Example: Configuring the Device as an SFTP Client (Password Authentication and RSA Authentication)
Networking Requirements
SSH provides secure terminal access over an otherwise insecure network: the server authenticates the client, the client verifies the server's host key, and all data is encrypted in both directions. SFTP runs over that SSH connection, so a client can connect to the SSH server and transfer files securely.
As shown in Figure 1, the SSH server and the clients client001 and client002 are routable to each other. In this example a Huawei device acts as the SSH server.
Requirement: the two clients connect to the SSH server using password authentication and RSA authentication respectively, so that files on the server can be accessed securely.
In this example, interface1 represents 10GE1/0/1.
Configuration Roadmap
The configuration roadmap for accessing files on another device through SFTP is as follows:
- Generate a local key pair on the server and enable the SFTP server function, so that the server and clients can exchange data securely.
- Configure the users client001 and client002 on the SSH server, with password authentication and RSA authentication respectively.
- Generate a local key pair on client002 and configure the RSA public key generated by the client on the SSH server, so that the server can authenticate the client when it logs in.
- Log in to the SSH server from client001 and client002 over SFTP and access files on the server.
Procedure
- Generate a local key pair on the server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be:Host_Server
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
[SSH Server] sftp server enable
[SSH Server] ssh server-source all-interface
Note that ssh server-source all-interface makes the SSH service reachable on every interface of the device; in production, also restrict the permitted client sources with an ACL (this example binds none, as the display ssh server status output in the verification step shows).
- Configure the public key algorithms, ciphers, key exchange algorithm list, HMAC algorithms and minimum DH key length on the SSH server.
[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[SSH Server] ssh server hmac sha2_256 sha2_512
[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512
[SSH Server] ssh server dh-exchange min-len 3072
These lists pin the negotiation to AES-CTR/AES-GCM, SHA-2 HMACs, SHA-2 key exchange and RSA signatures with SHA-2 (legacy ssh-rsa with SHA-1 is excluded). The algorithm lists configured on the clients below must overlap with these, otherwise algorithm negotiation fails and the connection is refused.
- Create SSH users on the server.
# Create an SSH user named client001 with password authentication.
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:/
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit
# Create an SSH user named client002 with RSA authentication.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type rsa
[SSH Server] ssh authorization-type default root
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:/
client002 has no local-user entry in AAA; its authorization after public-key authentication comes from ssh authorization-type default root, which is a global setting rather than a per-user one. Keep that in mind when further public-key users are added to this server.
- On client001, configure the ciphers, HMAC algorithms, key exchange algorithm list and public key algorithms.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client001] ssh client hmac sha2_256 sha2_512
[client001] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client001] ssh client publickey rsa_sha2_256 rsa_sha2_512
- Generate a local key pair on client002 and configure the RSA public key generated by the client on the SSH server.
# Generate the local key pair on the client.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] rsa local-key-pair create
The key name will be:Host_Server
The range of public key size is (2048, 4096).
NOTE: Key pair generation will take a short while.
Please input the modulus [default = 3072]:3072
# Configure the ciphers, HMAC algorithms, key exchange algorithm list and public key algorithms on client002.
[client002] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
[client002] ssh client hmac sha2_256 sha2_512
[client002] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
[client002] ssh client publickey rsa_sha2_256 rsa_sha2_512
# View the RSA public key generated on the client.
[client002] display rsa local-key-pair public
======================Host key==========================
Time of Key pair created : 2023-12-27 18:00:55
Key Name : Host
Key modulus : 3072
Key Type : RSA Encryption Key
========================================================
Key code:
3082010A
02820101
00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
32693DE5 4B103442 8E0F4DAD 2598BE5E 19
0203
010001
Key fingerprint:
ssh-rsa 3072 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR
9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa
GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu
wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J
I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF
lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR9mIThFCB
DGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFaGFjQ3kn3853Xp3eV8rnJVi6L
WYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOuwKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpM
GFapNWiUmY37+oj/FwjDpn4JI2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QX
OAzQsAvFlJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z== rsa-key
# Configure the RSA public key generated on the client on the server (the Key code field of the display output above is the client's RSA public key in DER form; copy and paste it on the server).
[SSH Server] rsa peer-public-key rsakey001 encoding-type der
[SSH Server-rsa-public-key] public-key-code begin
[SSH Server-rsa-public-key-rsa-key-code] 3082010A
[SSH Server-rsa-public-key-rsa-key-code] 02820101
[SSH Server-rsa-public-key-rsa-key-code] 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
[SSH Server-rsa-public-key-rsa-key-code] D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
[SSH Server-rsa-public-key-rsa-key-code] D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
[SSH Server-rsa-public-key-rsa-key-code] E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
[SSH Server-rsa-public-key-rsa-key-code] F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
[SSH Server-rsa-public-key-rsa-key-code] B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
[SSH Server-rsa-public-key-rsa-key-code] 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
[SSH Server-rsa-public-key-rsa-key-code] AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
[SSH Server-rsa-public-key-rsa-key-code] FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
[SSH Server-rsa-public-key-rsa-key-code] 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
[SSH Server-rsa-public-key-rsa-key-code] 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
[SSH Server-rsa-public-key-rsa-key-code] 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
[SSH Server-rsa-public-key-rsa-key-code] 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
[SSH Server-rsa-public-key-rsa-key-code] 0203
[SSH Server-rsa-public-key-rsa-key-code] 010001
[SSH Server-rsa-public-key-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
The key is transported by copy and paste, so this is the step at which a wrong or substituted key would be trusted. Compare the fingerprint shown by the client with the key you pasted before binding it in the next step.
# Bind the SSH client's RSA public key to the SSH user client002.
[SSH Server] ssh user client002 assign rsa-key rsakey001
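As an added check that is not part of the original page and not a Huawei tool: the Python script below (standard library only) takes the public key exactly as client002 prints it, in the DER hex form that is pasted under public-key-code begin and in the OpenSSH authorized_keys form, verifies that both describe the same modulus and exponent, derives the real modulus size from the bytes rather than from the display header, and computes the OpenSSH-style SHA256 fingerprint for out-of-band comparison. Two things about the sample output make this worthwhile: the printed key bytes decode to a 2048-bit modulus although the header says 3072, and the printed fingerprint 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU is the SHA-256 of empty input, so the sample fingerprint cannot be used for comparison; run the script against your own device's output. to_huawei_der_hex goes the other way and produces the DER hex for public-key-code begin from any (n, e), for example from a key generated with ssh-keygen on a workstation; that direction is a generalization added here, not something the page shows.

```python
"""Added example (not from the page or Huawei): verify client002's RSA public
key before `ssh user client002 assign rsa-key`. Parses the key in both forms
the device prints (DER hex for `public-key-code begin`, OpenSSH authorized_keys
line), checks they agree, reports the real modulus size and the SHA256
fingerprint for out-of-band comparison. Standard library only."""
import base64
import hashlib
import struct

# Sample key copied from the page's `display rsa local-key-pair public` output.
DER_HEX = """3082010A 02820101 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB D8A4F785
5AD1F662 13845081 0C65F6B3 88A9C415 D81C34BD 41A4B580 70DC7460 E4A5407B
9B95630F E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7 F39DD7A7 7795F2B9
C9562E8B 598CB50F 6D39240D B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278 AEE1BCD8 DC21FCA2 041C9A4C
1856A935 6894998D FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5 26F5D4E5
16A15C5C D6D0018E 4EAFE055 B93FCB87 2BB46EFB 02C04C3B F167A417 380CD0B0
0BC59493 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1 32693DE5 4B103442
8E0F4DAD 2598BE5E 19 0203 010001"""
OPENSSH_LINE = (  # the trailing '==' is reproduced as the device printed it
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7t6BJJK8TBPJmLS7UO51YmWfr2KT3hVrR"
    "9mIThFCBDGX2s4ipxBXYHDS9QaS1gHDcdGDkpUB7m5VjD+IR9LMRFXct+5XT3JFa"
    "GFjQ3kn3853Xp3eV8rnJVi6LWYy1D205JA21xvHTM6IY0JjDAQT486jKcXLJWwOu"
    "wKCKfpn2bBk5qlLMLjG2cDJ4ruG82Nwh/KIEHJpMGFapNWiUmY37+oj/FwjDpn4J"
    "I2is6YPXyN3N9Sb11OUWoVxc1tABjk6v4FW5P8uHK7Ru+wLATDvxZ6QXOAzQsAvF"
    "lJNkbL6WvK89t60K+gpdFBVe1/l9wTJpPeVLEDRCjg9NrSWYvl4Z== rsa-key")


def _der_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, offset after it)."""
    if pos >= len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02X} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return buf[pos:pos + length], pos + length


def parse_der_hex(hex_text):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER } -> (n, e)."""
    data = bytes.fromhex("".join(hex_text.split()))
    seq, end = _der_tlv(data, 0, 0x30)
    n_bytes, pos = _der_tlv(seq, 0, 0x02)
    e_bytes, pos = _der_tlv(seq, pos, 0x02)
    if end != len(data) or pos != len(seq):
        raise ValueError("unexpected trailing bytes in RSAPublicKey")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_openssh_line(line):
    """'ssh-rsa <base64> [comment]' (RFC 4253 blob) -> (n, e, raw_blob)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa authorized_keys line")
    b64 = fields[1].rstrip("=")  # drop bogus padding, then re-pad to a multiple of 4
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    parts, pos = [], 0
    for _ in range(3):  # string "ssh-rsa", mpint e, mpint n
        if pos + 4 > len(blob):
            raise ValueError("malformed ssh-rsa blob")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        parts.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    if pos != len(blob) or parts[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(parts[2], "big"), int.from_bytes(parts[1], "big"), blob


def to_huawei_der_hex(n, e):
    """Inverse: (n, e) -> DER hex for `public-key-code begin` (e.g. from ssh-keygen)."""
    def der_len(k):
        if k < 0x80:
            return bytes([k])
        kb = k.to_bytes((k.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(kb)]) + kb

    def der_int(v):
        vb = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if vb[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
            vb = b"\x00" + vb
        return b"\x02" + der_len(len(vb)) + vb
    body = der_int(n) + der_int(e)
    hexstr = (b"\x30" + der_len(len(body)) + body).hex().upper()
    return " ".join(hexstr[i:i + 8] for i in range(0, len(hexstr), 8))


def check_key(der_hex, openssh_line):
    """Cross-check both printed forms; report what the server will actually trust."""
    n, e = parse_der_hex(der_hex)
    n2, e2, blob = parse_openssh_line(openssh_line)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "bits": n.bit_length(),  # real modulus size, not the display header label
        "exponent": e,
        "match": (n, e) == (n2, e2),
        "fingerprint": "SHA256:" + digest,  # same format as `ssh-keygen -lf`
    }


if __name__ == "__main__":
    for key, value in check_key(DER_HEX, OPENSSH_LINE).items():
        print(f"{key:12}: {value}")
```

Run it with the two constants replaced by your own device's output; a False under match, or a bit count below the policy you expect, means the key should not be bound. The fingerprint it prints is the one ssh-keygen -lf shows for the same public key, which is the value to read back over an independent channel before the assign rsa-key step.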
- Connect from the SFTP clients to the SSH server.
# For the first login, enable the first-time login function on the SSH clients.
Enable the first-time login function on client001.
[client001] ssh client first-time enable
Enable the first-time login function on client002.
[client002] ssh client first-time enable
With first-time login enabled, the client accepts and caches a server host key it has never seen before without any verification (trust on first use). That is acceptable only on the very first connection and only if the server's host key fingerprint is confirmed out of band; afterwards the cached key is what protects the client against a server impersonation.
# Connect from SFTP client client001 to the SSH server with password authentication.
[client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
Please input the username: client001
Enter password:
sftp-client>
# Connect from SFTP client client002 to the SSH server with RSA authentication.
[client002] sftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server's public key does not match the one cached before.
The server is not authenticated. Continue to access it? [Y/N]:y
The keyname:10.1.1.1 already exists. Update it? [Y/N]:n
Please input the username: client002
sftp-client>
In both transcripts the client already held a cached host key for 10.1.1.1 that differs from the one the server now presents. Outside a lab, answer Y here only when the change is expected and the new fingerprint has been confirmed out of band (for example after the server's key pair was regenerated); an unexpected mismatch is exactly what a man-in-the-middle looks like, and answering Y hands it the session.
Verifying the Configuration
After the configuration is complete, run the display ssh server status command on the SSH server to check that the SFTP service is enabled, and the display ssh user-information command to view the SSH user information on the server.
# View the SSH server status.
[SSH Server] display ssh server status
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
SSH server keepalive                       : Enable
SFTP IPv4 server                           : Enable
SFTP IPv6 server                           : Enable
STELNET IPv4 server                        : Enable
STELNET IPv6 server                        : Enable
SNETCONF IPv4 server                       : Disable
SNETCONF IPv6 server                       : Disable
SNETCONF IPv4 server port(830)             : Disable
SNETCONF IPv6 server port(830)             : Disable
SCP IPv4 server                            : Enable
SCP IPv6 server                            : Enable
SSH IPv4 server port                       : 22
SSH IPv6 server port                       : 22
ACL name                                   : --
ACL number                                 : --
ACL6 name                                  : --
ACL6 number                                : --
SSH server ip-block                        : Enable
# View the SSH user information.
[SSH Server] display ssh user-information
--------------------------------------------------------------------------------
User Name             : client001
Authentication type   : password
User public key name  : --
User public key type  : --
Sftp directory        : flash:
Service type          : sftp

User Name             : client002
Authentication type   : rsa
User public key name  : --
User public key type  : --
Sftp directory        : flash:
Service type          : sftp
--------------------------------------------------------------------------------
Total 2, 2 printed
Configuration Scripts
- Configuration file of the SSH server
#
sysname SSH Server
#
rsa peer-public-key rsakey001 encoding-type der
 public-key-code begin
 3082010A
 02820101
 00BBB7A0 4924AF13 04F2662D 2ED43B9D 589967EB
 D8A4F785 5AD1F662 13845081 0C65F6B3 88A9C415
 D81C34BD 41A4B580 70DC7460 E4A5407B 9B95630F
 E211F4B3 1115772D FB95D3DC 915A1858 D0DE49F7
 F39DD7A7 7795F2B9 C9562E8B 598CB50F 6D39240D
 B5C6F1D3 33A218D0 98C30104 F8F3A8CA 7172C95B
 03AEC0A0 8A7E99F6 6C1939AA 52CC2E31 B6703278
 AEE1BCD8 DC21FCA2 041C9A4C 1856A935 6894998D
 FBFA88FF 1708C3A6 7E092368 ACE983D7 C8DDCDF5
 26F5D4E5 16A15C5C D6D0018E 4EAFE055 B93FCB87
 2BB46EFB 02C04C3B F167A417 380CD0B0 0BC59493
 646CBE96 BCAF3DB7 AD0AFA0A 5D14155E D7F97DC1
 32693DE5 4B103442 8E0F4DAD 2598BE5E 19
 0203
 010001
 public-key-code end
 peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher $1d$g8wLJ`LjL!$CyE(V{3qg5DdU:PM[6=6O$UF-.fQ,Q}>^)OBzgoU$
 local-user client001 service-type ssh
 local-user client001 privilege level 3
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:/
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:/
ssh authorization-type default root
ssh server-source all-interface
#
ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh server hmac sha2_256 sha2_512
ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh server publickey rsa_sha2_256 rsa_sha2_512
ssh server dh-exchange min-len 3072
#
return
- Configuration file of client001
#
sysname client001
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
- Configuration file of client002
#
sysname client002
#
ssh client first-time enable
#
ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm
ssh client hmac sha2_256 sha2_512
ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512
ssh client publickey rsa_sha2_256 rsa_sha2_512
#
return
Copyright notice:
Author: SE_YT
Link: https://www.cnesa.cn/2816.html
Source: CNESA
The copyright of this article belongs to the author; do not reproduce without permission.