Configuring First Login to the SSH Server (Configuring the SSH Client to Assign the Public Key to the SSH Server)

To allow the SSH client (STelnet client in this case) with initial authentication disabled to successfully log in to the SSH server for the first time, configure the SSH client to assign an RSA, DSA, SM2, or ECC public key to the SSH server before the login.

Context

If initial authentication is disabled on the SSH client, the client cannot log in to the SSH server, because the validity check of the RSA, DSA, SM2, or ECC public key will fail. The client must assign an RSA, DSA, SM2, or ECC public key to the server before logging in to the server.

The public key allocated to the SSH server must be generated on the server, modified on the client, and then sent back to the server. Otherwise, the validity check for the public key on the SSH client cannot succeed.

Perform the following steps on the SSH client:

For security purposes, do not use RSA keys whose length is less than 2048 bits. You are advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 | rsa_sha2_512 } *

    A public key algorithm is configured for the SSH client.

  3. Perform any of the following operations based on the selected public key algorithm:

  4. Run public-key-code begin

    The public key view is displayed.

  5. Enter hex-data.

    The entered public key must be a hexadecimal string complying with the public key format. The public key is generated randomly on the SSH server.

    After entering the public key view, you can send the RSA, DSA, SM2, or ECC public key that is generated on the server to the client. Copy and paste the RSA, DSA, SM2, or ECC public key to the SSH server.

  6. Run public-key-code end

    Exit the public key view.

    If the configured public key contains invalid characters or does not comply with the public key format, an error message is displayed, and the configured public key is discarded. If the configured public key is valid, it is saved into the client's public key chain table.

    • If no valid hex-data is specified, no public key is generated.

    • If key-name specified in Step 2 has been deleted in another window, the system displays an error and returns to the system view.

  7. Run peer-public-key end

    Exit the public key view and return to the system view.

  8. Perform any of the following operations based on the selected algorithm:

    • To assign an RSA public key to the SSH server, run the ssh client peer server-name assign rsa-key key-name command.
    • To assign a DSA public key to the SSH server, run the ssh client peer server-name assign dsa-key key-name command.
    • To assign an ECC public key to the SSH server, run the ssh client peer server-name assign ecc-key key-name command.
    • To assign an SM2 public key to the SSH server, run the ssh client peer server-name assign sm2-key key-name command.

  9. Run commit

    The configuration is committed.
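
A pre-check for the hex-data entered in step 5, given here as an added example that is not part of the Huawei documentation: it rejects input with non-hexadecimal characters and RSA keys shorter than 2048 bits. It covers RSA only and assumes the hex-data is a DER-encoded sequence of modulus and exponent; the function names are hypothetical and the sample key is constructed, not a real key.

```python
import re

MIN_RSA_BITS = 2048  # the page advises against RSA keys shorter than 2048 bits

def _read_tlv(buf, pos, tag):
    """Read one DER element with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected DER tag at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def check_rsa_hex_data(text):
    """Return the modulus size in bits, or raise ValueError naming the problem.

    Assumption: hex-data is a DER SEQUENCE { INTEGER modulus, INTEGER exponent }.
    """
    compact = re.sub(r"\s+", "", text)  # allow spaces and line breaks between groups
    if len(compact) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", compact):
        raise ValueError("hex-data is empty, odd-length or has non-hex characters")
    der = bytes.fromhex(compact)
    seq, end = _read_tlv(der, 0, 0x30)
    modulus, pos = _read_tlv(seq, 0, 0x02)
    _exponent, pos = _read_tlv(seq, pos, 0x02)
    if end != len(der) or pos != len(seq):
        raise ValueError("unexpected bytes after the key fields")
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits < MIN_RSA_BITS:
        raise ValueError("RSA modulus is %d bits, below %d" % (bits, MIN_RSA_BITS))
    return bits

def make_sample_hex(bits):
    """Constructed input, not a real key: modulus 2^(bits-1)+1, exponent 65537."""
    def length(n):
        size = (n.bit_length() + 7) // 8
        return bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    def integer(v):
        raw = v.to_bytes(v.bit_length() // 8 + 1, "big")  # room for a zero sign byte
        return b"\x02" + length(len(raw)) + raw
    body = integer((1 << (bits - 1)) | 1) + integer(65537)
    hexed = (b"\x30" + length(len(body)) + body).hex().upper()
    return " ".join(hexed[i:i + 8] for i in range(0, len(hexed), 8))
```

Passing the key text copied from the server to check_rsa_hex_data before pasting it catches the input errors that would otherwise cause the key to be discarded at public-key-code end.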

Copyright © Huawei Technologies Co., Ltd.