Managing Files When the Device Functions as an SFTP Server

Procedure

• Set SFTP server parameters.

  Table 3 Setting SFTP server parameters

  Operation	Command	Description
  Enter the system view.	system-view	-
  Generate a local key pair.	rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create.	Perform one of the operations based on the key type. After the key pair is generated, run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to check the public key in the local key pair. NOTE: For increased security, you are advised to use the longest possible length for the key pairs.
  Enable the SFTP server function.	sftp [ ipv4 | ipv6 ] server enable	By default, the SFTP server function is disabled.
  (Optional) Configure a key exchange algorithm list for the SSH server.	ssh server key-exchange { dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | dh_group_exchange_sha256 }*	By default, an SSH server supports all key exchange algorithms. The system software does not support the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 parameters. To use the dh_group_exchange_sha1, dh_group14_sha1, or dh_group1_sha1 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to use other parameters.
  (Optional) Configure an encryption algorithm list for the SSH server.	ssh server cipher { aes128_ctr | aes256_ctr } *	By default, an SSHserver supports five encryption algorithms: AES128_CTR and AES256_CTR. The system software does not support the aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc parameters. To use these parameters, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the aes256_ctr or aes128_ctr parameter.
  (Optional) Configure an HMAC algorithm list for the SSH server.	ssh server hmac sha2_256	By default, an SSH server supports SHA2_256. The system software does not support the sha2_256_96, sha1, sha1_96, md5, and md5_96 parameters. To use the sha2_256_96, sha1, sha1_96, md5, or md5_96 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the sha2_256 parameter.
  (Optional) Configure the minimum key length supported during Diffie-hellman-group-exchange key exchange between the SSH server and client.	ssh server dh-exchange min-len min-len	By default, the minimum key length supported is 1024 bytes.
  (Optional) Specifies the public key algorithm of the SSH server.	ssh server publickey { dsa | ecc | rsa } *	By default, DSA, ECC, and RSA public key algorithms are enabled.
  (Optional) Configure the listening port number.	ssh [ ipv4 | ipv6 ] server port port-number	By default, the listening port number is 22. If a new port number is configured, the SSH server disconnects all SSH clients and uses the new port number to listen for connection requests. Attackers do not know the port number and cannot access the listening port of the SSH server.
  (Optional) Configure the interval for updating the key pair of the server.	ssh server rekey-interval hours	By default, the interval for updating the key pair is 0, which indicates that the key pair is never updated. After the interval is configured, the system automatically updates the key pair at the specified interval, which ensures security. This command takes effect only for SSH1.X. However, SSH1.X provides weak security and is not recommended.
  (Optional) Configure the SSH authentication timeout duration.	ssh server timeout seconds	By default, the SSH authentication timeout duration is 60 seconds.
  (Optional) Configure the number of SSH authentication retries.	ssh server authentication-retries times	By default, the number of SSH authentication retries is 3.
  (Optional) Enable compatibility with earlier versions.	ssh server compatible-ssh1x enable	By default, the server's compatibility with earlier versions is disabled. When an SSH server is upgraded, the server's compatibility with earlier versions is the same as that in the configuration file.
  (Optional) Configure an ACL.	ssh [ ipv6 ] server acl acl-number	By default, no ACL is configured for the SSH server. An ACL is configured to determine which clients can log in to the current device through SSH.
  (Optional) Configure the source IP address of the SSH server.	ssh server-source -i loopback interface-number	By default, the source interface of an SSH server is not specified. NOTE: Before specifying the source interface of the SSH server, ensure that the loopback interface to be specified as the source interface has been created. If the loopback interface is not created, this command cannot be correctly executed.

  • When the local RSA key pair is generated, two key pairs (a server key pair and a host key pair) are generated at the same time. Each key pair contains a public key and a private key. The length of the two key pairs is 2048 bits.
  • When the local DSA key pair is generated, only the host key pair is generated. The length of the host key pair can be 1024 or 2048 bits. The default length is 2048 bits.
  • When the local ECC key pair is generated, only the host key pair is generated. The length of the host key pair can be 256, 384, or 521 bits. The default length is 521 bits.

• Configure the VTY user interface for SSH users to log in to the device.

  SSH users use the VTY user interface to log in to the device using SFTP. Attributes of the VTY user interface must be configured.

  Table 4 Configuring the VTY user interface for SSH users to log in to the device

  Operation	Command	Description
  Enter the system view.	system-view	-
  Enter the VTY user interface view.	user-interface vty first-ui-number [ last-ui-number ]	-
  Set the authentication mode of the VTY user interface to AAA.	authentication-mode aaa	By default, no authentication mode is configured for the VTY user interface. The authentication mode of the VTY user interface must be set to AAA. Otherwise, you cannot configure the protocol inbound ssh command and users cannot log in to the device.
  Configure a VTY user interface that supports SSH.	protocol inbound ssh	By default, the VTY user interface supports SSH. If no VTY user interface supports SSH, users cannot log in to the device.
  Configure the user level.	user privilege level level	The user level must be set to 3 or higher to allow connections to be established. If a local user uses password authentication, you can run the local-user user-name privilege level level command to set the level of the user to 3 or higher.
  (Optional) Configure other attributes of the VTY user interface.	-	Other attributes of the VTY user interface are as follows: Maximum number of VTY user interfaces Restrictions on incoming calls and outgoing calls on the VTY user interface Terminal attributes on the VTY user interface For details, see Configuring STelnet Login–Other commands.

• Configure SSH user information.
  Configure SSH user information including the authentication mode. The supported authentication modes are RSA, password, password-rsa, DSA, password-dsa, ECC, password-ecc, and all.

  • The password-rsa authentication mode consists of the password and RSA authentication modes.
  • The password-dsa authentication mode consists of the password and DSA authentication modes.
  • The password-ecc authentication mode consists of the password and ECC authentication modes.
  • The all authentication mode indicates that SSH users can be authenticated by ECC, DSA, password, or RSA.

  Table 5 Configuring SSH user information

  Operation	Command	Description
  Enter the system view.	system-view	-
  Create SSH users.	ssh user user-name	-
  Configure the authentication mode for SSH users.	ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }	If SSH users are not created using the ssh user command, directly run the ssh authentication-type default password command to configure the default password authentication mode for users. This makes configuration simpler when a large number of users exist, because you need to configure only AAA users. NOTE: In all authentication mode, the user priority depends on the authentication mode selected. If password authentication is selected, the user priority is the same as that specified on the AAA module. If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access. If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.
  Set the service type to SFTP or all for SSH users.	ssh user username service-type { sftp | all }	By default, the service type of SSH users is empty.
  Configure the authorized directory for SSH users.	ssh user username sftp-directory directoryname	The default SFTP service authorized directory is flash: for an SSH user.

  • The password authentication mode is implemented based on AAA. To log in to the device in the password-ecc, password-dsa, password, or password-rsa authentication mode, create a local user with the same user name in the AAA view.
  • If the SSH user uses the password authentication mode, only the SSH server needs to generate the RSA, DSA, or ECC key. If the SSH user uses the RSA, DSA, or ECC authentication mode, both the SSH server and client need to generate the RSA, DSA, or ECC key and configure the public key of the peer end locally.
  Perform any of the following configurations according to authentication mode:

  • To configure password authentication for the SSH user, see Table 6.

  • To configure RSA, DSA, or ECC authentication for the SSH user, see Table 7.

  • To configure password-rsa, password-dsa, or password-ecc authentication for the SSH user, configure an AAA user and set the RSA, DSA, or ECC public key. For details, see Table 6 and Table 7.

  Table 6 Configuring password, password-ecc, password-dsa, or password-rsa authentication for the SSH user

  Operation	Command	Description
  Enter the system view.	system-view	-
  Enter the AAA view.	aaa	-
  Configure the local user name and password.	local-user user-name password irreversible-cipher password	-
  Configure the service type for the local user.	local-user user-name service-type ssh	-
  Configure the level for the local user.	local-user user-name privilege level level	-
  Return to the system view.	quit	-

  Table 7 Configuring DSA, RSA, ECC, password-dsa, password-rsa, or password-ecc authentication for the SSH user

  Operation	Command	Description
  Enter the system view.	system-view	-
  Display the RSA, DSA, or ECC public key view.	rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] , dsa peer-public-key key-name encoding-type { der | openssh | pem } , or ecc peer-public-key key-name encoding-type { der | openssh | pem }	-
  Display the public key editing view.	public-key-code begin	-
  Edit the public key.	hex-data	The public key must be a hexadecimal character string in the public key encoding format, and generated by the client software that supports SSH. For detailed operations, see the documentation of the SSH client software. You must enter the RSA, DSA, ECC public key on the device that works as the SSH server.
  Exit the public key editing view.	public-key-code end	If no public key code hex-data is entered, the public key cannot be generated after you run this command. If the specified key key-name has been deleted in another view, the system displays a message indicating that the key does not exist and then returns to the system view directly when you run this command.
  Return to the system view from the public key view.	peer-public-key end	-
  Assign an RSA, DSA, or ECC public key to an SSH user.	ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name	-

• Connect to the device using SFTP.

  The SSH client software supporting SFTP must be installed on the terminal to ensure that the terminal can connect to the device using SFTP. The following describes how to connect to the device using OpenSSH and the Windows CLI.

  • For details how to install OpenSSH, see the OpenSSH installation description.

  • To use OpenSSH to connect to the device using SFTP, run the relevant OpenSSH commands. For details about OpenSSH commands, see OpenSSH help.

  • Windows command prompt can identify commands supported by OpenSSH only when OpenSSH is installed on the terminal.

  Access the Windows CLI and run the commands supported by OpenSSH to connect to the device using SFTP.

  The command prompt sftp> indicates that you have accessed the working directory on the SFTP server. (The following information is for reference.)

  C:\Documents and Settings\Administrator> sftp sftpuser@10.136.23.5
  Connecting to 10.136.23.5...
  The authenticity of host '10.136.23.5 (10.136.23.5)' can't be established.
  DSA key fingerprint is 46:b2:8a:52:88:42:41:d4:af:8f:4a:41:d9:b8:4f:ee.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '10.136.23.5' (DSA) to the list of known hosts.
  
  User Authentication
  Password:
  sftp>

• Perform file operations using SFTP.

  In the SFTP client view, you can perform one or more file-related operations listed in Table 8.

  You can perform the following operations in any sequence and select one or more operation items as required.

  

  In the SFTP client view, the system does not support predictive command input. Therefore, you must enter commands in their full syntax.

  The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.

  Table 8 Running SFTP commands to perform file-related operations

  Operation	Command	Description
  Change the user's current working directory.	cd [ remote-directory ]	-
  Change the current working directory to its parent directory.	cdup	-
  Display the user's current working directory.	pwd	-
  Display the file list in a specified directory.	dir/ls [ -l | -a ] [ remote-directory ]	Outputs of the dir and ls commands are the same.
  Delete directories from the server.	rmdir remote-directory &<1-10>	A maximum of 10 directories can be deleted at one time. Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.
  Create a directory on the server.	mkdir remote-directory	-
  Change the name of a specified file on the server.	rename old-name new-name	-
  Download a file from the remote server.	get remote-filename [ local-filename ]	-
  Upload a local file to the remote server.	put local-filename [ remote-filename ]	-
  Delete files from the server.	remove remote-filename &<1-10>	A maximum of 10 files can be deleted at one time.
  View the help about SFTP commands.	help [ all | command-name ]	-

  You can also use the following commands to download files from the SFTP server or upload files.

  • IPv4 address: sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ]| prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] ^* username user-name password password sourcefile source-file [ destination destination ]
  • IPv6 address: sftp client-transfile { get | put } ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ -vpn-instance vpn-instance-name | prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] ^* username user-name password password sourcefile source-file [ destination destination ]

• Disconnect the SFTP client from the SSH server.

  Operation	Command	Description
  Disconnect the SFTP client from the SSH server.	quit	-