The USG9310 firewall version is V100R003C00SPC200, and the patch version is SPH203. A customer used to log in to the USG9310 through XXX. Now to ensure security, the customer wants to maintain the USG9310 through SSH. However, after completing the SSH service configuration on the USG9310 according to the configuration guide, the customer fails to log in to the USG9310 through SSH.
1. Use the ping command to perform ping tests between the SSH client and the USG9310. The ping operations succeed. Go to the next step.
2. Respectively use SSH 1.5 and SSH 2.0 on the SSH client to log in to the USG9310. Logins fail. Go to the next step.
3. Check the data inter-zone rule on the USG9310. The rule between the local zone and untrust zone has opened the SSH protocol. Go to the next step.
4. Check the SSH login configuration on the USG9310.
User huawei has been added to the AAA authentication scheme, and the service type is SSH.
local-user huawei password cipher "@J*U2S*(7FC*,%;A&VB2Q!!
local-user huawei service-type terminal telnet ssh
local-user huawei level 15
The SSH service has been enabled on the USG9310 using the stelnet server enable command.
stelnet server enable
ssh authentication-type default password
ssh user huawei
ssh user huawei service-type sftp
Therefore, the SSH local key may be faulty.
5. Configure a local key on the USG9310. The USG9310 displays the following information:
HRP_M[HELAF-PS-IMS-FW01-HWE8080E]rsa local-key-pair create
% Fail to create RSA host keys.
% Error occurred when get key name, please check the hostname.
The USG9310 system name is used during the configuration of a local key on a USG9310. The system name can contain a maximum of 25 characters. However, the local USG9310 system name contains 26 characters. As a result, the system displays error information during the local key configuration. To rectify the fault, change the system name to a character string with fewer than 25 characters, generate a local key, and then change the system name back to the original one.
The SSH client can log in to the USG9310.
1. The route between the SSH client and the USG9310 is unreachable.
2. The SSH client uses a different SSH version from the USG9310.
3. The SSH protocol is not allowed in the rule for the USG9310 local zone and the untrust zone.
4. The SSH service configuration on the USG9310 is incorrect.
5. The USG9310 does not generate a local key to negotiate with the remote SSH client. Therefore, negotiation fails.
Development of the Internet increases people's concern on network security. SSH provides high security and starts being widely used to maintain devices. Therefore, we must configure the SSH login mode according to the configuration guide and be familiar with device features.