Log in to the SSH server through the console port or using Telnet and run the display ssh server status command to check the SSH server configuration.
If the STelnet service is disabled, run the stelnet [ ipv4 | ipv6 ] server enable command to enable the STelnet service on the SSH server.
Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether protocol inbound is set to ssh or all. If not, run the protocol inbound { ssh | all } command to allow STelnet users to log in to the switch.
A local key pair must be configured when the switch works as the SSH server.
Run the display rsa local-key-pair public, display dsa local-key-pair public, or display ecc local-key-pair public command on the SSH server to check the current key pair. If no information is displayed, no key pair is configured on the server. Run the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command to create a key pair.
Run the display ssh user-information command to view the SSH user configuration. If no configuration is available, run the ssh user, ssh user authentication-type, and ssh user service-type commands in the system view to create an SSH user and set an authentication mode and the service type for the SSH user.
Log in to the switch through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, a maximum of five users are allowed by a VTY channel. You can run the display user-interface maximum-vty command to check the maximum number of users allowed by the current VTY channel.
If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.
Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether an ACL is configured in the VTY user interface. If so, record the ACL number.
Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.
Run the display ssh server status command on the SSH server to check the SSH version.
If the SSHv1 client logs in, run the ssh server compatible-ssh1x enable command to enable the version compatibility function on the server.
Run the display this command in the system view to check whether first-time authentication is enabled on the SSH client.
If not, the initial login of the SSH client fails because validity check on the public key of the SSH server fails. Run the ssh client first-time enable command to enable first-time authentication on the SSH client.
Run the display auto-defend configuration command on the SSH server to check the attack source tracing configuration.
By default, attack source tracing is enabled on an SSH server. If the punishment action for attack source tracing is set to discard and the rate of protocol packets received on an interface exceeds the threshold for port attack defense, user login may fail. To solve this problem, run the undo auto-defend enable command to disable attack source tracing or run the undo auto-defend action command to disable the attack source punish function.