Overview
Telnet lacks a secure authentication method and transmits everything in cleartext, so it poses a serious security risk (FTP likewise sends passwords and data in cleartext).
STelnet is short for Secure Telnet: the server authenticates the client and encrypts data in both directions, providing a secure Telnet service for network terminals.
SSH (Secure Shell) is a network security protocol that uses authentication and data encryption to protect devices against attacks such as IP address spoofing and cleartext password interception.
Scenario and implementation procedure
Because the PC bundled with eNSP has no SSH client, this lab uses two routers instead: R1 acts as the client and R2 as the server.
Figure 1
1. Configure the interconnecting interfaces
[Huawei]sys R1
[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 1.1.1.1 24
[Huawei]sys R2
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip add 1.1.1.2 24
2. Enable the STelnet (SSH) service on the server (disabled by default)
[R2]stelnet server enable
Info: Succeeded in starting the STELNET server.
3. Generate a local RSA key pair on the SSH server; it is used to authenticate the server during later logins
[R2]rsa local-key-pair create
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys...
..++++++++++++
...................++++++++++++
..............................................++++++++
.++++++++
[R2]dis rsa local-key-pair public
=====================================================
Time of Key pair created: 2024-02-21 14:57:11-08:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
=====================================================
Time of Key pair created: 2024-02-21 14:57:17-08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
4. Configure the AAA view
[R2]aaa
[R2-aaa]local-user Admin password cipher huawei privilege level 15
[R2-aaa]local-user Admin service-type ssh
5. Configure the VTY user interface parameters
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]protocol inbound ssh
6. Create the SSH user
[R2]ssh user Admin authentication-type password
7. Connect to the SSH server with the stelnet command
<R1>sys
Enter system view, return user view with Ctrl+Z.
[R1]stelnet 1.1.1.2
Please input the username:Admin
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
Error: Failed to verify the server's public key.
Please run the command "ssh client first-time enable"to enable the first-time access function and try again.
[R1]ssh client first-time enable
[R1]stelnet 1.1.1.2
Please input the username:Admin
Trying 1.1.1.2 ...
Press CTRL+K to abort
Connected to 1.1.1.2 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Feb 21 2024 14:55:37-08:00 R1 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[R1]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 1.1.1.2. Please wait...
Feb 21 2024 14:55:44-08:00 R1 %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding whether to save the server's public key 1.1.1.2, the user chose Y.
[R1]
Enter password:
<R2>sys
Enter system view, return user view with Ctrl+Z
Note: On the first login the client must have the first-time access function enabled, and the SSH server's RSA public key is not verified during that login. After the login the client saves the server's RSA public key (under the server's address, 1.1.1.2 here) and verifies it on the next login.
Technical details
SSH carries its data over TCP port 22 and supports password authentication. The client sends a password authentication request, transmitting the username and password in encrypted form; the server decrypts them, compares them with the username and password it has stored, and returns an authentication success or failure message.
Summary
With SSH, once the client has first-time access enabled it prompts you to confirm the server's public key, which ensures you are connecting to the correct server and guards against man-in-the-middle attacks.