Stelnet(ssh)登陆华为交换机配置教程

1、Stelnet(ssh)登陆华为交换机配置教程使用STelnet V1协议存在安全风险，建议使用 STelnet V2登录设备通过STelnet登录设备的缺省值参数缺省值STelnet服务器功能关闭SSH服务器端口号22SSH服务器密钥对的更新周期0小时，表示永不更新SSH连接认证超时时间60秒SSH连接的认证重试次数3SSH服务器兼容低版本功能使能VTY用户界面的认证方式没有配置认证方式VTY用户界面所支持的协议Tel net协议SSH用户的认证方式认证方式是空，即不支持任何认证方式SSH用户的服务方式服务方式是空，即不支持任何服务方式SSH服务器为用户分配公钥没有为用户分配公钥用户级别VT

2、Y用户界面对应的默认命令访问级别是 01、生成本地密钥对密钥保存在交换机中单不保存在配置文件中Huaweirsa ?key-pairRSA key pairlocal-key-pair Local RSA public key pair operatio nspeer-public-key Remote peer RSA public key con figurati onHuaweirsa local-key-pair ?create Create new local public key pairs destroy Destroy the local public key pairsHua

3、weirsa local-key-pair createThe key n ame will be: Huawei_HostThe range of public key size is (512 2048).NOTES: If the key modulus is greater than 512, it will take a few mi nu tes.Input the bits in the modulusdefault = 512:1024钥对安全性就越好，建议使用最大的密钥对长度Gen erat ing keys.+.+或Huaweidsa local-key-pair ?cre

4、ate Create a new local key-pair#销毁本地密钥对#密钥对长度越大，密destroy Destroy the local key-pairHuaweidsa local-key-pair createInfo: The key n ame will be: Huawei_Host_DSA.Info: The key modulus can be any one of the following : 512, 1024, 2048.Info: If the key modulus is greater than 512, it may take a few minut

5、es.Please in put the modulus default=512:1024Info: Gen erat ing keys.Info: Succeeded in creat ing the DSA host keys. 查看密钥对Huaweidisplay dsa local-key-pair publicTime of Key pair created: 11:37:322016/3/30Key n ame:Huawei_Host_DSAKey modulus:1024Key type:DSA en crypti on KeyKey code:3082019F028180A49

6、C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C 9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC 54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E 7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898 43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368 9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4 0B752AC7 817E877F0214CBC5C0BC 2D7

7、B6DFE 15A7F9A3 6F6ED15B 6ECC9F27 0281806D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B 264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328 C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1A

8、DB79E F459F826 B9A5CF6D0281807F379C46 85328DCE F9603A92 2EF0FF48 84C7560ED3E0660C B7ED2F84 39219FEB 61BDE65A F9B55D45AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB31980AEE E4D6BD98 8003E903 8FD54933 26948C87CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611 2D2573C7 1A19AA43 A9AAF80B 3A6F3B37 CB737102744D0A

9、49 F9636680Host public key for PEM format code:- BEGIN SSH2 PUBLIC KEY -AAAAB3NzaC1kc3MAAACBAKScXq+QblCxxHTMsNR8aWUi3888lgK62P zo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBD n7BjTE1zXj34AL7a0y1m6 XizbiYQ/rQWZi47qj nO V/Hyp0WVUeSc2iZFK8JbP3BJWzloH/d3mA78xxOpAt1K seBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbs

10、yfJwAAAIBtMgL nTcrF25cDQwWN ef2ydtXKosjQDD1mb2HU8uNkRUA n/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWb FWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUu n88oNGYs+2UNoRbpe ifGtt570WfgmuaXPbQAAAIB/N5xGhTKNzvlgOplu8P9lhMdWDtPgZgy37 S+EOSGf62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mlAD6QOP1UkzJpSMh80

11、/frz nv quQ nko/ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJOTQpJ+WNmgA=- END SSH2 PUBLIC KEY -Public key code for pasting into OpenSSH authorized_keys file : ssh-dssAAAAB3NzaC1kc3MAAACBAKScXq+QblCxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBD n7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47q

12、j nO V/Hyp0WVUeSc2iZFK8JbP3BJWzloH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgL nTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUA n/QQNYbKjrzz ta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun 88oNGYs+2UNoRbpeifGtt570WfgmuaXPbQAAAIB/N5xGhTKNzvlgOplu8P9lhMdW

13、DtPgZgy37S+EOSG f62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mlAD6QOP1UkzJpSMh80/frz nvquQ nko/ ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJ0TQpJ+WNmgA= dsa-keyHuawei2、打开STelnet服务器功能Huaweiste Inet server en able3、配置SSH服务器端口号Huaweissh server port ?INTEGER Set the port number, the default value is224、配

14、置密钥对更新时间Huaweissh server rekey-i nterval ?INTEGERSet the in terval (i n hours), the default value is 0,which means the server will not gen erate the new key automatically5、配置SSH认证超时时间Huaweissh server timeout ?INTEGER Set the authe ntication timeout, the default value is60 seconds6、配置SSH认证重试次数配置SSH认证

15、重试次数用来设置SSH用户请求连接的认证重试次数，防止非 法用户登录。Huaweissh server authe nticatio n-retries ?INTEGER Set the authe nticati on times, the default value is 3 times7、使能兼容低版本SSH协议Huaweissh server compatible-ssh1x ?en able En able or disable the compatibility with SSH1, the defaultvalue is en abled8、配置SSH服务器的源接口指定SSH服务

16、器端的源接口前，必须已经成功创建LoopBack接口，否则会导致本配置无法成功执行。Huaweissh server-source -i ? Not exists loopback in terface9、配置访问控制列表Huaweissh server acl 200110、配置通过SSH登陆的帐号密码具体配置见VTY配置11、配置VTY用户界面支持SSH协议 Huawei-ui-vty0-4protocol inbound ?all All protocolsssh SSH protocoltelnet Telnet protocol12、创建SSH用户Huaweissh user ?ST

17、RING The specified user nameHuaweissh user 1Info: Succeeded in add ing a new SSH user. Huawei13、配置SSH用户的认证方式Huaweissh user 1 ?assig nSet the keyauthe nticati on-typeAuthe nticatio n typeauthorizati on-cmdAuthorizati on modeservice-typeSet service typesftp-directorySet SFTP directoryHuaweissh user 1

18、authentication-type ?allAny authe nticati on mode, any one of password, RSA, andDSAdsaDSA authe nticatio npassword Password authe nticati onpassword-dsa Both password and DSA authe nticati on modespassword-rsa Both password and RSA authe nticati on modesrsaRSA authe nticatio n如果没有使用ssh user命令配置相应的SS

19、H用户，则可以直接执行sshauthentication-type default password命令为用户配置 SSH认证缺省采用密码认证，在用户数量比较多时，对用户使用缺省密码认证方式可以简化配置， 此时只需再配置AAA用户即可。14、配置SSH用户的服务类型Huaweissh user 1 service-type ?all Set all service typesftp Set SFTP service typestel net Set Stelnet service typeHuaweissh user 1 service-type ste Inet15、配置SSH用户按命令行授

20、权，即只能通过命令行使用Huaweissh user 1 authorizatio n-cmd ?aaa Set the AAA authorizati on modepassword 认证依靠 AAA 实现，当用户使用 password、password-rsa 或 password-dsa 认证方式登录设备时，需要在AAA视图下创建同名的本地用户。如果SSH用户使用password认证，则只需要在SSH服务器端生成本地RSA 或DSA密钥。如果SSH用户使用RSA或DSA认证，则在服务器端和客户端都需要生成本 地RSA或DSA密钥对，并且服务器端和客户端都需要将对方的公钥配置到本地。16、

21、对 SSH 用户进行 password 、password-dsa 或 password-rsa 认证时 在AAA下创建同名用户名Huawei-aaalocal-user 1 password irreversible-cipher 17、对 SSH 用户进行 dsa、rsa、password-dsa 或 password-rsa 认证时配 置方法17.1、进入RSA或DSA公共密钥视图Huaweirsa peer-public-key En ter RSA public key view, return system view with peer-public-key en d.Huawei

22、-rsa-public-key或Huaweidsa peer-public-key ?STRING Name of the peer public keyHuaweidsa peer-public-key 1 ?en codi ng-typeEn cod ing type of the remote peers public keyHuaweidsa peer-public-key 1 en codi ng-type ?der DER encoded public key # DER 编码的公钥pem PEM encoded public key # PEM 编码的公钥Huaweidsa peer-public-key 1 en codi ng-type der ?Huaweidsa peer-public-key 1 en codi ng-type derInfo: En ter DSA public key view, return system view with peer-public-key endHuawei-dsa-public-key17.2、编辑公共密钥 Huawei-rsa-public-keypublic-key-code ?begi nBeg in to in put public key codeHuawei-rsa-public-ke