11-Security Command Reference

08-SSH Commands

SSH configuration commands

SSH server configuration commands

display ssh server

Syntax

display ssh server { session | status } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

session: Displays the session information of the SSH server.

status: Displays the status information of the SSH server.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssh server command on an SSH server to display SSH server status information or session information.

Related commands: ssh server authentication-retries, ssh server rekey-interval, ssh server authentication-timeout, ssh server enable, and ssh server compatible-ssh1x enable.

Examples

# Display the SSH server status information.

<Sysname> display ssh server status

 SSH server: Disable

 SSH version : 1.99

 SSH authentication-timeout : 60 second(s)

 SSH server key generating interval : 0 hour(s)

 SSH authentication retries : 3 time(s)

 SFTP server: Disable

 SFTP server Idle-Timeout: 10 minute(s)

Table 1 Output description

Field

Description

SSH server

Whether the SSH server function is enabled.

SSH version

SSH protocol version.

The version is 1.99 when the server also accepts SSH1 clients (ssh server compatible-ssh1x enable, which is the default); otherwise it is 2. SSH1 is an obsolete protocol with known weaknesses, so a value of 1.99 on a production switch deserves a second look.

SSH authentication-timeout

Authentication timeout period.

SSH server key generating interval

SSH server key pair update interval.

SSH authentication retries

Maximum number of SSH authentication attempts.

SFTP server

Whether the SFTP server function is enabled.

SFTP server Idle-Timeout

SFTP connection idle timeout period.

 

# Display the SSH server session information.

<Sysname> display ssh server session

 Conn   Ver   Encry    State         Retry    SerType  Username

 VTY 0  2.0   DES      Established   0        SFTP     client001

Table 2 Output description

Field

Description

Conn

Connected VTY channel

Ver

SSH server protocol version

Encry

Encryption algorithm

State

Status of the session, including: Init, Ver-exchange, Keys-exchange, Auth-request, Serv-request, Established, Disconnected

Retry

Number of authentication failures

SerType

Service type (SFTP, Stelnet)

Username

Username presented at login

 

display ssh user-information

Syntax

display ssh user-information [ username ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

username: Specifies an SSH username, a string of 1 to 80 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssh user-information command on an SSH server to display information about one or all SSH users.

The users displayed by this command are only those configured by the ssh user command on the SSH server.

With the username argument not specified, the command displays information about all SSH users.

Related commands: ssh user.

Examples

# Display information about all SSH users.

<Sysname> display ssh user-information

 Total ssh users : 2

 Username    Authentication-type   User-public-key-name   Service-type

 yemx        password              null                   stelnet|sftp

 test        publickey             pubkey                 sftp

Table 3 Output description

Field

Description

Username

Name of the user.

Authentication-type

Authentication method. If this field has a value of password, the next field will have a value of null.

User-public-key-name

Name of the public key assigned to the user (null for password-only users).

Service-type

Service type.

 

sftp server enable

Syntax

sftp server enable

undo sftp server enable

View

System view

Default level

3: Manage level

Parameters

None

Description

Use the sftp server enable command to enable the SFTP server function.

Use the undo sftp server enable command to disable the SFTP server function.

By default, the SFTP server function is disabled.

You can use the display ssh server command to view the status or session information of the SFTP server.

Related commands: display ssh server.

Examples

# Enable SFTP server.

<Sysname> system-view

[Sysname] sftp server enable

sftp server idle-timeout

Syntax

sftp server idle-timeout time-out-value

undo sftp server idle-timeout

View

System view

Default level

3: Manage level

Parameters

time-out-value: Specifies the timeout period in minutes, in the range of 1 to 35,791.

Description

Use the sftp server idle-timeout command to set the idle timeout period for SFTP user connections.

Use the undo sftp server idle-timeout command to restore the default.

By default, the idle timeout period is 10 minutes.

If an SFTP connection stays idle longer than the configured timeout, the system terminates it. When many SFTP connections are expected, set a small value so that idle connections release their resources promptly; a long timeout (such as the 500 minutes in the example below) lets an unattended session linger for hours.

Related commands: display ssh server.

Examples

# Set the idle timeout period for SFTP user connections to 500 minutes.

<Sysname> system-view

[Sysname] sftp server idle-timeout 500

ssh server authentication-retries

Syntax

ssh server authentication-retries times

undo ssh server authentication-retries

View

System view

Default level

3: Manage level

Parameters

times: Specifies the maximum number of authentication attempts, in the range 1 to 5.

Description

Use the ssh server authentication-retries command to set the maximum number of SSH connection authentication attempts, which takes effect at next login.

Use the undo ssh server authentication-retries command to restore the default.

By default, the maximum number of SSH connection authentication attempts is 3.

Keep this limit low to slow online guessing of usernames and passwords; every failed attempt counts, whether it was a publickey or a password attempt.

This configuration takes effect only for users that log in after it is made.

Authentication fails when the number of authentication attempts (publickey and password attempts combined) exceeds the limit configured by the ssh server authentication-retries command.

If the authentication method of SSH users is password-publickey, the limit must be at least 2, because such users must pass both password and publickey authentication.

Related commands: display ssh server.

Examples

# Set the maximum number of SSH connection authentication attempts to 4.

<Sysname> system-view

[Sysname] ssh server authentication-retries 4

ssh server authentication-timeout

Syntax

ssh server authentication-timeout time-out-value

undo ssh server authentication-timeout

View

System view

Default level

3: Manage level

Parameters

time-out-value: Specifies the authentication timeout period in seconds, in the range 1 to 120.

Description

Use the ssh server authentication-timeout command to set the SSH user authentication timeout period on the SSH server. If a user has not completed authentication when the timer expires, the server tears the connection down.

Use the undo ssh server authentication-timeout command to restore the default.

By default, the authentication timeout period is 60 seconds.

Keep this timer short: an unauthenticated client can otherwise hold a TCP connection open for the whole period, and many such clients can exhaust the server's connection resources.

Related commands: display ssh server.

Examples

# Set the SSH user authentication timeout period to 10 seconds.

<Sysname> system-view

[Sysname] ssh server authentication-timeout 10

ssh server compatible-ssh1x enable

Syntax

ssh server compatible-ssh1x enable

undo ssh server compatible-ssh1x

View

System view

Default level

3: Manage level

Parameters

None

Description

Use the ssh server compatible-ssh1x enable command to enable the SSH server to support SSH1 clients.

Use the undo ssh server compatible-ssh1x command to disable the SSH server from supporting SSH1 clients.

By default, the SSH server supports SSH1 clients.

This configuration takes effect only for the users that log in after the configuration. SSH1 is an obsolete protocol with known weaknesses, so disable SSH1 compatibility (undo ssh server compatible-ssh1x) unless a legacy client still requires it, and confirm the change with display ssh server status, where the SSH version changes from 1.99 to 2.

Related commands: display ssh server.

Examples

# Enable the SSH server to support SSH1 clients.

<Sysname> system-view

[Sysname] ssh server compatible-ssh1x enable
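The status and session output described under display ssh server, together with the authentication-retries, authentication-timeout and compatible-ssh1x settings above and the sftp server idle-timeout setting, are the usual inputs to an SSH hardening check on this platform. The following Python script is an added example, not part of this reference or of H3C's software: it parses constructed output modelled on the display ssh server examples, compares it with an assumed baseline (3 retries, a 30-second authentication timeout, a 10-minute SFTP idle timeout, no SSH1), flags sessions that use SSH1 or DES or have recorded authentication failures, and names the command that brings each deviation back into line. The baseline values and the sample sessions are assumptions made for illustration.

```python
import re

# Constructed sample output, modelled on the display ssh server examples in
# this reference; the values are deliberately weak so the audit has findings.
STATUS_SAMPLE = """\
 SSH server: Enable
 SSH version : 1.99
 SSH authentication-timeout : 120 second(s)
 SSH server key generating interval : 0 hour(s)
 SSH authentication retries : 5 time(s)
 SFTP server: Enable
 SFTP server Idle-Timeout: 500 minute(s)
"""
SESSION_SAMPLE = """\
 Conn   Ver   Encry    State         Retry    SerType  Username
 VTY 0  2.0   DES      Established   0        SFTP     client001
 VTY 1  1.5   3DES     Auth-request  2        Stelnet  admin
 VTY 2  2.0   AES128   Established   0        Stelnet  ops
"""

# Assumed hardening baseline (policy values chosen for this example).
BASELINE = {"max_auth_retries": 3, "max_auth_timeout_s": 30, "max_sftp_idle_min": 10}
WEAK_CIPHERS = {"DES"}

# One session row: Conn Ver Encry State Retry SerType Username
ROW_RE = re.compile(
    r"\s*(?P<conn>VTY\s+\d+)\s+(?P<ver>\S+)\s+(?P<encry>\S+)\s+(?P<state>\S+)"
    r"\s+(?P<retry>\d+)\s+(?P<sertype>\S+)\s+(?P<user>\S+)")


def parse_status(text):
    """Map the 'key: value' lines of display ssh server status to a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def first_int(value):
    """Leading integer of strings such as '60 second(s)'; None if absent."""
    m = re.search(r"\d+", value or "")
    return int(m.group()) if m else None


def parse_sessions(text):
    """Parse the rows of display ssh server session (the header does not match)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["retry"] = int(row["retry"])
            rows.append(row)
    return rows


def audit_status(fields, baseline=BASELINE):
    """Return {field: remediation command} for each value outside the baseline."""
    findings = {}
    if fields.get("SSH version") == "1.99":  # 1.99 means SSH1 clients are accepted
        findings["SSH version"] = "SSH1 accepted; run 'undo ssh server compatible-ssh1x'"
    retries = first_int(fields.get("SSH authentication retries"))
    if retries is not None and retries > baseline["max_auth_retries"]:
        findings["SSH authentication retries"] = (
            f"{retries} attempts; run 'ssh server authentication-retries "
            f"{baseline['max_auth_retries']}'")
    timeout = first_int(fields.get("SSH authentication-timeout"))
    if timeout is not None and timeout > baseline["max_auth_timeout_s"]:
        findings["SSH authentication-timeout"] = (
            f"{timeout} s; run 'ssh server authentication-timeout "
            f"{baseline['max_auth_timeout_s']}'")
    if fields.get("SFTP server") == "Enable":  # idle timeout only matters when SFTP is on
        idle = first_int(fields.get("SFTP server Idle-Timeout"))
        if idle is not None and idle > baseline["max_sftp_idle_min"]:
            findings["SFTP server Idle-Timeout"] = (
                f"{idle} min; run 'sftp server idle-timeout "
                f"{baseline['max_sftp_idle_min']}'")
    return findings


def audit_sessions(rows, weak_ciphers=WEAK_CIPHERS):
    """Return [(conn, reason)] for SSH1 sessions, weak ciphers and failed logins."""
    findings = []
    for row in rows:
        if row["ver"].startswith("1."):
            findings.append((row["conn"], f"SSH1 session for {row['user']}"))
        if row["encry"].upper() in weak_ciphers:
            findings.append((row["conn"], f"weak cipher {row['encry']} for {row['user']}"))
        if row["retry"] > 0:
            findings.append((row["conn"], f"{row['retry']} failed attempt(s) for {row['user']}"))
    return findings


if __name__ == "__main__":
    for field, fix in audit_status(parse_status(STATUS_SAMPLE)).items():
        print(f"[status]  {field}: {fix}")
    for conn, reason in audit_sessions(parse_sessions(SESSION_SAMPLE)):
        print(f"[session] {conn}: {reason}")
```

Feed it output captured from the switch instead of the constructed samples. The session check is worth repeating after a configuration change: a session's protocol version and cipher are fixed when it is set up, and, as the compatible-ssh1x description notes, a change affects only users who log in afterwards.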

ssh server enable

Syntax

ssh server enable

undo ssh server enable

View

System view

Default level

3: Manage level

Parameters

None

Description

Use the ssh server enable command to enable SSH server so that the SSH clients use SSH to communicate with the server.

Use the undo ssh server enable command to disable SSH server.

By default, SSH server is disabled.

Related commands: display ssh server.

Examples

# Enable SSH server.

<Sysname> system-view

[Sysname] ssh server enable

ssh server rekey-interval

Syntax

ssh server rekey-interval hours

undo ssh server rekey-interval

View

System view

Default level

3: Manage level

Parameters

hours: Specifies the server key update interval in hours, in the range 1 to 24.

Description

Use the ssh server rekey-interval command to set the interval for updating the RSA server key.

Use the undo ssh server rekey-interval command to remove the configuration.

By default, the update interval of the RSA server key is 0, that is, the system does not update the RSA server key pair.

Updating the RSA server key periodically limits how long a recovered server key remains useful to an attacker, which strengthens the SSH connections that depend on it.

Related commands: display ssh server.

 

CAUTION:

·       This command affects only SSH users that use SSH1 client software; SSH2 sessions derive their keys through Diffie-Hellman key exchange and have no separately regenerated server key.

·       The system does not update any DSA key pair periodically.

 

Examples

# Set the RSA server key pair update interval to 3 hours.

<Sysname> system-view

[Sysname] ssh server rekey-interval 3

ssh user

Syntax

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

ssh user username service-type { all | sftp } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname work-directory directory-name }

undo ssh user username

View

System view

Default level

3: Manage level

Parameters

username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.

service-type: Specifies the service type of an SSH user, which can be one of the following:

·           all: Specifies both secure Telnet and secure FTP.

·           sftp: Specifies the service type as secure FTP.

·           stelnet: Specifies the service type of secure Telnet.

authentication-type: Specifies the authentication method of an SSH user, which can be one the following:

·           password: Specifies password authentication. This method is simple and fast, but it is exposed to password guessing. It can work with AAA to implement user authentication, authorization, and accounting.

·           any: Specifies either password authentication or publickey authentication.

·           password-publickey: Requires both password authentication and publickey authentication (the most secure choice) when the client runs SSH2; when the client runs SSH1, either method alone suffices.

·           publickey: Specifies publickey authentication. The public-key operations are slower than a password check, but the method resists brute-force guessing and, once the key is in place, completes without any password being typed. The client's private key then becomes the credential to protect.

assign publickey keyname: Assigns an existing public key to an SSH user. The keyname argument is a string of 1 to 64 characters.

work-directory directory-name: Specifies the working folder for an SFTP user. The directory-name argument is a string of 1 to 135 characters.

Description

Use the ssh user command to create an SSH user and specify the service type and authentication method.

Use the undo ssh user command to delete an SSH user.

If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the SSH server uses password authentication, you do not need to create the user account on the device, but you must configure the user account information on the device for local authentication, or on the remote authentication server (such as a RADIUS server) for remote authentication.

If you use the ssh user command to configure a public key for a user who has already had a public key, the new one overwrites the old one.

You can change the authentication method, service type, and host public key of an SSH user while the user is connected to the SSH server. The change does not affect that user's existing session; it applies to users that log in after the change.

If an SFTP user has been assigned a public key, it is necessary to set a working folder for the user.

·           The working directory of an SFTP user depends on the authentication method. If only password authentication is used, the working folder is authorized by AAA.

·           If publickey authentication, whether with password authentication or not, is used, the working folder is set by using the ssh user command.

Related commands: display ssh user-information.

Examples

# Create an SSH user named user1, setting the service type as sftp, the authentication method as publickey, assigning a public key named key1 to the client, and the work folder of the SFTP server as flash:.

<Sysname> system-view

[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:

SSH client configuration commands

bye

Syntax

bye

View

SFTP client view

Default level

3: Manage level

Parameters

None

Description

Use the bye command to terminate the connection with the SFTP server and return to user view.

This command functions as the exit and quit commands.

Examples

# Terminate the connection with the SFTP server.

sftp-client> bye

Bye

Connection closed.

<Sysname>

cd

Syntax

cd [ remote-path ]

View

SFTP client view

Default level

3: Manage level

Parameters

remote-path: Name of a path on the server.

Description

Use the cd command to change the working path on an SFTP server. If the argument is not specified, the command displays the current working path.

 

 

NOTE:

·       You can use the cd .. command to return to the upper-level directory.

·       You can use the cd / command to return to the root directory of the system.

 

Examples

# Change the working path to new1.

sftp-client> cd new1

Current Directory is:/new1

cdup

Syntax

cdup

View

SFTP client view

Default level

3: Manage level

Parameters

None

Description

Use the cdup command to return to the upper-level directory.

Examples

# Return to the upper-level directory from the current working directory /new1.

sftp-client> cdup

Current Directory is:/

delete

Syntax

delete remote-file&<1-10>

View

SFTP client view

Default level

3: Manage level

Parameters

remote-file&<1-10>: Specifies the name of a file on the server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.

Description

Use the delete command to delete the specified file(s) from a server.

This command functions as the remove command.

Examples

# Delete the file temp.c from the server.

sftp-client> delete temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time. Please wait...

 

File successfully Removed

dir

Syntax

dir [ -a | -l ] [ remote-path ]

View

SFTP client view

Default level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays detailed information about the files and sub-directories of the specified directory in the form of a list.

remote-path: Specifies the name of the directory to be queried.

Description

Use the dir command to display file and folder information under a specified directory.

If the -a and -l keywords are not specified, the command displays detailed information about the files and sub-directories under the specified working directory.

If the remote-path argument is not specified, the command displays information about the files and sub-directories under the current working directory. This command functions as the ls command.

Examples

# Display detailed information about the files and sub-directories under the current working directory in the form of a list.

sftp-client> dir

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

display sftp client source

Syntax

display sftp client source [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display sftp client source command to display the source IP address or source interface set for the SFTP client.

If neither source IP address nor source interface is specified for the SFTP client, the system will prompt you to specify the source information.

Related commands: sftp client source.

Examples

# Display the source IP address set for the SFTP client.

<Sysname> display sftp client source

The source IP address you specified is 192.168.0.1

display ssh client source

Syntax

display ssh client source [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssh client source command to display the source IP address or source interface information set for an Stelnet client.

If neither source IP address nor source interface is specified for the Stelnet client, the system displays the message “Neither source IP address nor source interface was specified for the Stelnet client.”

Related commands: ssh client source.

Examples

# Display the source IP address or source interface set for the Stelnet client.

<Sysname> display ssh client source

The source IP address you specified is 192.168.0.1

display ssh server-info

Syntax

display ssh server-info [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ssh server-info command on a client to display mappings between SSH servers and their host public keys saved on the client.

When an SSH client needs to authenticate the SSH server, it uses the locally saved public key of the server for the authentication. If the authentication fails, you can use this command to check the public key of the server saved on the client.

Related commands: ssh client authentication server.

 

 

NOTE:

This command is also available on an SFTP client.

 

Examples

# Display the mappings between SSH servers and their host public keys on the client.

<Sysname> display ssh server-info

Server Name(IP)                 Server public key name

______________________________________________________

192.168.0.1                      abc_key01

192.168.0.2                      abc_key02

Table 4 Output description

Field

Description

Server Name(IP)

Name or IP address of the server

Server public key name

Name of the host public key of the server

 

exit

Syntax

exit

View

SFTP client view

Default level

3: Manage level

Parameters

None

Description

Use the exit command to terminate the connection with the SFTP server and return to user view.

This command functions as the bye and quit commands.

Examples

# Terminate the connection with the SFTP server.

sftp-client> exit

Bye

Connection closed.

<Sysname>

get

Syntax

get remote-file [ local-file ]

View

SFTP client view

Default level

3: Manage level

Parameters

remote-file: Specifies the name of a file on the SFTP server.

local-file: Specifies the name for the local file.

Description

Use the get command to download a file from the SFTP server and save it locally.

If no local filename is specified, the file is saved locally with the same name as that on the SFTP server.

Examples

# Download the file temp1.c and save it as temp.c locally.

sftp-client> get temp1.c temp.c

Remote  file:/temp1.c --->  Local file: temp.c

Downloading file successfully ended

help

Syntax

help [ all | command-name ]

View

SFTP client view

Default level

3: Manage level

Parameters

all: Displays all commands.

command-name: Specifies the name of a command.

Description

Use the help command to display all commands or the help information of an SFTP client command.

If the option is not specified, the command displays a list of all commands.

Examples

# Display the help information of the get command.

sftp-client> help get

get remote-path [local-path]  Download file Default local-path is the same with remote-path

ls

Syntax

ls [ -a | -l ] [ remote-path ]

View

SFTP client view

Default level

3: Manage level

Parameters

-a: Displays the filenames or the folder names of the specified directory.

-l: Displays detailed information about the files and sub-directories of the specified directory in the form of a list.

remote-path: Specifies the name of the directory to be queried.

Description

Use the ls command to display the names of the files and sub-directories under a specified directory.

If the -a and -l keywords are not specified, the command displays detailed information of files and sub-directories under the specified directory in the form of a list.

If the remote-path argument is not specified, the command displays information about the files and sub-directories under the current working directory.

This command functions as the dir command.

Examples

# Display detailed information about files and sub-directories under the current working directory in the form of a list.

sftp-client> ls

-rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg

-rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2

-rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey1

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:28 pub1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:24 new1

drwxrwxrwx   1 noone    nogroup         0 Sep 28 08:18 new2

-rwxrwxrwx   1 noone    nogroup       225 Sep 28 08:30 pub2

mkdir

Syntax

mkdir remote-path

View

SFTP client view

Default level

3: Manage level

Parameters

remote-path: Specifies the name for the directory on the SFTP server.

Description

Use the mkdir command to create a directory on the SFTP server.

Examples

# Create a directory named test on the SFTP server.

sftp-client> mkdir test

New directory created

put

Syntax

put local-file [ remote-file ]

View

SFTP client view

Default level

3: Manage level

Parameters

local-file: Specifies the name of a local file.

remote-file: Specifies the name for the file on an SFTP server.

Description

Use the put command to upload a local file to an SFTP server.

If the remote-file argument is not specified, the file will be saved remotely with the same name as the local one.

Examples

# Upload the local file temp.c to the SFTP server and save it as temp1.c.

sftp-client> put temp.c temp1.c

Local file:temp.c --->  Remote file: /temp1.c

Uploading file successfully ended

pwd

Syntax

pwd

View

SFTP client view

Default level

3: Manage level

Parameters

None

Description

Use the pwd command to display the current working directory of an SFTP server.

Examples

# Display the current working directory of the SFTP server.

sftp-client> pwd

quit

Syntax

quit

View

SFTP client view

Default level

3: Manage level

Parameters

None

Description

Use the quit command to terminate the connection with an SFTP server.

This command functions as the bye and exit commands.

Examples

# Terminate the connection with the SFTP server.

sftp-client> quit

Bye

Connection closed.

<Sysname>

remove

Syntax

remove remote-file&<1-10>

View

SFTP client view

Default level

3: Manage level

Parameters

remote-file&<1-10>: Specifies the name of a file on an SFTP server. &<1-10> means that you can provide up to 10 filenames, which are separated by space.

Description

Use the remove command to delete the specified file(s) from a remote server.

This command functions as the delete command.

Examples

# Delete the file temp.c from the server.

sftp-client> remove temp.c

The following files will be deleted:

/temp.c

Are you sure to delete it? [Y/N]:y

This operation may take a long time. Please wait...

 

File successfully Removed

rename

Syntax

rename oldname newname

View

SFTP client view

Default level

3: Manage level

Parameters

oldname: Specifies the name of an existing file or directory.

newname: Specifies the new name for the file or directory.

Description

Use the rename command to change the name of a specified file or directory on an SFTP server.

Examples

# Change the name of a file on the SFTP server from temp1.c to temp2.c.

sftp-client> rename temp1.c temp2.c

File successfully renamed

rmdir

Syntax

rmdir remote-path&<1-10>

View

SFTP client view

Default level

3: Manage level

Parameters

remote-path&<1-10>: Specifies the name of the directory on the SFTP server. &<1-10> means that you can provide up to 10 directory names that are separated by space.

Description

Use the rmdir command to delete the specified directories from an SFTP server.

Examples

# Delete the directory temp1 in the current directory on the SFTP server.

sftp-client> rmdir temp1

Directory successfully removed

sftp

Syntax

sftp server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default level

3: Manage level

Parameters

server: Specifies the IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.

port-number: Specifies the port number of the server, in the range 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server, defaulted to aes128.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc. Single DES has a 56-bit key and is no longer considered secure; select it only to interoperate with a legacy server.

prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1, which uses a 1024-bit group and is deprecated; prefer dh-group14 or dh-group-exchange.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1 (2048-bit group).

prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the sftp command to establish a connection to an IPv4 SFTP server and enter SFTP client view.

When the server uses publickey authentication to authenticate the client, the client must produce a digital signature with its local private key. Because publickey authentication can use either RSA or DSA, specify the client's public key algorithm with the identity-key keyword so that the client loads the matching private key. By default, the public key algorithm is DSA.

Examples

# Connect to SFTP server 10.1.1.2, using the following connection scheme:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred encryption algorithm from server to client is aes128.

·           The preferred HMAC algorithm from client to server is md5.

·           The preferred HMAC algorithm from server to client is sha1-96.

<Sysname> sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

Input Username:
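The prefer-* keywords only state the client's preference; the algorithm actually used is decided by the SSH2 negotiation in RFC 4253 section 7.1, where each side sends its name-list in order of preference and the first algorithm on the client's list that the server also supports wins (no common algorithm means the connection fails). The following Python model is an added example, not code from this reference or from H3C: it maps the keywords to the wire names given in the parameter list above, assumes the client places the preferred algorithm first and keeps the remaining algorithms in the order listed (the reference does not say how the rest are ordered), and flags negotiated choices from an assumed weak set (des-cbc, hmac-md5, hmac-md5-96, diffie-hellman-group1-sha1). The two server capability sets are constructed for illustration, and a single server cipher and HMAC list is used for both directions to keep the model short.

```python
# Wire names behind the sftp keywords, taken from the parameter descriptions.
CIPHER = {"aes128": "aes128-cbc", "3des": "3des-cbc", "des": "des-cbc"}
HMAC = {"sha1-96": "hmac-sha1-96", "sha1": "hmac-sha1",
        "md5-96": "hmac-md5-96", "md5": "hmac-md5"}
KEX = {"dh-group-exchange": "diffie-hellman-group-exchange-sha1",
       "dh-group14": "diffie-hellman-group14-sha1",
       "dh-group1": "diffie-hellman-group1-sha1"}

# Defaults of the sftp command as documented above.
DEFAULTS = {"prefer-kex": "dh-group-exchange",
            "prefer-ctos-cipher": "aes128", "prefer-stoc-cipher": "aes128",
            "prefer-ctos-hmac": "sha1-96", "prefer-stoc-hmac": "sha1-96"}

# Assumed policy: algorithms a negotiated connection should not end up with.
WEAK = {"des-cbc", "hmac-md5", "hmac-md5-96", "diffie-hellman-group1-sha1"}

# Constructed server capability sets (name-lists as a server would send them).
MODERN_SERVER = {
    "kex": ["diffie-hellman-group14-sha1", "diffie-hellman-group-exchange-sha1"],
    "cipher": ["aes128-cbc", "3des-cbc"],
    "hmac": ["hmac-sha1", "hmac-sha1-96"]}
LEGACY_SERVER = {
    "kex": ["diffie-hellman-group1-sha1"],
    "cipher": ["des-cbc", "3des-cbc"],
    "hmac": ["hmac-md5", "hmac-sha1-96"]}


def name_list(table, preferred_keyword):
    """Client name-list for one prefer-* keyword: the preferred algorithm first,
    then the others in documented order (an assumption; the reference only says
    'preferred')."""
    head = table[preferred_keyword]
    return [head] + [name for name in table.values() if name != head]


def choose(client_list, server_list):
    """RFC 4253 section 7.1: the first algorithm on the client's list that the
    server also offers; None means no common algorithm and the connection fails."""
    offered = set(server_list)
    return next((alg for alg in client_list if alg in offered), None)


def negotiate(options, server):
    """options: prefer-* keyword -> value (unspecified keywords take DEFAULTS).
    server: {'kex': [...], 'cipher': [...], 'hmac': [...]} as sent in KEXINIT.
    Returns (chosen algorithm per slot, sorted list of slots with a weak choice)."""
    opts = {**DEFAULTS, **options}
    chosen = {
        "kex": choose(name_list(KEX, opts["prefer-kex"]), server["kex"]),
        "ctos-cipher": choose(name_list(CIPHER, opts["prefer-ctos-cipher"]), server["cipher"]),
        "stoc-cipher": choose(name_list(CIPHER, opts["prefer-stoc-cipher"]), server["cipher"]),
        "ctos-hmac": choose(name_list(HMAC, opts["prefer-ctos-hmac"]), server["hmac"]),
        "stoc-hmac": choose(name_list(HMAC, opts["prefer-stoc-hmac"]), server["hmac"]),
    }
    weak = sorted(slot for slot, alg in chosen.items() if alg in WEAK)
    return chosen, weak


if __name__ == "__main__":
    # The command from the example above:
    # sftp 10.1.1.2 prefer-kex dh-group1 prefer-stoc-cipher aes128
    #      prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
    example = {"prefer-kex": "dh-group1", "prefer-stoc-cipher": "aes128",
               "prefer-ctos-hmac": "md5", "prefer-stoc-hmac": "sha1-96"}
    for label, server in (("modern", MODERN_SERVER), ("legacy", LEGACY_SERVER)):
        chosen, weak = negotiate(example, server)
        print(label, chosen, "weak:", weak)
```

Run against the modern server, the example command's preferences for dh-group1 and hmac-md5 are simply not honoured and the connection ends up on group exchange and hmac-sha1-96; against the legacy server the same command yields a 1024-bit group and an MD5 MAC. Preferring a weak algorithm is therefore harmless only while the server refuses it, so keep the defaults unless a specific server forces otherwise.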

sftp client ipv6 source

Syntax

sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo sftp client ipv6 source

View

System view

Default level

3: Manage level

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number.

ipv6 ipv6-address: Specifies a source IPv6 address.

Description

Use the sftp client ipv6 source command to specify the source IPv6 address or source interface for the SFTP client.

Use the undo sftp client ipv6 source command to remove the configuration.

By default, the client uses the interface address specified by the route of the switch to access the SFTP server.

To make sure that the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface.

Related commands: display sftp client source.

Examples

# Specify the source IPv6 address of the SFTP client as 2:2::2:2.

<Sysname> system-view

[Sysname] sftp client ipv6 source ipv6 2:2::2:2

sftp client source

Syntax

sftp client source { interface interface-type interface-number | ip ip-address }

undo sftp client source

View

System view

Default level

3: Manage level

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number.

ip ip-address: Specifies a source IPv4 address.

Description

Use the sftp client source command to specify the source IPv4 address or interface of an SFTP client.

Use the undo sftp client source command to remove the configuration.

By default, a client uses the IP address of the interface specified by the route to access the SFTP server.

To make sure that the SFTP client and the SFTP server can communicate with each other, and to improve the manageability of SFTP clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface.

Related commands: display sftp client source.

Examples

# Specify the source IP address of the SFTP client as 192.168.0.1.

<Sysname> system-view

[Sysname] sftp client source ip 192.168.0.1

sftp ipv6

Syntax

sftp ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default level

3: Manage level

Parameters

server: Specifies the IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters.

port-number: Specifies the port number of the server, in the range 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server, defaulted to aes128.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the sftp ipv6 command to establish a connection to an IPv6 SFTP server and enter SFTP client view.

When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication involves RSA and DSA algorithms, you must specify the public key algorithm of the client (by using the identity-key keyword) in order to get the correct local private key. By default, the public key algorithm is DSA.

Examples

# Connect to server 2:5::8:9, using the following connection scheme:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred encryption algorithm from server to client is aes128.

·           The preferred HMAC algorithm from client to server is md5.

·           The preferred HMAC algorithm from server to client is sha1-96.

<Sysname> sftp ipv6 2:5::8:9 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

Input Username:

ssh client authentication server

Syntax

ssh client authentication server server assign publickey keyname

undo ssh client authentication server server assign publickey

View

System view

Default level

2: System level

Parameters

server: Specifies the IP address or name of the server, a string of 1 to 80 characters.

keyname: Specifies the name of the host public key of the server, a string of 1 to 64 characters.

Description

Use the ssh client authentication server command on the client to configure the host public key of a specified server so that the client can determine whether the server is trustworthy.

Use the undo ssh client authentication server command to remove the configuration.

By default, no host public key of a server is configured. When the client logs into a server, it uses the IP address or host name of the server as the public key name.

If the client does not support first authentication, it will reject unauthenticated servers. In this case, you need to configure the public keys of the servers and specify the mappings between public keys and servers on the client, so that the client uses the correct public key of a server to authenticate the server.

The specified host public key of the server must already exist.

Related commands: ssh client first-time enable.

Examples

# Configure the public key of the server at 192.168.0.1 to be key1.

<Sysname> system-view

[Sysname] ssh client authentication server 192.168.0.1 assign publickey key1

ssh client first-time enable

Syntax

ssh client first-time enable

undo ssh client first-time

View

System view

Default level

2: System level

Parameters

None

Description

Use the ssh client first-time enable command to enable the first authentication function.

Use the undo ssh client first-time command to disable the function.

By default, the function is enabled.

With first-time authentication, when an SSH client not configured with the server’s host public key accesses the server for the first time, the user can continue accessing the server, and save the server’s host public key on the client. When accessing the server again, the client uses the saved host public key to authenticate the server.

Without first-time authentication, a client not configured with the server’s host public key does not access the server. To access the server, a user must configure in advance the server’s host public key locally and specify the public key name for authentication.

Because the server might update its key pairs periodically, a client must obtain the most recent host public key of the server for successful authentication of the server.

Examples

# Enable the first authentication function.

<Sysname> system-view

[Sysname] ssh client first-time enable
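The two host-key policies described for ssh client first-time enable and ssh client authentication server can be modelled in a few lines. The following is an added example written for this page, not H3C code: it keeps an in-memory store of host public keys on the client, saves an unknown server's key under the server's address or host name when first-time authentication is enabled, rejects unknown servers when it is disabled, and reports a mismatch when a known server presents a different key (the case the page notes when a server updates its key pairs). The key bytes and server addresses are constructed for illustration; the function names are the example's own.

```python
"""Added example: SSH client host-key trust with and without first-time authentication.

Not H3C code. Models the behaviour of 'ssh client first-time enable' and
'ssh client authentication server <server> assign publickey <keyname>'.
Server addresses and key material below are constructed sample values.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class SshClientTrust:
    first_time_enabled: bool = True
    # keyname -> host public key bytes already present on the client
    local_keys: dict[str, bytes] = field(default_factory=dict)
    # server address or host name -> keyname used to authenticate it
    server_to_key: dict[str, str] = field(default_factory=dict)


def fingerprint(pubkey: bytes) -> str:
    """Short SHA-256 fingerprint for log messages (hypothetical format)."""
    return "SHA256:" + hashlib.sha256(pubkey).hexdigest()[:16]


def import_host_key(trust: SshClientTrust, keyname: str, pubkey: bytes) -> None:
    """Make a server host public key available on the client under a name."""
    trust.local_keys[keyname] = pubkey


def assign_publickey(trust: SshClientTrust, server: str, keyname: str) -> None:
    """Counterpart of 'ssh client authentication server ... assign publickey'.

    The page states that the specified host public key must already exist,
    so an unknown keyname is an error rather than a silent no-op.
    """
    if keyname not in trust.local_keys:
        raise KeyError(f"public key {keyname!r} does not exist on the client")
    trust.server_to_key[server] = keyname


def verify_server(trust: SshClientTrust, server: str, presented: bytes) -> tuple[bool, str]:
    """Decide whether to trust the host key a server presents during key exchange."""
    keyname = trust.server_to_key.get(server)
    if keyname is None:
        if trust.first_time_enabled:
            # First access: continue and save the key, named after the server.
            trust.local_keys[server] = presented
            trust.server_to_key[server] = server
            return True, f"{server}: unknown server accepted on first access, saved {fingerprint(presented)}"
        return False, f"{server}: rejected, no host public key configured and first-time authentication is disabled"
    expected = trust.local_keys[keyname]
    if expected == presented:
        return True, f"{server}: host key matches {keyname!r}"
    # Either the server's key pair changed or the peer is not the expected server;
    # the operator must obtain the current key and re-assign it before connecting.
    return False, (f"{server}: HOST KEY MISMATCH, expected {fingerprint(expected)} "
                   f"got {fingerprint(presented)}")


if __name__ == "__main__":
    strict = SshClientTrust(first_time_enabled=False)
    print(verify_server(strict, "192.168.0.1", b"constructed-key-1"))
    import_host_key(strict, "key1", b"constructed-key-1")
    assign_publickey(strict, "192.168.0.1", "key1")
    print(verify_server(strict, "192.168.0.1", b"constructed-key-1"))
    print(verify_server(strict, "192.168.0.1", b"constructed-key-2"))
```

With first-time authentication disabled, the only path to a successful connection is the explicit import-and-assign sequence, which is what makes that mode suitable where the server's key can be distributed out of band; with it enabled, the first connection is trusted without verification and only later key changes are detected.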

ssh client ipv6 source

Syntax

ssh client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }

undo ssh client ipv6 source

View

System view

Default level

3: Manage level

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number.

ipv6 ipv6-address: Specifies a source IPv6 address.

Description

Use the ssh client ipv6 source command to specify the source IPv6 address or source interface for the Stelnet client.

Use the undo ssh client ipv6 source command to remove the configuration.

By default, a Stelnet client uses the IPv6 address of the interface specified by the route of the device to access the Stelnet server.

To make sure that the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface.

Related commands: display ssh client source.

Examples

# Specify the source IPv6 address of the Stelnet client as 2:2::2:2.

<Sysname> system-view

[Sysname] ssh client ipv6 source ipv6 2:2::2:2

ssh client source

Syntax

ssh client source { interface interface-type interface-number | ip ip-address }

undo ssh client source

View

System view

Default level

3: Manage level

Parameters

interface interface-type interface-number: Specifies a source interface by its type and number.

ip ip-address: Specifies a source IPv4 address.

Description

Use the ssh client source command to specify the source IPv4 address or source interface of the Stelnet client.

Use the undo ssh client source command to remove the configuration.

By default, a Stelnet client uses the IP address of the interface specified by the route of the device to access the Stelnet server.

To make sure that the Stelnet client and the Stelnet server can communicate with each other, and to improve the manageability of Stelnet clients in the authentication service, H3C recommends that you specify a loopback interface as the source interface.

Related commands: display ssh client source.

Examples

# Specify the source IPv4 address of the Stelnet client as 192.168.0.1.

<Sysname> system-view

[Sysname] ssh client source ip 192.168.0.1

ssh2

Syntax

ssh2 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default level

0: Visit level

Parameters

server: Specifies the IPv4 address or host name of the server, a case-insensitive string of 1 to 20 characters.

port-number: Specifies the port number of the server, in the range 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server, defaulted to aes128.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the ssh2 command to establish a connection to an IPv4 Stelnet server and specify the public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.

When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication involves RSA and DSA algorithms, you must specify the public key algorithm of the client (by using the identity-key keyword) in order to get the correct local private key.

Examples

# Log in to Stelnet server 10.214.50.51, using the following connection scheme:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred encryption algorithm from server to client is aes128.

·           The preferred HMAC algorithm from client to server is md5.

·           The preferred HMAC algorithm from server to client is sha1-96.

<Sysname> ssh2 10.214.50.51 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96

ssh2 ipv6

Syntax

ssh2 ipv6 server [ port-number ] [ vpn-instance vpn-instance-name ] [ identity-key { dsa | rsa } | prefer-ctos-cipher { 3des | aes128 | des } | prefer-ctos-hmac { md5 | md5-96 | sha1 | sha1-96 } | prefer-kex { dh-group-exchange | dh-group1 | dh-group14 } | prefer-stoc-cipher { 3des | aes128 | des } | prefer-stoc-hmac { md5 | md5-96 | sha1 | sha1-96 } ] *

View

User view

Default level

0: Visit level

Parameters

server: Specifies the IPv6 address or host name of the server, a case-insensitive string of 1 to 46 characters.

port-number: Specifies the port number of the server, in the range 0 to 65535. The default is 22.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN that the server belongs to, where vpn-instance-name is a case-sensitive string of 1 to 31 characters. If the server is on the public network, do not specify this option.

identity-key: Specifies the algorithm for publickey authentication, either dsa or rsa. The default is dsa.

prefer-ctos-cipher: Specifies the preferred encryption algorithm from client to server, defaulted to aes128.

·           3des: Specifies the encryption algorithm 3des-cbc.

·           aes128: Specifies the encryption algorithm aes128-cbc.

·           des: Specifies the encryption algorithm des-cbc.

prefer-ctos-hmac: Specifies the preferred HMAC algorithm from client to server, defaulted to sha1-96.

·           md5: Specifies the HMAC algorithm hmac-md5.

·           md5-96: Specifies the HMAC algorithm hmac-md5-96.

·           sha1: Specifies the HMAC algorithm hmac-sha1.

·           sha1-96: Specifies the HMAC algorithm hmac-sha1-96.

prefer-kex: Specifies the preferred key exchange algorithm, defaulted to dh-group-exchange.

·           dh-group-exchange: Specifies the key exchange algorithm diffie-hellman-group-exchange-sha1.

·           dh-group1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.

·           dh-group14: Specifies the key exchange algorithm diffie-hellman-group14-sha1.

prefer-stoc-cipher: Specifies the preferred encryption algorithm from server to client, defaulted to aes128.

prefer-stoc-hmac: Specifies the preferred HMAC algorithm from server to client, defaulted to sha1-96.

Description

Use the ssh2 ipv6 command to establish a connection to an IPv6 Stelnet server and specify the public key algorithm, the preferred key exchange algorithm, and the preferred encryption algorithms and preferred HMAC algorithms between the client and server.

When the server adopts publickey authentication to authenticate a client, the client must get the local private key for digital signature. Because publickey authentication involves RSA and DSA algorithms, you must specify the public key algorithm of the client (by using the identity-key keyword) in order to get the correct local private key.

Examples

# Log in to Stelnet server 2000::1, using the following connection scheme:

·           The preferred key exchange algorithm is dh-group1.

·           The preferred encryption algorithm from server to client is aes128.

·           The preferred HMAC algorithm from client to server is md5.

·           The preferred HMAC algorithm from server to client is sha1-96.

<Sysname> ssh2 ipv6 2000::1 prefer-kex dh-group1 prefer-stoc-cipher aes128 prefer-ctos-hmac md5 prefer-stoc-hmac sha1-96
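The prefer-kex, prefer-ctos-cipher, prefer-stoc-cipher, prefer-ctos-hmac and prefer-stoc-hmac options shared by the sftp, sftp ipv6, ssh2 and ssh2 ipv6 commands only state the client's preference; what is actually used is settled by SSH algorithm negotiation (RFC 4253 section 7.1: the first algorithm on the client's list that the server also offers). The following added example, written for this page and not H3C code, parses a command line in the form shown in the examples above, builds the client's ordered name-lists from the page's option tables and defaults, negotiates against a constructed server offer, and reports which of the negotiated algorithms are on a weak list. Assumptions: the remaining algorithms after the preferred one are offered in the order the page lists them, and the weak list is this example's own review policy, not an H3C statement.

```python
"""Added example: algorithm negotiation for the prefer-* options of ssh2 / sftp.

Not H3C code. Keyword -> algorithm tables and defaults are taken from the
command reference; server offers are constructed; the ordering of
non-preferred algorithms and the WEAK set are this example's assumptions.
"""
from __future__ import annotations

CIPHERS = {"3des": "3des-cbc", "aes128": "aes128-cbc", "des": "des-cbc"}
HMACS = {"md5": "hmac-md5", "md5-96": "hmac-md5-96",
         "sha1": "hmac-sha1", "sha1-96": "hmac-sha1-96"}
KEX = {"dh-group-exchange": "diffie-hellman-group-exchange-sha1",
       "dh-group1": "diffie-hellman-group1-sha1",
       "dh-group14": "diffie-hellman-group14-sha1"}

# prefer-* keyword -> (allowed values, default keyword as stated on the page)
OPTIONS = {
    "prefer-kex": (KEX, "dh-group-exchange"),
    "prefer-ctos-cipher": (CIPHERS, "aes128"),
    "prefer-stoc-cipher": (CIPHERS, "aes128"),
    "prefer-ctos-hmac": (HMACS, "sha1-96"),
    "prefer-stoc-hmac": (HMACS, "sha1-96"),
}

# Review policy for this example (assumption): algorithms a configuration
# audit should flag when they end up as the negotiated choice.
WEAK = {"des-cbc", "3des-cbc", "hmac-md5", "hmac-md5-96",
        "diffie-hellman-group1-sha1"}


def parse_prefer_options(tokens: list[str]) -> dict[str, str]:
    """Parse the words after the server address, e.g.
    ['prefer-kex', 'dh-group1', 'prefer-stoc-cipher', 'aes128'].
    Options not given take the page's defaults."""
    chosen = {name: default for name, (_, default) in OPTIONS.items()}
    it = iter(tokens)
    for keyword in it:
        if keyword not in OPTIONS:
            raise ValueError(f"unknown option {keyword!r}")
        table, _ = OPTIONS[keyword]
        value = next(it, None)
        if value not in table:
            raise ValueError(f"invalid value {value!r} for {keyword}")
        chosen[keyword] = value
    return chosen


def client_name_list(keyword: str, chosen: dict[str, str]) -> list[str]:
    """Ordered name-list the client offers for one option: the preferred
    algorithm first, then the others in the page's order (assumed)."""
    table, _ = OPTIONS[keyword]
    preferred = table[chosen[keyword]]
    return [preferred] + [alg for alg in table.values() if alg != preferred]


def negotiate(client_list: list[str], server_list: list[str]) -> str:
    """RFC 4253 section 7.1: the chosen algorithm is the first on the
    client's name-list that also appears on the server's name-list."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise ValueError(f"no common algorithm: client={client_list} server={server_list}")


def negotiate_session(tokens: list[str], server_offer: dict[str, list[str]]) -> dict[str, str]:
    """Negotiate every prefer-* option against the server's offered lists."""
    chosen = parse_prefer_options(tokens)
    return {kw: negotiate(client_name_list(kw, chosen), server_offer[kw]) for kw in OPTIONS}


def weak_choices(negotiated: dict[str, str]) -> list[str]:
    """Negotiated algorithms that fall under the example's weak list."""
    return sorted(alg for alg in negotiated.values() if alg in WEAK)


# Constructed server offer: supports everything the client can ask for.
FULL_OFFER = {kw: list(table.values()) for kw, (table, _) in OPTIONS.items()}

# Tokens of the page's example command, after the server address.
PAGE_EXAMPLE = ["prefer-kex", "dh-group1", "prefer-stoc-cipher", "aes128",
                "prefer-ctos-hmac", "md5", "prefer-stoc-hmac", "sha1-96"]

if __name__ == "__main__":
    result = negotiate_session(PAGE_EXAMPLE, FULL_OFFER)
    for kw, alg in result.items():
        print(f"{kw:20} -> {alg}")
    print("flagged:", weak_choices(result))
```

Run against the page's example command, the negotiation lands on diffie-hellman-group1-sha1 and hmac-md5 because the client asked for them and the constructed server accepts them; against a server that offers only dh-group14 for key exchange, the same command line negotiates diffie-hellman-group14-sha1, which illustrates that the prefer-* options steer but do not force the outcome.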
