< Home

Managing Files When the Device Functions as an SFTP Client

Pre-configuration Tasks

Before connecting to a device as an SFTP client to manage files, complete the following tasks:

  • Ensure that routes are reachable between the current device and the SSH server.
  • Obtain the host name or IP address of the SSH server and SSH user information.
  • Obtain the listening port number of the SSH server if the default listening port number is not used.

Configuration Procedure

Table 1 describes the procedure for managing files when the device functions as an SFTP client.

Table 1 Procedure for managing files when the device functions as an SFTP client

No.

Task

Description

Remarks

1

(Optional) Configure the SFTP client source address

Configure the SFTP client source address. To ensure communication security, the source address can be set to a source IP address or source interface.

Tasks 1, 2, and 3 can be performed in any sequence. Tasks 4-6 must be performed sequentially.

2

Generate a local key pair

Generate a local key pair and configure the public key on the SSH server.

Perform this task only if the device logs in to the SSH server in RSA, DSA, or ECC authentication mode.

3

Configure the initial SSH connection.

Configure the initial SSH connection by enabling the initial authentication function or saving the public key of the SSH server on the SSH client.

4

Run SFTP commands to connect to the SSH server.

-

5

Perform file operations using SFTP.

Users can perform operations on directories and files on the SSH server and view the help about SFTP commands on the SFTP client.

6

Disconnect the SFTP client from the SSH server.

-

Procedure

  • (Optional) Configure the SFTP client source address.

    When specifying the source address in an ACL, use the address of a stable interface, for example, a loopback interface. This simplifies the ACL rule and security policy configuration. After the client source address is configured as the source or destination address in the ACL rule, IP address differences and interface status impact are shielded, and incoming and outgoing packets are filtered.

    The SFTP client source address must be set to the loopback interface IP address or loopback interface.

    Table 2 Configuring the SFTP client source address

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Configure the SFTP client source address.

    sftp client-source { -a source-ip-address | -i interface-type interface-number }

    The default source address is 0.0.0.0.

    The client source address is set to the loopback interface IP address or loopback interface.

  • Generating a local key pair

    Perform this step only if the device logs in to the SSH server in RSA, DSA, or ECC authentication mode. This step is not required if the password authentication mode is used.

    Table 3 Generating a local key pair

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Generate the local key pair.

    rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create.

    Run one of the commands according to the type of key configured on the remote end.

    Run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command to view the public key in the local RSA, DSA, or ECC key pair. Configure the public key on the SSH server.

  • Configure the initial SSH connection.

    Before the client has saved the public key of the SSH server, the client cannot connect to the SSH server. Configure the initial SSH connection in either of the following ways:

    • Enable the initial authentication function on the SSH client. This function allows the client to successfully connect to an SSH server for the first time without validating the SSH server's public key. When the initial SSH connection succeeds, the client automatically saves the public key of the SSH server for subsequent SSH connections. For details, see Table 4. This configuration method is simple.
    • Save the public key of the SSH server on the client so that the client can authenticate the SSH server successfully. For details, see Table 5. This method ensures higher security but becomes more complex than the first method.
    Table 4 Enabling first authentication for the SSH client

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Enable first authentication for the SSH client.

    ssh client first-time enable

    By default, first authentication is disabled on the SSH client.
    Table 5 Configuring the SSH client to assign the RSA, DSA, or ECC public key to the SSH server

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    Enter the RSA, DSA, or ECC public key view.

    rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ]

    ,

    dsa peer-public-key key-name encoding-type { der | openssh | pem }

    Or

    ecc peer-public-key key-name encoding-type { der | openssh | pem }

    Perform one of the operations based on the key type.

    Enter the public key editing view.

    public-key-code begin

    -

    Edit the public key.

    hex-data
    • The public key must be a hexadecimal character string in the public key encoding format, and generated by the SSH server.
    • After entering the public key editing view, you must enter the RSA, DSA, or ECC public key that is generated on the server to the client.

    Exit from the public key editing view.

    public-key-code end
    • If the public key hex-data is invalid, the public key cannot be generated after you run this command.
    • If the specified key key-name has been deleted, the system displays a message indicating that the key does not exist and then returns to the system view after you run this command.

    Return to the system view.

    peer-public-key end

    -

    Bind the RSA, DSA, or ECC public key to the SSH server.

    ssh client servername assign { rsa-key | dsa-key | ecc-key } keyname

    If the SSH server public key saved in the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | dsa-key | ecc-key } command to cancel the binding between the SSH server and RSA, DSA, or ECC public key. Then run this command to assign a new RSA, DSA, or ECC public key to the SSH server.

  • Run SFTP commands to connect to the SSH server.

    The command for connecting an SFTP client is similar to that for connecting the STelnet client. Both types of clients can carry the source address, support the keepalive function, and select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm.

    Table 6 Running SFTP commands to connect to the SSH server

    Operation

    Command

    Description

    Enter the system view.

    system-view

    -

    (Optional) Configure a key exchange algorithm list for the SSH client.

    ssh client key-exchange { dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | dh_group_exchange_sha256 }*

    By default, an SSH client supports all key exchange algorithms.

    The system software does not support the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 parameters. To use the dh_group_exchange_sha1, dh_group14_sha1, or dh_group1_sha1 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to use other parameters.

    (Optional) Configure an encryption algorithm list for the SSH client.

    ssh client cipher { aes128_ctr | aes256_ctr } *

    By default, an SSH client supports the following encryption algorithms: AES128_CTR and AES256_CTR.

    The system software does not support the aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc parameters. To use these parameters, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the aes256_ctr or aes128_ctr parameter.

    (Optional) Configure an HMAC algorithm list for the SSH client.

    ssh client hmac sha2_256

    By default, an SSH client supports SHA2_256_96.

    The system software does not support the sha2_256_96, sha1, sha1_96, md5, and md5_96 parameters. To use the sha2_256_96, sha1, sha1_96, md5, or md5_96 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the sha2_256 parameter.

    Connect the SFTP client to the SFTP server based on IPv4.

    sftp [ -a source-address | -i interface-type interface-number ] host-ip [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | prefer_kex prefer_key-exchange | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac| -ki aliveinterval ] | [ -kc alivecountmax] *

    Run either of the commands based on the IP address type.

    In most cases, only the IP address is specified in the commands.

    NOTE:

    The aes128 or aes256 algorithm is recommended to improve data transmission security.

    Connect the SFTP client to the SFTP server based on IPv6.

    sftp ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port ] [ identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } | -vpn-instance vpn-instance-name | prefer_kex prefer_key-exchange | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] *
    Command example:
    [HUAWEI] sftp 10.137.217.201

    After the SSH connection is established, sftp-client> is displayed, indicating that you have entered the SFTP client view.

  • Perform file operations using SFTP.

    In the SFTP client view, you can perform one or more file-related operations listed in Table 7.

    You can perform the following operations in any sequence and select one or more operation items as required.

    In the SFTP client view, the system does not support predictive command input. Therefore, you must enter commands in their full syntax.

    The file system limits the number of files in the root directory to 50. Creation of files in excess of this limit in the root directory may fail.

    Table 7 Running SFTP commands to perform file-related operations

    Operation

    Command

    Description

    Change the user's current working directory.

    cd [ remote-directory ]

    -

    Change the current working directory to its parent directory.

    cdup

    -

    Display the user's current working directory.

    pwd

    -

    Display the file list in a specified directory.

    dir/ls [ -l | -a ] [ remote-directory ]

    Outputs of the dir and ls commands are the same.

    Delete directories from the server.

    rmdir remote-directory &<1-10>

    A maximum of 10 directories can be deleted at one time.

    Before running the rmdir command to delete directories, ensure that the directories do not contain any files. Otherwise, the deletion fails.

    Create a directory on the server.

    mkdir remote-directory

    -

    Change the name of a specified file on the server.

    rename old-name new-name

    -

    Download a file from the remote server.

    get remote-filename [ local-filename ]

    -

    Upload a local file to the remote server.

    put local-filename [ remote-filename ]

    -

    Delete files from the server.

    remove remote-filename &<1-10>

    A maximum of 10 files can be deleted at one time.

    View the help about SFTP commands.

    help [ all | command-name ]

    -

    You can also use the following commands to download files from the SFTP server or upload files.

    • IPv4 address: sftp client-transfile { get | put } [ -a source-address | -i interface-type interface-number ] host-ip host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ]| prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username user-name password password sourcefile source-file [ destination destination ]
    • IPv6 address: sftp client-transfile { get | put } ipv6 [ -a source-address ] host-ip host-ipv6 [ -oi interface-type interface-number ] [ port ] [ -vpn-instance vpn-instance-name | prefer_kex prefer_key-exchange | identity-key { rsa | dsa | ecc } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax ] * username user-name password password sourcefile source-file [ destination destination ]

  • Disconnect the SFTP client from the SSH server.

    Operation

    Command

    Description

    Disconnect the SFTP client from the SSH server.

    quit

    -

Verifying the Configuration

  • Run the display sftp-client command to check source interface of the SFTP client.

  • Run the display ssh server-info command to check the mappings between the SSH server and the public key.
Parent Topic: File Management on Other Devices
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >