Enabling the STelnet Server Function

Procedure

1. Run system-view

   The system view is displayed.

2. (Optional) Run ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa| rsa-sha2-256 | rsa-sha2-512 } ^*

   A public key encryption algorithm is configured for the SSH server.

3. (Optional) Configure the maximum number of key pairs. Perform one of the following operations based on the user requirements for system performance:

   • Run the rsa key-pair maximum max-keys command to configure the maximum number of RSA key pairs that can be created.

   • Run the dsa key-pair maximum max-keys command to configure the maximum number of DSA key pairs that can be created.

   • Run the ecc key-pair maximum max-keys command to configure the maximum number of ECC key pairs that can be created.

4. (Optional) Create an SSH server key pair. Use either of the following methods:
   • Method 1

     • If the user requirements for system security are not high, run the rsa local-key-pair create command to configure a local RSA key pair or run the dsa local-key-pair create command to configure a local DSA key pair.

     • If the user requirements for system security are high, run the ecc local-key-pair create command to configure a local ECC key pair.

     After the key pairs are generated, perform any of the following operations based on the selected public key algorithm:

     • Run the display rsa local-key-pair public command to check the public key in the local RSA key pair.
     • Run the display dsa local-key-pair public command to check the public key in the local DSA key pair.
     • Run the display ecc local-key-pair public command to check the public key in the local ECC key pair.
   • Method 2

     • If the user requirements for system security are not high, run the rsa key-pair label label-name command to configure a local RSA key pair or run the dsa key-pair label label-name command to configure a local DSA key pair.

     • If the user requirements for system security are high, run the ecc key-pair label label-name [ modulus modulus-bits ] command to create a local ECC key pair, or run the sm2 key-pair label label-name command to create a local SM2 key pair.

     After key pairs are generated, run the ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key | sm2-host-key } key-name command to assign a key pair to the SSH server.

     If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign pki pki-name command to configure a PKI certificate for the SSH server.

     After the key pairs are generated, perform any of the following operations based on the selected public key algorithm:

     • Run the display rsa key-pair [ brief | label label-name ] command to check RSA key pairs.
     • Run the display dsa key-pair [ brief | label label-name ] command to check DSA key pairs.
     • Run the display ecc key-pair [ brief | label label-name ] command to check ECC key pairs.
     • Run the display sm2 key-pair [ brief | label label-name ] command to check SM2 key pairs.

5. Run stelnet server enable

   The STelnet server function is enabled.

   If the STelnet server function is disabled on the SSH server, all clients that have logged in through STelnet are disconnected from the server.

   

   SSH uses port 22 to listen to packets. Running this command will enable port 22 to listen to IPv4 and IPv6 TCP packets.

6. (Optional) Run ssh server security-banner disable

   The risk warning function triggered by an SSH server when an insecure algorithm is used between the SSH server and client is disabled.

7. (Optional) Run ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm | aes256_gcm | blowfish_cbc } ^*

   Encryption algorithms are configured for the SSH server.

   

   For security purposes, you are advised to use secure algorithms such as aes128_ctr, aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.

8. (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } ^*

   HMAC authentication algorithms are configured for the SSH server.

   

   For security purposes, you are advised to use a secure algorithm (sha2_256 or sha2_512.)

9. (Optional) Run ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } ^*

   A key exchange algorithm list is configured for the SSH server.

   

   For security purposes, you are advised to use the dh_group16_sha512 key exchange algorithm.

10. (Optional) Run ssh server dh-exchange min-len min-len

    The minimum key length supported during diffie-hellman-group-exchange key exchange with the SSH client is configured.

    

    If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-len command to set the minimum key length to 3072 bits to improve security.

11. Run commit

    The configuration is committed.