日期:2018-03-27  浏览次数:2057 次

使用STelnet V1协议存在安全风险,建议使用STelnet V2登录设备。

通过STelnet登录设备的缺省值

参数

缺省值

STelnet服务器功能

关闭

SSH服务器端口号

22

SSH服务器密钥对的更新周期

0小时,表示永不更新

SSH连接认证超时时间

60秒

SSH连接的认证重试次数

3

SSH服务器兼容低版本功能

使能

VTY用户界面的认证方式

没有配置认证方式

VTY用户界面所支持的协议

Telnet协议

SSH用户的认证方式

认证方式是空,即不支持任何认证方式

SSH用户的服务方式

服务方式是空,即不支持任何服务方式

SSH服务器为用户分配公钥

没有为用户分配公钥

用户级别

VTY用户界面对应的默认命令访问级别是0

1、生成本地密钥对

   密钥保存在交换机中单不保存在配置文件中

[Huawei]rsa ?

  key-pair         RSA key pair

  local-key-pair   Local RSA public key pair operations

  peer-public-key  Remote peer RSA public key configuration

 

[Huawei]rsa local-key-pair ?

  create   Create new local public key pairs

  destroy  Destroy the local public key pairs   # 销毁本地密钥对

 

[Huawei]rsa local-key-pair create

The key name will be: Huawei_Host

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

       it will take a few minutes.

Input the bits in the modulus[default = 512]:1024  # 密钥对长度越大,密钥对安全性就越好,建议使用最大的密钥对长度

Generating keys...

.......++++++

.++++++

........................++++++++

..........++++++++

[Huawei]dsa local-key-pair ?

  create   Create a new local key-pair

  destroy  Destroy the local key-pair

 

[Huawei]dsa local-key-pair create

Info: The key name will be: Huawei_Host_DSA.

Info: The key modulus can be any one of the following : 512, 1024, 2048.

Info: If the key modulus is greater than 512, it may take a few minutes.

Please input the modulus [default=512]:1024

Info: Generating keys...

Info: Succeeded in creating the DSA host keys.

 

----------------------查看密钥对-----------------------

[Huawei]display dsa local-key-pair public

 

=====================================================

Time of Key pair created: 11:37:32  2016/3/30

Key name    : Huawei_Host_DSA

Key modulus : 1024

Key type    : DSA encryption Key

=====================================================

Key code:

3082019F

  028180

    A49C5EAF 906C80B1 C474CCB0 D47C6965 22DFCF3C

    9602BAD8 FCE8F7E3 7A69BE18 8CB7D858 6B50EEBC

    54BFB089 61A0DD31 5F7F3080 F0DB47E4 ECDCC10E

    7EC18D31 35CD78F7 E002FB6B 4CB59BA5 E2CDB898

    43FAD059 98B8EEA8 E7395FC7 CA9D1655 47927368

    9914AF09 6CFDC125 6CC8A07F DDDE603B F31C4EA4

    0B752AC7 817E877F

  0214

    CBC5C0BC 2D7B6DFE 15A7F9A3 6F6ED15B 6ECC9F27

  028180

    6D3202E7 4DCAC5DB 97034305 8D79FDB2 76D5CAA2

    C8D00C3D 666F61D4 F2E36445 4027FD04 0D61B2A3

    AF3CED6B C36CC68D E8DF35F9 FAF802ED 73BCBD66

    C55AE0F6 69530C14 1B33A5A1 CF77D636 75A5EF3B

    264AB66E 2A8CFFB1 690E45F8 6FACF1B3 E2A11328

    C14BA7F3 CA0D198B 3ED94368 45BA5E89 F1ADB79E

    F459F826 B9A5CF6D

  028180

    7F379C46 85328DCE F9603A92 2EF0FF48 84C7560E

    D3E0660C B7ED2F84 39219FEB 61BDE65A F9B55D45

    AEE8445F FA3F36AD 3A5310D2 36214AF1 619F61CB

    31980AEE E4D6BD98 8003E903 8FD54933 26948C87

    CD3F7EBC E7BEAB90 9E4A3FCA D92AF70F 24E69611

    2D2573C7 1A19AA43 A9AAF80B 3A6F3B37 CB737102

    744D0A49 F9636680

 

 Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----

AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4Y

jLfYWGtQ7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiY

Q/rQWZi47qjnOV/Hyp0WVUeSc2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/

AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBtMgLnTcrF25cDQwWNef2ydtXK

osjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbFWuD2aVMM

FBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpe

ifGtt570WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf

62G95lr5tV1FruhEX/o/Nq06UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSM

h80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOpqvgLOm87N8tzcQJ0TQpJ+WNm

gA==

---- END SSH2 PUBLIC KEY ----

 

Public key code for pasting into OpenSSH authorized_keys file :

ssh-dss AAAAB3NzaC1kc3MAAACBAKScXq+QbICxxHTMsNR8aWUi3888lgK62Pzo9+N6ab4YjLfYWGtQ

7rxUv7CJYaDdMV9/MIDw20fk7NzBDn7BjTE1zXj34AL7a0y1m6XizbiYQ/rQWZi47qjnOV/Hyp0WVUeS

c2iZFK8JbP3BJWzIoH/d3mA78xxOpAt1KseBfod/AAAAFQDLxcC8LXtt/hWn+aNvbtFbbsyfJwAAAIBt

MgLnTcrF25cDQwWNef2ydtXKosjQDD1mb2HU8uNkRUAn/QQNYbKjrzzta8Nsxo3o3zX5+vgC7XO8vWbF

WuD2aVMMFBszpaHPd9Y2daXvOyZKtm4qjP+xaQ5F+G+s8bPioRMowUun88oNGYs+2UNoRbpeifGtt570

WfgmuaXPbQAAAIB/N5xGhTKNzvlgOpIu8P9IhMdWDtPgZgy37S+EOSGf62G95lr5tV1FruhEX/o/Nq06

UxDSNiFK8WGfYcsxmAru5Na9mIAD6QOP1UkzJpSMh80/frznvquQnko/ytkq9w8k5pYRLSVzxxoZqkOp

qvgLOm87N8tzcQJ0TQpJ+WNmgA== dsa-key

 

[Huawei]

 

2、打开STelnet服务器功能

[Huawei]stelnet server enable

 

3、配置SSH服务器端口号

[Huawei]ssh server port ?

  INTEGER<22,1025-55535>  Set the port number, the default value is 22

 

4、配置密钥对更新时间

[Huawei]ssh server rekey-interval ?

  INTEGER<0-24>  Set the interval (in hours), the default value is 0, which means the server will not generate the new key automatically

 

5、配置SSH认证超时时间

[Huawei]ssh server timeout ?

  INTEGER<1-120>  Set the authentication timeout, the default value is 60 seconds

 

6、配置SSH认证重试次数

    配置SSH认证重试次数用来设置SSH用户请求连接的认证重试次数,防止非法用户登录。

[Huawei]ssh server authentication-retries ?

  INTEGER<1-5>  Set the authentication times, the default value is 3 times

 

7、使能兼容低版本SSH协议

[Huawei]ssh server compatible-ssh1x ?

  enable  Enable or disable the compatibility with SSH1, the default value is enabled

 

8、配置SSH服务器的源接口

    指定SSH服务器端的源接口前,必须已经成功创建LoopBack接口,否则会导致本配置无法成功执行。

[Huawei]ssh server-source -i ?

  <NULL>  Not exists loopback interface

 

9、配置访问控制列表

[Huawei]ssh server acl 2001

 

10、配置通过SSH登陆的帐号密码

具体配置见VTY配置

 

11、配置VTY用户界面支持SSH协议

[Huawei-ui-vty0-4]protocol inbound ?

  all     All protocols

  ssh     SSH protocol

  telnet  Telnet protocol

 

12、创建SSH用户

[Huawei]ssh user ?

  STRING<1-64>  The specified user name

 

[Huawei]ssh user 1

Info: Succeeded in adding a new SSH user.

[Huawei]

 

13、配置SSH用户的认证方式

[Huawei]ssh user 1 ?

  assign               Set the key

  authentication-type  Authentication type

  authorization-cmd    Authorization mode

  service-type         Set service type

  sftp-directory       Set SFTP directory

  <cr>                

 

[Huawei]ssh user 1 authentication-type ?

  all           Any authentication mode, any one of password, RSA, and DSA

  dsa           DSA authentication

  password      Password authentication

  password-dsa  Both password and DSA authentication modes

  password-rsa  Both password and RSA authentication modes

  rsa           RSA authentication

 

    如果没有使用ssh user命令配置相应的SSH用户,则可以直接执行ssh authentication-type default password命令为用户配置SSH认证缺省采用密码认证,在用户数量比较多时,对用户使用缺省密码认证方式可以简化配置,此时只需再配置AAA用户即可。

 

14、配置SSH用户的服务类型

[Huawei]ssh user 1 service-type ?

  all      Set all service type

  sftp     Set SFTP service type

  stelnet  Set Stelnet service type

 

 [Huawei]ssh user 1 service-type stelnet

 

15、配置SSH用户按命令行授权,即只能通过命令行使用

[Huawei]ssh user 1 authorization-cmd ?

  aaa  Set the AAA authorization mode

 

    password认证依靠AAA实现,当用户使用password、password-rsa或password-dsa认证方式登录设备时,需要在AAA视图下创建同名的本地用户。

    如果SSH用户使用password认证,则只需要在SSH服务器端生成本地RSA或DSA密钥。

    如果SSH用户使用RSA或DSA认证,则在服务器端和客户端都需要生成本地RSA或DSA密钥对,并且服务器端和客户端都需要将对方的公钥配置到本地。

 

16、对SSH用户进行password、password-dsa或password-rsa认证时在AAA下创建同名用户名

[Huawei-aaa]local-user 1 password irreversible-cipher 023wg.com

 

17、对SSH用户进行dsa、rsa、password-dsa或password-rsa认证时配置方法

17.1、进入RSA或DSA公共密钥视图

[Huawei]rsa peer-public-key 023wg.com

Enter "RSA public key" view, return system view with "peer-public-key end".

[Huawei-rsa-public-key]

[Huawei]dsa peer-public-key ?

  STRING<1-30>  Name of the peer public key

 

[Huawei]dsa peer-public-key 1 ?

  encoding-type  Encoding type of the remote peer's public key

 

[Huawei]dsa peer-public-key 1 encoding-type ?

  der  DER encoded public key  # DER编码的公钥

  pem  PEM encoded public key  # PEM编码的公钥

 

 [Huawei]dsa peer-public-key 1 encoding-type der ?

  <cr> 

 

[Huawei]dsa peer-public-key 1 encoding-type der

Info: Enter "DSA public key" view, return system view with "peer-public-key end"

.

[Huawei-dsa-public-key]

 

17.2、编辑公共密钥

 [Huawei-rsa-public-key]public-key-code ?

  begin  Begin to input public key code

 

[Huawei-rsa-public-key]public-key-code begin ?

  <cr> 

 

[Huawei-rsa-public-key]public-key-code begin

Enter "RSA key code" view, return last view with "public-key-code end".

[Huawei-rsa-key-code]

 

17.3、编辑公共密钥

键入的公共密钥必须是按公钥格式编码的十六进制字符串,由支持SSH的客户端软件生成。请将获取的RSA或DSA公钥输入到作为SSH服务端的设备上。

[Huawei-rsa-key-code]30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7

[Huawei-rsa-key-code]048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118

………………………………………………………………………………………………………

[Huawei-rsa-key-code]4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3

[Huawei-rsa-key-code]1B020125

[Huawei-rsa-key-code]

 

17.4、退出公共密钥编辑视图

[Huawei-rsa-key-code]public-key-code end

% Fail to decode key string, the key string may be invalid.

[Huawei-rsa-public-key]

 

17.5、退出公共密钥视图

[Huawei-rsa-public-key]peer-public-key end

[Huawei]

 

17.6、为SSH用户分配RSA或DSA公钥

[Huawei]ssh user 023wg.com assign dsa-key 023wg.com