• 产品与解决方案
  • 行业解决方案
  • 服务
  • 支持
  • 合作伙伴
  • 新华三人才研学中心
  • 关于我们

H3C SOHO交换机 典型配置举例(Comware V5)-6W102

29-SSH典型配置举例

本章节下载 29-SSH典型配置举例  (387.62 KB)

29-SSH典型配置举例


1  SSH典型配置举例

1.1  简介

本章介绍了使用SSH(Secure Shell,安全外壳)功能实现安全的远程访问或文件管理的典型配置举例。

1.2  使用限制

设备作为SSH服务器时,支持SSH2和SSH1两个版本;设备作为SSH客户端时,只支持SSH2版本。

1.3  设备作为Stelnet服务器配置举例(password认证)

1.3.1  组网需求

图1所示,网络管理员需要通过Internet远程登录到小区的网关设备(Switch)上对其进行相关配置。为了提高对Switch进行管理的安全性,可将Switch配置为Stelnet服务器,并在Host上运行Stelnet客户端软件,在二者之间建立SSH连接。具体应用要求如下:

·     Switch通过SSH的password认证方式对客户端进行认证,认证过程在Switch本地完成;

·     Switch上限制用户的尝试登录次数,防止非法用户对用户名和密码进行恶意地猜测和破解。

图1 设备作为Stelnet服务器配置组网图(password认证)

 

1.3.2  配置注意事项

·     虽然一个SSH客户端只会采用DSA和RSA公钥算法中的一种来认证服务器,但是由于不同客户端支持的公钥算法不同,为了确保客户端能够成功登录服务器,建议在SSH服务器上同时生成DSA和RSA两种密钥对。

·     使用password认证方式的用户登录服务器后,用户可以访问的命令级别由AAA来授权。

·     SSH客户端通过publickey和password两种方式进行认证尝试的次数总和,不能超过ssh server authentication-retries命令配置的SSH连接认证尝试次数,且该配置仅对新登录的用户生效。

1.3.3  配置步骤

1. Switch的配置

# 配置VLAN接口1的IP地址,客户端将通过该地址连接Stelnet服务器。

<Switch> system-view

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ip address 20.20.0.105 255.255.255.0

[Switch-Vlan-interface1] quit

# 生成RSA及DSA密钥对。

[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:2048

Generating Keys...

+++++++++++++++++++++++++++

++++++++++++++++++++++++

+++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++

[Switch] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:2048

Generating Keys...

*

..+.++++*

# 开启SSH服务器功能。

[Switch] ssh server enable

Info: Enable SSH server

# 配置允许SSH用户认证尝试的最大次数为5次。

[Sysname] ssh server authentication-retries 5

# 设置Stelnet客户端登录用户界面的认证方式为AAA认证,远程用户登录协议为SSH。

[Switch] user-interface vty 0 15

[Switch-ui-vty0-15] authentication-mode scheme

[Switch-ui-vty0-15] protocol inbound ssh

[Switch-ui-vty0-15] quit

# 创建本地用户client001,密码为aabbcc,服务类型为SSH,并授权用户访问的命令级别为3。

[Switch] local-user client001

New local user added.

[Switch-luser-client001] password simple aabbcc

[Switch-luser-client001] service-type ssh

[Switch-luser-client001] authorization-attribute level 3

[Switch-luser-client001] quit

# 配置SSH用户client001的服务类型为Stelnet,认证方式为password认证。

[Switch] ssh user client001 service-type stelnet authentication-type password

2. Host的配置

说明

SSH客户端软件有很多,例如PuTTY、OpenSSH等。本文中仅以客户端软件PuTTY0.58为例,说明SSH客户端的配置方法。

 

# 安装PuTTY0.58软件。

# 配置Stelnet服务器的IP地址。

打开PuTTY.exe程序,出现如图2所示的客户端配置界面。在“Host Name(or IP address)”文本框中输入Stelnet服务器的IP地址为20.20.0.105。

图2 Stelnet服务器配置界面

 

图2中,单击<Open>按钮,弹出服务器登录安全提示,单击<是>:

图3 Stelnet服务器登录安全提示

 

1.3.4  验证配置

客户端向Switch发起连接后,按提示输入用户名“client001”和密码“aabbcc”,即可进入Switch的用户界面。

Login as: client001

client001@20.20.0.105’s password:

 

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                               

<Switch>

1.3.5  配置文件

#

vlan 1

#

local-user client001

 password cipher $c$3$6XrvmIWDHxv6M9ykP9qJrqy9/Jlb1z8xSg==

 authorization-attribute level 3

 service-type ssh

#

interface Vlan-interface1

 ip address 20.20.0.105 255.255.255.0

#

 ssh server enable

 ssh server authentication-retries 5

 ssh user client001 service-type stelnet authentication-type password

#

user-interface vty 0 15

 authentication-mode scheme

 user privilege level 3

 protocol inbound ssh

#

1.4  设备作为Stelnet服务器配置举例(publickey认证)

1.4.1  组网需求

图4所示,网络管理员需要通过Internet远程登录到小区的网关设备(Switch)上对其进行相关配置。为了提高对Switch进行管理的安全性和认证强度,可将Switch配置为Stelnet服务器,并要求Switch通过SSH的publickey认证方式对客户端进行认证,使用的公钥算法为RSA。

图4 设备作为Stelnet服务器配置组网图(publickey认证)

 

1.4.2  配置注意事项

使用publickey认证方式的用户登录服务器后,可以访问的命令级别均为在用户界面上通过user privilege level命令配置的级别。

1.4.3  配置思路

使用SSH的publickey认证方式:客户端首先要生成RSA密钥对,并将公钥文件上传到Stelnet服务器;服务器端也要生成RSA密钥对。服务器使用本地保存的客户端公钥,与报文中携带的客户端公钥进行比较,完成客户端持有公钥的正确性的验证。如果公钥验证成功,客户端继续使用自己本地密钥对的私钥部分,对特定报文进行摘要运算,将所得的结果(即数字签名)发送给服务器,向服务器证明自己的身份;服务器使用预先配置的该用户的公钥,对客户端发送过来的数字签名进行验证,验证成功后,建立安全的SSH连接。

1.4.4  配置步骤

1. 配置客户端

在客户端运行PuTTYGen.exe,在参数栏中选择“SSH-2 RSA”,密钥位数中输入“2048”,点击<Generate>,产生客户端密钥对。

图5 生成客户端密钥(1)

 

在产生密钥对的过程中需不停的移动鼠标,鼠标移动仅限于下图蓝色框中除绿色标记进程条外的地方,否则进程条的显示会不动,密钥对将停止产生,见图6

图6 生成客户端密钥(2

 

密钥对产生后,点击<Save public key>,选择保存的路径(比如C:\),并输入公钥文件名(例如key.pub)后,点击<保存>按钮。

图7 生成客户端密钥(3)

 

点击<Save private key>存储私钥,弹出警告框,提醒是否保存没做任何保护措施的私钥,点击<Yes>;然后选择保存的路径(比如C:\),并输入私钥文件名(例如private.ppk)后,点击<保存>按钮。

图8 生成客户端密钥(4)

 

客户端生成密钥对后,需要将保存的公钥文件“key.pub”通过FTP/TFTP方式上传到服务器,具体请参见3. 配置客户端上传公钥文件

2. 配置Switch作为FTP服务器

# 配置VLAN接口1的IP地址。

<Switch> system-view

[Switch] interface vlan-interface 1

[Switch-Vlan-interface1] ip address 20.20.0.105 255.255.255.0

[Switch-Vlan-interface1] quit

# 在Switch上创建一个ftp类型的本地用户。

[Switch] local-user ftp

New local user added.

[Switch-luser-ftp] password simple ftp

[Switch-luser-ftp] authorization-attribute level 3

[Switch-luser-ftp] authorization-attribute work-directory flash:/

[Switch-luser-ftp] service-type ftp

[Switch-luser-ftp] quit

# 开启Switch的FTP服务器功能。

[Switch] ftp server enable

[Switch] quit

3. 配置客户端上传公钥文件

# Host通过FTP登录并上传公钥文件key.pub到Switch。

c:\> ftp 20.20.0.105

Connected to 20.20.0.105.

220 FTP service ready.

User(20.20.0.105:(none)):ftp

331 Password required for ftp.

Password:

230 User logged in.

ftp> put key.pub

200 Port command okay.

150 Opening ASCII mode data connection for /key.pub.

226 Transfer complete.

ftp> bye

221 Server closing.

 

c:\

4. 配置Switch作为Stelnet服务器

# 生成RSA密钥对。

[Switch] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:2048

Generating Keys...

++++++++

++++++++++++++

+++++

++++++++

# 启动SSH服务器。

[Switch] ssh server enable

# 设置客户端登录用户界面的认证方式为AAA,远程用户登录协议为SSH,用户能访问的命令级别为3。

[Switch] user-interface vty 0 15

[Switch-ui-vty0-15] authentication-mode scheme

[Switch-ui-vty0-15] protocol inbound ssh

[Switch-ui-vty0-15] user privilege level 3

[Switch-ui-vty0-15] quit

# 从文件key.pub中导入远端的公钥,并命名为Switch001。

[Switch] public-key peer Switch001 import sshkey key.pub

# 创建本地用户client002,服务类型为SSH,并授权用户访问的命令级别为3。

[Switch] local-user client002

New local user added.

[Switch-luser-client002] service-type ssh

[Switch-luser-client002] authorization-attribute level 3

[Switch-luser-client002] quit

# 设置SSH用户client002的认证方式为publickey,并指定公钥为Switch001。

[Switch] ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001

[Switch] quit

5. 客户端建立与Stelnet服务器的连接

# 指定私钥文件,并建立与Stelnet服务器的连接。

打开PuTTY.exe程序,出现如图9所示的客户端配置界面。在“Host Name(or IP address)”文本框中输入Stelnet服务器的IP地址为20.20.0.105。

图9 SSH客户端配置界面(1)

 

单击“SSH”下面的“Auth”(认证),出现如图10的界面。单击<Browse…>按钮,弹出文件选择窗口。选择与配置到服务器端的公钥对应的私钥文件“private.ppk”。

图10 SSH客户端配置界面(2)

 

图10,单击<Open>按钮。

1.4.5  验证配置

按提示输入用户名client002,即可进入Switch的配置界面。

Login as: client002

Authenticating with public key “rsa-key-20130316”

 

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                               

<Switch>

1.4.6  配置文件

#

vlan 1

#

 public-key peer Switch001

  public-key-code begin

30819D300D06092A864886F70D010101050003818B0030818702818100A2DBC1FD76A837BEF5D322598442D6
753B2E8F7ADD6D6209C80843B206B309078AFE2416CB4FAD496A6627243EAD766D57AEA70B901B4B4566D9A6
51B133BAE34E9B9F
04E542D64D0E9814D7E3CBCDBCAF28FF21EE4EADAE6DF52001944A40414DFF280FF043B1
4838288BE7F9438DC71ABBC2C28BF78F34ADF3D1C912579A19020125

  public-key-code end

 peer-public-key end

#

local-user client002

 authorization-attribute level 3

 service-type ssh

#

local-user ftp

 password cipher $c$3$sg9WgqO1w8vnAv2FKGTOYgFJm3nn2w==

 authorization-attribute work-directory flash:/

 authorization-attribute level 3

 service-type ftp

#

interface Vlan-interface1

 ip address 20.20.0.105 255.255.255.0

#

 ssh server enable

 ssh user client002 service-type stelnet authentication-type publickey assign publickey Switch001

#

user-interface vty 0 15

 authentication-mode scheme

 user privilege level 3

 protocol inbound ssh

#

1.5  设备作为Stelnet客户端配置举例(password认证)

1.5.1  组网需求

图11所示,通过将Switch A配置为Stelnet客户端,Switch B配置为Stelnet服务器,在二者之间建立SSH连接,使用户能够通过Switch A安全地登录到Switch B上进行配置管理。要求Switch B通过SSH的password认证方式对客户端进行认证,使用的公钥算法为DSA。

图11 设备作为Stelnet客户端配置组网图

 

1.5.2  配置思路

在比较安全的网络环境中,为了简化客户端的配置,可以开启Switch A的SSH首次认证功能(交换机缺省情况下该功能开启)。这样客户端可直接与服务器建立连接,不需要客户端配置服务器的主机公钥。因为该功能开启状态下,SSH客户端第一次和服务器端连接时,服务器会将它的公钥发送给客户端,并在客户端保存该主机公钥;当用户下次访问该服务器时,就以保存的主机公钥来认证该服务器。

由于SSH首次认证功能默认完全相信服务器公钥的正确性,因此存在一定的安全隐患。通过配置关闭SSH客户端支持首次认证功能,可以实现更高的安全性。这种情况下,客户端必须事先将要访问的服务器端的主机公钥配置在本地,同时指定要连接的服务器端的主机公钥名称,以便对连接的服务器进行认证。

1.5.3  配置步骤

1. Switch B的配置

# 配置VLAN接口1的IP地址。

<SwitchB> system-view

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] ip address 192.168.0.51 255.255.255.0

[SwitchB-Vlan-interface1] quit

# 生成DSA密钥对。

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).                                  

NOTES: If the key modulus is greater than 512,                                 

It will take a few minutes.                                                    

Press CTRL+C to abort.                                                         

Input the bits of the modulus[default = 1024]:2048                             

Generating Keys...                                                             

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*                

++++++++++++++++++

# 查看Switch B上的DSA公钥信息。

[SwitchB ] display public-key local dsa public                                  

                                                                               

=====================================================                           

Time of Key pair created: 15:23:11  2012/02/26                                 

Key name: HOST_KEY                                                             

Key type: DSA Encryption Key                                                   

=====================================================                          

Key code:                                                                      

3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D2A9DEA

6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E6768193914B823BDF215

D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86AC0FD3829B862C5CD7

003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74DA31DA0415264F3FA3E1A6E0

F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE794C09A6C7DDE05F1E0E928E82EEA31

DB2454CD2E6866599DDF2381163734AD5C6F8A98A791BAD8942A5D12D674FCA42EA93FF7FDD23E4E

E29C35F75C8E52EF1B132073679EE2E62DF435CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62

018B021500C773218C737EC8EE993B4F2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C

728A297DA04566A0A112DC49ABF51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78

B9A67ED494288CB5A1984CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D1

4A880142151C394C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F

00B65714991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61

B4ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B774836A3B

5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACDEB6C9B213A

8749765992E40382010500028201005B7C602A155775741EAAC552562B46D766D9917946D9C66E09

509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D625F4BFD41D9F3FF52F48D0E

D17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E7635AB49EF3624F6AB27E3270E082B8

C7FD5E0610259993D931719F5D6A8165A62E209A1734242C5E161AC68B5670F8CA58BF7C6ED25E79

812DAE633EB94C5A9E9614777FB7038A200965266E46145173C8EA9EB91C35550A335F6E7E4C1FBD

2D43E67CC7422E3D4D6AE931A4AD817335600BD76642196568013BDCC98973E57EE281004BEC7539

8559E27FE893A6F3BC1E11ACDB1DB4453343B0219A8C6D15AB280EFFB05F37

# 开启SSH服务器功能。

[SwitchB] ssh server enable

# 设置SSH客户端登录用户界面的认证方式为AAA认证,远程用户登录协议为SSH。

[SwitchB] user-interface vty 0 15

[SwitchB-ui-vty0-15] authentication-mode scheme

[SwitchB-ui-vty0-15] protocol inbound ssh

[SwitchB-ui-vty0-15] quit

# 创建本地用户client001。

[SwitchB] local-user client001

New local user added.

[SwitchB-luser-client001] password simple aabbcc

[SwitchB-luser-client001] service-type ssh

[SwitchB-luser-client001] authorization-attribute level 3

[SwitchB-luser-client001] quit

# 配置SSH用户client001的服务类型为Stelnet,认证方式为password认证。

[SwitchB] ssh user client001 service-type stelnet authentication-type password

2. Switch A的配置

# 配置VLAN接口1的IP地址。

<SwitchA> system-view

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 192.168.0.105 255.255.255.0

[SwitchA-Vlan-interface1] quit

[SwitchA] quit

·     若SSH客户端首次认证功能开启,可以直接建立到服务器的链接,具体参见1.5.4  验证配置

·     若SSH客户端首次认证功能关闭,需要输入服务器公钥并指定公钥名称才能连接服务器,步骤如下。

# 进入公钥视图。

[SwitchA] public-key peer key1                                                     

Public key view: return to System View with "peer-public-key end".                 

# 进入公钥编辑视图。

[SwitchA-pkey-public-key] public-key-code begin                                    

Public key code view: return to last view with "public-key-code end".              

# 输入服务器端的主机公钥(由于客户端缺省采用DSA主机公钥认证服务器,因此这里输入的是在服务器端通过display public-key local dsa public命令显示的公钥内容)。

[SwitchA-pkey-key-code]3082033B3082022E06072A8648CE380401308202210282010100F13ACC169

3AFD04B9E1E8D2A9DEA                                                            

[SwitchA-pkey-key-code]6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E6

768193914B823BDF215                                                             

[SwitchA-pkey-key-code]D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC8

6AC0FD3829B862C5CD7                                                            

[SwitchA-pkey-key-code]003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74DA31D

A0415264F3FA3E1A6E0                                                            

[SwitchA-pkey-key-code]F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE794C09A6C7DD

E05F1E0E928E82EEA31                                                            

[SwitchA-pkey-key-code]DB2454CD2E6866599DDF2381163734AD5C6F8A98A791BAD8942A5D12D674F

CA42EA93FF7FDD23E4E                                                            

[SwitchA-pkey-key-code]E29C35F75C8E52EF1B132073679EE2E62DF435CE35BB7F0FB756DF92A95C3

652F979BD03F8D2BB62                                                            

[SwitchA-pkey-key-code]018B021500C773218C737EC8EE993B4F2DED30F48EDACE915F0282010100D

43E90A700F70A4EE08C                                                            

[SwitchA-pkey-key-code]728A297DA04566A0A112DC49ABF51A37BBB56BFE518BBDCD71359EACE9871

2BEC58A261FC6D5FE78                                                            

[SwitchA-pkey-key-code]B9A67ED494288CB5A1984CA67037A16BFC75B889829C92465BA094460D7EE

F918969C0ADAE4841D1                                                            

[SwitchA-pkey-key-code]4A880142151C394C28F2731304C456350479D62014C81F07A0BA5FD0F9301

D8F9AF9F30C6D21471F                                                            

[SwitchA-pkey-key-code]00B65714991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBC

E7D283D144D4F5B5B61                                                            

[SwitchA-pkey-key-code]B4ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA

36E3DAE08B774836A3B                                                             

[SwitchA-pkey-key-code]5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B4

30B003ACDEB6C9B213A                                                            

[SwitchA-pkey-key-code]8749765992E40382010500028201005B7C602A155775741EAAC552562B46D

766D9917946D9C66E09                                                            

[SwitchA-pkey-key-code]509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D625F4

BFD41D9F3FF52F48D0E                                                             

[SwitchA-pkey-key-code]D17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E7635AB49EF36

24F6AB27E3270E082B8                                                            

[SwitchA-pkey-key-code]C7FD5E0610259993D931719F5D6A8165A62E209A1734242C5E161AC68B567

0F8CA58BF7C6ED25E79                                                            

[SwitchA-pkey-key-code]812DAE633EB94C5A9E9614777FB7038A200965266E46145173C8EA9EB91C3

5550A335F6E7E4C1FBD                                                             

[SwitchA-pkey-key-code]2D43E67CC7422E3D4D6AE931A4AD817335600BD76642196568013BDCC9897

3E57EE281004BEC7539                                                            

[SwitchA-pkey-key-code]8559E27FE893A6F3BC1E11ACDB1DB4453343B0219A8C6D15AB280EFFB05F3

7                                                                               

# 退回公钥视图,并保存配置的主机公钥。

[SwitchA-pkey-key-code] public-key-code end

# 退回系统视图。

[SwitchA-pkey-public-key] peer-public-key end

# 指定服务器192.168.0.51对应的主机公钥名称为key1。

[SwitchA] ssh client authentication server 192.168.0.51 assign publickey key1

[SwitchA] quit

1.5.4  验证配置

·     SSH客户端首次认证功能开启

# 建立Switch A到Switch B的SSH连接,输入正确的密码之后,即可成功登录到Switch B上。

<SwitchA> ssh 192.168.0.51                                                     

Username: client001                                                            

Trying 192.168.0.51 ...                                                        

Press CTRL+K to abort                                                           

Connected to 192.168.0.51 ...                                                  

                                                                               

The Server is not authenticated. Continue? [Y/N]:y                             

Do you want to save the server public key? [Y/N]:n                             

Enter password:                                                                

                                                                                

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                               

<SwitchB>             

·     SSH客户端首次认证功能关闭

# 建立Switch A到Switch B的SSH连接,输入正确的密码之后,即可成功登录到Switch B上。

<SwitchA> ssh2 192.168.0.51

Username: client001

Trying 192.168.0.51

Press CTRL+K to abort

Connected to 192.168.0.51...

Enter password:

****************************************************************************** 

* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.* 

* Without the owner's prior written consent,                                 * 

* no decompiling or reverse-engineering shall be allowed.                    * 

****************************************************************************** 

                                                                                

<SwitchB>             

1.5.5  配置文件

·     Switch A

#

vlan 1

#

 public-key peer key1                                                          

  public-key-code begin                                                        

   3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D  

   2A9DEA6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E67681939  

   14B823BDF215D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86  

   AC0FD3829B862C5CD7003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74  

   DA31DA0415264F3FA3E1A6E0F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE7  

   94C09A6C7DDE05F1E0E928E82EEA31DB2454CD2E6866599DDF2381163734AD5C6F8A98A791  

   BAD8942A5D12D674FCA42EA93FF7FDD23E4EE29C35F75C8E52EF1B132073679EE2E62DF435  

   CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62018B021500C773218C737EC8EE993B4F  

   2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C728A297DA04566A0A112DC49AB  

   F51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78B9A67ED494288CB5A198  

   4CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D14A880142151C39  

   4C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F00B65714  

   991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61B4  

   ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B77483  

   6A3B5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACD  

   EB6C9B213A8749765992E40382010500028201005B7C602A155775741EAAC552562B46D766  

   D9917946D9C66E09509BBB26E6A05EA5E45B95A797ED59E7BA6F06E15B3355A472DF734D62  

   5F4BFD41D9F3FF52F48D0ED17285E70EF203D4EB97C915D5AEF2EE32F3F00BC742D080E763  

   5AB49EF3624F6AB27E3270E082B8C7FD5E0610259993D931719F5D6A8165A62E209A173424  

   2C5E161AC68B5670F8CA58BF7C6ED25E79812DAE633EB94C5A9E9614777FB7038A20096526  

   6E46145173C8EA9EB91C35550A335F6E7E4C1FBD2D43E67CC7422E3D4D6AE931A4AD817335  

   600BD76642196568013BDCC98973E57EE281004BEC75398559E27FE893A6F3BC1E11ACDB1D   

   B4453343B0219A8C6D15AB280EFFB05F37                                          

  public-key-code end                                                          

 peer-public-key end                                                           

#

interface Vlan-interface1

 ip address 192.168.0.105 255.255.255.0

#

 ssh client authentication server 192.168.0.51 assign publickey key1

#

·     Switch B

#

vlan 1

#

local-user client001

 password cipher $c$3$G+xmuBmDrurppAOsyNcYNzNqB+C/NSFsPg==

 authorization-attribute level 3

 service-type ssh

#

interface Vlan-interface1

 ip address 192.168.0.51 255.255.255.0

#

 ssh server enable

 ssh user client001 service-type stelnet authentication-type password

#

user-interface vty 0 15

 authentication-mode scheme

 user privilege level 3

 protocol inbound ssh

#

1.6  设备作为SFTP客户端配置举例(publickey认证)

1.6.1  组网需求

图12所示,通过将Switch A配置为SFTP客户端,Switch B配置为SFTP服务器,在二者之间建立SSH连接,使用户能够从Switch A安全地登录到Switch B上进行文件管理和文件传送操作。为了提高认证强度,要求Switch B通过SSH的publickey认证方式对客户端进行认证,使用的公钥算法为DSA。

图12 设备作为SFTP客户端配置组网图

 

1.6.2  配置思路

为实现SSH的publickey认证方式,Switch A首先要生成DSA密钥对;而后将生成的DSA主机公钥导出到指定文件中,并上传给Switch B。Switch B也要生成DSA密钥对,并使用本地保存的客户端公钥,与报文中携带的客户端公钥进行比较,完成客户端持有公钥的正确性的验证。如果公钥验证成功,Switch A继续使用自己本地密钥对的私钥部分,对特定报文进行摘要运算,将所得的结果(即数字签名)发送给Switch B,向其证明自己的身份;Switch B使用预先配置的该用户的公钥,对Switch A发送过来的数字签名进行验证,验证成功后,建立安全的SSH连接。

1.6.3  配置步骤

1. 配置SwitchA作为SFTP客户端

# 配置VLAN接口1的IP地址。

<SwitchA> system-view

[SwitchA] interface vlan-interface 1

[SwitchA-Vlan-interface1] ip address 192.168.0.105 255.255.255.0

[SwitchA-Vlan-interface1] quit

# 生成DSA密钥对。

[SwitchA] public-key local create dsa

The range of public key size is (512 ~ 2048).                                  

NOTES: If the key modulus is greater than 512,                                 

It will take a few minutes.                                                     

Press CTRL+C to abort.                                                         

Input the bits of the modulus[default = 1024]:2048                             

Generating Keys...                                                             

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*                

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++

# 将生成的DSA主机公钥导出到指定文件key2.pub中。

[SwitchA] public-key local export dsa ssh2 key2.pub

..

[SwitchA] quit

客户端生成密钥对后,需要将保存的公钥文件key2.pub通过FTP/TFTP方式上传到服务器,具体请参见3. 配置客户端上传公钥文件

2. 配置Switch B作为FTP服务器

# 配置VLAN接口1的IP地址。

<SwitchB> system-view

[SwitchB] interface vlan-interface 1

[SwitchB-Vlan-interface1] ip address 192.168.0.51 255.255.255.0

[SwitchB-Vlan-interface1] quit

# 在SwitchB上创建一个ftp类型的本地用户,用户名和密码均为“ftp”。

[SwitchB] local-user ftp

New local user added.

[SwitchB-luser-ftp] password simple ftp

[SwitchB-luser-ftp] authorization-attribute level 3

[SwitchB-luser-ftp] authorization-attribute work-directory flash:/

[SwitchB-luser-ftp] service-type ftp

[SwitchB-luser-ftp] quit

# 开启SwitchB的FTP服务器功能。

[SwitchB] ftp server enable

[SwitchB] quit

3. 配置客户端上传公钥文件

# SwitchA登录FTP服务器,并上传公钥文件。

<SwitchA> ftp 192.168.0.51                                                     

Trying 192.168.0.51 ...                                                        

Press CTRL+K to abort                                                           

Connected to 192.168.0.51.                                                     

220 FTP service ready.                                                         

User(192.168.0.51:(none)):ftp                                                  

331 Password required for ftp.                                                 

Password:                                                                      

230 User logged in.                                                            

                                                                                

[ftp] put key2.pub                                                              

227 Entering Passive Mode (192,168,0,51,8,157).                                

125 ASCII mode data connection already open, transfer starting for /key2.pub.  

226 Transfer complete.                                                         

FTP: 1187 byte(s) sent in 0.206 second(s), 5.00Kbyte(s)/sec.                   

                                                                                

[ftp] quit                                                   

4. 配置SwitchB作为SFTP服务器

# 生成DSA密钥对,并开启SSH服务器功能。

[SwitchB] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Press CTRL+C to abort.

Input the bits of the modulus[default = 1024]:2048

Generating Keys...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

+++++++++++++++++++++++++++++++++++

# 使能SSH服务器功能。

[SwitchB] ssh server enable

# 启动SFTP服务器。

[SwitchB] sftp server enable

# 设置SSH客户端登录用户界面的认证方式为AAA认证,远程用户登录协议为SSH,用户能访问的命令级别为3。

[SwitchB] user-interface vty 0 15

[SwitchB-ui-vty0-15] authentication-mode scheme

[SwitchB-ui-vty0-15] protocol inbound ssh

[SwitchB-ui-vty0-15] user privilege level 3

[SwitchB-ui-vty0-15] quit

# 从文件key2.pub中导入远端的公钥。

[SwitchB] public-key peer Switch001 import sshkey key2.pub

# 创建本地用户client002,服务类型为SSH,并授权用户访问的命令级别为3。

[SwitchB] local-user client002

New local user added.

[SwitchB-luser-client002] service-type ssh

[SwitchB-luser-client002] authorization-attribute level 3

[SwitchB-luser-client002] quit

# 设置SSH用户client002的服务类型为SFTP,认证方式为publickey,并指定公钥为Switch001,工作目录为flash:/。

[SwitchB] ssh user client002 service-type sftp authentication-type publickey assign publickey Switch001 work-directory flash:/

1.6.4  验证配置

# 与远程SFTP服务器建立连接,进入SFTP客户端视图。

<SwitchA> sftp 192.168.0.51 identity-key dsa

Input Username: client002

Trying 192.168.0.51 ...

Press CTRL+K to abort

Connected to 192.168.0.51 ...

 

The Server is not authenticated. Continue? [Y/N]:y

Do you want to save the server public key? [Y/N]:n

 

sftp-client>

# 显示服务器的当前目录。

sftp-client> dir                                                                

-rwxrwxrwx   1 noone    nogroup      5268 Apr 26 23:50 startup.cfg             

-rwxrwxrwx   1 noone    nogroup  13138750 Apr 26 13:52 switchB.bin      

drwxrwxrwx   1 noone    nogroup         0 Apr 26 12:00 seclog                  

-rwxrwxrwx   1 noone    nogroup    466612 Apr 26 14:25 switchB.btm         

-rwxrwxrwx   1 noone    nogroup       287 Apr 26 23:50 system.xml              

-rwxrwxrwx   1 noone    nogroup      1187 Apr 26 15:06 key2.pub

sftp-client>

# 新增目录new1,并检查新目录是否创建成功。

sftp-client> mkdir new1

New directory created

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      5268 Apr 26 23:50 startup.cfg             

-rwxrwxrwx   1 noone    nogroup  13138750 Apr 26 13:52 switchB.bin      

drwxrwxrwx   1 noone    nogroup         0 Apr 26 12:00 seclog                  

-rwxrwxrwx   1 noone    nogroup    466612 Apr 26 14:25 switchB.btm         

-rwxrwxrwx   1 noone    nogroup       287 Apr 26 23:50 system.xml              

-rwxrwxrwx   1 noone    nogroup      1187 Apr 26 15:06 key2.pub

drwxrwxrwx   1 noone    nogroup         0 Apr 26 15:16 new1

# 将目录名new1更名为new2,并查看是否更名成功。

sftp-client> rename new1 new2

File successfully renamed

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      5268 Apr 26 23:50 startup.cfg             

-rwxrwxrwx   1 noone    nogroup  13138750 Apr 26 13:52 switchB.bin      

drwxrwxrwx   1 noone    nogroup         0 Apr 26 12:00 seclog                  

-rwxrwxrwx   1 noone    nogroup    466612 Apr 26 14:25 switchB.btm         

-rwxrwxrwx   1 noone    nogroup       287 Apr 26 23:50 system.xml              

-rwxrwxrwx   1 noone    nogroup      1187 Apr 26 15:06 key2.pub

drwxrwxrwx   1 noone    nogroup         0 Apr 26 15:16 new2

# 退出SFTP客户端视图。

sftp-client> quit

Bye

Connection closed.

<SwitchA>

1.6.5  配置文件

·     SwitchA

#

vlan 1

#                                                                              

 public-key peer Switch001                                                     

  public-key-code begin                                                        

   3082033B3082022E06072A8648CE380401308202210282010100F13ACC1693AFD04B9E1E8D  

   2A9DEA6DE8DE4C276BE2BF15B6CFF6E269B0169378CB0DDDE23D187827015DC67E67681939  

   14B823BDF215D0DAD7A151E434F9E128DAFB9DEFAE07874621E70D7FC4577D2851C707BC86  

   AC0FD3829B862C5CD7003334E3BBF36FD48D54766638788B790AAC6451407281A3694D6B74  

   DA31DA0415264F3FA3E1A6E0F57002C0FAEF46F15545242D323BF0ED85A3365F00702CBDE7  

   94C09A6C7DDE05F1E0E928E82EEA31DB2454CD2E6866599DDF2381163734AD5C6F8A98A791  

   BAD8942A5D12D674FCA42EA93FF7FDD23E4EE29C35F75C8E52EF1B132073679EE2E62DF435  

   CE35BB7F0FB756DF92A95C3652F979BD03F8D2BB62018B021500C773218C737EC8EE993B4F  

   2DED30F48EDACE915F0282010100D43E90A700F70A4EE08C728A297DA04566A0A112DC49AB  

   F51A37BBB56BFE518BBDCD71359EACE98712BEC58A261FC6D5FE78B9A67ED494288CB5A198  

   4CA67037A16BFC75B889829C92465BA094460D7EEF918969C0ADAE4841D14A880142151C39  

   4C28F2731304C456350479D62014C81F07A0BA5FD0F9301D8F9AF9F30C6D21471F00B65714  

   991F96E34328798FBFBAAA1A64A74EA05DFA2CA0035F2A94C2EBCE7D283D144D4F5B5B61B4  

   ED74E9A10E375FFE2FA9D2D41B889D36620183637A77D328C67C2196ABA36E3DAE08B77483  

   6A3B5D3BFD059A967F95A00863A1660EB59F9AAD7F470D14F3D174DB51885E6B430B003ACD  

   EB6C9B213A8749765992E40382010500028201001CBCFC26EBDF618121FA5B4934E0A591EC  

   B11954AE88AE577A87866D2861B1DB8629B65BE2E2892455EF125A936528338375BF0CEA85  

   F502FA2D0AA22675AE7908D06F34334FFE550B3D30EC28ABB668B0CAC9F8D26A198F4C8A0A  

   DC086E9F8A30E8F8035B3949F6004F18A6DA21E7A1DBAE52F56ABFD5B9A32A52C6F43A272C  

   9CAA7C751F0711BCECBE86BB16F0FC3939BD262B8732C6859156C456C01989EB37A275E8C9  

   D4A2091433205693760557E3CA8A3CDA432856026C2F6279CC516CA84265CA63621DFB97A7  

   2A40BC3C6DAD3A7D6DEDD3550293A81A36767C41501E7ECB217C85EC3779CAF0514C479A8D  

   D476C2D4D1BE2A9D29F0206006CED45675                                          

  public-key-code end                                                          

 peer-public-key end                                                            

#

interface Vlan-interface1

 ip address 192.168.0.105 255.255.255.0

#

 ssh user client002 service-type sftp authentication-type publickey

assign publickey Switch001

·     Switch B

#                                                                               

 ftp server enable                                                             

#

vlan 1

#

local-user client002

 authorization-attribute level 3

 service-type ssh

#

local-user ftp                                                                 

 password cipher $c$3$1KhhVXwJ6k3Ms0RMDqHOYCEKHzhULw==                         

 authorization-attribute work-directory flash:/                                

 authorization-attribute level 3                                               

 service-type ftp 

#

interface Vlan-interface1

 ip address 192.168.0.51 255.255.255.0

#

user-interface vty 0 15

 authentication-mode scheme

 user privilege level 3

 protocol inbound ssh

#

不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!

新华三官网
联系我们