Stelnet(ssh)登陸華為交換機配置教程

1、膆Stelnet(ssh)登陸華為交換機配置教程蒅使用STelnet V1協(xié)議存在安全風險，建議使用 STelnet V2登錄設備裊通過STeInet登錄設備的缺省值蒀參數(shù)薀缺省值祎STelnet服務器功能芃關閉蒃SSH服務器端口號蝕22芇SSH服務器密鑰對的更新周期羅0小時，表示永不更新節(jié)SSH連接認證超時時間蝕60秒蚈SSH連接的認證重試次數(shù)蒂3肁SSH服務器兼容低版本功能螀使能螅VTY用戶界面的認證方式膄沒有配置認證方式衿VTY用戶界面所支持的協(xié)議袀TeInet協(xié)議膅SSH用戶的認證方式螞認證方式是空，即不支持任何認證方式袂SSH用戶的服務方式羀服務方式是空，即不支持任何服務方式薆SSH

2、服務器為用戶分配公鑰莄沒有為用戶分配公鑰蟻用戶級別肀VTY用戶界面對應的默認命令訪問級別是 0羇1、生成本地密鑰對螂 密鑰保存在交換機中單不保存在配置文件中莀Huaweirsa腿 key-pairRSA key pair膄 local-key-pair Local RSA public key pair operations蒄 peer-public-key Remote peer RSA public key configuration艿Huaweirsa local-key-pair ?薅 create Create new local public key pairs羂 destroy

3、Destroy the local public key pairs膂艿Huaweirsa local-key-pair create羆 The key n ame will be: Huawei_Host蚄 The range of public key size is (512 2048).羈 NOTES: If the key modulus is greater than 512, 荿 it will take a few mi nutes.莇 In put the bits in the modulusdefault = 512:1024鑰對安全性就越好，建議使用最大的密鑰對長度賺

4、Gen erati ng keys.螀+#銷毀本地密鑰對#密鑰對長度越大，密葿.+螈+袃+螃或蕿Huaweidsa local-key-pair ?襖 create Create a new local key-pair薅 destroy Destroy the local key-pair蠆Huaweidsa local-key-pair create芅 Info: The key n ame will be: Huawei_Host_DSA.肅Info: The key modulus can be any one of the following : 512, 1024, 2048.芀

5、Info: If the key modulus is greater than 512, it may take a few minutes.蝿 Please in put the modulus default=512:1024蚆 Info: Generating keys.螅 Info: Succeeded in creating the DSA host keys.螈 查看密鑰對肇Huaweidisplay dsa local-key-pair public袈 Time of Key pair created: 11:37:322016/3/30膄 Key n ame: Huawei_

6、Host_DSA羅 Key modulus : 1024袁 Key type : DSA en crypti on Key薅 Key code:莃3082019F蝕 028180肇 A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C羆 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC肅 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E蚃 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898膈 43FAD059 98B8EEA8 E7395FC

7、7 CA9D1655 47927368 莇 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4薂 0B752AC7 817E877F蒁 0214羋 CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27螇 028180芄 6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2芀 C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3莈 AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66羄 C55AE0F6 69530C

8、14 1B33A5A1 CF77D636 75A5EF3B螞 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328罿 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E莈 F459F826 B9A5CF6D蒞 028180蒄 7F379C46 85328DCE F9603A92 2EF0FF48 84C7560E肂 D3E0660C B7ED2F84 39219FEB 61BDE65A F9B55D45蕆 AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB螆 31980AEE E4D

9、6BD98 8003E903 8FD54933 26948C87袂 CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611螁 2D2573C7 1A19AA43 A9AAF80B 3A6F3B37 CB737102薇 744D0A49 F9636680薄 Host public key for PEM format code:薀BEGIN SSH2 PUBLIC KEY 蚇AAAAB3NzaC1kc3MAAACBAKScXq+QblCxxHTMsNR8aWUi3888lgK62P zo9+N6ab4Y薈jLfYWGtQ7rxUv7CJYaDdMV9/MIDw2

10、0fk7NzBD n7BjTE1zXj34AL7a0y1m6XizbiY肂Q/rQWZi47qj nO V/Hyp0WVUeSc2iZFK8JbP3BJWzloH/d3mA78xxOpAt1K seBfod/薃AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgL nTcrF25cDQwWNef2ydtXK螇osjQDD1mb2HU8uNkRUA n/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUu n88oNGYs+2UNoRbp

11、e螄ifGtt57OWfgmuaXPbQAAAIB/N5xGhTKNzvlgOplu8P9lhMdWDtPgZgy37S+EOSGf莂62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mlAD6QOP1UkzJpSM袇h80/frz nv quQ nko/ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJ0TQ pJ+WNm肆 gA=蒅- END SSH2 PUBLIC KEY -膀羇 Public key code for pasting into OpenSSH authorized_keys file :蒆 ssh

12、-dssAAAAB3NzaC1kc3MAAACBAKScXq+QblCxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ羃7rxUv7CJYaDdMV9/MIDw20fk7NzBD n7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qj nO V/Hyp0WVUeS衿c2iZFK8JbP3BJWzloH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBt羇MgL nTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUA n/QQNYbKjrzzt

13、a8Nsxo3o3zX5+vgC7XO8vWbF袇WuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun 88oNGYs+2UNoRbpeifGtt570蚅WfgmuaXPbQAAAIB/N5xGhTKNzvlgOplu8P9lhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mlAD6QOP1UkzJpSMh80/frz nvquQ nko/ytkq9w8k5pYRLSVzxxoZqkOp肇 qvgLOm87N8tzcQJ0TQpJ+WNmgA= d

14、sa-key肄肅Huawei蟻膆2、打開STelnet服務器功能蒅Huaweistel net server en able裊蒀3、配置SSH服務器端口號薀Huaweissh server port 祎 INTEGER Set the port number, the default value is22芃蒃4、配置密鑰對更新時間蝕Huaweissh server rekey-i nterval ?芇 INTEGERSet the interval (in hours), the default value is 0,which means the server will not gen er

15、ate the new key automatically羅節(jié)5、配置SSH認證超時時間蝕Huaweissh server timeout ?蚈 INTEGER Set the authentication timeout, the default value is60 seconds蒂肁6、配置SSH認證重試次數(shù)螀 配置SSH認證重試次數(shù)用來設置 SSH用戶請求連接的認證重試次數(shù)，防止 非法用戶登錄。螅Huaweissh server authentication-retries ?膄 INTEGER Set the authentication times, the default val

16、ue is 3 times衿袀7、使能兼容低版本SSH協(xié)議膅Huaweissh server compatible-ssh1x ?螞 enable Enable or disable the compatibility with SSH1, the default value is en abled羀8、配置SSH服務器的源接口薆 指定SSH服務器端的源接口前，必須已經(jīng)成功創(chuàng)建LoopBack接口，否則會導致本配置無法成功執(zhí)行。莄Huaweissh server-source -i ?蟻 Not exists loopback in terface肀羇9、配置訪問控制列表螂Huaweissh

17、server acl 2001莀腿10、配置通過SSH登陸的帳號密碼膄具體配置見VTY配置蒄腿11、配置VTY用戶界面支持SSH協(xié)議艿Huawei-ui-vty0-4protocol inbound薅 all All protocols羂 ssh SSH protocol膂 telnet Telnet protocol羆12、創(chuàng)建SSH用戶蚄Huaweissh user羈 STRING The specified user name莇Huaweissh user 1賺 Info: Succeeded in add ing a new SSH user.螀Huawei螈13、配置SSH用戶的認證

18、方式袃Huaweissh user 1螃 assignSet the key蕿 authentication-typeAuthe nticati on type襖 authorization-cmdAuthorizati on mode薅 service-typeSet service type薁 sftp-directorySet SFTP directory蠆 肅Huaweissh user 1 authe nticatio n-type ?芀 allAny authentication mode, any one of password, RSA, andDSA蝿 dsaDSA auth

19、entication蚆 password Password authentication螅 password-dsa Both password and DSA authentication modes聿 password-rsa Both password and RSA authentication modes螈 rsaRSA authentication肇膃 如果沒有使用ssh user命令配置相應的SSH用戶，則可以直接執(zhí)行sshauthentication-type default password命令為用戶配置 SSH認證缺省采用 密碼認證，在用戶數(shù)量比較多時，對用戶使用缺省密碼認

20、證方式可以簡化配置, 此時只需再配置AAA用戶即可。肂袈14、配置SSH用戶的服務類型膄Huaweissh user 1 service-type ?羅 all Set all service type袁 sftp Set SFTP service type羈 steInetSet Stelnet service type薅莃Huaweissh user 1 service-type ste Inet蝕肇15、配置SSH用戶按命令行授權，即只能通過命令行使用羆Huaweissh user 1 authorizati on-cmd肅 aaa Set the AAA authorization m

21、ode蚃膈 password 認證依靠 AAA 實現(xiàn)，當用戶使用 password、password-rsa 或 password-dsa 認證方式登錄設備時，需要在AAA視圖下創(chuàng)建同名的本地用戶。莇 如果SSH用戶使用password認證，則只需要在SSH服務器端生成本地RSA 或DSA密鑰。薂 如果SSH用戶使用RSA或DSA認證，則在服務器端和客戶端都需要生成本 地RSA或DSA密鑰對，并且服務器端和客戶端都需要將對方的公鑰配置到本地。蒁羋 16、對 SSH 用戶進行 password、password-dsa 或 password-rsa 認證時在AAA下創(chuàng)建同名用戶名螇Huawei-

22、aaalocal-user 1 password irreversible-cipher 023認證時芀 17、對 SSH 用戶進行 dsa、rsa、password-dsa 或 password-rsa配置方法莈17.1、進入RSA或DSA公共密鑰視圖羄Huaweirsa peer-public-key 023螞 En ter RSA public key view, return system view with peer-public-key en d.罿Huawei-rsa-public-key莈或蒞Huaweidsa peer-public-key ?蒄 ST

23、RING Name of the peer public key肂蕆Huaweidsa peer-public-key 1螆 en cod in g-typeEn cod ing type of the remote peers public key螁Huaweidsa peer-public-key 1 en cod in g-type薇 der DER encoded public key# DER 編碼的公鑰腿 pem PEM encoded public key # PEM 編碼的公鑰薀Huaweidsa peer-public-key 1 en cod in g-type der蚇

24、肂Huaweidsa peer-public-key 1 en cod in g-type der 薃 Info: Enter DSA public key view, return system view withpeer-public-key end螇.蚅Huawei-dsa-public-key螄莂17.2、編輯公共密鑰袇Huawei-rsa-public-keypublic-key-code ?肆 beg in Beg in to in put public key code蒅膀Huawei-rsa-public-keypublic-key-code beg in ?羇 蒆羃Huawe

25、i-rsa-public-keypublic-key-code beg in衿 Enter RSA key code view, return last view with public-key-code end.羇Huawei-rsa-key-code袇17.3、編輯公共密鑰鍵入的公共密鑰必須是按公鑰格式編碼的十六進制字符串，由支持 SSH的 客戶端軟件生成。請將獲取的 RSA或DSA公鑰輸入到作為SSH服務端的設備 上。Huawei-rsa-key-code30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7Huawei-rsa-key

26、-code048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118Huawei-rsa-key-code4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3Huawei-rsa-key-code1B020125Huawei-rsa-key-code17.4、退出公共密鑰編輯視圖 Huawei-rsa-key-codepublic-key-code end% Fail to decode key string, the key string may be invalid.Huawei-rsa-public-key17.5、退出公共密鑰