H3C WX3000 Series Unified Switches Switching Engine Command Reference-6W103

27-SSH Command

SSH Commands

display public-key local

Syntax

display public-key local { dsa | rsa } public

View

Any view

Parameters

dsa: Specifies the local key pair type as DSA.

rsa: Specifies the local key pair type as RSA.

Description

Use the display public-key local command to display the public key of the local RSA or DSA key pair.

Examples

# Display the public key of the local RSA key pair.

<device> display public-key local rsa public

 

=====================================================

Time of Key pair created: 02:43:19  2000/04/02

Key name: HOST_KEY

Key type: RSA encryption Key

=====================================================

Key code:

30819F300D06092A864886F70D010101050003818D0030818902818100DA643BE191FC0769CD00C2

9227213B24C34F307FBFB4475591A3DF770EAE78916C1FC45A5333017057298C3DFDCDAD3040D297

78793AB668DBCC3AD9802052E767824C7C4F83DDC7F170CA374CC3E566287E4107FEE585C149EC16

45C4D6B7DAF666F198014CC3DDBDBD4B90423966849933770BD6DB4EDFA0964977D2AB5259020301

0001   

 

=====================================================

Time of Key pair created: 15:57:53  2006/04/22

Key name: SERVER_KEY

Key type: RSA encryption Key

=====================================================

Key code:

307C300D06092A864886F70D0101010500036B003068026100C57E697413FDD86D30DF9ED1C98ACC

34794F5662F352C085EC0DBD8C7540B653AE71B174FE95D8147AB4E958FF5033E0F51E8A0EB55B73

EF6575221D0D17D1585301A26AD8DEE9FCFF4345AF4AFAF5E4FBA9A5234C553C7D81EA67710344B2

E90203010001

# Display the public key of the local DSA key pair.

<device> display public-key local dsa public

 

=====================================================

Time of Key pair created: 02:46:43  2000/04/02

Key name: HOST_KEY

Key type: DSA encryption Key

=====================================================

Key code:


display public-key peer

Syntax

display public-key peer [ brief | name pubkey-name ]

View

Any view

Parameters

brief: Displays the brief information about the public keys of all users.

pubkey-name: Name of the public key, a string of 1 to 64 characters.

Description

Use the display public-key peer command to display the information about the public keys of users. If no public key name is specified, the brief information about the public keys of all users is displayed. If a public key name is specified, the information about the specified public key is displayed.

 

 

Sometimes the public key modulus length displayed with the display public-key peer command is one bit smaller than the length you specified. This is because the generated key pair can actually be one bit shorter than specified. For example, when you specify a 1024-bit key pair, the generated key pair may have 1024 or 1023 bits.

 

Examples

# Display the brief information about the public keys of all users.

<device> display public-key peer brief

Type  Module  Name

---------------------------

RSA   1024    idrsa

DSA   1024    127.0.0.1

RSA   1024    18

# Display the information about the public key named pubkey-name.

<device> display public-key peer name pubkey-name

=====================================

  Key name  : pubkey-name

  Key type  : RSA

  Key module: 1024

=====================================

Key Code:

30819D300D06092A864886F70D010101050003818B00308187028181009C46A8710216CEC0C01C7CE136BA76

C79AA6040E79F9E305E453998C7ADE8276069410803D5974F708496947AB39B3F39C5CE56C95B6AB7442D563

93BF241F99A639DD02D9E29B1F5C1FD05CC1C44FBD6CFFB58BE6F035FAA2C596B27D1231D159846B7CB9A775

7C5800FADA9FD72F65672F4A549EE99F63095E11BD37789955020123

display rsa local-key-pair public

Syntax

display rsa local-key-pair public

View

Any view

Parameters

None

Description

Use the display rsa local-key-pair public command to display the public keys of the RSA host key pair and server key pair on the server. If no key pair has been generated, the system prompts “% RSA keys not found”.

Related commands: rsa local-key-pair create.

Examples

# Display the public keys of the host key pair and server key pair on the server.

<device> display rsa local-key-pair public

 

=====================================================

Time of Key pair created: 20:08:35  2000/04/02

Key name: device_Host

Key type: RSA encryption Key

=====================================================

Key code:

3047

  0240

    DE99B540 87B666B9 69C948CD BBCC2B60 997F9C18

    9AA6651C 6066EF76 242DEAD1 DEFEA162 61677BD4

    1A7BFAE7 668EDAA9 FB048C37 A0F1354D 5798C202

    2253F4F5

  0203

    010001

 

=====================================================

Time of Key pair created: 20:08:46  2000/04/02

Key name: device_Server

Key type: RSA encryption Key

=====================================================

Key code:

3067

  0260

    D6D70AE4 D2A900BE AC21B4E7 617CBEFA 2BAED61F

    B637070C 093F43AF 9DB9D644 BCD921EF D056EF36

    26825C2A 1FC0EFC3 E27B5110 3F20F790 6C83274B

    D0FC303F 51072D6C B5D0054D 3673EBA0 A4748984

    5EBF6EBE CF6A13B1 C7858241 A2A9AA79

  0203

    010001   

 

After the rsa local-key-pair create command is executed, you can execute the display rsa local-key-pair public command, which will display:

- Two public keys (the host public key and server public key) if the device works in SSH1.x-compatible mode.

- Only one public key (the host public key) if the device works in SSH2.0 mode.

 

display rsa peer-public-key

Syntax

display rsa peer-public-key [ brief | name keyname ]

View

Any view

Parameters

brief: Displays brief information about all client public keys.

keyname: Name of a client public key, a string of 1 to 64 characters.

Description

Use the display rsa peer-public-key command to display the public key in the RSA key pair of a specific client. If no key name is specified, the command displays all client public keys.

 

 

Sometimes the public key modulus length displayed with the display rsa peer-public-key command is one bit smaller than the length you specified. This is because the generated key pair can actually be one bit shorter than specified. For example, when you specify a 1024-bit key pair, the generated key pair may have 1024 or 1023 bits.

 

Examples

# Display all client public keys in brief.

<device> display rsa peer-public-key brief

Type  Module  Name

---------------------------

DSA   1024    2

DSA   1024    a

# Display the client public key named "abcd".

<device> display rsa peer-public-key name abcd

 

=====================================

  Key name  : abcd

  Key type  : RSA

  Key module: 1024

=====================================

Key Code:

30819F300D06092A864886F70D010101050003818D0030818902818100B0EEC8768E310AE2EE44D6

5A2F944E2E6F32290D1ECBBFFF22AA11712151FC29F1C1CD6D7937723F77103576C41A03DB32F32C

46DEDA68566E89B53CD4DF8F9899B138C578F7666BFB5E6FE1278A84EC8562A12ACBE2A43AF61394

276CE5AAF5AF01DA8B0F33E08335E0C3820911B90BF4D19085CADCE0B50611B9F6696D3193020301

0001

display ssh server

Syntax

display ssh server { session | status }

View

Any view

Parameters

status: Displays SSH status information.

session: Displays SSH session information.

Description

Use the display ssh server command to display status or session information about the SSH Server.

Related commands: ssh server authentication-retries, ssh server timeout.

Examples

# Display status information about the SSH Server.

<device> display ssh server status

 SSH version : 1.99

 SSH connection timeout : 60 seconds

 SSH server key generating interval : 0 hours

 SSH Authentication retries : 3 times

 SFTP Server: Disable

 SFTP idle timeout : 10 minutes     

 

- If you use the ssh server compatible-ssh1x enable command to configure the server to be compatible with SSH1.x clients, the SSH version is displayed as 1.99.

- If you use the undo ssh server compatible-ssh1x command to configure the server not to be compatible with SSH1.x clients, the SSH version is displayed as 2.0.

 

# Display session information about the SSH Server.

<device> display ssh server session

 Conn   Ver   Encry    State     Retry    SerType  Username

 VTY 0  2.0   AES      started   0        stelnet  kk

 VTY 1  2.0   AES      started   0        sFTP     abc

Table 1-1 display ssh server session command output description

Field      Description
Conn       Number of VTY interface used for user login
Ver        SSH version
Encry      Encryption algorithm used by SSH
State      Session status
Retry      Number of connection retries
SerType    Service type
Username   User name

 

display ssh server-info

Syntax

display ssh server-info

View

Any view

Parameters

None

Description

Use the display ssh server-info command to display the association between the server public keys configured on the client and the servers.

Examples

# Display the association between the server public keys and the servers.

<device> display ssh server-info

Server Name(IP)                                   Server public key name

_________________________________________________________________________

 

192.168.0.90                                      192.168.0.90

display ssh user-information

Syntax

display ssh user-information [ username ]

View

Any view

Parameters

username: SSH user name, a string of 1 to 184 characters.

Description

Use the display ssh user-information command to display information about the current SSH users, including user name, authentication type, corresponding public key name and authorized service type. If the username argument is specified, the command displays information about the specified user.

Examples

# Display information about the current SSH users.

<device> display ssh user-information

 Username            Authentication-type  User-public-key-name  Service-type

 kk                 publickey            test                  sftp  

display ssh2 source-ip

Syntax

display ssh2 source-ip

View

Any view

Parameters

None

Description

Use the display ssh2 source-ip command to display the current source IP address or the IP address of the source interface specified for the SSH client. If neither source IP address nor source interface is specified, the command displays 0.0.0.0.

Examples

# Display the current source IP address specified for the SSH Client.

<device> display ssh2 source-ip

The source IP you specified is 192.168.0.1

display ssh-server source-ip

Syntax

display ssh-server source-ip

View

Any view

Parameters

None

Description

Use the display ssh-server source-ip command to display the current source IP address or the IP address of the source interface specified for the SSH server. If neither source IP address nor source interface is specified, the command displays 0.0.0.0.

Examples

# Display the current source IP address specified for the SSH Server.

<device> display ssh-server source-ip

The source IP you specified is 192.168.1.1

peer-public-key end

Syntax

peer-public-key end

View

Public key view

Parameters

None

Description

Use the peer-public-key end command to return from public key view to system view.

Related commands: rsa peer-public-key, public-key-code begin.

Examples

# Exit public key view.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa peer-public-key Switch003

RSA public key view: return to System View with "peer-public-key end".

[device-rsa-public-key] peer-public-key end

[device]

protocol inbound

Syntax

protocol inbound { all | ssh | telnet }

View

VTY user interface view

Parameters

all: Supports both Telnet and SSH.

ssh: Supports only SSH.

telnet: Supports only Telnet.

Description

Use the protocol inbound command to configure specific user interface(s) to support specified protocol(s). The configuration will take effect at next user login.

By default, both SSH and Telnet are supported.

 

 

- If you have configured a user interface to support SSH protocol, to ensure a successful login to the user interface, you must configure AAA authentication for the user interface by using the authentication-mode scheme command.

- For a user interface, if you have executed the authentication-mode password or authentication-mode none command, the protocol inbound ssh command cannot be executed; if you have executed the protocol inbound ssh command, neither of the authentication-mode password and authentication-mode none commands can be executed.

 

Examples

# Configure vty0 through vty4 to support SSH only.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] user-interface vty 0 4

[device-ui-vty0-4] authentication-mode scheme

[device-ui-vty0-4] protocol inbound ssh

public-key local create

Syntax

public-key local create { dsa | rsa }

View

System view

Parameters

dsa: Specifies the local key pair type as DSA.

rsa: Specifies the local key pair type as RSA.

Description

Use the public-key local create command to create a local DSA key pair or RSA key pair.

Note that:

- After entering this command, you will be prompted to provide the length of the key pair. The length of a server/host key must be in the range 512 to 2048 bits and defaults to 1024. If the key pair already exists, the system will ask you whether you want to overwrite it.

- The configuration of this command can survive a reboot. You only need to configure it once.

Examples

# Create a local RSA key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key local create rsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

...++++++

...................................................................++++++

...........................++++++++

.....++++++++

......                                                                     

# Create a local DSA key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key local create dsa

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

.++++++++++++++++++++++++++++++++++++++++++++++++++*

........+......+.....+......................................+..+................

.......+..........+..............+.............+...+.....+...............+..+...

...+.................+..........+...+....+.......+.....+............+.........+.

........................+........+..........+..............+.....+...+..........

..............+.........+..........+...........+........+....+..................

.....+++++++++++++++++++++++++++++++++++++++++++++++++++*

......                             

public-key local destroy

Syntax

public-key local destroy { dsa | rsa }

View

System view

Parameters

dsa: Specifies the local key pair type as DSA.

rsa: Specifies the local key pair type as RSA.

Description

Use the public-key local destroy command to destroy the local DSA key pair or RSA key pair.

Examples

# Destroy the local RSA key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key local destroy rsa

% Confirm to destroy these keys? [Y/N]:y

......

# Destroy the local DSA key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key local destroy dsa

% Confirm to destroy these keys? [Y/N]:y

......

public-key local export rsa

Syntax

public-key local export rsa { openssh | ssh1 | ssh2 } [ filename ]

View

System view

Parameters

rsa: Specifies the key type as RSA.

openssh: Specifies the format of the exported file as OpenSSH.

ssh1: Specifies the format of the exported file as SSH1.

ssh2: Specifies the format of the exported file as SSH2.

filename: Name of the exported public key file, a string of 1 to 142 characters.

Description

Use the public-key local export rsa command to display the RSA local public key on the screen or export it to a specified file.

Related commands: public-key local create, public-key local destroy.

Examples

# Export the public key of the local RSA key pair in the format of OpenSSH and save the public key file as pub_ssh_file2.

<device> system-view

[device] public-key local export rsa openssh pub_ssh_file2

# Export the public key of the local RSA key pair in the format of SSH1 and save the public key file as pub_ssh_file3.

<device> system-view

[device] public-key local export rsa ssh1 pub_ssh_file3

# Export the public key of the local RSA key pair in the format of OpenSSH and display it on the screen.

<device> system-view

[device] public-key local export rsa openssh

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgJp9xSd08CLsjJSP2ns9BezJpbBiT0e62hmPyUdFJXS+ZYywnZ2oofy9lZAm

QrGEqJtkifWpI1gqboM0LAqtGxS145Nlyz+MnVME+NH0XbuMEIa2zI2l3XmwgyEOcMMaJ0RAQ4ui3O3ijAs4Vuec

gANyMy9ShSsvkNluru3ZrW1Z rsa-key

public-key local export dsa

Syntax

public-key local export dsa { openssh | ssh2 } [ filename ]

View

System view

Parameters

openssh: Uses the format of OpenSSH.

ssh2: Uses the format of SSH2.

filename: Name of the exported public key file, a string of 1 to 142 characters.

Description

Use the public-key local export dsa command to display the DSA local public key on the screen or export it to a specified file.

Related commands: public-key local create, public-key local destroy.

Examples

# Export the DSA local public key in OpenSSH format.

<device> system-view

[device] public-key local export dsa openssh key.pub

# Display the DSA local public key in SSH2 format.

<device> system-view

[device] public-key local export dsa ssh2

---- BEGIN SSH2 PUBLIC KEY ----

Comment: "dsa-key-20000410"


---- END SSH2 PUBLIC KEY ----

# Display the DSA local public key in OpenSSH format.

<device> system-view

[device] public-key local export dsa openssh


public-key peer

Syntax

public-key peer keyname

undo public-key peer keyname

View

System view

Parameters

keyname: Name of the public key, a string of 1 to 64 characters.

Description

Use the public-key peer command to enter public key view.

Use the undo public-key peer command to delete the configuration of peer public key.

After configuring this command, you enter public key view. You can use this command together with the public-key-code begin command to configure the peer public key.

Only a public key whose modulus is 512 to 2,048 bits long can currently be configured on the device.

 

Examples

# Enter public key view.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key peer pub.ppk

PKEY public key view: return to System View with "peer-public-key end".

[device-peer-public-key]

public-key peer import sshkey

Syntax

public-key peer keyname import sshkey filename

undo public-key peer keyname

View

System view

Parameters

keyname: Name of the public key, a string of 1 to 64 characters.

filename: Name of the file used to save the public key, a string of 1 to 142 characters.

Description

Use the public-key peer import sshkey command to import a peer public key from the public key file.

Use the undo public-key peer command to remove the setting.

 

- Public key files only support the format of SSH1, SSH2, or OpenSSH.

- Only a public key whose modulus is 512 to 2,048 bits long can be imported to the server from the public key file of the user.

 

Examples

# Import the public key of the user from the public key file named pub.ppk and name it as peer.pk.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] public-key peer peek_pk import sshkey pub.ppk

public-key-code begin

Syntax

public-key-code begin

View

Public key view

Parameters

None

Description

Use the public-key-code begin command to enter public key edit view.

After entering public key code view, you can input the key data. The key data must be a hexadecimal string encoded in compliance with PKCS.

Related commands: rsa peer-public-key, public-key-code end.

Examples

# Enter public key edit view and input a public key.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa peer-public-key Switch003

RSA public key view: return to System View with "peer-public-key end".

[device-rsa-public-key] public-key-code begin

RSA key code view: return to last view with "public-key-code end".

[device-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[device-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[device-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[device-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[device-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[device-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[device-rsa-key-code] public-key-code end

[device-rsa-public-key]

public-key-code end

Syntax

public-key-code end

View

Public key edit view

Parameters

None

Description

Use the public-key-code end command to return from public key edit view to public key view and save the public key you input.

After you use this command to end editing the public key, the system will check the validity of the public key before saving the key.

- If there is any illegal character in the key, your configuration fails. In this case, a prompt is displayed and the key is discarded.

- If the key is valid, it is saved in the local public key list.

Related commands: rsa peer-public-key, public-key-code begin.

Examples

# Exit public key edit view and save the public key you input.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa peer-public-key Switch003

RSA public key view: return to System View with "peer-public-key end".

[device-rsa-public-key] public-key-code begin

RSA key code view: return to last view with "public-key-code end".

[device-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463

[device-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913

[device-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4

[device-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC

[device-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16

[device-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125

[device-rsa-key-code] public-key-code end

[device-rsa-public-key]
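The key code entered in public key edit view is DER-encoded key data in hexadecimal, and the modulus it carries can be one bit shorter than the nominal size, as the notes under display public-key peer and display rsa peer-public-key describe. The following Python sketch is an added example, not H3C code: it decodes the key code typed in the example above and checks the modulus length against the 512 to 2048 bit range. The function names and the SubjectPublicKeyInfo wrapping step are assumptions made for the illustration.

```python
import re

# AlgorithmIdentifier for rsaEncryption, as seen at the start of the
# "display public-key" key codes on this page (30 0D 06 09 2A86... 05 00).
RSA_ALG_ID = bytes.fromhex("300D06092A864886F70D0101010500")
MIN_BITS, MAX_BITS = 512, 2048  # modulus range the page states for peer keys

# Key code lines typed in the public-key-code begin example on this page.
PAGE_KEY_CODE = """
308186028180739A291ABDA704F5D93DC8FDF84C427463
1991C164B0DF178C55FA833591C7D47D5381D09CE82913
D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
"""


def key_code_to_bytes(text):
    """Join the typed lines and reject anything that is not clean hex."""
    compact = re.sub(r"\s+", "", text)
    if not compact or len(compact) % 2 or re.search(r"[^0-9A-Fa-f]", compact):
        raise ValueError("key code must be a non-empty, even-length hex string")
    return bytes.fromhex(compact)


def read_tlv(buf, pos, tag):
    """Return (value, next_pos) for the DER element with this tag at pos."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02X} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        count = length & 0x7F
        if count not in (1, 2) or pos + count > len(buf):
            raise ValueError("unsupported DER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER element runs past the end of the key code")
    return buf[pos:pos + length], pos + length


def parse_rsa_public_key(der):
    """Return (modulus, exponent) from PKCS#1 or SubjectPublicKeyInfo DER."""
    body, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after the outer SEQUENCE")
    if body[:1] == b"\x30":  # SubjectPublicKeyInfo: unwrap to the inner key
        alg, pos = read_tlv(body, 0, 0x30)
        if alg != RSA_ALG_ID[2:]:
            raise ValueError("not an rsaEncryption key")
        bit_string, pos = read_tlv(body, pos, 0x03)
        if pos != len(body) or bit_string[:1] != b"\x00":
            raise ValueError("malformed BIT STRING")
        body, end = read_tlv(bit_string, 1, 0x30)
        if end != len(bit_string):
            raise ValueError("trailing bytes inside the BIT STRING")
    n_raw, pos = read_tlv(body, 0, 0x02)
    e_raw, pos = read_tlv(body, pos, 0x02)
    if pos != len(body):
        raise ValueError("unexpected data after the exponent")
    # Read both integers as unsigned: the 00 pad byte may or may not be present.
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def der_len(n):
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return raw if n < 0x80 else bytes([0x80 | len(raw)]) + raw


def wrap_spki(pkcs1):
    """Constructed input: wrap a PKCS#1 key in SubjectPublicKeyInfo."""
    bit_string = b"\x03" + der_len(len(pkcs1) + 1) + b"\x00" + pkcs1
    body = RSA_ALG_ID + bit_string
    return b"\x30" + der_len(len(body)) + body


def audit_key_code(text):
    """Summarise a key code: real modulus length, nominal size, range check."""
    n, e = parse_rsa_public_key(key_code_to_bytes(text))
    bits = n.bit_length()
    nominal = (bits + 7) // 8 * 8  # assumption: sizes are whole bytes
    return {"modulus_bits": bits, "nominal_bits": nominal, "exponent": e,
            "in_device_range": MIN_BITS <= bits <= MAX_BITS}


if __name__ == "__main__":
    print(audit_key_code(PAGE_KEY_CODE))
```

The modulus in this key code occupies 128 bytes but its top bit is clear, which is the 1023-bit case of a nominal 1024-bit key.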

rsa local-key-pair create

Syntax

rsa local-key-pair create

View

System view

Parameters

None

Description

Use the rsa local-key-pair create command to generate an RSA host key pair and an RSA server key pair, which are respectively named in the format of device name plus "_Host", and device name plus "_Server", for example, device_Host and device_Server.

Note that:

- After entering this command, you will be prompted to provide the length of the key pair. The length of a server/host key must be in the range 512 to 2048 bits and defaults to 1024. If the key pair already exists, the system will ask you whether you want to overwrite it.

- The configuration of this command can survive a reboot. You only need to configure it once.

 

After the rsa local-key-pair create command is executed, you can execute the display rsa local-key-pair public command, which will display:

- Two public keys (device_Host and device_Server) if the device works in SSH1.x-compatible mode.

- Only one public key (device_Host) if the device works in SSH2 mode.

 

Related commands: rsa local-key-pair destroy, display rsa local-key-pair public.

Examples

# Generate a local RSA key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa local-key-pair create

The local-key-pair will be created.

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       It will take a few minutes.

Input the bits in the modulus[default = 1024]:

Generating keys...

........................++++++

.......++++++

.................................++++++++

...++++++++

........Done!

rsa local-key-pair destroy

Syntax

rsa local-key-pair destroy

View

System view

Parameters

None

Description

Use the rsa local-key-pair destroy command to destroy the RSA host key pair and server key pair.

Related commands: rsa local-key-pair create.

Examples

# Destroy the RSA host key pair and server key pair.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa local-key-pair destroy

% The local-key-pair will be destroyed.

% Confirm to destroy these keys? [Y/N]:y

.............Done!

rsa peer-public-key

Syntax

rsa peer-public-key keyname

undo rsa peer-public-key keyname

View

System view

Parameters

keyname: Name of the public key to be configured, a string of 1 to 64 characters.

Description

Use the rsa peer-public-key command to enter public key view.

Use the undo rsa peer-public-key command to remove the setting.

After using this command, you can use the public-key-code begin command to configure the peer public key.

Related commands: public-key-code begin, public-key-code end, rsa local-key-pair create.

Examples

# Enter Switch002 public key view.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa peer-public-key Switch002

RSA public key view: return to System View with "peer-public-key end".

[device-rsa-public-key]

rsa peer-public-key import sshkey

Syntax

rsa peer-public-key keyname import sshkey filename

undo rsa peer-public-key keyname

View

System view

Parameters

keyname: Name of the public key to be configured, a string of 1 to 64 characters.

filename: Name of a public key file, a string of 1 to 142 characters.

Description

Use the rsa peer-public-key import sshkey command to import a peer public key from the public key file.

Use the undo rsa peer-public-key command to remove the setting.

After execution of this command, the system automatically transforms the public key file into PKCS format, and imports the peer public key. This requires that you get a copy of the public key file from the peer through FTP/TFTP.

 

The rsa peer-public-key import sshkey command can transform only RSA public keys. If you need to transform DSA public keys, use the public-key peer import sshkey command.

 

Examples

# Transform the format of client public key file abc and configure a public key named 123.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] rsa peer-public-key 123 import sshkey abc

ssh authentication-type default

Syntax

ssh authentication-type default { all | password | password-publickey | publickey | rsa }

undo ssh authentication-type default

View

System view

Parameters

all: Specifies either the password authentication or the public key authentication for SSH users.

password: Specifies the authentication mode for SSH users as password authentication.

password-publickey: Specifies that both the password and the public key must be authenticated for SSH users.

publickey: Specifies the authentication mode for the SSH user as public key (RSA key or DSA key) authentication.

rsa: Specifies the authentication mode for the SSH user as public key (RSA key or DSA key) authentication.

Description

Use the ssh authentication-type default command to specify a default authentication mode for SSH users. After this command is configured, when an SSH user is added by using the ssh user command, the default authentication mode is adopted for the user if no authentication mode is specified by using the ssh user authentication-type command.

Use the undo ssh authentication-type default command to remove the specified default authentication mode. That is, no default authentication mode is specified for SSH users. In this case, when an SSH user is added, you must specify an authentication mode for the user at the same time.

By default, no default authentication mode is specified.

Examples

# Specify the public key authentication as the default authentication mode.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh authentication-type default publickey

ssh client assign

Syntax

ssh client { server-ip | server-name } assign { publickey | rsa-key } keyname

undo ssh client { server-ip | server-name } assign { publickey | rsa-key }

View

System view

Parameters

server-ip: IP address of the server.

server-name: Name of the server, a string of 1 to 184 characters.

keyname: Name of the public key of the server, a string of 1 to 64 characters.

 

Both publickey and rsa-key specify the public key. They are implemented in the same way.

 

Description

Use the ssh client assign command to specify, on the client, the name of the public key of the server so that the client can verify whether the server to be accessed is trustworthy.

Use the undo ssh client assign command to remove the mapping between the client and the public key of the server.

Examples

# Specify the name of the RSA public key of the server (whose IP address is 192.168.0.1) as pub.ppk on the client.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh client 192.168.0.1 assign rsa-key pub.ppk

ssh client first-time enable

Syntax

ssh client first-time enable

undo ssh client first-time

View

System view

Parameters

None

Description

Use the ssh client first-time enable command to enable the client to run initial authentication for the SSH server it accesses for the first time.

Use the undo ssh client first-time command to disable the client from running initial authentication.

 

 

If initial authentication is enabled and the SSH client accesses an SSH server for the first time without having the public key of the server, the client lets you choose to continue the access and save the public key of the server to the local device. The next time the client accesses that server, it authenticates the server against the locally saved public key.

 

When initial authentication is disabled, the SSH client cannot access an SSH server if it does not have the public key of the server. In this case, you must first save the public key of the target server to the client in another way.

By default, the client is enabled to run initial authentication.

Examples

# Enable the client to run initial authentication.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh client first-time enable

ssh server authentication-retries

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

View

System view

Parameters

times: Authentication retry times, in the range of 1 to 5.

Description

Use the ssh server authentication-retries command to set the authentication retry times for SSH connections.

Use the undo ssh server authentication-retries command to restore the default authentication retry times.

By default, the number of authentication retry times is 3.

The configuration here will take effect at next user login.

Related commands: display ssh server.

 

If you have used the ssh user authentication-type command to configure the authentication type of a user to password-publickey, you must set the authentication retry times to a number greater than or equal to 2 (so that the user can access the device).

 

Examples

# Set the authentication retry times to four.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh server authentication-retries 4

ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

View

System view

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to make the server compatible with SSH1.x clients.

Use the undo ssh server compatible-ssh1x command to make the server incompatible with SSH1.x clients.

By default, the server is compatible with SSH1.x clients.

Examples

# Make the server compatible with SSH1.x clients.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh server compatible-ssh1x enable

ssh server rekey-interval

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

View

System view

Parameters

hours: Interval to update the server keys, ranging from 1 to 24 (in hours).

Description

Use the ssh server rekey-interval command to set the interval to update the server keys regularly.

Use the undo ssh server rekey-interval command to cancel the current configuration.

By default, the update interval is zero, which indicates the system does not update the server keys.

 

This command only takes effect on users whose client version is SSH1.x.

 

Examples

# Set the interval for updating the server keys to 3 hours.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh server rekey-interval 3

ssh server timeout

Syntax

ssh server timeout seconds

undo ssh server timeout

View

System view

Parameters

seconds: Authentication timeout time, ranging from 1 to 120 (in seconds).

Description

Use the ssh server timeout command to set the authentication timeout time for SSH connections.

Use the undo ssh server timeout command to restore the default timeout time (that is, 60 seconds).

The configuration here will take effect at next login.

Related commands: display ssh server.

Examples

# Set the authentication timeout time to 80 seconds.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh server timeout 80

ssh user

Syntax

ssh user username

undo ssh user username

View

System view

Parameters

username: Valid SSH user name, a string of 1 to 184 characters.

Description

Use the ssh user command to create an SSH user.

Use the undo ssh user command to delete a specified SSH user.

For an SSH user created by using this command, if you do not specify an authentication type by using the ssh user authentication-type command for this user, this SSH user adopts the default authentication type. On the other hand, if the default authentication type is not specified, you need to specify an authentication type for this SSH user.

 

An SSH user is created on an SSH server for the purpose of specifying the authentication type, the SSH service type, and the public key for the SSH user. An existing SSH user will be removed automatically if it has none of the authentication type, the SSH service type, and the public key configured.

 

Examples

# Specify the default authentication type as password authentication. Create an SSH user with the name “abc”.

<device> system-view

Enter system view, return to user view with Ctrl+Z.

[device] ssh authentication-type default password

[device] ssh user abc

ssh user assign

Syntax

ssh user username assign { publickey | rsa-key } keyname

undo ssh user username assign { publickey | rsa-key }

View

System view

Parameters

username: Valid SSH user name, a string of 1 to 184 characters.

keyname: Name of a public key, a string of 1 to 64 characters.

Description

Use the ssh user assign command to assign an existing public key to a specified SSH user.

Use the undo ssh user assign command to remove the association.

If a public key is assigned to a user more than once, the most recently assigned public key is used.

The new public key takes effect when the user logs in next time.

 

The publickey and rsa-key keywords both specify the public key. They are implemented in the same way.

 

Examples

# Assign a public key named 127.0.0.1 to SSH client 1.

<device>system-view

System View: return to User View with Ctrl+Z.

[device]ssh user 1 assign publickey 127.0.0.1

ssh user authentication-type

Syntax

ssh user username authentication-type { all | password | password-publickey | publickey | rsa }

undo ssh user username authentication-type

View

System view

Parameters

username: Valid SSH user name, a string of 1 to 184 characters.

all: Specifies that the authentication mode for the SSH user can be either password authentication or public key authentication.

password: Specifies the authentication mode for the SSH user as password authentication.

password-publickey: Specifies the authentication mode for the SSH user as password and public key. An SSH user who passes both password authentication and public key authentication can log in successfully.

publickey: Specifies the authentication mode for the SSH user as public key (RSA key or DSA key) authentication.

rsa: Specifies the authentication mode for the SSH user as public key (RSA key or DSA key) authentication.

 

For the password-publickey authentication type:

• SSH1 client users can access the device as long as they pass one of the two authentications.

• SSH2 client users can access the device only when they pass both authentications.

 

Description

Use the ssh user authentication-type command to specify the authentication mode for SSH users on the server.

Use the undo ssh user authentication-type command to remove any authentication type for users so that users cannot log in to the server.

By default, no authentication type is specified for an SSH user, and the user cannot access the device. For a new user, you must specify the authentication type.

Examples

# Specify the public key authentication for SSH users.

<device>system-view

System View: return to User View with Ctrl+Z.

[device]ssh user guest authentication-type publickey
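The SSH1.x compatibility default, the password-publickey note, and the retry requirement interact, so the sketch below audits a list of commands for those combinations. It is an added example, not part of the H3C reference; the input format (one entered command per line), the sample configuration, and the finding names are assumptions made for illustration.

```python
import re

# Constructed sample: commands from this reference, one per line, in the
# order an administrator would enter them (not captured device output).
SAMPLE_CONFIG = """\
ssh server authentication-retries 1
ssh authentication-type default publickey
ssh user admin authentication-type password-publickey
ssh user backup authentication-type password
ssh user guest
"""

def audit_ssh_server(config_text):
    """Return sorted (user, finding) tuples for a list of SSH commands."""
    ssh1_compatible = True  # documented default: compatible with SSH1.x
    retries = 3             # documented default retry times
    default_auth = None     # documented default: no default mode
    users = {}              # user name -> authentication type, or None

    for line in map(str.strip, config_text.splitlines()):
        if line == "undo ssh server compatible-ssh1x":
            ssh1_compatible = False
        elif line == "ssh server compatible-ssh1x enable":
            ssh1_compatible = True
        elif m := re.fullmatch(r"ssh server authentication-retries ([1-5])", line):
            retries = int(m.group(1))
        elif m := re.fullmatch(r"ssh authentication-type default (\S+)", line):
            default_auth = m.group(1)
        elif m := re.fullmatch(r"ssh user (\S+) authentication-type (\S+)", line):
            users[m.group(1)] = m.group(2)
        elif m := re.fullmatch(r"ssh user (\S+)", line):
            # A new user adopts the default mode in effect at creation.
            users.setdefault(m.group(1), default_auth)

    findings = []
    for user, auth in users.items():
        if auth is None:
            findings.append((user, "NO_AUTH_TYPE"))       # cannot log in
        elif auth == "password-publickey":
            if ssh1_compatible:
                # SSH1 clients pass with only one of the two authentications.
                findings.append((user, "SSH1_EITHER_AUTH"))
            if retries < 2:
                # The reference requires at least 2 retries for this type.
                findings.append((user, "RETRIES_BELOW_2"))
    return sorted(findings)
```

For the sample, user admin is reported twice: SSH1.x compatibility is still at its default, and the retry count of 1 is below the required minimum of 2.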

ssh user service-type

Syntax

ssh user username service-type { stelnet | sftp | all }

undo ssh user username service-type

View

System view

Parameters

username: SSH user name, a string of 1 to 184 characters.

stelnet: Specifies that the user can access the secure Telnet service.

sftp: Specifies that the user can access the SFTP service.

all: Specifies that the user can access both services (secure Telnet and SFTP).

Description

Use the ssh user service-type command to configure the service type for a user so that the user can access the specified service(s).

Use the undo ssh user service-type command to remove the service type specified for an SSH user.

The default service type for an SSH user is stelnet.

Related commands: display ssh user-information.

Examples

# Specify that user kk can access SFTP service.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh user kk service-type sftp

ssh2

Syntax

ssh2 { host-ip | host-name } [ port-num ] [ identity-key { dsa | rsa } | prefer_kex { dh_group1 | dh_exchange_group } | prefer_ctos_cipher { des | aes128 } | prefer_stoc_cipher { des | aes128 } | prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } | prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] *

View

System view

Parameters

host-ip: Server IP address.

host-name: Server name, a string of 1 to 20 characters.

port-num: Server port number. It is in the range of 0 to 65,535 and defaults to 22.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is rsa.

prefer_kex: Specifies the preferred key exchange algorithm. You can select one from the following two algorithms.

• dh_group1: Diffie-Hellman-group1-sha1 key exchange algorithm. It is the default algorithm.

• dh_exchange_group: Diffie-Hellman-group-exchange-sha1 key exchange algorithm.

prefer_ctos_cipher: Specifies the preferred client-to-server encryption algorithm, which is AES128 by default.

prefer_stoc_cipher: Specifies the preferred server-to-client encryption algorithm, which is AES128 by default.

• des: DES_cbc encryption algorithm.

• aes128: AES_128 encryption algorithm.

prefer_ctos_hmac: Specifies the preferred client-to-server HMAC (Hash-based message authentication code) algorithm, which is SHA1_96 by default.

prefer_stoc_hmac: Specifies the preferred server-to-client HMAC algorithm, which is SHA1_96 by default.

• sha1: HMAC-SHA1 algorithm.

• sha1_96: HMAC-SHA1-96 algorithm.

• md5: HMAC-MD5 algorithm.

• md5_96: HMAC-MD5-96 algorithm.

 

• DES (data encryption standard) is a standard data encryption algorithm.

• AES (advanced encryption standard) is an advanced encryption standard algorithm.

 

Description

Use the ssh2 command to start the SSH client to establish a connection with an SSH server, and at the same time specify the preferred key exchange algorithm, encryption algorithms and HMAC algorithms between the server and client.

Note that when logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key.

Examples

# Log into SSH server 10.214.50.51 with:

• dh_exchange_group as the preferred key exchange algorithm,

• aes128 as the preferred server-to-client encryption algorithm,

• md5 as the preferred client-to-server HMAC algorithm, and

• sha1_96 as the preferred server-to-client HMAC algorithm.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh2 10.214.50.51 prefer_kex dh_exchange_group prefer_stoc_cipher aes128 prefer_ctos_hmac md5 prefer_stoc_hmac sha1_96
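Keywords omitted from an ssh2 command still take the defaults listed under Parameters, so the effective algorithm set is wider than what is typed. The sketch below is an added example, not part of the H3C reference: it resolves a command to its effective preferences and lists the keywords that end up on DES, MD5 or dh_group1. The LEGACY_VALUES review set and the function names are this example's own assumptions.

```python
# Keyword -> (allowed values, default), taken from the ssh2 syntax and
# parameter descriptions in this reference.
SSH2_OPTIONS = {
    "identity-key": ({"dsa", "rsa"}, "rsa"),
    "prefer_kex": ({"dh_group1", "dh_exchange_group"}, "dh_group1"),
    "prefer_ctos_cipher": ({"des", "aes128"}, "aes128"),
    "prefer_stoc_cipher": ({"des", "aes128"}, "aes128"),
    "prefer_ctos_hmac": ({"sha1", "sha1_96", "md5", "md5_96"}, "sha1_96"),
    "prefer_stoc_hmac": ({"sha1", "sha1_96", "md5", "md5_96"}, "sha1_96"),
}
# Review policy chosen for this example (an assumption, not from the reference).
LEGACY_VALUES = {"des", "md5", "md5_96", "dh_group1"}

def resolve_ssh2(command):
    """Parse an ssh2 command; return (host, port, effective options)."""
    tokens = command.split()
    if len(tokens) < 2 or tokens[0] != "ssh2":
        raise ValueError("expected: ssh2 { host-ip | host-name } ...")
    host, rest = tokens[1], tokens[2:]
    port = 22  # documented default
    if rest and rest[0].isdigit():
        port = int(rest.pop(0))
        if port > 65535:
            raise ValueError("port-num out of range")
    # Start from the documented defaults, then apply what was typed.
    effective = {key: default for key, (_, default) in SSH2_OPTIONS.items()}
    while rest:
        key = rest.pop(0)
        if key not in SSH2_OPTIONS or not rest:
            raise ValueError(f"unknown or incomplete keyword: {key}")
        value = rest.pop(0)
        if value not in SSH2_OPTIONS[key][0]:
            raise ValueError(f"{key} does not accept {value}")
        effective[key] = value
    return host, port, effective

def legacy_selections(command):
    """Return the sorted keywords whose effective value is in LEGACY_VALUES."""
    _, _, effective = resolve_ssh2(command)
    return sorted(k for k, v in effective.items() if v in LEGACY_VALUES)

# The command from the example above.
PAGE_EXAMPLE = ("ssh2 10.214.50.51 prefer_kex dh_exchange_group "
                "prefer_stoc_cipher aes128 prefer_ctos_hmac md5 "
                "prefer_stoc_hmac sha1_96")
```

For the command above, only prefer_ctos_hmac is listed; a bare `ssh2 10.214.50.51` lists prefer_kex, because dh_group1 is the default key exchange algorithm.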

ssh2 source-interface

Syntax

ssh2 source-interface interface-type interface-number

undo ssh2 source-interface

View

System view

Parameters

interface-type: Source interface type.

interface-number: Source interface number.

Description

Use the ssh2 source-interface command to specify a source interface for the SSH client. If the specified interface does not exist, the command fails.

Use the undo ssh2 source-interface command to cancel the source interface setting. Then, a local device address determined by the system is used to access an SSH server.

Examples

# Specify source interface Vlan-interface 1 for the SSH client.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh2 source-interface Vlan-interface 1

ssh2 source-ip

Syntax

ssh2 source-ip ip-address

undo ssh2 source-ip

View

System view

Parameters

ip-address: Source IP address.

Description

Use the ssh2 source-ip command to specify a source IP address for the SSH client. If the specified IP address is not an address of the device, the command fails.

Use the undo ssh2 source-ip command to cancel the source IP address setting. Then, a local device address determined by the system is used to access an SSH server.

Examples

# Specify source IP address 192.168.1.1 for the SSH client.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh2 source-ip 192.168.1.1

ssh-server source-interface

Syntax

ssh-server source-interface interface-type interface-number

undo ssh-server source-interface

View

System view

Parameters

interface-type: Source interface type.

interface-number: Source interface number.

Description

Use the ssh-server source-interface command to specify a source interface for the SSH server. If the specified interface does not exist, the command fails.

Use the undo ssh-server source-interface command to cancel the source interface setting. Then, a local device address determined by the system can be used by SSH users to access the server.

Examples

# Specify Vlan-interface 1 as the source interface of the SSH server.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh-server source-interface Vlan-interface 1

ssh-server source-ip

Syntax

ssh-server source-ip ip-address

undo ssh-server source-ip

View

System view

Parameters

ip-address: IP address to be set as the source IP address.

Description

Use the ssh-server source-ip command to specify a source IP address for the SSH server. If the specified IP address is not an IP address of the device, the command fails.

Use the undo ssh-server source-ip command to cancel the source IP address setting. Then, a local device address determined by the system can be used by users to access the device.

Examples

# Specify source IP address 192.168.0.1 for the SSH server.

<device> system-view

System View: return to User View with Ctrl+Z.

[device] ssh-server source-ip 192.168.0.1 

 
