Stelnet(ssh)登陸華為交換機(jī)配置教程

1、 Stelnet(ssh)登陸華為交換機(jī)配置教程使用STelnet V1協(xié)議存在安全風(fēng)險(xiǎn)，建議使用STelnet V2登錄設(shè)備。通過STelnet登錄設(shè)備的缺省值參數(shù)缺省值STelnet服務(wù)器功能關(guān)閉SSH服務(wù)器端口號(hào)22SSH服務(wù)器密鑰對(duì)的更新周期0小時(shí)，表示永不更新SSH連接認(rèn)證超時(shí)時(shí)間60秒SSH連接的認(rèn)證重試次數(shù)3SSH服務(wù)器兼容低版本功能使能VTY用戶界面的認(rèn)證方式?jīng)]有配置認(rèn)證方式VTY用戶界面所支持的協(xié)議Telnet協(xié)議SSH用戶的認(rèn)證方式認(rèn)證方式是空，即不支持任何認(rèn)證方式SSH用戶的服務(wù)方式服務(wù)方式是空，即不支持任何服務(wù)方式SSH服務(wù)器為用戶分配公鑰沒有為用戶分配公鑰用戶級(jí)別VT

2、Y用戶界面對(duì)應(yīng)的默認(rèn)命令訪問級(jí)別是01、生成本地密鑰對(duì)   密鑰保存在交換機(jī)中單不保存在配置文件中Huaweirsa ?  key-pair         RSA key pair  local-key-pair   Local RSA public key pair operations  peer-public-key  Remote peer RSA public key configuration Huaw

3、eirsa local-key-pair ?  create   Create new local public key pairs  destroy  Destroy the local public key pairs   # 銷毀本地密鑰對(duì) Huaweirsa local-key-pair createThe key name will be: Huawei_HostThe range of public key size is (512 2048).NOTES: If the key modulu

4、s is greater than 512,       it will take a few minutes.Input the bits in the modulusdefault = 512:1024  # 密鑰對(duì)長度越大，密鑰對(duì)安全性就越好，建議使用最大的密鑰對(duì)長度Generating keys.+.+.+.+或Huaweidsa local-key-pair ?  create   Create a new local key-pair  destroy 

5、 Destroy the local key-pair Huaweidsa local-key-pair createInfo: The key name will be: Huawei_Host_DSA.Info: The key modulus can be any one of the following : 512, 1024, 2048.Info: If the key modulus is greater than 512, it may take a few minutes.Please input the modulus default=512:1024Info: G

6、enerating keys.Info: Succeeded in creating the DSA host keys. -查看密鑰對(duì)-Huaweidisplay dsa local-key-pair public =Time of Key pair created: 11:37:32  2016/3/30Key name    : Huawei_Host_DSAKey modulus : 1024Key type    : DSA encryption Key=Key code:3082019F

7、60; 028180    A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C    9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC    54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E    7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898    43FAD059 98B8EEA8 E

8、7395FC7 CA9D1655 47927368    9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4    0B752AC7 817E877F  0214    CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27  028180    6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2    C8D00C3

9、D 666F61D4 F2E36445 4027FD04 0D61B2A3    AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66    C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B    264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328    C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E  

10、;  F459F826 B9A5CF6D  028180    7F379C46 85328DCE F9603A92 2EF0FF48 84C7560E    D3E0660C B7ED2F84 39219FEB 61BDE65A F9B55D45    AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB    31980AEE E4D6BD98 8003E903 8FD54933 26948C87 

11、0;  CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611    2D2573C7 1A19AA43 A9AAF80B 3A6F3B37 CB737102    744D0A49 F9636680  Host public key for PEM format code:- BEGIN SSH2 PUBLIC KEY -AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rx

12、Uv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs

13、+2UNoRbpeifGtt570WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSMh80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJ0TQpJ+WNmgA=- END SSH2 PUBLIC KEY - Public key code for pasting into OpenSSH authorized_keys file :ssh-

14、dss AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o

15、3zX5+vgC7XO8vWbFWuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSMh80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJ0TQpJ+WNmgA= dsa-key Hua

16、wei 2、打開STelnet服務(wù)器功能Huaweistelnet server enable 3、配置SSH服務(wù)器端口號(hào)Huaweissh server port ?  INTEGER<22,1025-55535>  Set the port number, the default value is 22 4、配置密鑰對(duì)更新時(shí)間Huaweissh server rekey-interval ?  INTEGER<0-24>  Set the interval (in hours), the defa

17、ult value is 0, which means the server will not generate the new key automatically 5、配置SSH認(rèn)證超時(shí)時(shí)間Huaweissh server timeout ?  INTEGER<1-120>  Set the authentication timeout, the default value is 60 seconds 6、配置SSH認(rèn)證重試次數(shù)    配置SSH認(rèn)證重試次數(shù)用來設(shè)置SSH用戶請(qǐng)求連接的認(rèn)證重試次數(shù)，防

18、止非法用戶登錄。Huaweissh server authentication-retries ?  INTEGER<1-5>  Set the authentication times, the default value is 3 times 7、使能兼容低版本SSH協(xié)議Huaweissh server compatible-ssh1x ?  enable  Enable or disable the compatibility with SSH1, the default value is enabled 8、配置S

19、SH服務(wù)器的源接口    指定SSH服務(wù)器端的源接口前，必須已經(jīng)成功創(chuàng)建LoopBack接口，否則會(huì)導(dǎo)致本配置無法成功執(zhí)行。Huaweissh server-source -i ?  <NULL>  Not exists loopback interface 9、配置訪問控制列表Huaweissh server acl 2001 10、配置通過SSH登陸的帳號(hào)密碼具體配置見VTY配置 11、配置VTY用戶界面支持SSH協(xié)議Huawei-ui-vty0-4protocol inbound ?&#

20、160; all     All protocols  ssh     SSH protocol  telnet  Telnet protocol 12、創(chuàng)建SSH用戶Huaweissh user ?  STRING<1-64>  The specified user name Huaweissh user 1Info: Succeeded in adding a new SSH user.Huawei 13、配置SSH用戶

21、的認(rèn)證方式Huaweissh user 1 ?  assign               Set the key  authentication-type  Authentication type  authorization-cmd    Authorization mode  service-type      

22、   Set service type  sftp-directory       Set SFTP directory  <cr>                 Huaweissh user 1 authentication-type ?  all    

23、0;      Any authentication mode, any one of password, RSA, and DSA  dsa           DSA authentication  password      Password authentication  password-dsa  Both password and DSA aut

24、hentication modes  password-rsa  Both password and RSA authentication modes  rsa           RSA authentication     如果沒有使用ssh user命令配置相應(yīng)的SSH用戶，則可以直接執(zhí)行ssh authentication-type default password命令為用戶配置SSH認(rèn)證缺省采用密碼認(rèn)證，在

25、用戶數(shù)量比較多時(shí)，對(duì)用戶使用缺省密碼認(rèn)證方式可以簡化配置，此時(shí)只需再配置AAA用戶即可。 14、配置SSH用戶的服務(wù)類型Huaweissh user 1 service-type ?  all      Set all service type  sftp     Set SFTP service type  stelnet  Set Stelnet service type  Huaweissh user 1 service-type

26、 stelnet 15、配置SSH用戶按命令行授權(quán)，即只能通過命令行使用Huaweissh user 1 authorization-cmd ?  aaa  Set the AAA authorization mode     password認(rèn)證依靠AAA實(shí)現(xiàn)，當(dāng)用戶使用password、password-rsa或password-dsa認(rèn)證方式登錄設(shè)備時(shí)，需要在AAA視圖下創(chuàng)建同名的本地用戶。    如果SSH用戶使用password認(rèn)證，則只需要在SSH服務(wù)器端生成本地RSA或D

27、SA密鑰。    如果SSH用戶使用RSA或DSA認(rèn)證，則在服務(wù)器端和客戶端都需要生成本地RSA或DSA密鑰對(duì)，并且服務(wù)器端和客戶端都需要將對(duì)方的公鑰配置到本地。 16、對(duì)SSH用戶進(jìn)行password、password-dsa或password-rsa認(rèn)證時(shí)在AAA下創(chuàng)建同名用戶名Huawei-aaalocal-user 1 password irreversible-cipher  17、對(duì)SSH用戶進(jìn)行dsa、rsa、password-dsa或password-rsa認(rèn)證時(shí)配置方法17.1、進(jìn)入RSA或DSA公共密鑰視圖Huaw

28、eirsa peer-public-key Enter "RSA public key" view, return system view with "peer-public-key end".Huawei-rsa-public-key或Huaweidsa peer-public-key ?  STRING<1-30>  Name of the peer public key Huaweidsa peer-public-key 1 ?  encoding-type  Encoding type

29、 of the remote peer's public key Huaweidsa peer-public-key 1 encoding-type ?  der  DER encoded public key  # DER編碼的公鑰  pem  PEM encoded public key  # PEM編碼的公鑰  Huaweidsa peer-public-key 1 encoding-type der ?  <cr>  Huaweidsa peer-public-key 1 encoding-type derInfo: Enter "DSA public key" view, return system view with "peer-public-key end".Huawe