H3C WX3000 Series Unified Switches Switching Engine Configuration Guide-6W103
27-SSH Configuration
SSH Server Configuration Tasks
Configuring the Protocol Support for the User Interface
Generating/Destroying a RSA or DSA Key Pair
Exporting the RSA or DSA Public Key
Creating an SSH User and Specifying an Authentication Type
Specifying a Service Type for an SSH User
Configuring the Client Public Key on the Server
Assigning a Public Key to an SSH User
Specifying a Source IP Address/Interface for the SSH Server
SSH Client Configuration Tasks
Configuring the SSH Client Using an SSH Client Software
Configuring the SSH Client on an SSH2-Capable Device
Specifying a Source IP address/Interface for the SSH client
Displaying and Maintaining SSH Configuration
When the Device Acts as the SSH Server and the Authentication Type is Password
When the Device Acts as an SSH Server and the Authentication Type is Publickey
When the Switch Acts as an SSH Client and the Authentication Type is Password
When the Device Acts as an SSH Client and the Authentication Type is Publickey
When the Device Acts as an SSH Client and First-time authentication is not Supported
- The term switch used throughout this document refers to a switching device in a generic sense or the switching engine of a WX3000 series.
- The sample output information in this manual was created on the WX3024. The output information on your device may vary.
SSH Overview
Introduction to SSH
Secure Shell (SSH) is a protocol that provides secure remote login and other security services in insecure network environments. In an SSH connection, data are encrypted before being sent out and decrypted after they reach the destination. This prevents attacks such as plain text password interception. Besides, SSH also provides powerful user authentication functions that prevent attacks such as DNS and IP spoofing.
SSH adopts the client-server model. The device can be configured as an SSH client or an SSH server. In the former case, the device establishes a remote SSH connection to an SSH server. In the latter case, the device provides connections to multiple clients.
Furthermore, SSH can also provide data compression to increase transmission speed, take the place of Telnet or provide a secure “channel” for FTP.
- Currently, the device that serves as an SSH server supports two SSH versions: SSH2 and SSH1, and the device that serves as an SSH client supports only SSH2.
- Unless otherwise noted, SSH refers to SSH2 throughout this document.
Algorithm and Key
An algorithm is a set of transformation rules for encryption and decryption. Information that has not been encrypted is known as plain text, while information that has been encrypted is known as cipher text. Encryption and decryption are performed using a string of characters called a key, which controls the transformation between plain text and cipher text: it turns plain text into cipher text (encryption) or cipher text back into plain text (decryption).
Figure 1-1 Encryption and decryption
Key-based algorithms are usually classified into symmetric key algorithms and asymmetric key algorithms.
Asymmetric Key Algorithm
With an asymmetric key algorithm, each end holds a key pair consisting of a private key and a public key. The public key is shared with and usable by both ends, while the private key is usable only at the local end. Normally, the private key cannot be derived from the public key.
Asymmetric key algorithm encrypts data using the public key and decrypts the data using the private key, thus ensuring data security.
You can also use the asymmetric key algorithm for data signature. For example, user 1 adds his signature to the data using the private key, and then sends the data to user 2. User 2 verifies the signature using the public key of user 1. If the signature is correct, this means that the data originates from user 1.
Both the Rivest-Shamir-Adleman algorithm (RSA) and the Digital Signature Algorithm (DSA) are asymmetric key algorithms. RSA is used for data encryption and signature, whereas DSA is used only for signatures.
Currently, SSH supports both RSA and DSA.
SSH Operating Process
The session establishment between an SSH client and the SSH server involves the following five stages:
Table 1-1 Stages in establishing a session between the SSH client and server
Stages | Description |
---|---|
Version negotiation | SSH1 and SSH2 are supported. The two parties negotiate a version to use. |
Key and algorithm negotiation | SSH supports multiple algorithms. The two parties negotiate an algorithm for communication. |
Authentication | The SSH server authenticates the client in response to the client's authentication request. |
Session request | The client sends a session request to the server. |
Data exchange | The client and the server start to communicate with each other. |
Version negotiation
- The server opens port 22 to listen to connection requests from clients.
- The client sends a TCP connection request to the server. After the TCP connection is established, the server sends the first packet to the client, which includes a version identification string in the format of “SSH-<primary protocol version number>.<secondary protocol version number>-<software version number>”. The primary and secondary protocol version numbers constitute the protocol version number, while the software version number is used for debugging.
- The client receives and resolves the packet. If the protocol version of the server is lower but supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version.
- The client sends to the server a packet that contains the number of the protocol version it decides to use. The server compares the version carried in the packet with that of its own to determine whether it can cooperate with the client.
- If the negotiation is successful, the server and the client go on to the key and algorithm negotiation. If not, the server breaks the TCP connection.
All the packets above are transferred in plain text.
Key negotiation
- The server and the client send algorithm negotiation packets to each other, which contain the public key algorithm list, encryption algorithm list, message authentication code (MAC) algorithm list, and compression algorithm list supported by each side.
- The server and the client calculate the final algorithm according to the algorithm lists supported.
- The server and the client generate the session key and session ID based on the Diffie-Hellman (DH) exchange algorithm and the host key pair.
- Then, the server and the client get the same session key and use it for data encryption and decryption to secure data communication.
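The version exchange and the algorithm negotiation described in the two sections above, worked through in Python. This is an added example and is not code from the guide or from H3C: the version identification line, the set of supportable versions and the algorithm name-lists are constructed for the demonstration, and the selection rule for algorithms is the one from RFC 4253 section 7.1 (first entry on the client's list that the server also supports), which the guide summarises as "calculate the final algorithm according to the algorithm lists supported".

```python
import re

# Version identification string: "SSH-<major>.<minor>-<software>" (the guide's
# "SSH-<primary>.<secondary>-<software version>"), terminated by CR LF on the wire.
_VERSION_RE = re.compile(r"^SSH-(\d+)\.(\d+)-([^\s]+)(?: (.*))?$")

# Constructed: versions this client can speak. The guide's server supports SSH1 and SSH2.
SUPPORTED_VERSIONS = {(1, 5), (2, 0)}


def parse_version(line):
    """Return (major, minor, software) from a version identification line, or raise ValueError."""
    m = _VERSION_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed version identification string: %r" % line)
    return int(m.group(1)), int(m.group(2)), m.group(3)


def choose_version(own, server):
    """Client rule from the guide: use the server's version if it is lower but still
    supportable; otherwise keep the client's own version. Tuples compare element-wise,
    so (1, 5) < (2, 0)."""
    if server < own and server in SUPPORTED_VERSIONS:
        return server
    return own


def negotiate_algorithm(client_prefs, server_prefs):
    """RFC 4253 section 7.1: the chosen algorithm is the first one on the client's
    name-list that also appears on the server's name-list; the server's order does not
    matter. Raises ValueError when the lists have nothing in common (the server then
    tears the connection down, as the guide describes for a failed negotiation)."""
    server_set = set(server_prefs)
    for alg in client_prefs:
        if alg in server_set:
            return alg
    raise ValueError("no common algorithm: client=%s server=%s" % (client_prefs, server_prefs))


def negotiate_all(client_lists, server_lists):
    """Apply the rule to every category exchanged in the key-exchange-init packets:
    key exchange, host key, cipher and MAC in each direction, compression."""
    return {cat: negotiate_algorithm(client_lists[cat], server_lists[cat]) for cat in client_lists}


# Constructed name-lists using the standard SSH algorithm identifiers. The client lists
# the strong choices first; anything it lists last is what it will fall back to.
CLIENT_LISTS = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "cipher_c2s": ["aes128-cbc", "3des-cbc", "des-cbc"],
    "cipher_s2c": ["aes128-cbc", "3des-cbc", "des-cbc"],
    "mac_c2s": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "mac_s2c": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"],
    "compression": ["none"],
}
SERVER_LISTS = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-dss", "ssh-rsa"],
    "cipher_c2s": ["des-cbc", "aes128-cbc"],
    "cipher_s2c": ["des-cbc", "aes128-cbc"],
    "mac_c2s": ["hmac-md5", "hmac-sha1"],
    "mac_s2c": ["hmac-md5", "hmac-sha1"],
    "compression": ["none"],
}

if __name__ == "__main__":
    own = (2, 0)
    server = parse_version("SSH-2.0-constructed_server\r\n")[:2]
    print("version in use:", choose_version(own, server))
    print("negotiated:", negotiate_all(CLIENT_LISTS, SERVER_LISTS))
```

Two points worth noticing when reading the output: the version strings and both name-lists travel in plain text, so the choice of algorithms is only protected after the fact, by the exchange hash that the key negotiation signs; and because the client's order decides, removing weak entries such as des-cbc or hmac-md5-96 from the client's list (rather than merely listing them last) is what prevents them from ever being negotiated against a server that still offers them.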
Authentication negotiation
The negotiation steps are as follows:
- The client sends an authentication request to the server. The authentication request contains the username, authentication type, and authentication-related information. For example, if the authentication type is password, the content is the password.
- The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods that can be used for a new authentication attempt.
- The client selects an authentication type from the method list to perform authentication again.
- The above process repeats until the authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit.
SSH provides two authentication methods: password authentication and publickey authentication.
- In password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, compares them with those it maintains, and then informs the client of the authentication result.
- The publickey authentication method authenticates clients using digital signatures. Currently, the device supports two publickey algorithms to implement digital signatures: RSA and DSA. The client sends to the server a publickey authentication request containing its user name, public key and algorithm. The server verifies the public key. If the public key is invalid, the authentication fails; otherwise, the server verifies the client's digital signature to authenticate the client, and then sends back a message informing the client of the success or failure of the authentication.
Session request
After passing authentication, the client sends a session request to the server, and the server listens for and processes the request. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that the processing failed or that it could not resolve the request.
Data exchange
In this stage, the server and the client exchange data in this way:
- The client encrypts and sends the command to be executed to the server.
- The server decrypts and executes the command, and then encrypts and sends the result to the client.
- The client decrypts and displays the result on the terminal.
Configuring the SSH Server
You must perform necessary configurations on the SSH server for SSH clients to access.
SSH Server Configuration Tasks
Complete the following tasks to configure the SSH server:
Task | Remark |
---|---|
Configuring the Protocol Support for the User Interface | Required |
Generating/Destroying a RSA or DSA Key Pair | Required |
Exporting the RSA or DSA Public Key | Optional |
Creating an SSH User and Specifying an Authentication Type | Required |
Specifying a Service Type for an SSH User | Optional |
Configuring SSH Management | Optional |
Configuring the Client Public Key on the Server | Required for publickey authentication; unnecessary for password authentication |
Assigning a Public Key to an SSH User | Required for publickey authentication; unnecessary for password authentication |
Specifying a Source IP Address/Interface for the SSH Server | Optional |
Configuring the Protocol Support for the User Interface
You must configure the supported protocol(s) for SSH remote login. Note that the configuration does not take effect immediately, but will be effective for subsequent login requests.
Follow these steps to configure the protocol(s) that a user interface supports:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter the view of one or multiple user interfaces | user-interface [ type ] first-number [ last-number ] | — |
Configure the authentication mode as scheme | authentication-mode scheme [ command-authorization ] | Required. By default, the user interface authentication mode is password. |
Specify the supported protocol(s) | protocol inbound { all \| ssh \| telnet } | Optional. By default, both Telnet and SSH are supported. |
- If you have configured a user interface to support the SSH protocol, you must configure AAA authentication for the user interface by using the authentication-mode scheme command to ensure successful login.
- On a user interface, if the authentication-mode password or authentication-mode none command has been executed, the protocol inbound ssh command is not available. Similarly, if the protocol inbound ssh command has been executed, the authentication-mode password and authentication-mode none commands are not available.
Generating/Destroying a RSA or DSA Key Pair
Follow these steps to create or destroy a key pair:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Generate an RSA key pair | rsa local-key-pair create, or public-key local create rsa | Required. Use either command. By default, no RSA key pair is created. |
Destroy the RSA key pair | rsa local-key-pair destroy, or public-key local destroy rsa | Optional. Use either command to destroy the configured RSA key pair. |
Generate a DSA key pair | public-key local create dsa | Required. By default, no DSA key pair is created. |
Destroy the DSA key pair | public-key local destroy dsa | Optional. Use this command to destroy the configured DSA key pair. |
- After an RSA key pair is generated, you can execute the display rsa local-key-pair public or display public-key local rsa public command, which will display two public keys (the host public key and server public key) if the device works in SSH1.x-compatible mode, or only one public key (the host public key) if the device works in SSH2 mode.
- The command for generating a key pair survives a reboot. You only need to configure it once.
- Some third-party software, for example, WinSCP, requires that the modulus of a public key be at least 768 bits. Therefore, a local key pair of more than 768 bits is recommended.
Exporting the RSA or DSA Public Key
Follow these steps to export the RSA public key:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Display the RSA key on the screen in a specified format or export it to a specified file | public-key local export rsa { openssh \| ssh1 \| ssh2 } [ filename ] | Required |
Follow these steps to export the DSA public key:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Display the DSA key on the screen in a specified format or export it to a specified file | public-key local export dsa { openssh \| ssh2 } [ filename ] | Required |
The DSA public key format can be SSH2 or OpenSSH, while the RSA public key format can be SSH1, SSH2 or OpenSSH.
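The two public key formats named in this section, OpenSSH and SSH2, carry the same key material and differ only in their text wrapping. The following is an added example, not code from the guide or from H3C, that builds the ssh-rsa wire blob from the key's two integers, emits it in both the OpenSSH one-line form and the SSH2 (RFC 4716) form, parses either form back, and computes the SHA256 fingerprint that an operator compares out of band before trusting a pasted or imported key. The exponent and modulus below are constructed placeholders, not a real RSA key, and the wrapping width and comment are assumptions.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': two's-complement big-endian integer carried as an SSH string.
    A leading 0x00 byte is added when the top bit is set so the value stays positive."""
    if value == 0:
        return struct.pack(">I", 0)
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def rsa_public_blob(e, n):
    """Wire encoding of an ssh-rsa public key (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)


def to_openssh(e, n, comment):
    """OpenSSH one-line format: key type, base64 blob, comment."""
    return "ssh-rsa %s %s" % (base64.b64encode(rsa_public_blob(e, n)).decode("ascii"), comment)


def to_ssh2(e, n, comment):
    """RFC 4716 ("SSH2") format: BEGIN/END marker lines, optional header fields such as
    Comment:, and the same base64 blob wrapped so no line exceeds 72 characters."""
    b64 = base64.b64encode(rsa_public_blob(e, n)).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "%s"' % comment]
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


def _split_strings(blob):
    """Split a blob into its length-prefixed fields, rejecting truncated input."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def parse_public_key(text):
    """Accept either format and return (e, n). Only ssh-rsa is handled here."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines and lines[0] == "---- BEGIN SSH2 PUBLIC KEY ----":
        if lines[-1] != "---- END SSH2 PUBLIC KEY ----":
            raise ValueError("missing END marker")
        body, in_header = [], False
        for ln in lines[1:-1]:
            # Header fields contain a colon; a trailing backslash continues them on the next line.
            if in_header or ":" in ln:
                in_header = ln.endswith("\\")
                continue
            body.append(ln)
        blob = base64.b64decode("".join(body))
    else:
        parts = lines[0].split() if lines else []
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            raise ValueError("not an OpenSSH ssh-rsa line")
        blob = base64.b64decode(parts[1])
    fields = _split_strings(blob)
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("blob is not an ssh-rsa public key")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")


def fingerprint(e, n):
    """OpenSSH-style SHA256 fingerprint of the blob (base64 without padding)."""
    digest = hashlib.sha256(rsa_public_blob(e, n)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


# Constructed values for demonstration only: E is the customary public exponent, N is an
# arbitrary 1024-bit odd number, not a real RSA modulus. Its top bit is set, which
# exercises the leading-zero rule in _ssh_mpint.
E = 65537
N = (1 << 1023) | 0x1F3D5B79

if __name__ == "__main__":
    print(to_openssh(E, N, "constructed-key"))
    print(to_ssh2(E, N, "constructed-key"))
    print(fingerprint(E, N))
```

Because both formats decode to the same blob, the fingerprint of a key exported in one format equals that of the same key exported in the other; that is the check to run when a key has been moved between a client tool and the device by copy-and-paste or FTP/TFTP and you want to confirm nothing was altered in transit.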
Creating an SSH User and Specifying an Authentication Type
Follow these steps to configure an SSH user and specify an authentication type for it:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify the default authentication type for all SSH users | ssh authentication-type default { all \| password \| password-publickey \| publickey \| rsa } | Use either command. By default, no SSH user is created and no authentication type is specified. If both commands are used and different authentication types are specified, the authentication type specified with the ssh user authentication-type command takes precedence. |
Create an SSH user, and specify an authentication type for it | ssh user username authentication-type { all \| password \| password-publickey \| publickey \| rsa } | Use either command (see above). |
- For the password authentication type, the username argument must be consistent with the valid user name defined in AAA; for publickey authentication, the username argument is the SSH local user name, so there is no need to configure a local user in AAA.
- If the default authentication type for SSH users is password and local AAA authentication is adopted, you need not use the ssh user command to create an SSH user. Instead, you can use the local-user command to create a user name and its password and then set the service type of the user to SSH.
- If the default authentication type for SSH users is password and remote authentication (RADIUS authentication, for example) is adopted, you need not use the ssh user command to create an SSH user, because the user is created on the remote server. The user can then use the username and password configured on the remote server to access the network.
- Both publickey and rsa indicate public key authentication. They are implemented with the same method.
- Under the publickey authentication mode, the level of commands available to a logged-in SSH user can be configured using the user privilege level command on the server, and all users with this authentication mode share this level.
- Under the password authentication mode, the level of commands available to a logged-in SSH user is determined by AAA, and different users with this authentication mode may have different levels.
Specifying a Service Type for an SSH User
Follow these steps to specify the service type of an SSH user:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify a service type for an SSH user | ssh user username service-type { stelnet \| sftp \| all } | Required. The default is stelnet. |
If the ssh user service-type command is executed with a username that does not exist, the system will automatically create the SSH user. However, the user cannot log in unless you specify an authentication type for it.
Configuring SSH Management
Follow these steps to configure SSH management:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Set the SSH authentication timeout time | ssh server timeout seconds | Optional. By default, the timeout time is 60 seconds. |
Set the SSH authentication retry times | ssh server authentication-retries times | Optional. By default, the number of retry times is 3. |
Set the RSA server key update interval | ssh server rekey-interval hours | Optional. By default, the system does not update RSA server keys. |
Configure the SSH server to be compatible with SSH1.x clients | ssh server compatible-ssh1x enable | Optional. By default, the SSH server is compatible with SSH1.x clients. |
Configure a login header | header shell text | Optional. By default, no login header is configured. |
- You can configure a login header only when the service type is stelnet. For configuration of service types, see Specifying a Service Type for an SSH User.
- For details of the header command, see the corresponding section in Login in H3C WX3000 Series Unified Switches Switching Engine Command Reference.
Configuring the Client Public Key on the Server
This configuration is not necessary if the password authentication mode is configured for SSH users.
With the publickey authentication mode configured for an SSH client, you must configure the client’s RSA or DSA host public key(s) on the server for authentication.
You can manually configure the public key or import it from a public key file. In the former case, you can manually copy the client’s public key to the server. In the latter case, the system automatically converts the format of the public key generated by the client to complete the configuration on the server, but the client’s public key should be transferred from the client to the server beforehand through FTP/TFTP.
Follow these steps to configure the client’s public key manually:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter public key view | public-key peer keyname | Required |
Enter public key edit view | public-key-code begin | — |
Configure a public key for the client | Enter the content of the public key | When you input the key data, spaces are allowed between the characters you input (the system removes the spaces automatically); you can also press <Enter> to continue your input on the next line. The key you input must be a hexadecimal digit string coded in the public key format. |
Return to public key view from public key edit view | public-key-code end | — |
Exit public key view and return to system view | peer-public-key end | — |
Follow these steps to import the RSA public key from a public key file:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Import the public key from a public key file | public-key peer keyname import sshkey filename | Required |
You can also use the following commands to configure the client’s RSA public key on the server.
Follow these steps to configure the client RSA public key manually:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enter public key view | rsa peer-public-key keyname | Required |
Enter public key edit view | public-key-code begin | — |
Configure the client RSA public key | Enter the content of the RSA public key | The content must be a hexadecimal string that is generated randomly by the SSH-supported client software and coded compliant to PKCS. Spaces and carriage returns are allowed between characters. |
Return from public key code view to public key view | public-key-code end | When you exit public key code view, the system automatically saves the public key. |
Return from public key view to system view | peer-public-key end | — |
Follow these steps to import the RSA public key from a public key file:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Import the RSA public key from a public key file | rsa peer-public-key keyname import sshkey filename | Required |
The result of the display rsa local-key-pair public command or the public key converted with the SSHKEY tool contains no information such as the authentication type, so they cannot be directly used as parameters in the public-key peer command. For the same reason, neither can the result of the display public-key local rsa public command be used in the rsa peer-public-key command directly.
Assigning a Public Key to an SSH User
For the publickey authentication mode, you must specify the client’s public key on the server for authentication.
Follow these steps to assign a public key for an SSH user:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Assign a public key to an SSH user | ssh user username assign { publickey \| rsa-key } keyname | Required. If you issue this command multiple times, the last command overrides the previous ones. |
Both the keywords publickey and rsa-key represent the public key, and have the same implementation.
Specifying a Source IP Address/Interface for the SSH Server
This configuration task allows you to specify a source IP address or interface for the SSH server, which is used by clients as the destination.
Follow these steps to specify a source IP address/interface for the SSH server:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify a source IP address for the SSH server | ssh-server source-ip ip-address | Required. By default, the system determines the IP address for clients to access. |
Specify a source interface for the SSH server | ssh-server source-interface interface-type interface-number | Required. By default, the system determines the IP address for clients to access. |
Configuring the SSH Client
SSH client software or an SSH2-capable device can serve as an SSH client to access the SSH server.
SSH Client Configuration Tasks
Complete the following tasks to configure the SSH client:
Task | Remarks |
---|---|
Configuring the SSH client using SSH client software | Use either approach |
Configuring the SSH client on an SSH2-capable device | Use either approach |
Configuring the SSH Client Using an SSH Client Software
A variety of SSH client software is available, such as PuTTY and OpenSSH. For an SSH client to establish a connection with an SSH server, complete the following tasks:
Task | Remarks |
---|---|
Generate a client key | Required for publickey authentication; unnecessary for password authentication |
Specify the IP address of the server | Required |
Select a protocol for remote connection | Required |
Select an SSH version | Required |
Specify the private key file | Required for publickey authentication; unnecessary for password authentication |
Open an SSH connection with publickey authentication | Required for publickey authentication; unnecessary for password authentication |
- Selecting SSH as the protocol for the remote connection. Usually, a client can use a variety of remote connection protocols, such as Telnet, Rlogin, and SSH. To establish an SSH connection, you must select SSH.
- Selecting the SSH version. Since the device currently supports SSH server 2.0, select 2.0 or lower for the client.
- Specifying the private key file. On the server, if public key authentication is enabled for an SSH user and a public key is set for the user, the private key file corresponding to the public key must be specified on the client. RSA key pairs and DSA key pairs are generated by a tool of the client software.
The following uses the client software PuTTY, PuTTYGen and SSHKEY as examples to illustrate how to configure the SSH client:
Generate a client key
To generate a client key, run PuTTYGen.exe, and select from the Parameters area the type of key you want to generate, either SSH-2 RSA or SSH-2 DSA, then click Generate.
Figure 1-2 Generate a client key (1)
Note that while generating the key pair, you must move the mouse continuously and keep the mouse off the green progress bar in the blue box shown in Figure 1-3. Otherwise, the progress bar stops moving and key pair generation stops.
Figure 1-3 Generate the client keys (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (public in this case) to save the public key.
Figure 1-4 Generate the client keys (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking you to confirm saving the private key without a passphrase protecting it. Click Yes and enter the name of the file for saving the private key (“private” in this case) to save the private key.
Figure 1-5 Generate the client keys (4)
To generate RSA public key in PKCS format, run SSHKEY.exe, click Browse and select the public key file, and then click Convert.
Figure 1-6 Generate the client keys (5)
Specify the IP address of the Server
Launch PuTTY.exe. The following window appears.
Figure 1-7 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server. Note that there must be a route available between the IP address of the server and the client.
Select a protocol for remote connection
As shown in Figure 1-7, select SSH under Protocol.
Select an SSH version
From the category on the left pane of the window, select SSH under Connection. The window as shown in Figure 1-8 appears.
Figure 1-8 SSH client configuration interface 2
Under Protocol options, select 2 from Preferred SSH protocol version.
Some SSH client software, for example, the Tectia client, supports the DES algorithm only when the SSH1 version is selected. The PuTTY client software supports DES algorithm negotiation with SSH2.
Open an SSH connection with publickey authentication
If a user needs to be authenticated with a public key, the corresponding private key file must be specified. A private key file is not required for password-only authentication.
From the category on the left of the window, select Connection/SSH/Auth. The following window appears.
Figure 1-9 SSH client configuration interface 3
Click Browse… to bring up the file selection window, navigate to the private key file and click Open to enter the following SSH client interface. If the connection is normal, the user will be prompted for a username. Once the authentication passes, the user can log onto the server.
Figure 1-10 SSH client interface (1)
Open an SSH connection with password authentication
From the window shown in Figure 1-9, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-11.
Figure 1-11 SSH client interface (2)
Enter the username and password to establish an SSH connection.
To log out, enter the quit command.
Configuring the SSH Client on an SSH2-Capable Device
Complete the following tasks to configure the SSH client on an SSH2-capable device:
Task | Remarks |
---|---|
Configure whether first-time authentication is supported | Optional |
Establish the connection between the SSH client and server | Required |
Configure whether first-time authentication is supported
When the device connects to the SSH server as an SSH client, you can configure whether the device supports first-time authentication.
- First-time authentication means that when the SSH client accesses the server for the first time and is not configured with the server host public key, the user can continue accessing the server, and the client saves the host public key for use in subsequent authentications.
- When first-time authentication is not supported, a client that is not configured with the server host public key will be denied access to the server. To access the server, a user must configure the server host public key locally in advance and specify the public key name for authentication.
Follow these steps to enable the device to support first-time authentication:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Enable the device to support first-time authentication | ssh client first-time enable | Optional. By default, the client is enabled to run first-time authentication. |
Follow these steps to disable first-time authentication support:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Disable first-time authentication support | undo ssh client first-time | Required. By default, the client is enabled to run first-time authentication. |
Configure the server public key | See Configuring the Client Public Key on the Server | Required. The method of configuring the server public key on the client is similar to that of configuring the client public key on the server. |
Specify the host key name of the server | ssh client { server-ip \| server-name } assign { publickey \| rsa-key } keyname | Required |
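The two host key policies described in this section, first-time authentication enabled (trust the key seen on first contact and remember it) and disabled (accept only a key the operator configured in advance), as an added example in Python. This is not code from the guide or from H3C: the key store, the server address and the two key blobs are constructed for the demonstration, and the store's assign method stands in for what the ssh client ... assign publickey command does on the device.

```python
import hmac


class ServerKeyStore:
    """Per-client table of server name/IP -> host public key blob, playing the role of the
    keys a client either learns on first contact or is given by the operator
    (the device's ssh client <server> assign publickey <keyname>)."""

    def __init__(self):
        self._keys = {}

    def assign(self, server, key_blob):
        self._keys[server] = bytes(key_blob)

    def lookup(self, server):
        return self._keys.get(server)


def check_host_key(store, server, presented_key, first_time_enabled):
    """Decide whether the client may continue with the key the server just presented.
    Returns (accepted, reason). Mirrors the two modes described in the guide."""
    known = store.lookup(server)
    if known is None:
        if first_time_enabled:
            # First-time authentication: trust on first contact and remember the key.
            store.assign(server, presented_key)
            return True, "first contact: host key saved for later checks"
        return False, "no host key configured for this server and first-time authentication is disabled"
    if hmac.compare_digest(known, bytes(presented_key)):
        return True, "host key matches the saved key"
    # A different key for a known server is the case both modes exist to catch.
    return False, "host key mismatch: possible impersonation or a re-keyed server"


# Constructed host key blobs; real ones would be the ssh-rsa/ssh-dss wire encodings.
KEY_A = b"ssh-rsa:constructed-key-A"
KEY_B = b"ssh-rsa:constructed-key-B"
SERVER = "192.0.2.10"  # constructed address


def demo():
    """Walk both policies through the same sequence of connections; returns the decisions."""
    results = []
    tofu = ServerKeyStore()
    results.append(check_host_key(tofu, SERVER, KEY_A, True)[0])   # learned on first contact
    results.append(check_host_key(tofu, SERVER, KEY_A, True)[0])   # same key again: accepted
    results.append(check_host_key(tofu, SERVER, KEY_B, True)[0])   # different key: refused
    strict = ServerKeyStore()
    results.append(check_host_key(strict, SERVER, KEY_A, False)[0])  # nothing pre-configured: refused
    strict.assign(SERVER, KEY_A)                                      # operator configures the key
    results.append(check_host_key(strict, SERVER, KEY_A, False)[0])  # now accepted
    return results


if __name__ == "__main__":
    print(demo())
```

The only difference between the two modes is the very first contact: with first-time authentication enabled, the client has no way to tell a genuine server from an impostor on that one connection, so it is the pre-configured key (undo ssh client first-time plus the assign command) that gives protection from the start, at the cost of having to distribute the server's host public key beforehand.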
Establish the connection between the SSH client and server
Follow these steps to establish an SSH connection:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Start the client to establish a connection with an SSH server | ssh2 { host-ip \| host-name } [ port-num ] [ identity-key { dsa \| rsa } \| prefer_kex { dh_group1 \| dh_exchange_group } \| prefer_ctos_cipher { des \| aes128 } \| prefer_stoc_cipher { des \| aes128 } \| prefer_ctos_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } \| prefer_stoc_hmac { sha1 \| sha1_96 \| md5 \| md5_96 } ] * | Required. In this command, you can also specify the preferred key exchange algorithm, encryption algorithms and HMAC (hash-based message authentication code) algorithms between the server and client. The identity-key keyword is unnecessary in password authentication and optional in public key authentication. |
When logging into the SSH server using public key authentication, an SSH client needs to read the local private key for authentication. As two algorithms (RSA or DSA) are available, the identity-key keyword must be used to specify one algorithm in order to get the correct private key.
Specifying a Source IP address/Interface for the SSH client
This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability.
Follow these steps to specify a source IP address/interface for the SSH client:
To do… | Use the command… | Remarks |
---|---|---|
Enter system view | system-view | — |
Specify a source IP address for the SSH client | ssh2 source-ip ip-address | Required. By default, the system determines a source IP address. |
Specify a source interface for the SSH client | ssh2 source-interface interface-type interface-number | Required. By default, the system determines a source IP address. |
Displaying and Maintaining SSH Configuration
To do… | Use the command… | Remarks |
---|---|---|
Display host and server public keys | display rsa local-key-pair public | Available in any view |
Display client RSA public key(s) | display rsa peer-public-key [ brief \| name keyname ] | Available in any view |
Display local public key(s) | display public-key local { dsa \| rsa } public | Available in any view |
Display remote public key(s) | display public-key peer [ brief \| name pubkey-name ] | Available in any view |
Display SSH status and session information | display ssh server { session \| status } | Available in any view |
Display SSH user information | display ssh user-information [ username ] | Available in any view |
Display the current source IP address or the IP address of the source interface specified for the SSH server | display ssh-server source-ip | Available in any view |
Display the current source IP address specified for the SSH client | display ssh2 source-ip | Available in any view |
Display the mappings between host public keys and SSH servers saved on a client | display ssh server-info | Available in any view |
SSH Configuration Examples
When the Device Acts as the SSH Server and the Authentication Type is Password
Network requirements
As shown in Figure 1-12, establish an SSH connection between the host (SSH Client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Password authentication is required.
Figure 1-12 Network diagram of SSH server configuration using password authentication
Configuration procedure
- Configure the SSH server
# Create a VLAN interface on the device and assign an IP address, which the SSH client will use as the destination for SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
[device-ui-vty0-4] quit
# Create local client “client001”, and set the authentication password to “abc”, protocol type to SSH, and command privilege level to 3 for the client.
[device] local-user client001
[device-luser-client001] password simple abc
[device-luser-client001] service-type ssh level 3
[device-luser-client001] quit
# Specify the authentication method of user client001 as password.
[device] ssh user client001 authentication-type password
- Configure the SSH client
# Configure an IP address (192.168.0.2 in this case) for the SSH client. This IP address and that of the VLAN interface on the device must be in the same network segment.
# Configure the SSH client software to establish a connection to the SSH server.
Take the SSH client software PuTTY (version 0.58) as an example:
1) Run PuTTY.exe to enter the following configuration interface.
Figure 1-13 SSH client configuration interface
In the Host Name (or IP address) text box, enter the IP address of the SSH server.
2) As shown in Figure 1-13, click Open to enter the following interface. If the connection is normal, you will be prompted to enter the user name “client001” and password “abc”. Once authentication succeeds, you will log onto the server.
Figure 1-14 SSH client interface
When the Device Acts as an SSH Server and the Authentication Type is Publickey
Network requirements
As shown in Figure 1-15, establish an SSH connection between the host (SSH client) and the device (SSH Server) for secure data exchange. The host runs SSH2.0 client software. Publickey authentication is required.
Figure 1-15 Network diagram of SSH server configuration
Configuration procedure
Under the publickey authentication mode, either an RSA or a DSA public key can be generated for the server to authenticate the client. This example uses an RSA public key.
- Configure the SSH server
# Create a VLAN interface on the device and assign an IP address, which the SSH client will use as the destination for SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 192.168.0.1 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
# Set the client’s command privilege level to 3
[device-ui-vty0-4] user privilege level 3
[device-ui-vty0-4] quit
# Configure the authentication type of the SSH user named client001 as publickey.
[device] ssh user client001 authentication-type publickey
Before performing the following steps, you must generate an RSA key pair on the client (using the client software), save the public key in a file named public, and then upload the file to the SSH server through FTP or TFTP. For details, refer to Configuring the SSH Client.
# Import the client’s public key named “Switch001” from file “public”.
[device] public-key peer Switch001 import sshkey public
# Assign the public key “Switch001” to client “client001”.
[device] ssh user client001 assign rsa-key Switch001
- Configure the SSH client
# Generate an RSA key pair, taking PuTTYGen as an example.
Run PuTTYGen.exe, choose SSH2(RSA) and click Generate.
Figure 1-16 Generate a client key pair (1)
While generating the key pair, you must move the mouse continuously and keep the pointer off the green progress bar shown in Figure 1-17. Otherwise, the progress bar stops moving and the key generation stops.
Figure 1-17 Generate a client key pair (2)
After the key pair is generated, click Save public key and enter the name of the file for saving the public key (“public” in this case).
Figure 1-18 Generate a client key pair (3)
Likewise, to save the private key, click Save private key. A warning window pops up asking whether you want to save the private key without any protection. Click Yes and enter the name of the file for saving the private key (“private” in this case).
Figure 1-19 Generate a client key pair (4)
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client.
# Establish a connection with the SSH server
The following takes the SSH client software PuTTY (version 0.58) as an example.
1) Launch PuTTY.exe to enter the following interface.
Figure 1-20 SSH client configuration interface 1
In the Host Name (or IP address) text box, enter the IP address of the server.
2) Select Connection/SSH/Auth. The following window appears.
Figure 1-21 SSH client configuration interface (2)
Click Browse… to bring up the file selection window, navigate to the private key file and click OK.
3) From the window shown in Figure 1-21, click Open. The following SSH client interface appears. If the connection is normal, you will be prompted to enter the username and password, as shown in Figure 1-22.
Figure 1-22 SSH client interface
When the Switch Acts as an SSH Client and the Authentication Type is Password
Network requirements
As shown in Figure 1-23, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name for login is client001 and the SSH server’s IP address is 10.165.87.136. Password authentication is required.
Figure 1-23 Network diagram of SSH client configuration when using password authentication
Configuration procedure
- Configure Switch B
# Create a VLAN interface on the device and assign an IP address, which the SSH client will use as the destination for SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
[device-ui-vty0-4] quit
# Create local user “client001”, and set the authentication password to abc, the login protocol to SSH, and user command privilege level to 3.
[device] local-user client001
[device-luser-client001] password simple abc
[device-luser-client001] service-type ssh level 3
[device-luser-client001] quit
# Configure the authentication type of user client001 as password.
[device] ssh user client001 authentication-type password
- Configure Switch A
# Create a VLAN interface on the device and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[device-Vlan-interface1] quit
# Establish a connection to the server 10.165.87.136.
[device] ssh2 10.165.87.136
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
Enter password:
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
<device>
When the Device Acts as an SSH Client and the Authentication Type is Publickey
Network requirements
As shown in Figure 1-24, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136. Publickey authentication is required.
Figure 1-24 Network diagram of SSH client configuration when using publickey authentication
Configuration procedure
In public key authentication, you can use either an RSA or a DSA public key. This example uses a DSA public key.
- Configure Switch B
# Create a VLAN interface on the device and assign an IP address, which the SSH client will use as the destination for SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[device-ui-vty0-4] user privilege level 3
[device-ui-vty0-4] quit
# Specify the authentication type of user client001 as publickey.
[device] ssh user client001 authentication-type publickey
Before doing the following steps, you must first generate a DSA key pair on the client, export its public key to a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to “Configure Switch A”.
# Import the client's public key from the file Switch001 and name it Switch001.
[device] public-key peer Switch001 import sshkey Switch001
# Assign the public key Switch001 to user client001.
[device] ssh user client001 assign rsa-key Switch001
- Configure Switch A
# Create a VLAN interface on the device and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[device-Vlan-interface1] quit
# Generate a DSA key pair
[device] public-key local create dsa
# Export the generated DSA key pair to a file named Switch001.
[device] public-key local export dsa ssh2 Switch001
After the key pair is generated, you need to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client.
# Establish an SSH connection to the server 10.165.87.136.
[device] ssh2 10.165.87.136 identity-key dsa
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Do you continue to access it?(Y/N):y
Do you want to save the server's public key?(Y/N):n
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
<device>
When the Device Acts as an SSH Client and First-time authentication is not Supported
Network requirements
As shown in Figure 1-25, establish an SSH connection between Switch A (SSH Client) and Switch B (SSH Server) for secure data exchange. The user name is client001 and the SSH server’s IP address is 10.165.87.136. The publickey authentication mode is used to enhance security.
Figure 1-25 Network diagram of SSH client configuration
Configuration procedure
- Configure Switch B
# Create a VLAN interface on the device and assign an IP address for it to serve as the destination of the client.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set AAA authentication on user interfaces.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Configure the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[device-ui-vty0-4] user privilege level 3
[device-ui-vty0-4] quit
# Specify the authentication type for user client001 as publickey.
[device] ssh user client001 authentication-type publickey
Before doing the following steps, you must first generate a DSA key pair on the client, export its public key to a file named Switch001, and then upload the file to the SSH server through FTP or TFTP. For details, refer to the following “Configure Switch A”.
# Import the client's public key from the file Switch001 and name the public key Switch001.
[device] public-key peer Switch001 import sshkey Switch001
# Assign public key Switch001 to user client001
[device] ssh user client001 assign rsa-key Switch001
# Export the server's DSA host public key to a file named Switch002.
[device] public-key local export dsa ssh2 Switch002
When first-time authentication is not supported, the client cannot accept an unknown server's host key on first contact, so you must export the server's DSA host public key to a file named Switch002 and upload the file to the SSH client through FTP or TFTP.
- Configure Switch A
# Create a VLAN interface on the device and assign an IP address, which serves as the SSH client’s address in an SSH connection.
<device> system-view
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.137 255.255.255.0
[device-Vlan-interface1] quit
# Generate a DSA key pair
[device] public-key local create dsa
# Export the generated DSA key pair to a file named Switch001.
[device] public-key local export dsa ssh2 Switch001
After generating the key pair, you need to upload the public key file to the server through FTP or TFTP and complete the server-end configuration before you continue to configure the client.
# Disable first-time authentication on the device.
[device] undo ssh client first-time
When first-time authentication is not supported, the server's DSA host public key must already have been exported to a file named Switch002 and uploaded to the SSH client through FTP or TFTP. For details, refer to the above part “Configure Switch B”.
# Import the server's host public key from the file Switch002 and name it Switch002.
[device] public-key peer Switch002 import sshkey Switch002
# Associate the server 10.165.87.136 with its host public key Switch002.
[device] ssh client 10.165.87.136 assign rsa-key Switch002
# Establish the SSH connection to server 10.165.87.136.
[device] ssh2 10.165.87.136 identity-key dsa
Username: client001
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
**************************************************************************
* Copyright(c) 2004-2007 Hangzhou H3C Tech. Co., Ltd. All rights reserved. *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
**************************************************************************
<device>
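The client-side trust decision in the examples above (first-time authentication versus a host key pinned with ssh client ... assign rsa-key) and the public key files exchanged through FTP/TFTP in the publickey examples, as an added Python example that is not part of the H3C guide: it parses such a key file, reports a fingerprint that can be compared out of band before the file is imported, and models when the client accepts or rejects a server. It assumes the exported "ssh2" file uses the RFC 4716 layout (the same layout PuTTYGen's Save public key writes); the key material in the sample is constructed, not a real key, and the policy class is a hypothetical helper.

```python
import base64
import hashlib
import struct
BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def parse_ssh2_pubkey(text: str) -> tuple[str, bytes]:
    """Return (algorithm name, raw key blob) from an RFC 4716 'SSH2 public key' file (assumed layout)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file")
    body, cont = [], False
    for ln in lines[1:-1]:
        if cont or ":" in ln:         # header line (Comment:, Subject:, ...) or a '\'-continued one
            cont = ln.endswith("\\")
            continue
        body.append(ln)
    blob = base64.b64decode("".join(body))
    (n,) = struct.unpack(">I", blob[:4])   # the blob starts with the algorithm name as an SSH string
    return blob[4:4 + n].decode(), blob

def fingerprint(blob: bytes) -> str:   # OpenSSH-style SHA-256 fingerprint, for out-of-band comparison
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

class SshClientHostPolicy:
    """Models the switch client's host-key decision (hypothetical helper, not device code)."""
    def __init__(self, first_time: bool):
        self.first_time = first_time             # 'ssh client first-time' / 'undo ssh client first-time'
        self.server_info: dict[str, bytes] = {}  # host -> pinned key blob, like 'display ssh server-info'

    def assign(self, host: str, key_file: str, expected_algo: str) -> str:
        """Like 'public-key peer ... import sshkey' + 'ssh client <host> assign rsa-key'; returns the fingerprint."""
        algo, blob = parse_ssh2_pubkey(key_file)
        if algo != expected_algo:
            raise ValueError(f"{host}: key file holds {algo}, expected {expected_algo}")
        self.server_info[host] = blob
        return fingerprint(blob)

    def connect(self, host: str, offered: bytes, accept: bool = False, save: bool = False) -> str:
        pinned = self.server_info.get(host)
        if pinned is not None:                   # known server: the offered key must match exactly
            return "ok" if pinned == offered else "reject: host key changed"
        if not self.first_time:                  # no pinned key and first-time authentication disabled
            return "reject: server not authenticated"
        if not accept:                           # 'The Server is not authenticated. Do you continue?' -> N
            return "reject: declined by user"
        if save:                                 # 'Do you want to save the server's public key?' -> Y
            self.server_info[host] = offered
        return "ok (unverified)"

def make_sample(algo: str, ints: list[int], comment: str) -> str:
    """Constructed key file in the RFC 4716 layout for testing; the integers are NOT a real key."""
    s = lambda b: struct.pack(">I", len(b)) + b            # SSH 'string': 4-byte length + data
    blob = s(algo.encode()) + b"".join(s(i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints)
    b64 = base64.b64encode(blob).decode()
    return "\n".join([BEGIN, f'Comment: "{comment}"', *(b64[i:i + 70] for i in range(0, len(b64), 70)), END])
```

Run fingerprint() over the Switch002 file on both the server and the client and compare the two values over a trusted channel before answering the save prompt or importing the file; a key pinned this way makes a later changed host key a hard rejection rather than a yes/no question.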