
Example for Configuring the SFTP Server

Networking Requirements

As shown in Figure 1, routes between the PC and the device functioning as an SSH server are reachable. 10.136.23.4 is the IP address of the management Ethernet interface on the SSH server. Configure the device as an SSH server so that it can authenticate the client (PC) and encrypt data in both directions. This prevents man-in-the-middle attacks and DNS/IP spoofing attacks and ensures secure file transfer.

Figure 1 Networking diagram for managing files using SFTP when the device functions as an SSH server

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair and enable the SFTP server function on the SSH server so that the server and client can securely exchange data.

  2. Configure the VTY user interface on the SSH server.

  3. Configure SSH user information including the authentication mode, service type, authorized directory, user name, and password.

  4. Connect to the SSH server using the third-party software OpenSSH on the PC.

Procedure

  1. Generate a local key pair on the SSH server, and enable the SFTP server.

    <HUAWEI> system-view
    [HUAWEI] sysname SSH_Server
    [SSH_Server] dsa local-key-pair create
    Info: The key name will be: SSH_Server_Host_DSA.
    Info: The key modulus can be any one of the following : 1024, 2048.
    Info: If the key modulus is greater than 512, it may take a few minutes.
    Please input the modulus [default=2048]:
    Info: Generating keys...
    Info: Succeeded in creating the DSA host keys.
    [SSH_Server] sftp server enable

  2. Configure the VTY user interface on the SSH_Server.

    [SSH_Server] user-interface vty 0 14
    [SSH_Server-ui-vty0-14] authentication-mode aaa
    [SSH_Server-ui-vty0-14] protocol inbound ssh
    [SSH_Server-ui-vty0-14] quit

  3. Configure SSH user information including the authentication mode, service type, authorized directory, user name, and password.

    [SSH_Server] ssh user client001 authentication-type password
    [SSH_Server] ssh user client001 service-type sftp
    [SSH_Server] ssh user client001 sftp-directory flash: 
    [SSH_Server] aaa
    [SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
    [SSH_Server-aaa] local-user client001 privilege level 15
    [SSH_Server-aaa] local-user client001 service-type ssh
    [SSH_Server-aaa] quit

  4. Connect to the SSH server using the third-party software OpenSSH on the PC.

    The Windows CLI can identify OpenSSH commands only when OpenSSH is installed on the PC.

    Use a version of OpenSSH that is compatible with the operating system running on the terminal. An incorrect version may prevent communication with the switch through SFTP.

    Figure 2 Connecting to the SSH server

    After you connect to the SSH server through third-party software, the SFTP view is displayed. You can then perform file-related operations in the SFTP view.

Configuration File

SSH_Server configuration file

#
sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9y$>M\bjG$D>%@Ug/<3I$+=Y$
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
#
return
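
The following Python check is an added example, not part of the Huawei documentation: it parses a saved configuration in the format shown above and reports which items from the configuration roadmap are missing for a given SSH user. The sample text is an excerpt of the configuration file above with the cipher text replaced by a constructed placeholder, and the function names are hypothetical.

```python
# Added example. SAMPLE_CONFIG is an excerpt of the page's configuration file;
# the cipher text is a constructed placeholder, not the value from the page.
SAMPLE_CONFIG = """\
#
aaa
 local-user client001 password irreversible-cipher CONSTRUCTED-PLACEHOLDER
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
#
"""

def parse_views(text):
    """Map each top-level command to the indented commands in its view."""
    views, current = {}, None
    for line in map(str.rstrip, text.splitlines()):
        if not line or line.startswith("#"):
            current = None                      # '#' separates sections
        elif line[0] == " " and current is not None:
            views[current].append(line.strip())
        else:
            current = line.strip()
            views.setdefault(current, [])
    return views

def missing_items(text, user):
    """Return the roadmap items absent for `user`; an empty list means all are present."""
    views = parse_views(text)
    aaa = views.get("aaa", [])
    vty = [c for k, v in views.items() if k.startswith("user-interface vty") for c in v]
    ssh, local = f"ssh user {user} ", f"local-user {user} "
    checks = {
        "sftp server enable": "sftp server enable" in views,
        "ssh user authentication-type": any(k.startswith(ssh + "authentication-type ") for k in views),
        "ssh user service-type sftp": ssh + "service-type sftp" in views,
        "ssh user sftp-directory": any(k.startswith(ssh + "sftp-directory ") for k in views),
        "local-user irreversible-cipher": any(c.startswith(local + "password irreversible-cipher ") for c in aaa),
        "local-user service-type ssh": any(c.startswith(local + "service-type ") and "ssh" in c.split()[3:] for c in aaa),
        "vty authentication-mode aaa": "authentication-mode aaa" in vty,
    }
    return [name for name, ok in checks.items() if not ok]
```

Calling `missing_items(SAMPLE_CONFIG, "client001")` returns an empty list; any returned names identify roadmap steps that are not reflected in the saved configuration.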
Copyright © Huawei Technologies Co., Ltd.