Huawei Switch STelnet Example
Networking Requirements
Configuration Roadmap
Use the following roadmap to configure STelnet login to another device:
1. Generate a local key pair on the SSH server so that the server and client can exchange data securely.
2. Configure the SSH user admin on the SSH server.
3. Enable the STelnet service on the SSH server.
4. Set the service type of SSH user admin to STelnet on the SSH server.
5. Log in to the SSH server as user admin through STelnet.
Procedure
Generate a local key pair on the server (optional)
system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create //this step can be omitted
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys…
Info: Succeeded in creating the DSA host keys.
Create an SSH user on the server
1. Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound all
[SSH Server-ui-vty0-4] quit
2. Create an SSH user named admin with password authentication
[SSH Server] aaa
[SSH Server-aaa] local-user admin password irreversible-cipher Huawei@123
[SSH Server-aaa] local-user admin privilege level 3
[SSH Server-aaa] local-user admin service-type ssh terminal http
[SSH Server-aaa] quit
Enable the STelnet service on the SSH server
1. Enable the STelnet service
[SSH Server] stelnet server enable //enable the STelnet server function.
[SSH Server] ssh server-source -i vlanif xx //xx is the management VLAN. In V200R020 and later you also need to run ssh server-source, in one of the two forms below:

| ssh server-source -i xxx | ssh server-source all interface |
|---|---|
| -i: the SSH service is provided on one specified physical or logical interface | all interface: the SSH service is provided on all physical and logical interfaces |
2. Set the service type of SSH user admin to STelnet
[SSH Server] ssh user admin service-type stelnet
[SSH Server] undo ssh server publickey //restores all public key algorithms of the SSH server to the defaults; without this, CRT cannot connect because of an algorithm mismatch
[SSH Server] ssh server cipher aes256_ctr aes128_ctr //set the SSH server encryption algorithms to CTR mode
Connect to the SSH server from the STelnet client
1. Enable first-time authentication on the SSH client
[client001] ssh client first-time enable
2. Verify the configuration
The STelnet client user admin connects to the SSH server with password authentication; enter the configured username and password.
2.1 Local verification: stelnet 127.0.0.1
Log in to the switch and verify the local SSH function
stelnet 127.0.0.1
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server’s public key? [Y/N] :y
The server’s public key will be saved with the name 10.1.1.1. Please wait…
Enter password:
2.2 Configure the MEth interface and verify from a PC connected to MEth (client01 in the topology diagram stands for the PC)
Separate the service and management planes (bind the dedicated Ethernet management port to a VPN instance, then configure a default route within that VPN instance)
[SSH Server] ip vpn-instance MGT
[SSH Server-vpn-instance-MGT] ipv4-family
[SSH Server-vpn-instance-MGT-af-ipv4] quit
[SSH Server-vpn-instance-MGT] quit
[SSH Server] int MEth 0/0/1
[SSH Server-MEth 0/0/1] ip binding vpn-instance MGT
[SSH Server-MEth 0/0/1] ip address X.X.X.X 24
[SSH Server-MEth 0/0/1] quit
[SSH Server] ip route-static vpn-instance MGT 0.0.0.0 0 X.X.X.254 (X.X.X.254 is the out-of-band management gateway address)
Open CRT
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server’s public key? [Y/N] :y
The server’s public key will be saved with the name 10.1.1.1. Please wait…
Enter password:
Configuration File
S series 6730/5731 configuration
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound all
quit
aaa
local-user admin password irreversible-cipher XXX
local-user admin privilege level 15
local-user admin service-type terminal ssh http
undo local-aaa-user password policy administrator
quit
stelnet server enable
ssh server-source all-interface
y
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh client first-time enable
ssh server cipher aes256_ctr aes128_ctr
undo ssh server publickey
(Optional: allow legacy algorithms for older clients; des_cbc, 3des_cbc, md5, sha1 and dh_group1_sha1 are weak and should only be enabled when a client actually needs them)
ssh server key-exchange dh_group_exchange_sha256 dh_group1_sha1
ssh server cipher 3des_cbc aes128_cbc aes128_ctr aes256_cbc aes256_ctr des_cbc
ssh server hmac md5 md5_96 sha1 sha1_96 sha2_256 sha2_256_96
ssh server publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
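The optional block above re-enables legacy algorithms, and a later "ssh server cipher" line silently replaces the hardened one. The following audit script is an added example (not Huawei's or the page's own code) that parses such a configuration file and reports weak SSH algorithms in the effective lists; it assumes each "ssh server cipher|hmac|key-exchange|publickey" command replaces the whole list for that family and that "undo" resets it, and the sample config is constructed from the lines on this page.

```python
import re

# Constructed sample config, taken from the page's configuration file section.
SAMPLE_CONFIG = """\
stelnet server enable
ssh server-source all-interface
ssh user admin authentication-type password
ssh user admin service-type stelnet
ssh server cipher aes256_ctr aes128_ctr
ssh server key-exchange dh_group_exchange_sha256 dh_group1_sha1
ssh server cipher 3des_cbc aes128_cbc aes128_ctr aes256_cbc aes256_ctr des_cbc
ssh server hmac md5 md5_96 sha1 sha1_96 sha2_256 sha2_256_96
ssh server publickey dsa ecc rsa rsa_sha2_256 rsa_sha2_512
"""

# Algorithm names (as spelled in the VRP CLI) that are considered weak:
# DES/3DES and CBC-mode ciphers, MD5/SHA-1 MACs, 1024-bit DH and DSA keys.
WEAK = {
    "cipher": {"des_cbc", "3des_cbc", "aes128_cbc", "aes256_cbc"},
    "hmac": {"md5", "md5_96", "sha1", "sha1_96"},
    "key-exchange": {"dh_group1_sha1"},
    "publickey": {"dsa"},
}

LINE_RE = re.compile(
    r"^\s*(undo\s+)?ssh server (cipher|hmac|key-exchange|publickey)(?:\s+(\S.*?))?\s*$"
)

def parse_ssh_algorithms(config: str) -> dict:
    """Return the effective algorithm list per family.

    Assumption: each 'ssh server <family> ...' command replaces the previous
    list, so the last occurrence wins; 'undo ssh server <family>' restores the
    (version-dependent) default, which we model as 'unknown' by dropping it.
    """
    algos = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        undo, family, names = m.groups()
        if undo or names is None:
            algos.pop(family, None)
        else:
            algos[family] = names.split()
    return algos

def audit(config: str) -> list:
    """Return (family, algorithm) pairs that are weak in the effective config."""
    return [(fam, name) for fam, names in parse_ssh_algorithms(config).items()
            for name in names if name in WEAK.get(fam, set())]

if __name__ == "__main__":
    for family, name in audit(SAMPLE_CONFIG):
        print(f"weak {family}: {name}")
```

Running it against the page's configuration shows that the later cipher line, not the hardened CTR-only line, is what the switch ends up offering.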