Using the STelnet V1 protocol poses a security risk; it is recommended to log in to the device with STelnet V2.
1. Generate a local key pair
The key pair is stored on the switch but is not saved in the configuration file.
[Huawei]rsa ?
key-pair RSA key pair
local-key-pair Local RSA public key pair operations
peer-public-key Remote peer RSA public key configuration
[Huawei]rsa local-key-pair ?
create Create new local public key pairs
destroy Destroy the local public key pairs # destroys the local key pair
[Huawei]rsa local-key-pair create
The key name will be: Huawei_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:1024 # The longer the key pair, the more secure it is; use the maximum key length
Generating keys...
.......++++++
.++++++
........................++++++++
..........++++++++
or
[Huawei]dsa local-key-pair ?
create Create a new local key-pair
destroy Destroy the local key-pair
[Huawei]dsa local-key-pair create
Info: The key name will be: Huawei_Host_DSA.
Info: The key modulus can be any one of the following : 512, 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=512]:1024
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
----------------------View the key pair-----------------------
[Huawei]display dsa local-key-pair public
=====================================================
Time of Key pair created: 11:37:32 2016/3/30
Key name : Huawei_Host_DSA
Key modulus : 1024
Key type : DSA encryption Key
=====================================================
Key code:
3082019F
028180
A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C
9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC
54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E
7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898
43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368
9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4
0B752AC7 817E877F
0214
CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180
6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2
C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3
AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66
C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B
264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328
C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E
F459F826 B9A5CF6D
028180
7F379C46 85328DCE F9603A92 2EF0FF48 84C7560E
D3E0660C B7ED2F84 39219FEB 61BDE65A F9B55D45
AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB
31980AEE E4D6BD98 8003E903 8FD54933 26948C87
CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611
2D2573C7 1A19AA43 A9AAF80B 3A6F3B37 CB737102
744D0A49 F9636680
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ
7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeS
c2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBt
MgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbF
WuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570
WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06
UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSMh80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOp
qvgLOm87N8tzcQJ0TQpJ+WNmgA== dsa-key
[Huawei]
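The two printouts above describe the same host key: the OpenSSH line is what a client stores in known_hosts, and the fingerprint derived from it is what the client shows on the first connection. The Python below is an added example, not code from the page or from Huawei: it parses the `ssh-dss` line (RFC 4253 wire format), parses the `Key code` dump as a DER sequence, checks that both agree, runs a basic DSA parameter sanity check, and prints the SHA256 fingerprint in the form OpenSSH displays it. The key values are those printed above (p as its full 128 bytes); all function names are the example's own.

```python
"""Cross-check a Huawei STelnet host key and derive its fingerprint (added example)."""
import base64
import hashlib
import struct

# OpenSSH-format line as printed by the switch, with the console line breaks removed.
OPENSSH_LINE = (
    "ssh-dss "
    "AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ"
    "7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeS"
    "c2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBt"
    "MgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbF"
    "WuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570"
    "WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06"
    "UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSMh80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOp"
    "qvgLOm87N8tzcQJ0TQpJ+WNmgA== dsa-key"
)

# "Key code" dump of the same key: DER SEQUENCE { INTEGER p, q, g, y }. The switch omits
# DER's leading 0x00 sign byte on the 128-byte values, so they are read as unsigned.
KEY_CODE_HEX = """
3082019F
028180 A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18
8CB7D858 6B50EEBC 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31 35CD78F7
E002FB6B 4CB59BA5 E2CDB898 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368 9914AF09
6CFDC125 6CC8A07F DDDE603B F31C4EA4 0B752AC7 817E877F
0214 CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27
028180 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2 C8D00C3D 666F61D4 F2E36445
4027FD04 0D61B2A3 AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66 C55AE0F6 69530C14
1B33A5A1 CF77D636 75A5EF3B 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328 C14BA7F3
CA0D198B 3ED94368 45BA5E89 F1ADB79E F459F826 B9A5CF6D
028180 7F379C46 85328DCE F9603A92 2EF0FF48 84C7560E D3E0660C B7ED2F84 39219FEB
61BDE65A F9B55D45 AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB 31980AEE E4D6BD98
8003E903 8FD54933 26948C87 CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611 2D2573C7
1A19AA43 A9AAF80B 3A6F3B37 CB737102 744D0A49 F9636680
"""

def parse_openssh_pubkey(line):
    """Return (key type, [integers]) from an OpenSSH public-key line (RFC 4253 wire format)."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    fields, pos = [], 0
    while pos < len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])  # uint32 length prefix
        pos += 4
        fields.append(blob[pos:pos + length])
        pos += length
    if pos != len(blob) or fields[0].decode("ascii") != key_type:
        raise ValueError("malformed OpenSSH key blob")
    return key_type, [int.from_bytes(f, "big") for f in fields[1:]]

def _der_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_key_code(hex_dump):
    """Return [p, q, g, y] from the Key code dump (whitespace and line breaks are ignored)."""
    data = bytes.fromhex("".join(hex_dump.split()))
    if data[0] != 0x30:
        raise ValueError("Key code is not a DER SEQUENCE")
    seq_len, pos = _der_length(data, 1)
    if pos + seq_len != len(data):
        raise ValueError("SEQUENCE length does not match the dump")
    ints = []
    while pos < len(data):
        if data[pos] != 0x02:
            raise ValueError("expected a DER INTEGER")
        length, pos = _der_length(data, pos + 1)
        ints.append(int.from_bytes(data[pos:pos + length], "big"))
        pos += length
    return ints

def sha256_fingerprint(line):
    """Fingerprint of the key blob as OpenSSH prints it: SHA256:<base64 without padding>."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_host_key(line=OPENSSH_LINE, key_code_hex=KEY_CODE_HEX):
    """Compare both printouts and collect what an operator should record before first login."""
    key_type, ints = parse_openssh_pubkey(line)
    p, q, g, y = ints
    return {
        "type": key_type,
        "p_bits": p.bit_length(),
        "q_bits": q.bit_length(),
        "matches_key_code": parse_key_code(key_code_hex) == ints,
        # DSA domain sanity: q divides p-1, g has order q, y lies in the group.
        "domain_ok": (p - 1) % q == 0 and pow(g, q, p) == 1 and 1 < y < p,
        "fingerprint": sha256_fingerprint(line),
    }

if __name__ == "__main__":
    print(check_host_key())
```

Recording the fingerprint at the console and comparing it with the value the client prompts for on the first STelnet login is what defeats a man-in-the-middle at that step; a key whose two printouts disagree, or whose parameters fail the domain check, should not be trusted. Note that OpenSSH 7.0 and later reject `ssh-dss` host keys by default, so the RSA pair from step 1, at the maximum length the step recommends, is the practical choice for current clients.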
2. Enable the STelnet server
[Huawei]stelnet server enable
3. Configure the SSH server port number
[Huawei]ssh server port ?
INTEGER<22,1025-55535> Set the port number, the default value is 22
4. Configure the key-pair update interval
[Huawei]ssh server rekey-interval ?
INTEGER<0-24> Set the interval (in hours), the default value is 0, which means the server will not generate the new key automatically
5. Configure the SSH authentication timeout
[Huawei]ssh server timeout ?
INTEGER<1-120> Set the authentication timeout, the default value is 60 seconds
6. Configure the number of SSH authentication retries
The number of SSH authentication retries limits how many times an SSH user may retry authentication on a connection request, which helps keep unauthorized users from logging in.
[Huawei]ssh server authentication-retries ?
INTEGER<1-5> Set the authentication times, the default value is 3 times
7. Enable compatibility with earlier SSH protocol versions
[Huawei]ssh server compatible-ssh1x ?
enable Enable or disable the compatibility with SSH1, the default value is enabled
8. Configure the source interface of the SSH server
A LoopBack interface must already have been created before the source interface of the SSH server is specified; otherwise this configuration cannot be executed.
[Huawei]ssh server-source -i ?
<null> Not exists loopback interface/<null>
9. Configure the access control list
[Huawei]ssh server acl 2001
10. Configure the account and password used to log in through SSH
See the VTY configuration for details.
11. Configure the VTY user interface to support the SSH protocol
[Huawei-ui-vty0-4]protocol inbound ?
all All protocols
ssh SSH protocol
telnet Telnet protocol
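The server-side settings from steps 2 to 11 are normally reviewed afterwards from the running configuration. The Python below is an added example, not code from the page or from Huawei: it splits a Huawei-style configuration into system-view lines and indented blocks, then reports which of the hardening points above are missing (STelnet enabled, SSH1.x compatibility disabled, a non-zero rekey interval, retries not above the default of 3, an ACL applied, and `protocol inbound ssh` on the VTY interfaces). Both configuration samples are constructed. The check for SSH1.x compatibility assumes that disabling it shows up as `undo ssh server compatible-ssh1x enable`; no assumption is made about the device default for `protocol inbound`.

```python
"""Audit the SSH-server lines of a Huawei VRP configuration (added example)."""

# Constructed sample: a switch where only the key pair and STelnet were set up.
WEAK_CONFIG = """\
#
 sysname Huawei
#
stelnet server enable
ssh server compatible-ssh1x enable
ssh server authentication-retries 5
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""

# Constructed sample after steps 2 to 11 were applied with hardened values.
HARDENED_CONFIG = """\
#
 sysname Huawei
#
acl number 2001
 rule 5 permit source 192.0.2.0 0.0.0.255
#
stelnet server enable
undo ssh server compatible-ssh1x enable
ssh server rekey-interval 1
ssh server timeout 60
ssh server authentication-retries 3
ssh server acl 2001
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

def split_config(text):
    """Return (system-view lines, {block header: [indented lines]})."""
    top, blocks, header = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            header = None  # '#' separates configuration blocks
            continue
        if raw[0] == " ":
            if header is not None:
                blocks.setdefault(header, []).append(raw.strip())
        else:
            header = raw.strip()
            top.append(header)
    return top, blocks

def _value(top, prefix):
    """Argument of the first system-view line that begins with `prefix`, or None."""
    for line in top:
        if line.startswith(prefix + " "):
            return line[len(prefix):].strip()
    return None

def audit_ssh_server(config_text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = split_config(config_text)
    findings = []
    if "stelnet server enable" not in top:
        findings.append("STelnet server is not enabled (stelnet server enable missing)")
    # Default is enabled (see 'ssh server compatible-ssh1x ?'); the undo form is assumed here.
    if "undo ssh server compatible-ssh1x enable" not in top:
        findings.append("SSH1.x compatibility is not disabled; only SSH V2 should be accepted")
    rekey = _value(top, "ssh server rekey-interval")
    if rekey is None or int(rekey) == 0:
        findings.append("ssh server rekey-interval is 0 (default): the host key pair is never regenerated")
    retries = _value(top, "ssh server authentication-retries")
    if retries is not None and int(retries) > 3:
        findings.append(f"ssh server authentication-retries {retries} is above the default of 3")
    if _value(top, "ssh server acl") is None:
        findings.append("no ssh server acl applied: every source address may reach the SSH server")
    for header, lines in blocks.items():
        if header.startswith("user-interface vty"):
            proto = [l.split()[-1] for l in lines if l.startswith("protocol inbound ")]
            if proto != ["ssh"]:
                shown = proto[0] if proto else "unset (device default)"
                findings.append(f"{header}: protocol inbound is {shown}; restrict it to ssh")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssh_server(cfg) or ["no findings"])
```

Run against the output of `display current-configuration` saved to a file, the same function gives a quick pass/fail list for each switch; the port number and timeout are deliberately not judged, since the page gives ranges for them but no recommended value.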
12. Create an SSH user
[Huawei]ssh user ?
STRING<1-64> The specified user name
[Huawei]ssh user 1
Info: Succeeded in adding a new SSH user.
[Huawei]
13. Configure the authentication mode of the SSH user
[Huawei]ssh user 1 ?
assign Set the key
authentication-type Authentication type
authorization-cmd Authorization mode
service-type Set service type
sftp-directory Set SFTP directory
[Huawei]ssh user 1 authentication-type ?
all Any authentication mode, any one of password, RSA, and DSA
dsa DSA authentication
password Password authentication
password-dsa Both password and DSA authentication modes
password-rsa Both password and RSA authentication modes
rsa RSA authentication
If no SSH user has been configured with the ssh user command, the ssh authentication-type default password command can be run directly so that SSH users are authenticated by password by default. When there are many users, the default password authentication simplifies the configuration: only the AAA users still need to be configured.
14. Configure the service type of the SSH user
[Huawei]ssh user 1 service-type ?
all Set all service type
sftp Set SFTP service type
stelnet Set Stelnet service type
[Huawei]ssh user 1 service-type stelnet
15. Configure command-line authorization for the SSH user, i.e. the user can only work through the command line
[Huawei]ssh user 1 authorization-cmd ?
aaa Set the AAA authorization mode
Password authentication is implemented through AAA: when a user logs in to the device with the password, password-rsa or password-dsa authentication mode, a local user with the same name must be created in the AAA view.
If the SSH user uses password authentication, only a local RSA or DSA key pair needs to be generated on the SSH server.
If the SSH user uses RSA or DSA authentication, a local RSA or DSA key pair must be generated on both the server and the client, and each side must have the other's public key configured locally.
16. For SSH users with password, password-dsa or password-rsa authentication, create a user with the same name under AAA
[Huawei-aaa]local-user 1 password irreversible-cipher 023wg.com
17. Configuration for SSH users with dsa, rsa, password-dsa or password-rsa authentication
17.1 Enter the RSA or DSA public key view
[Huawei]rsa peer-public-key 023wg.com
Enter "RSA public key" view, return system view with "peer-public-key end".
[Huawei-rsa-public-key]
or
[Huawei]dsa peer-public-key ?
STRING<1-30> Name of the peer public key
[Huawei]dsa peer-public-key 1 ?
encoding-type Encoding type of the remote peer's public key
[Huawei]dsa peer-public-key 1 encoding-type ?
der DER encoded public key # DER-encoded public key
pem PEM encoded public key # PEM-encoded public key
[Huawei]dsa peer-public-key 1 encoding-type der ?
[Huawei]dsa peer-public-key 1 encoding-type der
Info: Enter "DSA public key" view, return system view with "peer-public-key end".
[Huawei-dsa-public-key]
[Huawei-rsa-public-key]public-key-code ?
begin Begin to input public key code
[Huawei-rsa-public-key]public-key-code begin ?
[Huawei-rsa-public-key]public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[Huawei-rsa-key-code]
The public key entered must be a hexadecimal string encoded in public-key format and generated by SSH-capable client software. Enter the RSA or DSA public key obtained from the client on the device acting as the SSH server.
[Huawei-rsa-key-code]30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7
[Huawei-rsa-key-code]048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118
………………………………………………………………………………………………………
[Huawei-rsa-key-code]4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
[Huawei-rsa-key-code]1B020125
[Huawei-rsa-key-code]
[Huawei-rsa-key-code]public-key-code end
% Fail to decode key string, the key string may be invalid.
[Huawei-rsa-public-key]
17.5 Exit the public key view
[Huawei-rsa-public-key]peer-public-key end
[Huawei]
17.6 Assign the RSA or DSA public key to the SSH user
[Huawei]ssh user 023wg.com assign dsa-key 023wg.com