Configuring STelnet Login
STelnet is recommended because Telnet may pose security risks. Before configuring STelnet login, ensure that the PC and the switch are routable to each other.
The STelnet V1 protocol poses security risks, and therefore STelnet V2 is recommended.
Common Configurations for STelnet Login
By default, the STelnet function is not configured on a switch. To use this function, you need to perform the following steps to configure the STelnet service and user information:
Set a protocol type, an authentication mode, and a user level for the VTY user interface.
Enable the STelnet server function and create an SSH user.
Set an authentication mode for the SSH user.
Generate a local key pair on the SSH server to implement secure data exchange between the server and client.
Procedure
- Set a protocol type, an authentication mode, and a user level for the VTY user interface.
[HUAWEI] user-interface vty 0 4 [HUAWEI-ui-vty0-4] authentication-mode aaa //Set the authentication mode for the VTY user interface to AAA. [HUAWEI-ui-vty0-4] protocol inbound ssh //Configure the VTY user interface to support SSH. By default, VTY user interfaces support SSH. [HUAWEI-ui-vty0-4] user privilege level 15 //Set the level of the VTY user interface to 15. [HUAWEI-ui-vty0-4] quit
STelnet login requires VTY user interfaces to support SSH. Therefore, the VTY user interfaces must use AAA authentication.
- Enable the STelnet server function and create an SSH user.
[HUAWEI] stelnet server enable //Enable the STelnet server function. [HUAWEI] ssh user admin123 //Create an SSH user named admin123. [HUAWEI] ssh user admin123 service-type stelnet //Set the service type of the SSH user to STelnet.
- Set an authentication mode for the SSH user.
Set the authentication mode for the SSH user to password.
To use password authentication, you need to create a local user with the same name as the SSH user in the AAA view.
[HUAWEI] ssh user admin123 authentication-type password //Set the authentication mode for the SSH user to password authentication. [HUAWEI] aaa [HUAWEI-aaa] local-user admin123 password irreversible-cipher abcd@123 //Create a local user with the same name as the SSH user and set the login password of the user. [HUAWEI-aaa] local-user admin123 privilege level 15 //Set the level of the local user to 15. Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y [HUAWEI-aaa] local-user admin123 service-type ssh //Set the service type of the local user to SSH. [HUAWEI-aaa] quit
Set the authentication mode for the SSH user to RSA, DSA, or ECC. (The following uses ECC authentication as an example. Steps for configuring RSA and DSA authentication are similar to those for configuring ECC authentication.)
To use RSA, DSA, or ECC authentication, you need to copy the public key in the RSA key pair generated on the SSH client to the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the copied public key. For details about public key on the client, see the help document of the SSH client software.
[HUAWEI] ssh user admin123 authentication-type ecc //Set the authentication mode for the SSH user to ECC. [HUAWEI] ecc peer-public-key key01 encoding-type pem //Configure the encoding type of an ECC public key and enter the ECC public key view. key01 is the public key name. Enter "ECC public key" view, return system view with "peer-public-key end". [HUAWEI-ecc-public-key] public-key-code begin //Enter the public key editing view. Enter "ECC key code" view, return last view with "public-key-code end". [HUAWEI-dsa-key-code] 308188 //Copy the public key generated on the client. The public key is a hexadecimal character string. [HUAWEI-dsa-key-code] 028180 [HUAWEI-dsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB [HUAWEI-dsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F [HUAWEI-dsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B [HUAWEI-dsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 [HUAWEI-dsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931 [HUAWEI-ecc-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 [HUAWEI-ecc-key-code] 171896FB 1FFC38CD [HUAWEI-ecc-key-code] 0203 [HUAWEI-ecc-key-code] 010001 [HUAWEI-ecc-key-code] public-key-code end //Return to the public key view. [HUAWEI-ecc-public-key] peer-public-key end //Return to the system view. [HUAWEI] ssh user admin123 assign ecc-key key01 //Assign the public key key01 to the admin123 user.
To use Password-RSA, Password-DSA, or Password-ECC authentication, configure AAA user information and enter the public key generated on the SSH client.
If all authentication is used, configure AAA user information or enter the public key generated on the client or perform the two operations together.
For device security purposes, change the password periodically.
- Generate a local key pair on the server.
[HUAWEI] ecc local-key-pair create Info: The key name will be: HUAWEI_Host_ECC. Info: The key modulus can be any one of the following: 256, 384, 521. Info: If the key modulus is greater than 512, it may take a few minutes. Please input the modulus [default=521]:521 Info: Generating keys.......... Info: Succeeded in creating the ECC host keys. - Log in to the switch through STelnet.
On the PC, connect to the SSH server through password authentication.
Log in to the switch using PuTTY, enter the switch's IP address, and select the SSH protocol.Figure 1 Logging in to the SSH server using PuTTY in password authentication mode
Click Open. Enter the user name and password as prompted and press Enter to log in to the SSH server. (The following information is only for reference.)
login as: admin123 Sent username "admin123" admin123@10.10.10.20's password: Info: The max number of VTY users is 8, and the number of current VTY users on line is 5. The current login time is 2018-12-22 09:35:28+00:00. <HUAWEI>
Verifying the Configuration
- Run the display ssh user-information [ username ] command to check information about SSH users on the SSH server. If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed.
- Run the display ssh server status command to check global configurations of the SSH server.
- Run the display ssh server session command to check information about sessions between the SSH server and client.
Related Commands
Function |
Command |
Description |
|---|---|---|
Generate a local host key pair. |
rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create |
By default, no host key pair is configured. |
Enable the STelnet server function. |
stelnet server enable |
By default, the STelnet server function is disabled. |
Set an authentication mode for accessing a VTY user interface. |
authentication-mode { aaa } |
By default, none authentication is used. If AAA authentication is selected, you need to configure information about the local AAA user. |
Set a protocol for a VTY user interface. |
protocol inbound { all | ssh } |
By default, VTY user interfaces support SSH. The configuration takes effect at the next login. |
Set the level of users who are allowed to access a VTY user interface. |
user privilege level level |
The default value is 0. When RSA, DSA, or ECC authentication is used, the user level is determined by the level of the VTY user interface to which the user logs in. If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence. |
Create an SSH user. |
ssh user user-name |
By default, no SSH user is created. |
Set a service type for an SSH user. |
ssh user user-name service-type { stelnet | all } |
By default, no service type is configured for an SSH user. |
Set an authentication mode for an SSH user. |
ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all } |
|
Function |
Command |
Description |
|---|---|---|
Enable terminal services on a VTY user interface. |
shell |
By default, terminal services are enabled on all VTY user interfaces. |
Set the maximum number of VTY user interfaces. |
user-interface maximum-vty number |
By default, the maximum number of VTY user interfaces is 15. |
Set the VTY inactivity timeout. |
idle-timeout minutes [ seconds ] |
The default timeout value is 10 minutes. |
Set the number of lines displayed on a terminal screen. |
screen-length screen-length |
The default number of lines displayed on a terminal screen is 24. |
Set the number of columns displayed on a terminal screen. |
screen-width screen-width |
The default number of columns displayed on a terminal screen is 80. |
Set the size of the historical command buffer on a VTY user interface. |
history-command max-size size-value |
By default, a maximum of 10 historical commands can be saved in the buffer. |
Set a key exchange algorithm list for an SSH server. |
ssh server key-exchange { dh_group14_sha256 | dh_group15_sha512 | dh_group16_sha512 | dh_group_exchange_sha256 }* |
By default, an SSH server supports all key exchange algorithms. The system software does not support the dh_group_exchange_sha1, dh_group14_sha1, and dh_group1_sha1 parameters. To use the dh_group_exchange_sha1, dh_group14_sha1, or dh_group1_sha1 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to use other parameters. |
Set an encryption algorithm list for an SSH server. |
ssh server cipher { aes128_ctr | aes256_ctr } * |
By default, an SSH server supports five encryption algorithms: AES128_CTR and AES256_CTR. The system software does not support the aes256_cbc, aes128_cbc, 3des_cbc, and des_cbc parameters. To use these parameters, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the aes256_ctr or aes128_ctr parameter. |
Set an HMAC algorithm list for an SSH server. |
ssh server hmac sha2_256 |
By default, an SSH server supports all HMAC algorithms. The system software does not support the sha2_256_96, sha1, sha1_96, md5, and md5_96 parameters. To use the sha2_256_96, sha1, sha1_96, md5, or md5_96 parameter, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify the sha2_256 parameter. |
Set a port number for an SSH server. |
ssh [ ipv4 | ipv6 ] server port port-number |
By default, the port number of an SSH server is 22. Configuring a new port number for an SSH server prevents attackers from accessing the SSH server using the default port, improving SSH server security. |
Set a public key algorithm for an SSH server. |
ssh server publickey { dsa | ecc | rsa } * |
By default, DSA, ECC, and RSA algorithms are enabled. A public key algorithm can be specified for login to an SSH server. Login using other public key algorithms is rejected, improving device security. The ECC algorithm is recommended. |
Set the source interface of an SSH server. |
ssh server-source -i loopback interface-number |
By default, the source interface of an SSH server is not specified. You can configure a source interface for an SSH server to prevent exposure of the device's management IP address, improving device security. |
Set the interval at which the key pair of an SSH server is updated. |
ssh server rekey-interval hours |
The default interval is 0, indicating that the key pair is never updated. |
Set the SSH session inactivity timeout. |
ssh server timeout seconds |
The default timeout value is 60 seconds. |
Set the maximum number of authentication retries for an SSH connection. |
ssh server authentication-retries times |
The default value is 3. |
Enable an SSH server to be compatible with earlier versions. |
ssh server compatible-ssh1x enable |
By default, this function is disabled. |