Stelnet (secure telnet) login is also known as SSH (Secure Shell) login.
----------- Required configuration ---------------
1. First generate a key pair with the chosen algorithm. It is used to encrypt and protect data in transit; it is stored on the switch but not in the configuration file.
[Huawei]rsa local-key-pair create
[Huawei]dsa local-key-pair create
Example:
[Huawei]rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:1024 # set the key length in bits
Generating keys...
.................................................++++++
.++++++
............++++++++
..............................++++++++
[Huawei]
# After the client logs in to the SSH server it automatically obtains the assigned key
2. Enable the SSH (Stelnet) server function on the device
[Huawei]stelnet server enable
3. Create an SSH user and specify its login authentication method
[Huawei]ssh user sshtest authentication-type ?
all Any authentication mode, any one of password, RSA, and DSA
dsa DSA authentication
password Password authentication
password-dsa Both password and DSA authentication modes
password-rsa Both password and RSA authentication modes
rsa RSA authentication
4. Set the SSH user's service type
[Huawei]ssh user sshtest service-type ?
all Set all service type
sftp Set SFTP service type
stelnet Set Stelnet service type
When authenticating with password, password-dsa or password-rsa, a local user with the same name must be created in the AAA view, and its service type and privilege level must be set.
5. Reference configuration:
[Huawei-aaa]local-user sshtest password cipher 123456
[Huawei-aaa]local-user sshtest service-type ssh
[Huawei-aaa]local-user sshtest privilege level 3
When authenticating with DSA or RSA, a local RSA or DSA key pair must be generated on both the server and the client, and each side must have the other side's public key configured locally.
The detailed configuration, which is rarely used in practice, is as follows:
6. Configure the name of the peer's RSA or DSA public key and enter the public key editing view (RSA as the example)
[Huawei]rsa peer-public-key 001
Enter "RSA public key" view, return system view with "peer-public-key end".
[Huawei-rsa-public-key]
7. Start entering the public key [1]
[Huawei-rsa-public-key]public-key-code begin
[Huawei-rsa-key-code] A8268E05 56254CD1 D73FA4C6 2356FFFC 0567C814
[Huawei-rsa-key-code] 5EB8CE45 83B18D2A 9A90B558 0A260DD5 49B4CA18
...
8. Finish editing the public key and return to the public key view
[Huawei-rsa-key-code]public-key-code end
[Huawei-rsa-public-key]
9. Return to the system view
[Huawei-rsa-public-key]peer-public-key end
[Huawei]
10. Assign the existing public key to the user
[Huawei]ssh user user-name assign rsa-key 001
----------- Optional configuration -------------
1. Optional SSH server configuration
[Huawei]ssh server ?
authentication-retries Set the authentication times # number of SSH login retries, limits illegal login attempts
compatible-ssh1x Set the compatible ssh1x # make the SSH server compatible with older SSH protocol versions
port Set the port attribute # change the SSH server port (default 22)
rekey-interval Set the interval generated by the SSH sever key # configure the SSH server key update interval
timeout Set the authentication timeout # set the SSH authentication timeout (the connection is dropped if login has not succeeded within this time)
[Huawei]ssh server authentication-retries 3
2. Configure command-line authorization for a specified SSH user [2]
[Huawei]ssh user xia authorization-cmd aaa
===================================
1. View the public key part of the local key pair
[Huawei]display rsa local-key-pair public
=====================================================
Time of Key pair created: 10:35:36 2015/9/23
Key name: Huawei_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
A8268E05 56254CD1 D73FA4C6 2356FFFC 0567C814
5EB8CE45 83B18D2A 9A90B558 0A260DD5 49B4CA18
0025AE4D 728FC5A2 7597DEF5 2A267D0A 9ACC27E9
02393E9D F7ADCB6E 4E48523B 835C1BB8 D6319DF3
AC32DF82 73E8B5BC AB57C22A 250B19E8 08BE3AD9
D006FD50 A072663E 045B2470 D7CBF1B6 87FF2A03
8BC34D1B E1E67A9B
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQCoJo4FViVM0dc/pMYjVv/8BWfIFF64zkWD
sY0qmpC1WAomDdVJtMoYACWuTXKPxaJ1l971KiZ9CprMJ+kCOT6d963Lbk5IUjuD
XBu41jGd86wy34Jz6LW8q1fCKiULGegIvjrZ0Ab9UKByZj4EWyRw18vxtof/KgOL
w00b4eZ6mw==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCoJo4FViVM0dc/pMYjVv/8BWfIFF64zkWDsY0qmpC1W
AomDdVJtMoYACWuTXKPxaJ1l971KiZ9CprMJ+kCOT6d963Lbk5IUjuDXBu41jGd86wy34Jz6LW8q1fCKi
ULGegIvjrZ0Ab9UKByZj4EWyRw18vxtof/KgOLw00b4eZ6mw== rsa-key
=====================================================
Time of Key pair created: 10:35:36 2015/9/23
Key name: Huawei_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
E91B1261 A2B31920 132AA32B C4CA7F82 D8F2B7F4
BCC2693D 4C6DA486 10F87A22 C945688E CC690A03
8B0B4742 2DC3476F 96B501C8 CF6718EE 8BA89736
9565AC4B A34A5543 5CA5DA87 BA4F0C62 C64A7AF0
5F596BEE D2DF3260 61EF61B6 B68BE7CF
0203
010001
[Huawei]
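Added example, not part of the original note: a Python script that parses the "Key code" hex shown above (the same hex that is pasted in step 7), rebuilds the OpenSSH "ssh-rsa ..." line and computes the SHA256 fingerprint, so the host key read over the console can be compared with the fingerprint the client shows on first connection. It uses the Huawei_Host key above as input; that the switch writes the modulus without the leading 0x00 pad strict DER would use is an observation from that output, not documented behaviour.

```python
import base64
import hashlib
import struct
# "Key code" hex for Huawei_Host, copied from the page's
# "display rsa local-key-pair public" output (whitespace is ignored).
HOST_KEY_CODE = """
308188 028180
A8268E05 56254CD1 D73FA4C6 2356FFFC 0567C814 5EB8CE45 83B18D2A 9A90B558
0A260DD5 49B4CA18 0025AE4D 728FC5A2 7597DEF5 2A267D0A 9ACC27E9 02393E9D
F7ADCB6E 4E48523B 835C1BB8 D6319DF3 AC32DF82 73E8B5BC AB57C22A 250B19E8
08BE3AD9 D006FD50 A072663E 045B2470 D7CBF1B6 87FF2A03 8BC34D1B E1E67A9B
0203 010001
"""

def _read_tlv(buf, off):
    # One DER tag-length-value; handles short and 0x81/0x82 long-form lengths.
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def parse_key_code(hex_text):
    # SEQUENCE { INTEGER n, INTEGER e }; the switch writes the modulus without
    # the 0x00 pad strict DER would require, which int.from_bytes() tolerates.
    tag, body, _ = _read_tlv(bytes.fromhex("".join(hex_text.split())), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE, got tag 0x%02X" % tag)
    _, n_bytes, off = _read_tlv(body, 0)
    _, e_bytes, _ = _read_tlv(body, off)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _mpint(x):
    # SSH mpint: big-endian, prefixed with 0x00 when the top bit is set.
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return struct.pack(">I", len(b)) + b

def to_openssh(hex_text, comment="rsa-key"):
    # Rebuild the "ssh-rsa AAAA..." line (RFC 4253 wire format, base64).
    n, e = parse_key_code(hex_text)
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def sha256_fingerprint(openssh_line):
    # Same value OpenSSH shows on first connection (ssh-keygen -l -E sha256).
    blob = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

The rebuilt line matches the "Public key code for pasting into OpenSSH authorized_keys file" text above; the same parser also reads the 768-bit Huawei_Server key, which uses short-form lengths (3067 / 0260).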
2. Display SSH (Stelnet) information
[Huawei]display ssh ?
server SSH server information
server-info Display server information
user-information SSH user information
----------------
[Huawei]display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable
SSH server source :0.0.0.0
[Huawei]display ssh server session
[Huawei]display ssh server ?
session Server session
status Server state
[Huawei]display ssh server-info
Server Name(IP) Server Public Key Type Server public key name
______________________________________________________________________________
[Huawei]display ssh user-information ?
STRING<1-64> The specified user name
| Matching output
[Huawei]display ssh user-information
User 1:
User Name : sshtest
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
[1] Use display rsa (dsa) local-key-pair public to view the key generated by dsa local-key-pair create or rsa local-key-pair create.
[2] Only takes effect for SSH users that use RSA or DSA authentication; after enabling it, configure AAA authorization.