Huawei switch SSH configuration tutorial: a worked case
SSH login on a Huawei switch is also known as Stelnet login. It is the most secure way to log in to and operate the device, because the credentials and the commands travel inside an encrypted channel instead of in cleartext as they do with Telnet.
I. Requirements
1. S5700-core acts as the SSH server
2. S3700-5L (5th floor) simulates an SSH client logging in
3. IP connectivity between the S5700 and the S3700 has already been established
II. Configuration steps
1. Configure the SSH login account (user wlgcs, password wlgcscn; a demo value, use a strong password in production)
<S5700-core> sys
Enter system view, return user view with Ctrl+Z.
[S5700-core]aaa # enter the AAA view; this command is implied by the [S5700-core-aaa] prompt on the next line
[S5700-core-aaa]local-user wlgcs password cipher wlgcscn
2. Restrict the account to SSH only (service-type ssh), so the same credentials cannot be used over Telnet, FTP or HTTP
[S5700-core-aaa]local-user wlgcs service-type ?
8021x 802.1x user
bind Bind authentication user
ftp FTP user
http Http user
ppp PPP user
ssh SSH user
telnet Telnet user
terminal Terminal user
web Web authentication user
x25-pad X25-pad user
[S5700-core-aaa]local-user wlgcs service-type ssh
3. Set the privilege level of the SSH account (15 is the highest level; give an operator only the level the job requires)
[S5700-core-aaa]local-user wlgcs privilege level ?
INTEGER<0-15> Level value
[S5700-core-aaa]local-user wlgcs privilege level 15
4. Enable the SSH (Stelnet) server
[S5700-core-aaa]qu
[S5700-core]stelnet server enable
Info: The Stelnet server is already started.
5. Generate the server's local RSA key pair. This is the host key: its public half is what SSH clients receive and save, and use on later logins to authenticate the server.
[S5700-core]rsa ?
local-key-pair Local RSA public key pair operations
peer-public-key Remote peer RSA public key configuration
[S5700-core]rsa local-key-pair ?
create Create new local public key pairs
destroy Destroy the local public key pairs
[S5700-core]rsa local-key-pair create
The key name will be: S5700-core_Host
% RSA keys defined for S5700-core_Host already exist.
Confirm to replace them? [y/n]:y # enter y to replace the existing host key (clients that saved the old key will warn about the change on their next login)
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 512]:2048 # enter the modulus length; longer is stronger. The 512-bit default is far too weak, use the 2048-bit maximum this release offers
Generating keys...
................................................................+++
..........................+++
....................++++++++
................................++++++++
[S5700-core]
6. Create the SSH user (the name must match the local-user configured under AAA) and set its login authentication method to password
[S5700-core]ssh ?
authentication-type Authentication type
client Set SSH client attribute
server Set the server attribute
user SSH user
[S5700-core]ssh user wlgcs ?
assign Set the key
authentication-type Authentication type
authorization-cmd Authorization mode
service-type Set service type
sftp-directory Set SFTP directory
<cr>
[S5700-core]ssh user wlgcs authentication-type ?
all Any authentication mode, any one of password, RSA, and DSA
dsa DSA authentication
password Password authentication
password-dsa Both password and DSA authentication modes
password-rsa Both password and RSA authentication modes
rsa RSA authentication
[S5700-core]ssh user wlgcs authentication-type password
7. Set the service type (login method) of the same SSH user to Stelnet
[S5700-core]ssh user wlgcs service-type ?
all Set all service type
sftp Set SFTP service type
stelnet Set Stelnet service type
[S5700-core]ssh user wlgcs service-type stelnet
8. Allow only SSH on the VTY lines. The VTY lines must also use authentication-mode aaa so that the local-user defined above is consulted; that command is not shown in this transcript and is assumed to be already present on S5700-core.
[S5700-core]user-interface vty 0 4
[S5700-core-ui-vty0-4]protocol inbound ?
all All protocols
ssh SSH protocol
telnet Telnet protocol
[S5700-core-ui-vty0-4]protocol inbound ssh
9. On the S3700 acting as the SSH client, enable first-time authentication. This lets the client accept a server public key it has not seen before (trust on first use); for a stricter setup, install the server's public key on the client beforehand through the rsa peer-public-key configuration instead of trusting the first connection.
[S3700-5L]ssh client first-time enable
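As an added example (not part of the original tutorial and not Huawei code), the following Python script audits a saved copy of the switch's running configuration for the invariants the nine steps above rely on: every ssh user must have a matching local-user with service-type ssh, its authentication-type and service-type must both be set, the VTY lines must use authentication-mode aaa and accept SSH only, and SSH1.x compatibility should be switched off. The sample configuration is constructed to resemble what these steps leave on a VRP 5.x S5700; it is not a capture from the device on this page, and a leftover Telnet account and an unrestricted VTY have been added so that the auditor has something to flag.

```python
import re

# Constructed sample of the running-config the tutorial's steps leave on a VRP 5.x
# S5700 (not a capture from the page's switch), plus a leftover Telnet account and
# an unrestricted VTY for the auditor to flag.
SAMPLE_CONFIG = """\
#
aaa
 local-user wlgcs password cipher %$%$REDACTED%$%$
 local-user wlgcs privilege level 15
 local-user wlgcs service-type ssh
 local-user admin service-type telnet
#
stelnet server enable
ssh user wlgcs
ssh user wlgcs authentication-type password
ssh user wlgcs service-type stelnet
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound all
#
"""


def parse_vrp_config(text):
    """Pull the SSH-login-relevant settings out of a VRP running-config."""
    cfg = {
        "local_users": {},  # name -> {"service": set(), "privilege": int|None}
        "ssh_users": {},    # name -> {"auth": str|None, "service": str|None}
        "vty": {},          # "0 4" -> {"auth_mode": str|None, "inbound": set()}
        "stelnet_enabled": False,
        # The page says SSH1.x compatibility is on by default and VRP prints no
        # defaults, so it counts as enabled unless explicitly undone.
        "ssh1x_enabled": True,
    }
    view = None  # current view: None (system), "aaa", or ("vty", "0 4")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":  # VRP separates blocks with '#'
            view = None
        elif line == "aaa":
            view = "aaa"
        elif m := re.match(r"user-interface vty (\d+ \d+)$", line):
            view = ("vty", m.group(1))
            cfg["vty"].setdefault(m.group(1), {"auth_mode": None, "inbound": set()})
        elif view == "aaa":
            if m := re.match(r"local-user (\S+) (.+)$", line):
                user = cfg["local_users"].setdefault(m.group(1), {"service": set(), "privilege": None})
                words = m.group(2).split()
                if words[0] == "service-type":
                    user["service"].update(words[1:])
                elif words[:2] == ["privilege", "level"]:
                    user["privilege"] = int(words[2])
        elif view is not None:  # inside a user-interface vty block
            vty = cfg["vty"][view[1]]
            if line.startswith("authentication-mode "):
                vty["auth_mode"] = line.split()[1]
            elif line.startswith("protocol inbound "):
                vty["inbound"].add(line.split()[2])
        elif line == "stelnet server enable":
            cfg["stelnet_enabled"] = True
        elif line == "undo ssh server compatible-ssh1x enable":
            cfg["ssh1x_enabled"] = False
        elif m := re.match(r"ssh user (\S+)(?: (authentication-type|service-type) (\S+))?$", line):
            user = cfg["ssh_users"].setdefault(m.group(1), {"auth": None, "service": None})
            if m.group(2) == "authentication-type":
                user["auth"] = m.group(3)
            elif m.group(2) == "service-type":
                user["service"] = m.group(3)
    return cfg


def audit(cfg):
    """Return the findings for a parsed config; an empty list means it is consistent."""
    findings = []
    if not cfg["stelnet_enabled"]:
        findings.append("stelnet server enable is missing")
    if cfg["ssh1x_enabled"]:
        findings.append("SSH1.x compatibility is on; add 'undo ssh server compatible-ssh1x enable'")
    for name, su in cfg["ssh_users"].items():
        lu = cfg["local_users"].get(name)
        if lu is None:
            findings.append(f"ssh user {name} has no matching local-user under aaa")
        elif "ssh" not in lu["service"]:
            findings.append(f"local-user {name} is not permitted service-type ssh")
        if su["auth"] is None or su["service"] is None:
            findings.append(f"ssh user {name} lacks authentication-type or service-type")
    for name, lu in cfg["local_users"].items():
        if "telnet" in lu["service"]:
            findings.append(f"local-user {name} can still log in over Telnet")
    for idx, vty in cfg["vty"].items():
        if vty["auth_mode"] != "aaa":
            findings.append(f"vty {idx}: authentication-mode is {vty['auth_mode']}, SSH login needs aaa")
        if (vty["inbound"] or {"all"}) != {"ssh"}:  # no line means the default, all protocols
            findings.append(f"vty {idx}: protocol inbound is not restricted to ssh")
    return findings


def audit_text(text):
    return audit(parse_vrp_config(text))
```

Running audit_text(SAMPLE_CONFIG) reports three findings: SSH1.x compatibility still on, the admin account still allowed over Telnet, and vty 0 4 not restricted to SSH. Paste the real output of display current-configuration in place of the sample to audit a live device; the parser only understands the views touched by this tutorial, so extend it before trusting it on a larger configuration.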
III. Verification
[S3700-5L]stelnet 192.168.50.254
Please input the username:wlgcs
Trying 192.168.50.254 ...
Press CTRL+K to abort
Connected to 192.168.50.254 ...
The server is not authenticated. Continue to access it? [Y/N] :y # enter y to continue
Save the server's public key? [Y/N] :y # on first login enter y to save the server's public key locally; later logins are checked against it
..
Enter password: # enter the password to log in
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2020-06-09 16:29:05.
<S5700-core>sys
Enter system view, return user view with Ctrl+Z.
[S5700-core]dis ver
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.110 (S5700 V200R001C00)
Copyright (c) 2000-2011 HUAWEI TECH CO., LTD
Quidway S5700-28C-HI Routing Switch uptime is 0 week, 0 day, 0 hour, 50 minutes
[S5700-core]
About SSH versions:
The protocol versions in use are mainly 1.3, 1.5 and 2.0.
When the switch acts as SSH server it supports SSH1.x and SSH2 at the same time by default, so the version string it presents after connection is SSH 1.99, which is simply the v1/v2 compatibility mode.
[HUAWEI] ssh server compatible-ssh1x enable (enabled by default)
SSH1.x is cryptographically weak (its CRC-32 integrity check is known to be attackable), so once no SSH1-only clients remain, disable the compatibility mode with undo ssh server compatible-ssh1x enable and the server will announce SSH 2.0 only.
If the client's protocol version is lower than 1.3 or higher than 2.0, version negotiation fails and the connection is dropped.
If the client's protocol version is at least 1.3 and lower than 1.99: when the system is configured to be compatible with SSH1.x, the SSH1.5 server module takes over and the SSH1.x protocol flow follows; otherwise negotiation fails and the connection to the client is dropped.
If the client's protocol version is 1.99 or 2.0, the SSH2.0 server module takes over and the SSH2.0 protocol flow follows.
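The version negotiation rules above, modelled as an added Python example (not Huawei code): it classifies a client identification line of the form SSH-protoversion-softwareversion (RFC 4253) into the server module the page describes, with SSH1.x compatibility on and off, and shows the banner the server announces in each mode. The VRP software string in the banner and the client lines in CLIENTS are constructed for the example, not captured.

```python
import re

# RFC 4253 identification line: SSH-protoversion-softwareversion [SP comments]
ID_LINE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")

# Constructed client identification lines (not captures).
CLIENTS = [
    "SSH-2.0-OpenSSH_8.9",  # modern SSH2 client
    "SSH-1.99-VRP",         # another device in v1/v2 compatibility mode
    "SSH-1.5-legacy",       # SSH1-only client
    "SSH-1.2-ancient",      # below the 1.3 floor
    "SSH-2.1-future",       # above the 2.0 ceiling
]


def server_banner(compat_ssh1x):
    """Version string the server presents; the 'VRP' software field is an assumption."""
    # In compatibility mode the server announces 1.99, which SSH2 clients treat as
    # 2.0 and SSH1 clients treat as 1.x (RFC 4253 section 5.1).
    return f"SSH-{'1.99' if compat_ssh1x else '2.0'}-VRP"


def negotiate(client_id_line, compat_ssh1x=True):
    """Apply the page's rules to one client identification line.

    Returns 'ssh2', 'ssh1', or 'reject:<reason>'.
    """
    m = ID_LINE.match(client_id_line.strip())
    if not m:
        return "reject:malformed identification line"
    version = (int(m.group(1)), int(m.group(2)))
    if version < (1, 3) or version > (2, 0):
        return "reject:protocol version outside 1.3..2.0"
    if version in ((1, 99), (2, 0)):
        return "ssh2"  # SSH2.0 server module
    if compat_ssh1x:
        return "ssh1"  # 1.3 <= version < 1.99: SSH1.5 server module
    return "reject:SSH1.x client and compatible-ssh1x is disabled"


def negotiation_matrix(clients=CLIENTS):
    """Outcome for every client with SSH1.x compatibility on and off."""
    return {
        c: {"compat_on": negotiate(c, True), "compat_off": negotiate(c, False)}
        for c in clients
    }


if __name__ == "__main__":
    for compat in (True, False):
        print(f"server announces {server_banner(compat)}")
        for client, outcome in negotiation_matrix().items():
            print(f"  {client:24s} -> {outcome['compat_on' if compat else 'compat_off']}")
```

The matrix makes the operational point visible: turning compatibility off changes nothing for 1.99 and 2.0 clients and only rejects the SSH1-only client, which is why the undo command costs nothing once no such client remains.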