and sends the message to the SSH client. However, if the SSH client cannot parse this type of message, it fails to interact with the server, leading to a login failure. To prevent this problem, you can run the ssh server security-banner disable command to disable the risk warning function triggered by the SSH server when an insecure algorithm is used between the SSH server and client.

Example

# Disable the risk warning function triggered by an SSH server when an insecure algorithm is used between the SSH server and client.
<HUAWEI> system-view
[HUAWEI] ssh server security-banner disable

ssh server tcp forwarding enable

Function

The ssh server tcp forwarding enable command enables the local port forwarding function on the SSH server.

The undo ssh server tcp forwarding enable command disables the local port forwarding function on the SSH server.

By default, the TCP port forwarding service of the SSH server is disabled.

Format

ssh server tcp forwarding enable

undo ssh server tcp forwarding enable

Parameters

None

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can run this command to enable the local port forwarding service on the SSH server so that the server can establish TCP connections that a firewall would otherwise prevent. Only after local port forwarding is enabled can the SSH server accept forwarding requests from the SSH client, establish a TCP connection (forwarding channel) to the host with the specified IP address and port number, and forward the data received from the client to that host.

Precautions

  • A maximum of 32 forwarding channels can be established.
  • If a forwarding channel remains idle for 10 minutes, it is disabled.

Example

# Enable the TCP port forwarding service of the SSH server.
<HUAWEI> system-view
[HUAWEI] ssh server tcp forwarding enable
Info: Succeeded in starting the FWD server.

ssh server timeout

Function

The ssh server timeout command sets the authentication timeout period of the SSH server.

The undo ssh server timeout command restores the default authentication timeout period of the SSH server.

By default, the SSH authentication timeout period is 60 seconds.

Format

ssh server timeout seconds

undo ssh server timeout

Parameters

Parameter Description Value
seconds

Specifies the login timeout period of the SSH connection.

The value is an integer ranging from 1 to 120, in seconds.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

The configuration takes effect during the next login.

This command takes effect for both IPv4 and IPv6 connections.

Example

# Configure the authentication timeout interval value as 90 seconds.
<HUAWEI> system-view
[HUAWEI] ssh server timeout 90

ssh server-source

Function

The ssh server-source command specifies a source interface for an SSH server.

The undo ssh server-source command cancels the specified source interface for an SSH server.

By default, no source interface is specified for an SSH server.

Format

ssh server-source -i { interface-type interface-number | interface-name }

ssh server-source all-interface

undo ssh server-source -i { interface-type interface-number | interface-name }

undo ssh server-source all-interface

Parameters

Parameter Description Value
interface-type interface-number

Specifies the source interface type and interface number of an SSH server.

-

all-interface

Indicates that any interface having an IP address configured can be used as the source interface of an SSH server.

-

-i interface-name

Specifies the source interface name of an SSH server.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To improve system security, an SSH server does not accept login requests from any interface by default. To allow authorized users to log in to the SSH server, run this command to specify the source interface of the SSH server.

Prerequisites

If the source interface of the SSH server is a logical interface, the logical interface must have been created. Otherwise, the command cannot be executed successfully.

Configuration Impact

After the source interface of the SSH server is specified, the system allows only SFTP, STelnet, SCP, and SNETCONF users to log in to the server through the specified source interface, and SFTP, STelnet, SCP, and SNETCONF users who log in through other interfaces will be rejected. However, the SFTP, STelnet, SCP, and SNETCONF users who have logged in to the server are not affected.

Precautions

  • After you specify the source interface of the SSH server, ensure that the SFTP, STelnet, SCP, and SNETCONF users can communicate with the specified source interface at Layer 3 so that authorized SFTP, STelnet, SCP, and SNETCONF users can successfully log in to the SSH server.
  • The configuration takes effect upon the next login. The system will prompt you to determine whether to continue the operation.
  • If the specified source interface is bound to a VPN instance, the SSH server is bound to the VPN instance.
  • After a bound VPN instance is deleted, the VPN configuration specified using the ssh server-source command will not be cleared but does not take effect. In this case, the SSH server uses a public IP address. If you configure the VPN instance with the same name again, the VPN function is restored.
  • After the bound source interface is deleted, the interface configuration in this command is not deleted, but the function does not take effect. After the source interface with the same name is configured again, the function is restored.
  • If both the ssh server-source -i and ssh server-source all-interface commands are run, the interface specified in the ssh server-source -i command is preferentially used as the source interface of the ssh server. If the specified source interface fails to be used for login, the system selects an interface from other valid interfaces for login.

Example

# Configure loopback 0 as the source interface of the SSH server.
<HUAWEI> system-view
[HUAWEI] interface loopback 0
[HUAWEI-LoopBack0] ip address 10.1.1.1 24
[HUAWEI-LoopBack0] quit
[HUAWEI] ssh server-source -i loopback 0
Warning: SSH server source configuration will take effect in the next login. Continue? [Y/N]:y

ssh user

Function

The ssh user command creates an SSH user.

The ssh user assign command assigns an existing public key to an SSH user.

The ssh user authentication-type command configures the authentication type of an SSH user.

The ssh user service-type command configures the service type for the SSH user.

The ssh user sftp-directory command configures the authorized directory of the SFTP service for SSH users.

The undo ssh user command deletes an SSH user.

The undo ssh user assign command deletes the binding between an SSH user and a public key.

The undo ssh user authentication-type command deletes the configured authentication mode.

The undo ssh user service-type command restores the default service type of an SSH user.

The undo ssh user sftp-directory command cancels the authorized SFTP service directory for an SSH user.

By default, no SSH user is created, no public key is assigned to the user, and the authentication type, service type, and authorized SFTP service directory of the SSH user are not configured.

Format

ssh user user-name

ssh user user-name assign { rsa-key | dsa-key | ecc-key | sm2-key } key-name

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | all | ecc | password-ecc | sm2 | password-sm2 | password-x509v3-rsa | x509v3-rsa }

ssh user user-name service-type { sftp | stelnet | snetconf } *

ssh user user-name sftp-directory directoryname

ssh user user-name assign pki pki-name

undo ssh user [ user-name ]

undo ssh user user-name assign { rsa-key | dsa-key | ecc-key | sm2-key }

undo ssh user user-name authentication-type

undo ssh user user-name service-type

undo ssh user user-name sftp-directory

undo ssh user user-name assign pki

Parameters

Parameter Description Value
user-name

Indicates the name of an SSH user.

The value is a string of 1 to 253 case-insensitive characters.

rsa-key

Specifies to assign an RSA public key to a user.

-

dsa-key

Specifies to assign a DSA public key to a user.

-

ecc-key

Assigns an ECC public key to a user.

-

sm2-key

Assigns an SM2 public key to a user.

-

key-name

Specifies the name of the public key (RSA, DSA, ECC, or SM2, matching the selected key type) generated on the client.

The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

password

Indicates password authentication.

-

rsa

Indicates RSA authentication.

To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits as the authentication type for the SSH user. You are advised to use a more secure ECC authentication algorithm for higher security.

-

password-rsa

Indicates that both password authentication and RSA authentication must be adopted.

-

dsa

Indicates DSA authentication.

-

password-dsa

Indicates that both password authentication and DSA authentication must be adopted.

-

all

Indicates all authentication modes.

-

ecc

Indicates ECC authentication.

-

password-ecc

Indicates that both password authentication and ECC authentication must be adopted.

-

sm2

Indicates SM2 authentication.

-

password-sm2

Indicates that both password authentication and SM2 authentication must be adopted.

-

password-x509v3-rsa

Indicates that both password authentication and X509V3-SSH-RSA authentication must be adopted.

-

x509v3-rsa

Indicates X509V3-SSH-RSA authentication.

-

sftp

Indicates the SFTP service type.

-

stelnet

Indicates the STelnet and SCP service type.

-

snetconf

Indicates the SNETCONF service type.

-

sftp-directory directoryname

Specifies the directory name of the SFTP server.

The value is a string of 1 to 255 characters.

pki pki-name

Indicates PKI domain.

The value is a string of 1 to 64 case-insensitive characters without spaces. If an initial certificate is loaded to the specified PKI realm, the certificate is delivered in interactive mode.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

You can create an SSH user in either of the following ways:

  • Run the ssh user command to create an SSH user.
  • When the ssh user authentication-type, ssh user service-type or ssh user sftp-directory command is executed, if the system detects that user-name does not exist, the system creates an SSH user named user-name.

The highest privilege level of an SSH user is set to aaa or root using the ssh authorization-type default aaa or ssh authorization-type default root command.

When you run the ssh user assign command to assign a public key to an SSH user:

  • If a public key has been assigned to the user, the last assigned public key takes effect.
  • The newly configured public key takes effect upon the next login.

When ECC/DSA/RSA authentication is performed for an SSH user, the ECC/DSA/RSA public key generated on the client needs to be sent to the server, and then the server assigns the public key to the SSH user.

Before running this command, ensure that the public key on the SSH client is valid.

To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits as the authentication mode for SSH users. You are advised to use a more secure ECC authentication algorithm.

You must specify an authentication mode for a new SSH user. Otherwise, the user cannot log in to the system. The newly configured authentication mode takes effect upon next login.

If an authentication type has been configured, the configuration will be deleted after the ssh user authentication-type command is run, and a new authentication type configured using the command will be used.

Run the ssh user service-type command to configure the service type for the SSH user.

When you run the ssh user sftp-directory command to configure an authorized SFTP service directory for an SSH user:

  • If user-name does not exist, create an SSH user named user-name and set the authorized SFTP service directory to the configured directory. Alternatively, use the user name configured in local-user user-name ftp-directory directory to log in.
  • If the configured directory and the directory specified by local-user user-name ftp-directory directory do not exist, the SFTP client fails to connect to the SSH server.

When an SFTP user logs in to the device, the path configured using the ssh user sftp-directory command takes precedence over the path configured using the local-user user-name ftp-directory directory command. The sftp server default-directory command has the lowest priority.

These commands are valid for both IPv4 and IPv6.

You can run the display ssh user-information command to view the configuration of all SSH users.
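The SFTP directory precedence just described (ssh user sftp-directory, then local-user ftp-directory, then sftp server default-directory) and the connection failure when no configured directory exists can be worked through against a saved configuration. The following resolver is an added example, not Huawei code; the configuration excerpt and the set of directories that exist on the flash are constructed, and the reading that a missing higher-priority directory falls through to the next one is an assumption drawn from the failure sentence above.

```python
"""Resolve the effective SFTP root directory for an SSH user.

Added example, not Huawei code. Applies the precedence the command reference
gives: 'ssh user <name> sftp-directory' first, then
'local-user <name> ftp-directory', then 'sftp server default-directory'.
Assumption: a configured directory that does not exist is skipped in favour
of the next one, and the login fails when none of them exists. The config
excerpt and the set of existing directories are constructed.
"""
import re

SSH_DIR_RE = re.compile(r"^\s*ssh user (\S+) sftp-directory (\S+)")
LOCAL_DIR_RE = re.compile(r"^\s*local-user (\S+) ftp-directory (\S+)")
DEFAULT_DIR_RE = re.compile(r"^\s*sftp server default-directory (\S+)")


def parse(config: str) -> dict:
    """Collect the three kinds of directory settings from a config excerpt."""
    state = {"ssh_dir": {}, "local_dir": {}, "default_dir": None}
    for line in config.splitlines():
        if m := SSH_DIR_RE.match(line):
            state["ssh_dir"][m.group(1)] = m.group(2)
        elif m := LOCAL_DIR_RE.match(line):
            state["local_dir"][m.group(1)] = m.group(2)
        elif m := DEFAULT_DIR_RE.match(line):
            state["default_dir"] = m.group(1)
    return state


def effective_sftp_root(state: dict, user: str, existing_dirs: set) -> tuple:
    """Return (source, directory) for the directory the user will land in.

    source is 'fail' when no configured directory exists on the device;
    the directory returned in that case is the first one that was configured."""
    candidates = [
        ("ssh user sftp-directory", state["ssh_dir"].get(user)),
        ("local-user ftp-directory", state["local_dir"].get(user)),
        ("sftp server default-directory", state["default_dir"]),
    ]
    configured = [path for _, path in candidates if path is not None]
    for source, path in candidates:
        if path is not None and path in existing_dirs:
            return source, path
    return "fail", (configured[0] if configured else None)


# Constructed excerpt; bob's local-user directory is deliberately missing from the flash.
SAMPLE_CONFIG = """\
sftp server default-directory flash:/
ssh user testuser sftp-directory flash:/ssh
local-user testuser ftp-directory flash:/ftp
local-user bob ftp-directory flash:/bob
"""
EXISTING_DIRS = {"flash:/", "flash:/ssh", "flash:/ftp"}

if __name__ == "__main__":
    state = parse(SAMPLE_CONFIG)
    for user in ("testuser", "bob", "carol"):
        print(user, effective_sftp_root(state, user, EXISTING_DIRS))
```

With the constructed excerpt, testuser is confined to flash:/ssh even though a local-user ftp-directory is also set, while bob falls back to the server default because flash:/bob does not exist; remove the default-directory line and bob's SFTP login fails.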

Example

# Create an SSH user named testuser.
<HUAWEI> system-view
[HUAWEI] ssh user testuser
# Assign an ECC public key named key1 to the user named testuser.
<HUAWEI> system-view
[HUAWEI] ssh user testuser assign ecc-key key1
# Assign the key named sm2key001 to user testuser.
<HUAWEI> system-view
[HUAWEI] ssh user testuser assign sm2-key sm2key001
# Configure the service type for SSH user testuser.
<HUAWEI> system-view
[HUAWEI] ssh user testuser service-type all
# Set the authentication type to ECC for the SSH user named ssh_user1@dom1.
<HUAWEI> system-view
[HUAWEI] ssh user ssh_user1@dom1 authentication-type ecc
# Configure the SFTP service authorized directory of SSH users as flash:/ssh.
<HUAWEI> system-view
[HUAWEI] ssh user testuser sftp-directory flash:/ssh
# Delete the SSH user user123.
<HUAWEI> system-view
[HUAWEI] undo ssh user user123
# Assign a PKI certificate to an SSH user.
<HUAWEI> system-view
[HUAWEI] ssh user testuser assign pki default
Warning: A preset certificate is loaded to the specified PKI domain. The current operation has security risks. Continue? [Y/N]:Y
[HUAWEI]

ssh user cert-verify-san enable

Function

The ssh user cert-verify-san enable command enables SAN/CN verification.

By default, the system does not check whether the common name (CN) or subject alternative name (SAN) in the certificate contains the domain name of the authenticated user.

Format

ssh user user-name cert-verify-san enable

undo ssh user user-name cert-verify-san enable

Parameters

Parameter Description Value
user-name

Indicates the name of an SSH user.

The value is a string of 1 to 253 case-sensitive characters, spaces not supported.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To ensure security, the common name (CN) or subject alternative name (SAN) in the certificate is verified.

Prerequisites

A PKI domain name has been specified for the SSH user.

Example

# Enable SAN/CN verification for the SSH user aa.
<HUAWEI> system-view
[HUAWEI] ssh user aa cert-verify-san enable

ssh user service-type

Function

The ssh user service-type command configures the service type for the SSH user.

The undo ssh user service-type command cancels the service type for the SSH user and restores the default configuration, that is, no service type is adopted.

By default, the service type of the SSH user is not configured.

Format

ssh user user-name service-type all

Parameters

Parameter Description Value
user-name

Indicates the name of an SSH user.

The name is a string of 1 to 253 characters.

all

Indicates that SFTP, STelnet, SCP, or SNETCONF can be used as the service mode.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

If the user does not exist, a new SSH user with the specified user-name is created and the configured service type is adopted for the user.

Example

# Configure the service type for SSH users.
<HUAWEI> system-view
[HUAWEI] ssh user john service-type all

stelnet

Function

The stelnet command enables the system to log in to another device from the current device through STelnet.

Format

stelnet ipv6 [ -a source-ipv6-address ] [ -force-receive-pubkey ] host-ipv6-address [ [ public-net | -vpn-instance vpn-instance-name ] | [ -oi { interface-name | interface-type interface-number } ] | [ server-port ] | [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

stelnet -i { interface-name | interface-type interface-number } [ -force-receive-pubkey ] host-ip-address [ server-port ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

stelnet [ -a source-ip-address ] [ -force-receive-pubkey ] host-ip-address [ server-port ] [ [ prefer_kex prefer_kex ] | [ prefer_ctos_cipher prefer_ctos_cipher ] | [ prefer_stoc_cipher prefer_stoc_cipher ] | [ prefer_ctos_hmac prefer_ctos_hmac ] | [ prefer_stoc_hmac prefer_stoc_hmac ] | [ prefer_ctos_compress zlib ] | [ prefer_stoc_compress zlib ] | [ -vpn-instance vpn-instance-name ] | [ -ki interval ] | [ -kc count ] | [ identity-key identity-key-type ] | [ user-identity-key user-key ] ] *

Parameters

Parameter Description Value
-a source-ipv6-address

Specifies the source IPv6 address of STelnet.

The value is a 32-digit hexadecimal number in the format X:X:X:X:X:X:X:X.

-a source-ip-address

Specifies the source IP address of STelnet.

The value is in dotted decimal notation.

-force-receive-pubkey

Indicates that a server forcibly receives public key authentication.

-

host-ipv6-address

Specifies the IP address or host name of the remote system (IPv6-based STelnet server).

The value is a string of case-sensitive characters. It cannot contain spaces.

public-net

Specifies the public network where the SSH server resides.

If you have run the set net-manager vpn-instance command to configure the default VPN instance used for an NMS to manage devices and want to use SSH to access a public network server, you must specify this parameter.

-

-vpn-instance vpn-instance-name

Specifies a VPN instance name.

The value is a string of 1 to 31 case-sensitive characters without spaces. The VPN instance name cannot be _public_. If the character string is quoted by double quotation marks, the character string can contain spaces.

-oi

Specifies the source interface for the IPv6 client. The IPv6 address configured in this interface view is the source IPv6 address of outbound packets. If no IPv6 address is configured for the source interface, the connection cannot be set up.

-

interface-type interface-number

Specifies the source interface for the client, including the type and number of the interface.

-

server-port

Specifies the port number of the SSH server.

The value is an integer ranging from 1 to 65535. The default port number is 22.

prefer_kex prefer_kex

Specifies the preferred algorithm for key exchange.

The options are as follows:

  • dh_group1_sha1
  • dh_group_exchange_sha1
  • sm2_kep
  • dh-group-exchange-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • dh_group14_sha1
  • dh_group16_sha512
  • curve25519_sha256
prefer_ctos_cipher prefer_ctos_cipher

Specifies the preferred encryption algorithm for packets from the client to the server.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_stoc_cipher prefer_stoc_cipher

Specifies the preferred encryption algorithm for packets from the server to the client.

Encryption algorithms supported depend on the ssh client cipher command settings.

prefer_ctos_hmac prefer_ctos_hmac

Specifies the preferred HMAC algorithm for packets from the client to the server.

The preferred HMAC algorithms supported depend on the HMAC algorithm type configured using the ssh client hmac command.

prefer_stoc_hmac prefer_stoc_hmac

Specifies the preferred HMAC algorithm for packets from the server to the client.

The preferred HMAC algorithms supported depend on the HMAC algorithm type configured using the ssh client hmac command.

prefer_ctos_compress

Specifies the preferred compression algorithm for packets from the client to the server. Only the ZLIB algorithm is supported.

-

zlib

Specifies the preferred compression algorithm is ZLIB.

-

prefer_stoc_compress

Specifies the preferred compression algorithm for packets from the server to the client. Only the ZLIB algorithm is supported.

-

-ki interval

Specifies an interval at which keepalive packets are sent if no data is received.

The value is an integer in the range of 1 to 3600, in seconds.

-kc count

Specifies the maximum number of times that a server does not respond to keepalive packets.

The value is an integer ranging from 1 to 30.

identity-key identity-key-type

Specifies the public key for server authentication.

Currently, RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, SM2, and ECC are supported. The default public key algorithms are RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm for higher security.

user-identity-key user-key

Specifies the public key for user authentication.

Currently, RSA_SHA2_512, RSA_SHA2_256, RSA, DSA, SM2, and ECC are supported. The default public key algorithms are RSA_SHA2_512 and RSA_SHA2_256.

To ensure high security, do not use the RSA algorithm whose length is less than 2048 bits. You are advised to use the RSA SHA2-512 or RSA SHA2-256 authentication algorithm for higher security.

-i

Specifies the egress interface corresponding to the link-local address or host name.

-

host-ip-address

Specifies the IP address or host name of the remote system (IPv4-based STelnet server).

The value is a string of 0 to 4294967295 case-sensitive characters, spaces not supported.

ipv6

Indicates login to another device from the current device through IPv6 STelnet.

-

Views

User view, System view

Default Level

0: Visit level

Usage Guidelines

Usage Scenario

  • Logins by using Telnet bring security risks because Telnet does not provide any secure authentication mechanism and data is transmitted by using TCP in plain text. Compared with Telnet, SSH guarantees secure file transfer on a traditional insecure network by authenticating clients and encrypting data in bidirectional mode. The SSH protocol supports STelnet. You can run this command to use STelnet to log in to another device from the current device.
  • STelnet is a secure Telnet service. SSH users can use the STelnet service in the same way as the Telnet service.
  • When the STelnet server or its connection to a client fails, the client must detect the fault in time and release the connection. To achieve this goal, before a client logs in to the server through STelnet, configure an interval at which keepalive packets are sent if no data is received and the maximum number of times that the server does not respond. If the client does not receive any data within the specified interval, it sends a keepalive packet to the server. If the maximum number of times that the server does not respond exceeds the specified value, the client tears down the connection.

Prerequisites

The VPN instance to be specified in this command has been configured.

The STelnet service has been enabled on the SSH server using the stelnet server enable command.

Precautions

  • If the SSH server monitors port number 22, you may not specify the port number for SSH login.
  • A secure algorithm is required to ensure high security. The STelnet client and the gateway NE in a DCN plug-and-play scenario must support the AES128_CTR, AES256_CTR, AES192_CTR, AES128_GCM, or AES256_GCM algorithm.
  • You must run the ssh client first-time enable command on the STelnet client to enable first login for the SSH client.
  • To ensure compatibility after an upgrade, the stelnet command can be run in the system view.

Example

# Connect to a remote STelnet server.
<HUAWEI> stelnet -a 10.1.1.1 10.164.39.120 prefer-kex dh-group1 prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1 -vpn-instance vpn01 -ki 2 -kc 4
Trying 10.164.39.120...
Press CTRL+K to abort
Connected to 10.164.39.120...
Please input the username: client001
Enter password:
# Connect to a remote IPv6 STelnet server.
<HUAWEI> stelnet ipv6 2001:db8:1::1 1025 prefer-kex dh-group1 prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1 -vpn-instance vpn01
Trying 2001:db8:1::1...
Press CTRL+K to abort
Connected to 2001:db8:1::1...
Please input the username: client001
Enter password:
# Connect to the STelnet server at remote location.
<HUAWEI> stelnet -a 10.1.1.1 10.164.39.120 prefer_kex dh_exchange_group prefer_ctos_cipher aes128 prefer_stoc_cipher aes128 prefer_ctos_hmac sha1 prefer_stoc_hmac sha1 -vpn-instance vpn01 -ki 2 -kc 4
Trying 10.164.39.120...
Press CTRL+K to abort
Connected to 10.164.39.120...
Please input the username: client001
Enter password:
Info: The number of current VTY users on line is 1.
      The current login time is 2015-10-18 10:52:13.
# Connect to the STelnet server at remote location with IPv6 address.
<HUAWEI> stelnet ipv6 2001:db8:1::1 1025 prefer-kex dh-group1 prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 prefer-ctos-hmac sha1 prefer-stoc-hmac sha1 -vpn-instance vpn01
Trying 2001:db8:1::1...
Press CTRL+K to abort
Connected to 2001:db8:1::1...
Please input the username: client001
Enter password:
Info: The number of current VTY users on line is 1.
      The current login time is 2011-10-18 10:54:33.
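The Precautions require AES CTR/GCM ciphers, yet the examples above negotiate dh-group1, aes128 and sha1. The following added example (not part of the Huawei command reference) parses stelnet client command lines in both keyword forms that appear on this page, the hyphenated prefer-kex form and the older underscore prefer_kex form, and reports preferences outside an allow-list. The cipher allow-list is the CTR/GCM set named under Precautions; the key-exchange and HMAC rules are this example's own assumption from general SSH guidance (1024-bit dh-group1 and SHA-1 or MD5 MACs are deprecated), not something the page states, and the hardened command line is constructed with assumed keyword spellings.

```python
"""Flag legacy algorithm preferences in stelnet client command lines.

Added example, not part of the Huawei command reference. It parses a stelnet
command in either the hyphenated form (prefer-kex ...) or the older underscore
form (prefer_kex ...), both of which appear in the examples above, and reports
preferences that fall outside an allow-list. The cipher allow-list is the
CTR/GCM set named under Precautions. The key-exchange and HMAC rules are this
example's own assumption from general SSH guidance (1024-bit dh-group1 and
SHA-1 or MD5 MACs are deprecated), not something the page states, and the
"hardened" command line below uses keyword spellings assumed for illustration.
"""
import re

# Ciphers the Precautions section requires (normalised to lower case, '_').
ALLOWED_CIPHERS = {"aes128_ctr", "aes192_ctr", "aes256_ctr", "aes128_gcm", "aes256_gcm"}


def _norm(token):
    return token.lower().replace("-", "_")


def parse_stelnet(cmdline):
    """Split a stelnet command line into host, port and option dictionaries."""
    toks = cmdline.split()
    if not toks or toks[0] != "stelnet":
        raise ValueError("not a stelnet command line")
    p = {"ipv6": False, "source": None, "host": None, "port": 22, "prefs": {}, "opts": {}}
    i = 1
    if i < len(toks) and toks[i] == "ipv6":          # stelnet ipv6 <addr> [port] ...
        p["ipv6"], i = True, i + 1
    if i + 1 < len(toks) and toks[i] == "-a":        # -a <source address>
        p["source"], i = toks[i + 1], i + 2
    if i >= len(toks):
        raise ValueError("missing server address")
    p["host"], i = toks[i], i + 1
    if i < len(toks) and toks[i].isdigit():          # optional non-default port
        p["port"], i = int(toks[i]), i + 1
    while i + 1 < len(toks):                         # remaining tokens are keyword/value pairs
        key, val = toks[i].lower().replace("_", "-"), toks[i + 1]
        if key.startswith("prefer-"):
            p["prefs"][key[len("prefer-"):]] = _norm(val)   # e.g. ctos-cipher -> aes128
        else:
            p["opts"][key.lstrip("-")] = val                # vpn-instance, ki, kc
        i += 2
    return p


def audit(cmdline):
    """Return (parsed, findings); findings is empty when every preference passes."""
    p = parse_stelnet(cmdline)
    findings = []
    for role, alg in sorted(p["prefs"].items()):
        if role.endswith("cipher") and alg not in ALLOWED_CIPHERS:
            findings.append(f"{role}: {alg} is not one of the required AES CTR/GCM modes")
        elif role == "kex" and (alg == "dh_group1" or alg.endswith("sha1")):
            findings.append(f"{role}: {alg} relies on 1024-bit DH and/or SHA-1")
        elif role.endswith("hmac") and re.match(r"(sha1|md5)(_96)?$", alg):
            findings.append(f"{role}: {alg} is a SHA-1/MD5 MAC")
        # A group-exchange keyword (dh_exchange_group) does not reveal its hash,
        # so it is deliberately not flagged here.
    return p, findings


# Command lines copied from the examples above.
PAGE_IPV4 = ("stelnet -a 10.1.1.1 10.164.39.120 prefer-kex dh-group1 "
             "prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 "
             "prefer-ctos-hmac sha1 prefer-stoc-hmac sha1 -vpn-instance vpn01 -ki 2 -kc 4")
PAGE_IPV6 = ("stelnet ipv6 2001:db8:1::1 1025 prefer-kex dh-group1 "
             "prefer-ctos-cipher aes128 prefer-stoc-cipher aes128 "
             "prefer-ctos-hmac sha1 prefer-stoc-hmac sha1 -vpn-instance vpn01")
# Constructed hardened variant; algorithm keyword spellings are assumed.
HARDENED = ("stelnet 10.164.39.120 prefer-kex dh-group16-sha512 "
            "prefer-ctos-cipher aes256-gcm prefer-stoc-cipher aes256-gcm "
            "prefer-ctos-hmac sha2-256 prefer-stoc-hmac sha2-256 -ki 2 -kc 4")

if __name__ == "__main__":
    for line in (PAGE_IPV4, PAGE_IPV6, HARDENED):
        parsed, findings = audit(line)
        print(parsed["host"], parsed["port"], findings or "OK")
```

Run against the page's own IPv4 and IPv6 examples, the audit raises five findings each (both cipher directions, both HMAC directions and the key exchange); the constructed hardened line raises none. The check is on the client's stated preferences only: what is actually negotiated depends on the server's algorithm lists as well.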

stelnet server enable

Function

The stelnet server enable command enables the STelnet service on the SSH server.

The undo stelnet server enable command disables the STelnet service on the SSH server.

By default, the STelnet service is not enabled on the SSH server.

Format

stelnet server enable

undo stelnet server enable

Parameters

Parameter Description Value
server

Specifies the STelnet server.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • To enable TCP port 22 to support the STelnet service, run the stelnet server enable command. A client can connect to a remote SSH server by STelnet only after the STelnet service is enabled on the SSH server.
  • The stelnet server enable command enables both IPv4 and IPv6 STelnet services on the SSH server.
  • After you disable the STelnet service on the SSH server, all clients that have logged in through STelnet are disconnected.

Example

# Enable the STelnet service on the SSH server.
<HUAWEI> system-view
[HUAWEI] stelnet server enable

stelnet server enable (System view)

Function

The stelnet ipv4 server enable command enables the IPv4 STelnet service on the SSH server, and the stelnet ipv6 server enable command enables the IPv6 STelnet service on the SSH server.

The undo stelnet ipv4 server enable and undo stelnet ipv6 server enable commands disable the IPv4 and IPv6 STelnet services, respectively, on the SSH server.

By default, neither the IPv4 nor the IPv6 STelnet service is enabled on the SSH server.

Format

stelnet ipv4 server enable

stelnet ipv6 server enable

undo stelnet ipv4 server enable

undo stelnet ipv6 server enable

Parameters

Parameter Description Value
ipv6

Enables the IPv6 STelnet service.

-

ipv4

Enables the IPv4 STelnet service.

-

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

  • To enable TCP port 22 to accept STelnet connections for a single address family, run the stelnet ipv4 server enable or stelnet ipv6 server enable command. A client can connect to a remote SSH server by STelnet only after the STelnet service for the address family it uses is enabled on the SSH server.
  • The stelnet ipv4 server enable command enables the IPv4 STelnet service on the SSH server. The stelnet ipv6 server enable command enables the IPv6 STelnet service on the SSH server.
  • After you disable the STelnet service for an address family on the SSH server, all clients that have logged in through STelnet over that address family are disconnected.

Example

# Enable the IPv4 STelnet service on the SSH server.
<HUAWEI> system-view
[HUAWEI] stelnet ipv4 server enable
# Enable the IPv6 STelnet service on the SSH server.
[HUAWEI] stelnet ipv6 server enable
Update Date:2024-12-20
Document ID:EDOC1100305021