How do I enable SSH to login device

Latest reply: Feb 27, 2021 06:47:29

Hello everyone,

Today I will share with you how to enable SSH to login device.

By default, the STelnet function is not configured on a switch. To use this function, you need to perform the following steps to configure the STelnet service and user information:

- Set a protocol type, an authentication mode, and a user privilege level for the VTY user interface.
- Enable the STelnet server function and create an SSH user.
- Set an authentication mode for the SSH user.
- Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

1. Set a protocol type, an authentication mode, and a user privilege level for the VTY user interface.

[HUAWEI] user-interface vty 0 4

[HUAWEI-ui-vty0-4] authentication-mode aaa //Set the authentication mode for the VTY user interface to AAA.

[HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default, VTY user interfaces support SSH.

[HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15.

[HUAWEI-ui-vty0-4] quit

2. Enable the STelnet server function and create an SSH user.

[HUAWEI] stelnet server enable //Enable the STelnet server function.

[HUAWEI] ssh user admin123 //Create an SSH user named admin123.

[HUAWEI] ssh user admin123 service-type stelnet //Set the service type of the SSH user to STelnet.

3. Set an authentication mode for the SSH user.

Set the authentication mode for the SSH user to password.

To use password authentication, you need to create a local user with the same name as the SSH user in the AAA view.

[HUAWEI] ssh user admin123 authentication-type password //Set the authentication mode for the SSH user to password authentication.

[HUAWEI] aaa

[HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with the same name as the SSH user and set the login password of the user.

[HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15.

Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y

[HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH.

[HUAWEI-aaa] quit

Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The following uses ECC authentication as an example; the steps for configuring RSA and DSA authentication are similar.)

To use RSA, DSA, or ECC authentication, you need to copy the public key of the key pair generated on the SSH client (of the same type as the configured authentication mode) to the SSH server. When the SSH client logs in to the SSH server, the client passes authentication if its private key matches the copied public key.

[HUAWEI] ssh user admin123 authentication-type ecc //Set the authentication mode for the SSH user to ECC.

[HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding type of an ECC public key and enter the ECC public key view. key01 is the public key name.

Enter "ECC public key" view, return system view with "peer-public-key end".

[HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view.

Enter "ECC key code" view, return last view with "public-key-code end".

[HUAWEI-ecc-key-code] 308188 //Copy the public key generated on the client. The public key is a hexadecimal character string.

[HUAWEI-ecc-key-code] 028180

[HUAWEI-ecc-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB

[HUAWEI-ecc-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F

[HUAWEI-ecc-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B

[HUAWEI-ecc-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5

[HUAWEI-ecc-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931

[HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2

[HUAWEI-ecc-key-code] 171896FB 1FFC38CD

[HUAWEI-ecc-key-code] 0203

[HUAWEI-ecc-key-code] 010001

[HUAWEI-ecc-key-code] public-key-code end //Return to the public key view.

[HUAWEI-ecc-public-key] peer-public-key end //Return to the system view.

[HUAWEI] ssh user admin123 assign ecc-key key01 //Assign the public key key01 to the admin123 user.

4. Generate a local key pair on the server.

[HUAWEI] ecc local-key-pair create

Info: The key name will be: HUAWEI_Host_ECC.

Info: The key modulus can be any one of the following: 256, 384, 521.

Info: If the key modulus is greater than 512, it may take a few minutes.

Please input the modulus [default=521]:521

Info: Generating keys..........

Info: Succeeded in creating the ECC host keys.
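Before the "assign ecc-key" step in step 3, a practitioner would want to confirm that the pasted hex block really is a key of the type the user is configured for. The following is an added example, not code from the post or from Huawei: it decodes the key-code block shown in step 3 as DER (an assumption the block's framing bytes bear out), classifies it as a PKCS#1 RSAPublicKey or an EC SubjectPublicKeyInfo, and compares the result with the user's authentication type and a minimum RSA size; on the block above it reports a 1024-bit RSA structure rather than an ECC key, which is exactly the mismatch such a check exists to catch.

```python
# Added example (not from the post): decode a pasted public-key-code hex block
# and check it against the SSH user's authentication type before assigning it.
# Constructed input: the key-code lines from step 3 above, exactly as pasted.
KEY_CODE = """
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
"""
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1

def read_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def describe_key(hex_text):
    """Classify as PKCS#1 RSAPublicKey, EC SubjectPublicKeyInfo, or unknown."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):  # must be exactly one outer SEQUENCE
        return {"type": "unknown"}
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    tags = [t for t, _ in fields]
    if tags == [0x02, 0x02]:  # SEQUENCE { INTEGER modulus, INTEGER exponent }
        n = int.from_bytes(fields[0][1], "big")  # unsigned; strict DER pads a 00
        return {"type": "rsa", "bits": n.bit_length(), "exponent": int.from_bytes(fields[1][1], "big")}
    if tags == [0x30, 0x03] and ID_EC_PUBLIC_KEY in fields[0][1]:
        return {"type": "ecc"}  # SEQUENCE { AlgorithmIdentifier, BIT STRING point }
    return {"type": "unknown"}

def key_findings(hex_text, auth_type, min_rsa_bits=2048):
    # Problems to resolve before 'ssh user <name> assign <type>-key <keyname>'.
    info, findings = describe_key(hex_text), []
    if info["type"] != auth_type:
        findings.append(f"key is {info['type']} but user authentication-type is {auth_type}")
    if info["type"] == "rsa" and info["bits"] < min_rsa_bits:
        findings.append(f"RSA modulus is {info['bits']} bits, below {min_rsa_bits}")
    return findings
```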

In addition, SSH logins are also vulnerable to the following attacks:

Password cracking

An attacker who has learned the Secure Shell (SSH) port number attempts to access the switch, and the switch prompts for authentication. The attacker then cracks the password to pass authentication and gain access to the switch.

Denial of Service (DoS)

The SSH server supports a limited number of users. When the number of login users reaches the upper limit, no more users can log in to the SSH server. This situation may appear when users use the SSH server properly or when the SSH server is attacked.

To defend against the preceding attacks, configure the following security policies on a switch:

1. Configure password or Rivest-Shamir-Adleman (RSA) authentication

Password authentication: Set the authentication mode of user testuser to password authentication.

<HUAWEI> system-view

[HUAWEI] ssh user testuser

[HUAWEI] ssh user testuser authentication-type password

RSA authentication: Set the authentication mode of user testuser to RSA authentication (using a key of 2048 bits or more).

<HUAWEI> system-view

[HUAWEI] ssh user testuser

[HUAWEI] ssh user testuser authentication-type rsa

2. Disable the SSH server when it is not required.

<HUAWEI> system-view

[HUAWEI] undo stelnet server enable

3. Change the port number of the SSH server to 55535.

<HUAWEI> system-view

[HUAWEI] ssh server port 55535

4. Configure ACL 2000 to allow users with the source IP address of 10.1.1.1 to log in to the switch.

<HUAWEI> system-view

[HUAWEI] acl 2000

[HUAWEI-acl-basic-2000] rule permit source 10.1.1.1 0

[HUAWEI-acl-basic-2000] quit

[HUAWEI] user-interface vty 14

[HUAWEI-ui-vty14] acl 2000 inbound //Use inbound to restrict which source IP addresses or address segments may log in to this switch. Use outbound to restrict which addresses users who have already logged in to this switch may connect on to from it.

[HUAWEI-ui-vty14] quit

5. Set the source interface of the SSH server to Loopback0.

<HUAWEI> system-view

[HUAWEI] ssh server-source -i loopback 0 //A loopback interface must have been created and configured with an IP address before this command is executed.
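As an added example, not code from the post or from Huawei, the following audits a saved switch configuration against policies 1, 3, 4 and 5 above (policy 2 is a decision rather than a check): every SSH user must have an authentication type, the server port must not be 22, every VTY user interface must use AAA and carry an inbound ACL, and a server-source interface must be set. The configuration excerpt is constructed to resemble Huawei's current-configuration layout and is not real device output.

```python
# Added example (not from the post): audit a saved switch configuration against
# the hardening policies above. The sample config is constructed, not real output.
import re

SAMPLE_CONFIG = """\
stelnet server enable
ssh server port 55535
ssh server-source -i LoopBack0
ssh user admin123
ssh user admin123 authentication-type password
ssh user backup
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2000 inbound
#
"""

def vty_blocks(lines):
    """Yield (header, [body lines]) for each 'user-interface vty' section."""
    header, body = None, []
    for line in lines + ["#"]:  # sentinel closes a trailing section
        if header and not line.startswith(" "):  # '#' or a top-level line ends it
            yield header, body
            header = None
        if line.startswith("user-interface vty"):
            header, body = line, []
        elif header:
            body.append(line.strip())

def audit(config_text):
    # Returns a list of findings; an empty list means every check passed.
    lines = config_text.splitlines()
    top = {l for l in lines if l and not l.startswith((" ", "#"))}
    findings = []
    users = {m.group(1) for m in map(re.compile(r"ssh user (\S+)").match, top) if m}
    for user in sorted(users):  # policy 1: every SSH user needs an authentication type
        if not any(l.startswith(f"ssh user {user} authentication-type ") for l in top):
            findings.append(f"ssh user {user} has no authentication-type (policy 1)")
    if "ssh server port 22" in top or not any(l.startswith("ssh server port ") for l in top):
        findings.append("SSH server listens on the default port 22 (policy 3)")
    if not any(l.startswith("ssh server-source ") for l in top):
        findings.append("no ssh server-source interface configured (policy 5)")
    for header, body in vty_blocks(lines):  # policy 4 plus the AAA setting from step 1
        if "authentication-mode aaa" not in body:
            findings.append(f"{header}: authentication-mode is not aaa")
        if not any(b.startswith("acl ") and b.endswith(" inbound") for b in body):
            findings.append(f"{header}: no inbound ACL on the VTY interface (policy 4)")
    return findings
```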

That is all I want to share with you! Thank you!


Unicef (MVE) Created Feb 22, 2021 09:58:06
Well note with thanks

wissal (MVE, Author) Created Feb 22, 2021 16:38:40
Learned, well done

MangoKnight Created Feb 22, 2021 16:44:54
Learned, well done

Irshadhussain Created Feb 22, 2021 17:00:07
thanks for sharing

Irshadhussain Created Feb 22, 2021 17:00:21
useful

azkasaqib Created Feb 22, 2021 17:01:29
good

shakeela Created Feb 22, 2021 17:02:56
Good to know

shakeela Created Feb 22, 2021 17:03:04
Keep it up
