Enabling the SFTP Service

Before using SFTP to access a device, enable the SFTP service on the device.

Context

Perform the following steps on the device to be used as an SSH server:

For security purposes, do not use RSA keys whose length is less than 2048 bits. You are advised to use RSA_SHA2_256 and RSA_SHA2_512 instead.

Procedure

Run system-view
The system view is displayed.
(Optional) Run ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa| rsa-sha2-256 | rsa-sha2-512 } ^*
A public key encryption algorithm is configured for the SSH server.
(Optional) Configure the maximum number of key pairs. Perform any of the following operations based on the user requirements for system performance:
- Run the rsa key-pair maximum max-keys command to configure the maximum number of RSA key pairs that can be created.
- Run the dsa key-pair maximum max-keys command to configure the maximum number of DSA key pairs that can be created.
- Run the ecc key-pair maximum max-keys command to configure the maximum number of ECC key pairs that can be created.
(Optional) Select either of the following methods to create a key pair for an SSH server.
- Method 1
  - If the user requirements for system security are not high, run the rsa local-key-pair create command to configure a local RSA key pair or run the dsa local-key-pair create command to configure a local DSA key pair.
  - If the user requirements for system security are high, run the ecc local-key-pair create command to configure a local ECC key pair.
- Method 2
  - If the user requirements for system security are not high, run the rsa key-pair label label-name [ modulus modulus-bits ] command to configure a local RSA key pair or run the dsa key-pair label label-name [ modulus modulus-bits ] command to configure a local DSA key pair.
  - If the user requirements for system security are high, run the ecc key-pair label label-name [ modulus modulus-bits ] command to configure a local ECC key pair or run the sm2 key-pair label label-name [ modulus modulus-bits ] command to configure a local SM2 key pair.
  After keys are generated, run the ssh server assign { rsa-host-key | dsa-host-key | ecc-host-key | sm2-host-key } key-name command to assign a key pair to an SSH server.
  
  If the authentication mode is set to x509v3-ssh-rsa, run the ssh server assign pki pki-name command to configure a PKI certificate for the SSH server.
Perform any of the following operations based on the SFTP service type:
- Run the sftp server enable command to enable the SFTP service.
- Run the sftp ipv4 server enable command to enable the IPv4 SFTP service.
- Run the sftp ipv6 server enable command to enable the IPv6 SFTP service.
SSH uses port 22 to listen to packets. Running this command will enable this port to listen to IPv4 and IPv6 TCP packets.
(Optional) Run ssh server cipher { des_cbc | 3des_cbc | aes128_cbc | aes192_cbc | aes256_cbc | aes128_ctr | aes192_ctr | aes256_ctr | arcfour128 | arcfour256 | aes128_gcm | aes256_gcm | blowfish_cbc } ^*
Encryption algorithms are configured for the SSH server.

For security purposes, you are advised to use secure algorithms such as aes128_ctr, aes256_ctr, aes192_ctr, aes128_gcm, and aes256_gcm.
(Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 | sha2_512 } ^*
HMAC authentication algorithms are configured for the SSH server.

For security purposes, you are advised to use sha2_256 or sha2_512.
(Optional) Run ssh server key-exchange { dh_group14_sha1 | dh_group1_sha1 | dh_group_exchange_sha1 | dh_group_exchange_sha256 | dh_group16_sha512 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep } ^*
A key exchange algorithm list is configured for the SSH server.

For security purposes, you are advised to use dh_group16_sha512 as the key exchange algorithm.
(Optional) Run ssh server dh-exchange min-len min-len
The minimum key length supported during diffie-hellman-group-exchange key exchange with the SSH client is configured.

If the SSH client supports the diffie-hellman-group-exchange key exchange algorithm with a length greater than 1024 bits, you are advised to run the ssh server dh-exchange min-len command to set the minimum key length to 3072 bits to improve security.
Run commit
The configuration is committed.

Verifying the Configuration

Perform any of the following operations to view information about the locally generated key pair:
- Run the display rsa key-pair [ brief | label label-name ] command to view the RSA key pair information.
- Run the display dsa key-pair [ brief | label label-name ] command to view the DSA key pair information.
- Run the display ecc key-pair [ brief | label label-name ] command to view the ECC key pair information.
- Run the display sm2 key-pair [ brief | label label-name ] command to view the SM2 key pair information.
After a local key pair is generated, perform any of the following operations to view the public key information in the key pair:
- Run the display rsa local-key-pair public command to view the RSA public key information.
- Run the display dsa local-key-pair public command to view the DSA public key information.
- Run the display ecc local-key-pair public command to view the ECC public key information.