29 - SSH Configuration Examples
Contents
1.3 Configuring the Device as a Stelnet Server (Password Authentication)
1.4 Configuring the Device as a Stelnet Server (Publickey Authentication)
1.5 Configuring the Device as a Stelnet Client (Password Authentication)
1.6 Configuring the Device as an SFTP Client (Publickey Authentication)
This chapter presents typical configuration examples for using SSH (Secure Shell) to provide secure remote access or file management.
Acting as an SSH server, the device supports both SSH2 and SSH1; acting as an SSH client, it supports SSH2 only.
As shown in Figure 1, a network administrator needs to log in to the residential gateway device (Switch) over the Internet to configure it. To make management of the Switch more secure, the Switch can be configured as a Stelnet server, and Stelnet client software run on the Host, with an SSH connection established between the two. The requirements are as follows:
· The Switch authenticates the client with SSH password authentication, and authentication is performed locally on the Switch;
· The Switch limits the number of login attempts a user may make, to prevent unauthorized users from guessing or brute-forcing usernames and passwords.
Figure 1 Network diagram for configuring the device as a Stelnet server (password authentication)
· Although any one SSH client uses only one of the DSA and RSA public key algorithms to authenticate the server, different clients support different algorithms. To ensure that every client can log in, generate both a DSA and an RSA key pair on the SSH server.
· For a user who logs in with password authentication, the command level the user may access is authorized by AAA.
· The total number of authentication attempts an SSH client makes with publickey and password authentication combined cannot exceed the number configured with the ssh server authentication-retries command, and that setting takes effect only for users who log in after it is configured.
# Configure the IP address of VLAN-interface 1. The client connects to the Stelnet server at this address.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 20.20.0.105 255.255.255.0
[Switch-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
+++++++++++++++++++++++++++
++++++++++++++++++++++++
+++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++
[Switch] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
*
..+.++++*
# Enable the SSH server.
[Switch] ssh server enable
Info: Enable SSH server
# Set the maximum number of SSH authentication attempts to 5.
[Switch] ssh server authentication-retries 5
# Set the authentication mode of the user interfaces that Stelnet clients log in through to AAA (scheme), and the inbound protocol to SSH.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] quit
# Create local user client001 with password aabbcc and service type SSH, and authorize the user to access command level 3.
[Switch] local-user client001
New local user added.
[Switch-luser-client001] password simple aabbcc
[Switch-luser-client001] service-type ssh
[Switch-luser-client001] authorization-attribute level 3
[Switch-luser-client001] quit
# Configure SSH user client001 with service type Stelnet and authentication type password.
[Switch] ssh user client001 service-type stelnet authentication-type password
There are many SSH client programs, for example PuTTY and OpenSSH. This document uses PuTTY 0.58 to illustrate the SSH client configuration.
# Install PuTTY 0.58.
# Configure the IP address of the Stelnet server.
Run PuTTY.exe to open the client configuration window shown in Figure 2. In the "Host Name (or IP address)" field, enter the IP address of the Stelnet server, 20.20.0.105.
Figure 2 Stelnet server configuration window
In Figure 2, click <Open>. When the server login security alert appears, click <Yes>:
Figure 3 Stelnet server login security alert
After the client connects to the Switch, enter the username "client001" and the password "aabbcc" when prompted to reach the user interface of the Switch.
Login as: client001
client001@20.20.0.105's password:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Switch>
#
vlan 1
#
local-user client001
password cipher $c$3$6XrvmIWDHxv6M9ykP9qJrqy9/Jlb1z8xSg==
authorization-attribute level 3
service-type ssh
#
interface Vlan-interface1
ip address 20.20.0.105 255.255.255.0
#
ssh server enable
ssh server authentication-retries 5
ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
As shown in Figure 4, a network administrator needs to log in to the residential gateway device (Switch) over the Internet to configure it. To make management of the Switch more secure and authentication stronger, the Switch can be configured as a Stelnet server that authenticates the client with SSH publickey authentication, using the RSA public key algorithm.
Figure 4 Network diagram for configuring the device as a Stelnet server (publickey authentication)
For a user who logs in with publickey authentication, the command level the user may access is the level configured on the user interface with the user privilege level command.
With SSH publickey authentication, the client first generates an RSA key pair and uploads the public key file to the Stelnet server; the server also generates an RSA key pair. The server compares the client public key it has stored locally with the client public key carried in the authentication request, to verify that the key the client holds is the correct one. If the public key check succeeds, the client uses the private key of its local key pair to compute a digest over specific data and sends the result (the digital signature) to the server to prove its identity; the server verifies that signature with the public key preconfigured for the user, and once verification succeeds the secure SSH connection is established.
On the client, run PuTTYGen.exe, select "SSH-2 RSA" in the Parameters section, enter "2048" as the number of bits, and click <Generate> to generate the client key pair.
Figure 5 Generating the client key pair (1)
While the key pair is being generated, keep moving the mouse. Move it only within the blue box in the figure, away from the green progress bar; otherwise the progress bar stops and key generation halts, as shown in Figure 6.
After the key pair is generated, click <Save public key>, choose a save location (for example C:\), enter a public key file name (for example key.pub), and click <Save>.
Figure 7 Generating the client key pair (3)
Click <Save private key> to store the private key. A warning asks whether to save the private key without any protection; click <Yes>, then choose a save location (for example C:\), enter a private key file name (for example private.ppk), and click <Save>.
Figure 8 Generating the client key pair (4)
After generating the key pair on the client, upload the saved public key file "key.pub" to the server by FTP or TFTP; see 3. Configuring the client to upload the public key file.
# Configure the IP address of VLAN-interface 1.
<Switch> system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 20.20.0.105 255.255.255.0
[Switch-Vlan-interface1] quit
# Create a local user of type ftp on the Switch.
[Switch] local-user ftp
New local user added.
[Switch-luser-ftp] password simple ftp
[Switch-luser-ftp] authorization-attribute level 3
[Switch-luser-ftp] authorization-attribute work-directory flash:/
[Switch-luser-ftp] service-type ftp
[Switch-luser-ftp] quit
# Enable the FTP server on the Switch.
[Switch] ftp server enable
[Switch] quit
# Log in from the Host by FTP and upload the public key file key.pub to the Switch.
c:\> ftp 20.20.0.105
Connected to 20.20.0.105.
220 FTP service ready.
User(20.20.0.105:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
ftp> put key.pub
200 Port command okay.
150 Opening ASCII mode data connection for /key.pub.
226 Transfer complete.
ftp> bye
221 Server closing.
c:\
# Generate an RSA key pair.
[Switch] public-key local create rsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
++++++++
++++++++++++++
+++++
++++++++
# Start the SSH server.
[Switch] ssh server enable
# Set the authentication mode of the user interfaces that clients log in through to AAA, the inbound protocol to SSH, and the command level users may access to 3.
[Switch] user-interface vty 0 15
[Switch-ui-vty0-15] authentication-mode scheme
[Switch-ui-vty0-15] protocol inbound ssh
[Switch-ui-vty0-15] user privilege level 3
[Switch-ui-vty0-15] quit
# Import the peer public key from the file key.pub and name it Switch001.
[Switch] public-key peer Switch001 import sshkey key.pub
# Create local user client002 with service type SSH, and authorize the user to access command level 3.
[Switch] local-user client002
New local user added.
[Switch-luser-client002] service-type ssh
[Switch-luser-client002] authorization-attribute level 3
[Switch-luser-client002] quit
# Set the authentication type of SSH user client002 to publickey and assign the public key Switch001.
[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
[Switch] quit
# Specify the private key file and connect to the Stelnet server.
Run PuTTY.exe to open the client configuration window shown in Figure 9. In the "Host Name (or IP address)" field, enter the IP address of the Stelnet server, 20.20.0.105.
Figure 9 SSH client configuration window (1)
Click "Auth" under "SSH" to open the window shown in Figure 10. Click <Browse...>; in the file selection dialog, choose the private key file "private.ppk" that corresponds to the public key configured on the server.
Figure 10 SSH client configuration window (2)
In Figure 10, click <Open>.
Enter the username client002 when prompted to reach the configuration interface of the Switch.
Login as: client002
Authenticating with public key "rsa-key-20130316"
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<Switch>
#
vlan 1
#
public-key peer Switch001
public-key-code begin
30819D300D06092A864886F70D010101050003818B0030818702818100A2DBC1FD76A837BEF5D322598442D6
753B2E8F7ADD6D6209C80843B206B309078AFE2416CB4FAD496A6627243EAD766D57AEA70B901B4B4566D9A6
51B133BAE34E9B9F04E542D64D0E9814D7E3CBCDBCAF28FF21EE4EADAE6DF52001944A40414DFF280FF043B1
4838288BE7F9438DC71ABBC2C28BF78F34ADF3D1C912579A19020125
public-key-code end
peer-public-key end
#
local-user client002
authorization-attribute level 3
service-type ssh
#
local-user ftp
password cipher $c$3$sg9WgqO1w8vnAv2FKGTOYgFJm3nn2w==
authorization-attribute work-directory flash:/
authorization-attribute level 3
service-type ftp
#
interface Vlan-interface1
ip address 20.20.0.105 255.255.255.0
#
ssh server enable
ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
As shown in Figure 11, Switch A is configured as a Stelnet client and Switch B as a Stelnet server, with an SSH connection established between them so that users can log in securely from Switch A to Switch B for configuration and management. Switch B is required to authenticate the client with SSH password authentication, using the DSA public key algorithm.
Figure 11 Network diagram for configuring the device as a Stelnet client
In a relatively secure network, to simplify client configuration, SSH first-time authentication can be enabled on Switch A (it is enabled by default on the switch). The client can then connect to the server directly, without the server's host public key being configured on the client: with this function enabled, when the SSH client connects to a server for the first time, the server sends its public key to the client and the client saves it; on later visits to that server, the client authenticates the server with the saved host public key.
Because first-time authentication trusts the correctness of the server's public key unconditionally, it carries some security risk. Disabling first-time authentication on the SSH client provides stronger security. In that case, the client must have the host public key of the server it will access configured locally in advance, and must specify the name of that host public key for the server it connects to, so that the server can be authenticated.
# Configure the IP address of VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 192.168.0.51 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
++++++++++++++++++
# Display the DSA public key on Switch B.
[SwitchB] display public-key local dsa public
=====================================================
Time of Key pair created: 15:23:11 2012/02/26
Key name: HOST_KEY
Key type: DSA Encryption Key
=====================================================
Key code:
3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D2A9DEA
6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E6768193914B823BDF215
D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86AC0FD3829B862C5CD7
003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74DA31DA0415264F3FA3E1A6E0
F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE794C09A6C7DDE05F1E0E928E82EEA31
DB2454CD2E6866599DDF2381163734AD5C6F8A98A791BAD8942A5D12D674FCA42EA93FF7FDD23E4E
E29C35F75C8E52EF1B132073679EE2E62DF435CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62
018B021500C773218C737EC8EE993B4F2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C
728A297DA04566A0A112DC49ABF51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78
B9A67ED494288CB5A1984CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D1
4A880142151C394C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F
00B65714991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61
B4ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B774836A3B
5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACDEB6C9B213A
8749765992E40382010500028201005B7C602A155775741EAAC552562B46D766D9917946D9C66E09
509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D625F4BFD41D9F3FF52F48D0E
D17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E7635AB49EF3624F6AB27E3270E082B8
C7FD5E0610259993D931719F5D6A8165A62E209A1734242C5E161AC68B5670F8CA58BF7C6ED25E79
812DAE633EB94C5A9E9614777FB7038A200965266E46145173C8EA9EB91C35550A335F6E7E4C1FBD
2D43E67CC7422E3D4D6AE931A4AD817335600BD76642196568013BDCC98973E57EE281004BEC7539
8559E27FE893A6F3BC1E11ACDB1DB4453343B0219A8C6D15AB280EFFB05F37
# Enable the SSH server.
[SwitchB] ssh server enable
# Set the authentication mode of the user interfaces that SSH clients log in through to AAA (scheme), and the inbound protocol to SSH.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] protocol inbound ssh
[SwitchB-ui-vty0-15] quit
# Create local user client001.
[SwitchB] local-user client001
New local user added.
[SwitchB-luser-client001] password simple aabbcc
[SwitchB-luser-client001] service-type ssh
[SwitchB-luser-client001] authorization-attribute level 3
[SwitchB-luser-client001] quit
# Configure SSH user client001 with service type Stelnet and authentication type password.
[SwitchB] ssh user client001 service-type stelnet authentication-type password
# Configure the IP address of VLAN-interface 1.
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 192.168.0.105 255.255.255.0
[SwitchA-Vlan-interface1] quit
[SwitchA] quit
· If SSH first-time authentication is enabled on the client, the connection to the server can be established directly; see 1.5.4 Verifying the configuration.
· If SSH first-time authentication is disabled on the client, the server's public key must be entered and its name specified before connecting to the server, as follows.
# Enter public key view.
[SwitchA] public-key peer key1
Public key view: return to System View with "peer-public-key end".
# Enter public key code view.
[SwitchA-pkey-public-key] public-key-code begin
Public key code view: return to last view with "public-key-code end".
# Enter the host public key of the server (by default the client authenticates the server with its DSA host public key, so the key entered here is the key code shown on the server by the display public-key local dsa public command).
[SwitchA-pkey-key-code]3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D2A9DEA
[SwitchA-pkey-key-code]6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E6768193914B823BDF215
[SwitchA-pkey-key-code]D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86AC0FD3829B862C5CD7
[SwitchA-pkey-key-code]003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74DA31DA0415264F3FA3E1A6E0
[SwitchA-pkey-key-code]F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE794C09A6C7DDE05F1E0E928E82EEA31
[SwitchA-pkey-key-code]DB2454CD2E6866599DDF2381163734AD5C6F8A98A791BAD8942A5D12D674FCA42EA93FF7FDD23E4E
[SwitchA-pkey-key-code]E29C35F75C8E52EF1B132073679EE2E62DF435CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62
[SwitchA-pkey-key-code]018B021500C773218C737EC8EE993B4F2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C
[SwitchA-pkey-key-code]728A297DA04566A0A112DC49ABF51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78
[SwitchA-pkey-key-code]B9A67ED494288CB5A1984CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D1
[SwitchA-pkey-key-code]4A880142151C394C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F
[SwitchA-pkey-key-code]00B65714991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61
[SwitchA-pkey-key-code]B4ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B774836A3B
[SwitchA-pkey-key-code]5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACDEB6C9B213A
[SwitchA-pkey-key-code]8749765992E40382010500028201005B7C602A155775741EAAC552562B46D766D9917946D9C66E09
[SwitchA-pkey-key-code]509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D625F4BFD41D9F3FF52F48D0E
[SwitchA-pkey-key-code]D17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E7635AB49EF3624F6AB27E3270E082B8
[SwitchA-pkey-key-code]C7FD5E0610259993D931719F5D6A8165A62E209A1734242C5E161AC68B5670F8CA58BF7C6ED25E79
[SwitchA-pkey-key-code]812DAE633EB94C5A9E9614777FB7038A200965266E46145173C8EA9EB91C35550A335F6E7E4C1FBD
[SwitchA-pkey-key-code]2D43E67CC7422E3D4D6AE931A4AD817335600BD76642196568013BDCC98973E57EE281004BEC7539
[SwitchA-pkey-key-code]8559E27FE893A6F3BC1E11ACDB1DB4453343B0219A8C6D15AB280EFFB05F37
# Return to public key view and save the configured host public key.
[SwitchA-pkey-key-code] public-key-code end
# Return to system view.
[SwitchA-pkey-public-key] peer-public-key end
# Specify key1 as the name of the host public key for the server 192.168.0.51.
[SwitchA] ssh client authentication server 192.168.0.51 assign publickey key1
[SwitchA] quit
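The key code that the client operator types in public-key-code view above is the raw DER SubjectPublicKeyInfo of the server's host key, and the only thing that stops a typo or a substituted key from being accepted is whether the bytes really match what Switch B displayed. The following Python script is an added example (not code from the H3C document or from the device software) that decodes such a key code, reports algorithm and key size, derives a SHA-256 fingerprint that can be compared out of band, and checks that a transcribed key code matches the displayed one regardless of line wrapping or letter case. It embeds the DSA key code Switch B printed above and the RSA key code stored as public-key peer Switch001 in section 1.4, both copied from this page. The authenticate_server function, its "verified"/"rejected"/"accepted-unverified" outcomes, and the dictionary that stands in for ssh client authentication server ... assign publickey are this example's own modelling assumptions, mirroring the two behaviours the text describes for first-time authentication enabled and disabled.

```python
import hashlib

# Key code of the Switch B DSA host key as printed by "display public-key local
# dsa public" in section 1.5 (copied from this page).
SWITCHB_DSA_KEY_CODE = """
3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D2A9DEA
6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E6768193914B823BDF215
D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86AC0FD3829B862C5CD7
003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74DA31DA0415264F3FA3E1A6E0
F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE794C09A6C7DDE05F1E0E928E82EEA31
DB2454CD2E6866599DDF2381163734AD5C6F8A98A791BAD8942A5D12D674FCA42EA93FF7FDD23E4E
E29C35F75C8E52EF1B132073679EE2E62DF435CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62
018B021500C773218C737EC8EE993B4F2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C
728A297DA04566A0A112DC49ABF51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78
B9A67ED494288CB5A1984CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D1
4A880142151C394C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F
00B65714991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61
B4ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B774836A3B
5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACDEB6C9B213A
8749765992E40382010500028201005B7C602A155775741EAAC552562B46D766D9917946D9C66E09
509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D625F4BFD41D9F3FF52F48D0E
D17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E7635AB49EF3624F6AB27E3270E082B8
C7FD5E0610259993D931719F5D6A8165A62E209A1734242C5E161AC68B5670F8CA58BF7C6ED25E79
812DAE633EB94C5A9E9614777FB7038A200965266E46145173C8EA9EB91C35550A335F6E7E4C1FBD
2D43E67CC7422E3D4D6AE931A4AD817335600BD76642196568013BDCC98973E57EE281004BEC7539
8559E27FE893A6F3BC1E11ACDB1DB4453343B0219A8C6D15AB280EFFB05F37
"""

# Key code of the client RSA key stored as "public-key peer Switch001" in
# section 1.4 (copied from this page).
CLIENT_RSA_KEY_CODE = """
30819D300D06092A864886F70D010101050003818B0030818702818100A2DBC1FD76A837BEF5D322598442D6
753B2E8F7ADD6D6209C80843B206B309078AFE2416CB4FAD496A6627243EAD766D57AEA70B901B4B4566D9A6
51B133BAE34E9B9F04E542D64D0E9814D7E3CBCDBCAF28FF21EE4EADAE6DF52001944A40414DFF280FF043B1
4838288BE7F9438DC71ABBC2C28BF78F34ADF3D1C912579A19020125
"""

OID_NAMES = {"1.2.840.10040.4.1": "DSA", "1.2.840.113549.1.1.1": "RSA"}

def _tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length

def _oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def normalize_key_code(text):
    """Drop the line breaks of the CLI display (or of text typed in public-key-code
    view) and return the DER bytes, so wrapping and letter case do not matter."""
    return bytes.fromhex("".join(text.split()))

def parse_key_code(text):
    """Decode a SubjectPublicKeyInfo key code into algorithm, key size and fingerprint."""
    der = normalize_key_code(text)
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("key code is not a single SEQUENCE")
    _, alg_id, pos = _tlv(spki, 0)                      # AlgorithmIdentifier
    tag, bit_string, _ = _tlv(spki, pos)                # subjectPublicKey
    if tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, oid_raw, apos = _tlv(alg_id, 0)
    info = {"algorithm": OID_NAMES.get(_oid(oid_raw), "unknown"),
            "sha256": hashlib.sha256(der).hexdigest()}
    if info["algorithm"] == "DSA":
        _, params, _ = _tlv(alg_id, apos)               # Dss-Parms ::= SEQUENCE { p, q, g }
        _, p, qpos = _tlv(params, 0)
        _, q, _ = _tlv(params, qpos)
        info["bits"] = int.from_bytes(p, "big").bit_length()
        info["q_bits"] = int.from_bytes(q, "big").bit_length()
    elif info["algorithm"] == "RSA":
        _, rsa_pub, _ = _tlv(bit_string[1:], 0)         # skip the unused-bits byte
        _, n, epos = _tlv(rsa_pub, 0)
        _, e, _ = _tlv(rsa_pub, epos)
        info["bits"] = int.from_bytes(n, "big").bit_length()
        info["e"] = int.from_bytes(e, "big")
    return info

def key_codes_match(displayed, entered):
    """True when the key code typed on the client is byte-for-byte the server's key."""
    return normalize_key_code(displayed) == normalize_key_code(entered)

def authenticate_server(server_ip, presented_code, configured_keys, first_time_auth=True):
    """Client-side host key decision (assumed model). configured_keys maps a server
    address to the key code bound to it by 'ssh client authentication server ...
    assign publickey'. With first-time authentication on, an unknown server is let
    through unverified; with it off, an unknown or mismatching key is rejected."""
    known = configured_keys.get(server_ip)
    if known is None:
        return "accepted-unverified" if first_time_auth else "rejected"
    return "verified" if key_codes_match(known, presented_code) else "rejected"
```

Running parse_key_code on the two embedded codes shows that the Switch B host key is DSA with a 2048-bit p and 160-bit q, and that the PuTTYgen client key is 1024-bit RSA with public exponent 37; the SHA-256 value is what an operator would read out to a colleague at the server console before trusting a key that arrived over the network.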
· SSH first-time authentication enabled on the client
# Establish an SSH connection from Switch A to Switch B. After the correct password is entered, login to Switch B succeeds.
<SwitchA> ssh 192.168.0.51
Username: client001
Trying 192.168.0.51 ...
Press CTRL+K to abort
Connected to 192.168.0.51 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter password:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
· SSH first-time authentication disabled on the client
# Establish an SSH connection from Switch A to Switch B. After the correct password is entered, login to Switch B succeeds.
<SwitchA> ssh2 192.168.0.51
Username: client001
Trying 192.168.0.51
Press CTRL+K to abort
Connected to 192.168.0.51...
Enter password:
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<SwitchB>
· Switch A
#
vlan 1
#
public-key peer key1
public-key-code begin
(key code omitted; it is the Switch B host key entered in the procedure above)
public-key-code end
peer-public-key end
#
interface Vlan-interface1
ip address 192.168.0.105 255.255.255.0
#
ssh client authentication server 192.168.0.51 assign publickey key1
#
· Switch B
#
vlan 1
#
local-user client001
password cipher $c$3$G+xmuBmDrurppAOsyNcYNzNqB+C/NSFsPg==
authorization-attribute level 3
service-type ssh
#
interface Vlan-interface1
ip address 192.168.0.51 255.255.255.0
#
ssh server enable
ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
As shown in Figure 12, Switch A is configured as an SFTP client and Switch B as an SFTP server, with an SSH connection established between them so that users can log in securely from Switch A to Switch B for file management and file transfer. To strengthen authentication, Switch B is required to authenticate the client with SSH publickey authentication, using the DSA public key algorithm.
Figure 12 Network diagram for configuring the device as an SFTP client
To use SSH publickey authentication, Switch A first generates a DSA key pair, then exports the DSA host public key to a specified file and uploads it to Switch B. Switch B also generates a DSA key pair, and compares the client public key it has stored locally with the client public key carried in the authentication request, to verify that the key the client holds is the correct one. If the public key check succeeds, Switch A uses the private key of its local key pair to compute a digest over specific data and sends the result (the digital signature) to Switch B to prove its identity; Switch B verifies that signature with the public key preconfigured for the user, and once verification succeeds the secure SSH connection is established.
# Configure the IP address of VLAN-interface 1.
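The publickey flow described here and in section 1.4 has two distinct server-side checks (the presented key must equal the key assigned to the user, and the signature must verify under that key), and the note in section 1.3 adds a third rule: publickey and password attempts share one counter bounded by ssh server authentication-retries, read when the session opens. The following Python script is an added example (not code from the H3C document or the device software) that models both sides of that exchange. It uses a toy textbook-RSA signature built from known Mersenne primes so it runs without a prime search; the message layout, the key_blob encoding, and the StelnetServer, Session and demo names are this example's own assumptions and are not the SSH protocol's wire format.

```python
import hashlib
import os

def make_toy_keypair(q_exponent=127):
    """Toy RSA key pair from known Mersenne primes (constructed so that no prime
    search is needed; a real device generates random primes with 'public-key local
    create rsa'). Returns ((n, e), (n, d))."""
    p, q = (1 << 521) - 1, (1 << q_exponent) - 1   # 2^521-1, 2^127-1 and 2^107-1 are prime
    n, e = p * q, 65537
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def key_blob(public_key):
    n, e = public_key                                # byte form the server keeps after
    return f"rsa:{n}:{e}".encode()                   # 'public-key peer ... import sshkey'

def sign(private_key, data):
    n, d = private_key                               # textbook RSA over SHA-256(data);
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256-bit h < 648-bit n
    return pow(h, d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class StelnetServer:
    """Server-side state matching the Switch configuration in the examples."""
    def __init__(self):
        self.authentication_retries = 3              # 'ssh server authentication-retries N'
        self.peer_keys = {}                          # public-key peer NAME -> public key
        self.ssh_users = {}                          # ssh user NAME -> (authentication-type, key name)
        self.passwords = {}                          # local-user NAME -> password simple ...

class Session:
    """One SSH connection. The retry limit is read when the connection opens, so a
    later 'ssh server authentication-retries' change affects only new sessions."""
    def __init__(self, server):
        self.server, self.limit, self.attempts = server, server.authentication_retries, 0
        self.session_id = os.urandom(16)             # constructed stand-in for the SSH session id
        self.state = "authenticating"

    def _finish(self, ok):
        if ok:
            self.state = "authenticated"
        elif self.attempts >= self.limit:            # publickey and password attempts count together
            self.state = "closed"
        return "failed" if self.state == "authenticating" else self.state

    def auth_password(self, user, password):
        if self.state != "authenticating":
            return self.state
        self.attempts += 1
        ok = (self.server.ssh_users.get(user) == ("password", None)
              and self.server.passwords.get(user) == password)
        return self._finish(ok)

    def auth_publickey(self, user, presented_blob, signature):
        if self.state != "authenticating":
            return self.state
        self.attempts += 1
        entry, ok = self.server.ssh_users.get(user), False
        if entry and entry[0] == "publickey":
            stored = self.server.peer_keys.get(entry[1])
            # Step 1: the presented key must equal the key assigned to this user.
            if stored is not None and key_blob(stored) == presented_blob:
                # Step 2: a signature over session-bound data proves possession of the private key.
                ok = verify(stored, self.session_id + user.encode() + presented_blob, signature)
        return self._finish(ok)

def client_publickey_login(session, user, public_key, private_key):
    """Client side: send the public key and a signature over the session data."""
    blob = key_blob(public_key)
    sig = sign(private_key, session.session_id + user.encode() + blob)
    return session.auth_publickey(user, blob, sig)

def demo():
    """Replay the scenarios from the text; returns the outcome of each."""
    server = StelnetServer()
    server.authentication_retries = 5                # ssh server authentication-retries 5
    pub, priv = make_toy_keypair(127)
    other_pub, other_priv = make_toy_keypair(107)    # a key pair the server has never seen
    server.peer_keys["Switch001"] = pub              # public-key peer Switch001 import sshkey key.pub
    server.ssh_users["client002"] = ("publickey", "Switch001")
    server.ssh_users["client001"] = ("password", None)
    server.passwords["client001"] = "aabbcc"
    out = {"good_key": client_publickey_login(Session(server), "client002", pub, priv),
           "unknown_key": client_publickey_login(Session(server), "client002", other_pub, other_priv),
           "right_key_wrong_private": client_publickey_login(Session(server), "client002", pub, other_priv)}
    s = Session(server)                              # 2 publickey + 3 password failures = 5 attempts
    for _ in range(2):
        client_publickey_login(s, "client002", other_pub, other_priv)
    for _ in range(2):
        s.auth_password("client001", "wrong")
    out["fifth_failure"] = s.auth_password("client001", "wrong")
    out["after_limit"] = s.auth_password("client001", "aabbcc")   # correct password, but too late
    old = Session(server)
    server.authentication_retries = 2                # reconfigured while 'old' is still open
    out["old_session_limit"], out["new_session_limit"] = old.limit, Session(server).limit
    return out
```

The "right_key_wrong_private" case is the one that shows why the second check exists: a client can present the very public key stored on the server, so the key comparison alone proves nothing, and only the signature over data bound to this session demonstrates possession of the private key. The last two results show why the text says the retry setting applies only to users who log in afterwards.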
<SwitchA> system-view
[SwitchA] interface vlan-interface 1
[SwitchA-Vlan-interface1] ip address 192.168.0.105 255.255.255.0
[SwitchA-Vlan-interface1] quit
# Generate a DSA key pair.
[SwitchA] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++
# Export the generated DSA host public key to the file key2.pub.
[SwitchA] public-key local export dsa ssh2 key2.pub
..
[SwitchA] quit
After generating the key pair on the client, upload the saved public key file key2.pub to the server by FTP or TFTP; see 3. Configuring the client to upload the public key file.
# Configure the IP address of VLAN-interface 1.
<SwitchB> system-view
[SwitchB] interface vlan-interface 1
[SwitchB-Vlan-interface1] ip address 192.168.0.51 255.255.255.0
[SwitchB-Vlan-interface1] quit
# Create a local user of type ftp on Switch B, with username and password both "ftp".
[SwitchB] local-user ftp
New local user added.
[SwitchB-luser-ftp] password simple ftp
[SwitchB-luser-ftp] authorization-attribute level 3
[SwitchB-luser-ftp] authorization-attribute work-directory flash:/
[SwitchB-luser-ftp] service-type ftp
[SwitchB-luser-ftp] quit
# Enable the FTP server on Switch B.
[SwitchB] ftp server enable
[SwitchB] quit
# Log in to the FTP server from Switch A and upload the public key file.
<SwitchA> ftp 192.168.0.51
Trying 192.168.0.51 ...
Press CTRL+K to abort
Connected to 192.168.0.51.
220 FTP service ready.
User(192.168.0.51:(none)):ftp
331 Password required for ftp.
Password:
230 User logged in.
[ftp] put key2.pub
227 Entering Passive Mode (192,168,0,51,8,157).
125 ASCII mode data connection already open, transfer starting for /key2.pub.
226 Transfer complete.
FTP: 1187 byte(s) sent in 0.206 second(s), 5.00Kbyte(s)/sec.
[ftp] quit
# Generate a DSA key pair and enable the SSH server.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Press CTRL+C to abort.
Input the bits of the modulus[default = 1024]:2048
Generating Keys...
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++
# Enable the SSH server.
[SwitchB] ssh server enable
# Start the SFTP server.
[SwitchB] sftp server enable
# Set the authentication mode of the user interfaces that SSH clients log in through to AAA, the inbound protocol to SSH, and the command level users may access to 3.
[SwitchB] user-interface vty 0 15
[SwitchB-ui-vty0-15] authentication-mode scheme
[SwitchB-ui-vty0-15] protocol inbound ssh
[SwitchB-ui-vty0-15] user privilege level 3
[SwitchB-ui-vty0-15] quit
# Import the peer public key from the file key2.pub.
[SwitchB] public-key peer Switch001 import sshkey key2.pub
# Create local user client002 with service type SSH, and authorize the user to access command level 3.
[SwitchB] local-user client002
New local user added.
[SwitchB-luser-client002] service-type ssh
[SwitchB-luser-client002] authorization-attribute level 3
[SwitchB-luser-client002] quit
# Set the service type of SSH user client002 to SFTP and the authentication type to publickey, assign the public key Switch001, and set the working directory to flash:/.
[SwitchB] ssh user client002 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/
# Connect to the remote SFTP server and enter SFTP client view.
<SwitchA> sftp 192.168.0.51 identity-key dsa
Input Username: client002
Trying 192.168.0.51 ...
Press CTRL+K to abort
Connected to 192.168.0.51 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
sftp-client>
# Display the current directory on the server.
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 5268 Apr 26 23:50 startup.cfg
-rwxrwxrwx 1 noone nogroup 13138750 Apr 26 13:52 switchB.bin
drwxrwxrwx 1 noone nogroup 0 Apr 26 12:00 seclog
-rwxrwxrwx 1 noone nogroup 466612 Apr 26 14:25 switchB.btm
-rwxrwxrwx 1 noone nogroup 287 Apr 26 23:50 system.xml
-rwxrwxrwx 1 noone nogroup 1187 Apr 26 15:06 key2.pub
sftp-client>
# Create the directory new1 and check that it was created.
sftp-client> mkdir new1
New directory created
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 5268 Apr 26 23:50 startup.cfg
-rwxrwxrwx 1 noone nogroup 13138750 Apr 26 13:52 switchB.bin
drwxrwxrwx 1 noone nogroup 0 Apr 26 12:00 seclog
-rwxrwxrwx 1 noone nogroup 466612 Apr 26 14:25 switchB.btm
-rwxrwxrwx 1 noone nogroup 287 Apr 26 23:50 system.xml
-rwxrwxrwx 1 noone nogroup 1187 Apr 26 15:06 key2.pub
drwxrwxrwx 1 noone nogroup 0 Apr 26 15:16 new1
# Rename directory new1 to new2 and check that the rename succeeded.
sftp-client> rename new1 new2
File successfully renamed
sftp-client> dir
-rwxrwxrwx 1 noone nogroup 5268 Apr 26 23:50 startup.cfg
-rwxrwxrwx 1 noone nogroup 13138750 Apr 26 13:52 switchB.bin
drwxrwxrwx 1 noone nogroup 0 Apr 26 12:00 seclog
-rwxrwxrwx 1 noone nogroup 466612 Apr 26 14:25 switchB.btm
-rwxrwxrwx 1 noone nogroup 287 Apr 26 23:50 system.xml
-rwxrwxrwx 1 noone nogroup 1187 Apr 26 15:06 key2.pub
drwxrwxrwx 1 noone nogroup 0 Apr 26 15:16 new2
# Exit SFTP client view.
sftp-client> quit
Bye
Connection closed.
<SwitchA>
· Switch A
#
vlan 1
#
public-key peer Switch001
public-key-code begin
(public key code omitted)
public-key-code end
peer-public-key end
#
interface Vlan-interface1
ip address 192.168.0.105 255.255.255.0
#
ssh user client002 service-type sftp authentication-type publickey assign publickey Switch001
· Switch B
#
ftp server enable
#
vlan 1
#
local-user client002
authorization-attribute level 3
service-type ssh
#
local-user ftp
password cipher $c$3$1KhhVXwJ6k3Ms0RMDqHOYCEKHzhULw==
authorization-attribute work-directory flash:/
authorization-attribute level 3
service-type ftp
#
interface Vlan-interface1
ip address 192.168.0.51 255.255.255.0
#
user-interface vty 0 15
authentication-mode scheme
user privilege level 3
protocol inbound ssh
#
Documentation for different models and specifications may differ slightly; for details, contact your sales representative or the 400 hotline. H3C reserves the right to modify the contents of this documentation without notice.