Example: Configuring the Device as an STelnet Client to Log In to Other Devices (Password Authentication and RSA Authentication)
Networking Requirements
As shown in Figure 1, the user wants secure data exchange between the server and the clients. Two login users, Client001 and Client002, are configured to log in to the SSH server using password authentication and RSA authentication respectively, and a new port number is configured instead of the default one.
In this example, interface1 represents 10GE1/0/1.
Configuration Roadmap
The roadmap for configuring STelnet login to other devices is as follows:
- Generate a local key pair on the SSH server so that data can be exchanged securely between the server and the clients.
- On the SSH server, configure SSH users client001 and client002 with different authentication modes.
- Enable the STelnet service on the SSH server.
- On the SSH server, set the service type of SSH users client001 and client002 to STelnet.
- On the SSH server, configure a non-default SSH server port number so that attackers probing the standard SSH port do not reach the service, improving security.
- Log in to the SSH server as users client001 and client002 via STelnet.
Procedure
- Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
- Create SSH users on the server.
# Configure the VTY user interface.
[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit
- Create SSH user client001.
# Create an SSH user named client001 with password authentication.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
# On client Client001, configure the cipher, HMAC algorithm, key exchange algorithm list, and public key algorithm.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client001] ssh client hmac sha2_256 sha2_512
[client001] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client001] ssh client publickey rsa_sha2_256 rsa_sha2_512
- Create SSH user client002.
# Create an SSH user named client002 with RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh authorization-type default root
# Generate a local key pair on STelnet client Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
The key name will be: client002_Host
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:
# On STelnet client Client002, configure the cipher, HMAC algorithm, key exchange algorithm list, and public key algorithm.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512
# View the public key part of the RSA key pair generated on the client.
[client002] display rsa local-key-pair public
======================Host key==========================
Time of Key pair created : 2023-12-27 18:00:55
Key Name                 : Host
Key modulus              : 3072
Key Type                 : RSA Encryption Key
========================================================
Key code:
3082010A
  02820101
    00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
    E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
    3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
    BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
    13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
    8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
    DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
    FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
    4345131D 431419D2 DD5E4003 6A7D3295 145F3175
    22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
    F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
    9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
    4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D0203
  010001
Key fingerprint:
ssh-rsa 3072 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G
++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5
Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW
W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e
QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP
zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyWW6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1eQANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741APzhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N rsa-key
# Configure the RSA public key generated on the client on the server (the key code shown in bold in the display output above is the RSA public key generated by the client; copy it and paste it on the server).
[SSH Server] rsa peer-public-key rsakey001
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] 3082010A
[SSH Server-rsa-public-key-rsa-key-code] 02820101
[SSH Server-rsa-public-key-rsa-key-code] 00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707
[SSH Server-rsa-public-key-rsa-key-code] E4EE2864 2D06FBE0 BFC1CB52 F99B7A99 0132B709
[SSH Server-rsa-public-key-rsa-key-code] 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D
[SSH Server-rsa-public-key-rsa-key-code] BE68FFE2 2303108D BDC24B80 A1793A08 FDA0B6C1
[SSH Server-rsa-public-key-rsa-key-code] 13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98
[SSH Server-rsa-public-key-rsa-key-code] 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8
[SSH Server-rsa-public-key-rsa-key-code] DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527
[SSH Server-rsa-public-key-rsa-key-code] FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
[SSH Server-rsa-public-key-rsa-key-code] 4345131D 431419D2 DD5E4003 6A7D3295 145F3175
[SSH Server-rsa-public-key-rsa-key-code] 22E80686 E6B39A05 799D6BCF A78F69B6 BC2D0836
[SSH Server-rsa-public-key-rsa-key-code] F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14
[SSH Server-rsa-public-key-rsa-key-code] 9C95CF78 75704359 0C70FD60 1EFC0B99 32F02142
[SSH Server-rsa-public-key-rsa-key-code] 4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D
[SSH Server-rsa-public-key-rsa-key-code] 0203
[SSH Server-rsa-public-key-rsa-key-code] 010001
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
# On the SSH server, bind the RSA public key of the STelnet client to SSH user client002.
[SSH Server] ssh user client002 assign rsa-key rsakey001
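As an added check that is not part of the page and not Huawei code, the following Python decodes the Key code hex from the client002 display output above, rebuilds the OpenSSH "ssh-rsa" form from it and compares it with the OpenSSH line printed by the same command, so that a transcription error while pasting the key on the server is caught before the key is bound to a user. The sample key decodes to a 2048-bit modulus although the header line of the output reports 3072.

```python
import base64
import struct

# From the page's `display rsa local-key-pair public` output on client002: the "Key code" is
# DER RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER } (whitespace ignored).
KEY_CODE_HEX = """
3082010A 02820101 00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2 2303108D BDC24B80
A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896 29F8CA98 8B1724AF 5DA8A390 20906ADE
6A8AD77D 6234F0C8 DC965BA0 1771D9C0 A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF
DC456376 2FA4B268 4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78 75704359 0C70FD60
1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE 4D0203 010001
"""
# The "Public key code for pasting into OpenSSH authorized_keys file" body from the same output.
OPENSSH_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQCkuri5ZAd+92V/f+S+Hehx7hcH5O4oZC0G"
    "++C/wctS+Zt6mQEytwk/hByiNUS4sm7gqe0EsZ/j+z2obb5o/+IjAxCNvcJLgKF5"
    "Ogj9oLbBE8MepSmOybErC8i9Ms/4lin4ypiLFySvXaijkCCQat5qitd9YjTwyNyW"
    "W6AXcdnAqJ7Um17PfuLVmXUn/If+A+UWWMEJlt/f3EVjdi+ksmhDRRMdQxQZ0t1e"
    "QANqfTKVFF8xdSLoBobms5oFeZ1rz6ePaba8LQg29QE0IXfWi4mp7BgqBLh741AP"
    "zhSclc94dXBDWQxw/WAe/AuZMvAhQkzngeQ2pgv8LL0H9p5wDO5N"
)

def der_tlv(buf, pos, tag):
    # Read one DER TLV at buf[pos], check the tag, return (content, offset after it).
    if buf[pos] != tag:
        raise ValueError("expected tag 0x%02X at offset %d" % (tag, pos))
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:                 # short-form length (the exponent uses this)
        length = first
    else:                            # long form: 0x80 | n, then n length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return buf[pos:pos + length], pos + length

def parse_key_code(hex_text):
    # Return (n, e); a missing or extra hex group shows up as a length mismatch.
    der = bytes.fromhex("".join(hex_text.split()))
    seq, end = der_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("SEQUENCE length does not match the pasted bytes")
    n_bytes, pos = der_tlv(seq, 0, 0x02)
    e_bytes, _ = der_tlv(seq, pos, 0x02)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def mpint(x):
    # SSH mpint is two's complement big-endian: prefix 0x00 when the top bit is set.
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    raw = b"\x00" + raw if raw[0] & 0x80 else raw
    return struct.pack(">I", len(raw)) + raw

def openssh_b64(n, e):
    # Base64 body of an OpenSSH "ssh-rsa" line: string "ssh-rsa", then mpint e, mpint n.
    return base64.b64encode(struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)).decode()
```

The same comparison can be run against the hex actually typed into the rsa peer-public-key view on the server, since a dropped group there produces a length error rather than a silently different key.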
- Enable the STelnet service on the SSH server and specify the source interface of the SSH server.
# Enable the STelnet service.
[SSH Server] stelnet server enable
# Specify the source interface of the SSH server.
[SSH Server] ssh server-source all-interface
# Configure the public key algorithm, cipher, key exchange algorithm list, HMAC algorithm, and minimum key length of the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
- Set the service type of SSH users client001 and client002 to STelnet.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet
- Configure a new port number on the SSH server.
[SSH Server] ssh server port 1025
- Connect the STelnet clients to the SSH server.
# For the first login, first-time authentication must be enabled on the SSH client.
Enable first-time authentication on client Client001.
[client001] ssh client first-time enable
[client001] quit
Enable first-time authentication on client Client002.
[client002] ssh client first-time enable
[client002] quit
# STelnet client client001 connects to the SSH server using password authentication; enter the configured user name and password.
<client001> stelnet 10.1.1.1 1025
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it?[Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
Please input the username: client001
Enter password:
After the password is entered, the following login success message is displayed:
Warning: The initial password poses security risks. The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2023-12-31 11:22:06.
<SSH Server>
# STelnet client client002 connects to the SSH server using RSA authentication.
<client002> stelnet 10.1.1.1 1025
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it?[Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]: n
Please input the username: client002
Info: The max number of VTY users is 21, the number of current VTY users online is 4, and total number of terminal users online is 4.
The current login time is 2023-12-31 11:36:06.
<SSH Server>
If the login succeeds, the user enters the user view. If the login fails, the user receives a "Session is disconnected" message.
Verifying the Configuration
# An attacker who tries to log in to the SSH server on the original port 22 fails.
<client002> stelnet 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
Run the display ssh server status command on the SSH server to check that the STelnet service is enabled. Run the display ssh user-information command to view the SSH user information on the server.
# View the SSH server status.
[SSH Server] display ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Enable
SSH server keepalive                       : Disable
SFTP IPv4 server                           : Disable
SFTP IPv6 server                           : Disable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Enable
SNETCONF IPv6 server                       : Enable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH port forwarding                        : Disable
SSH IPv4 server port                       : 1025
SSH IPv6 server port                       : 1025
ACL name                                   :
ACL number                                 :
ACL6 name                                  :
ACL6 number                                :
SSH server ip-block                        : Enable
# View the SSH user information.
[SSH Server] display ssh user-information
--------------------------------------------------------------------------------
User Name             : client001
Authentication type   : password
User public key name  : -
User public key type  : -
Sftp directory        : -
Service type          : stelnet

User Name             : client002
Authentication type   : rsa
User public key name  : -
User public key type  : -
Sftp directory        : -
Service type          : stelnet
--------------------------------------------------------------------------------
Total 2, 2 printed
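An added review check, not from the page or from Huawei, that parses the display ssh server status output above and reports what a reviewer would still raise against it: the port and STelnet service are as intended, but the output also shows SSH 1.x compatibility enabled and no ACL bound to the SSH server. The embedded status text is a subset of the page's output with line breaks restored; the thresholds are this example's own.

```python
# Subset of the page's `display ssh server status` output, line breaks restored (constructed).
STATUS_OUTPUT = """
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH version 1.x compatibility              : Enable
SSH server keepalive                       : Disable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SSH IPv4 server port                       : 1025
SSH IPv6 server port                       : 1025
ACL name                                   :
ACL number                                 :
SSH server ip-block                        : Enable
"""

def parse_status(text):
    # "name : value" lines -> dict; a blank value (no ACL bound) becomes "".
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            fields[name.strip()] = value.strip()
    return fields

def audit_status(fields):
    # Return the findings, in a fixed order, that the status output still warrants.
    findings = []
    if fields.get("SSH version 1.x compatibility") != "Disable":
        findings.append("SSH 1.x compatibility is enabled")
    if fields.get("STELNET IPv4 server") != "Enable":
        findings.append("STelnet service is not enabled")
    for family in ("IPv4", "IPv6"):
        if fields.get("SSH %s server port" % family, "22") == "22":
            findings.append("SSH %s server still listens on the default port 22" % family)
    if not (fields.get("ACL name") or fields.get("ACL number")):
        findings.append("no ACL restricts which sources may reach the SSH server")
    if int(fields.get("SSH authentication retries (Times)", "0")) > 3:
        findings.append("more than 3 authentication retries are allowed")
    return findings
```

Changing the port, as the example does, only moves the service; the ACL finding is what actually limits which hosts can reach it.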
Configuration Scripts
- Configuration script of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001
 public-key-code begin
 3082010A
   02820101
     00A4BAB8 B964077E F7657F7F E4BE1DE8 71EE1707 E4EE2864 2D06FBE0 BFC1CB52
     F99B7A99 0132B709 3F841CA2 3544B8B2 6EE0A9ED 04B19FE3 FB3DA86D BE68FFE2
     2303108D BDC24B80 A1793A08 FDA0B6C1 13C31EA5 298EC9B1 2B0BC8BD 32CFF896
     29F8CA98 8B1724AF 5DA8A390 20906ADE 6A8AD77D 6234F0C8 DC965BA0 1771D9C0
     A89ED49B 5ECF7EE2 D5997527 FC87FE03 E51658C1 0996DFDF DC456376 2FA4B268
     4345131D 431419D2 DD5E4003 6A7D3295 145F3175 22E80686 E6B39A05 799D6BCF
     A78F69B6 BC2D0836 F5013421 77D68B89 A9EC182A 04B87BE3 500FCE14 9C95CF78
     75704359 0C70FD60 1EFC0B99 32F02142 4CE781E4 36A60BFC 2CBD07F6 9E700CEE
     4D
   0203
     010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher $1d$v!=.5/:(q-$xL=\K+if"'S}>k7vGP5$_ox0B@ys7.'DBHL~3*aN$
 local-user client001 service-type ssh
 local-user client001 privilege level 3
#
ssh server port 1025
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 service-type stelnet
ssh authorization-type default root
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
return
- Configuration script of SSH client client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
- Configuration script of SSH client client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/2796.html
Source: CNESA
The copyright of this article belongs to the author. Do not reproduce it without permission.