Example for Using SFTP to Operate Files

In this example, a local key pair is configured on the SSH server, and a username and a password are configured on the server for an SSH user. After the SFTP service is enabled on the server and the SFTP client is connected to the server, you can transfer and manage files between the client and the server.

Networking Requirements

As the device deployment scale increases, more and more devices need to be maintained and upgraded remotely. Online software upgrade, an upgrade method that loads software packages remotely, facilitates remote upgrades, reduces upgrade costs, shortens the time that customers wait for upgrades, and improves customer satisfaction. FTP is usually used to transmit data for online upgrades. However, FTP transmits data, and even usernames and passwords, in plaintext, which poses security risks.

SFTP resolves this security issue. It enables you to securely log in to a remote device for file management, improving data transmission security. You can then transfer files and perform online upgrades.

As shown in Figure 1, after the SFTP service is enabled on the device that functions as an SSH server, you can log in to the server in password, RSA, password-RSA, DSA, password-DSA, ECC, password-ECC, SM2, password-SM2, x509v3-ssh-rsa, password-x509v3-rsa, or All authentication mode from the PC that functions as an SFTP client.

Figure 1 Using SFTP to operate files

In this example, interface1 represents GigabitEthernet0/0/0.


Precautions

After you log in to the SFTP server through the console port, configure an IP address of a logical interface as the source address for SFTP login.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the SSH server to generate a local key pair to securely exchange data between the client and the server.

  2. Create an SSH user and configure an authentication mode, username, password, and authorized directory for the user.

  3. Enable the SFTP service on the SSH server and configure a service type.

Data Preparation

To complete the configuration, you need the following data:

  • SSH user's authentication mode (password authentication) and username (client001)

  • User level (3) of client001

  • IP address (10.137.217.223) of the SSH server

Procedure

  1. Configure an IP address for the SFTP server.

    <HUAWEI> system-view
    [~HUAWEI] sysname SSH Server
    [*HUAWEI] commit
    [~SSH Server] interface GigabitEthernet0/0/0
    [~SSH Server-GigabitEthernet0/0/0] undo shutdown
    [*SSH Server-GigabitEthernet0/0/0] ip address 10.137.217.223 255.255.0.0
    [*SSH Server-GigabitEthernet0/0/0] quit
    [*SSH Server] commit

  2. Configure the SSH username and password on the SSH server.

    [*SSH Server] aaa
    [*SSH Server-aaa] local-user client001 password cipher Hello-huawei123
    [*SSH Server-aaa] local-user client001 level 3
    [*SSH Server-aaa] local-user client001 service-type ssh
    [*SSH Server-aaa] quit
    [*SSH Server] commit

  3. Enable the SFTP service and set the service type to SFTP.

    [~SSH Server] interface LoopBack 0
    [~SSH Server-LoopBack0] ip address 10.1.1.1 255.255.255.255
    [*SSH Server-LoopBack0] quit
    [*SSH Server] sftp server enable
    [*SSH Server] ssh server-source -i loopback 0
    [*SSH Server] ssh user client001 authentication-type password
    [*SSH Server] commit
    [~SSH Server] ssh user client001 service-type sftp
    [*SSH Server] commit

  4. Configure the authorized directory for the SSH user.

    [~SSH Server] ssh user client001 sftp-directory home:/
    [*SSH Server] commit

  5. Verify the configuration.

    Start the SFTP software on the client, and enter the username, password, and port number (22 by default) to access the SSH server and transfer files.

Configuration Files

  • SSH server configuration file
    #
    sysname SSH Server
    #
    aaa
     local-user client001 password cipher @%@%.OuC6Vo7Z,A'y~/KB&,vmd@%@%
     local-user client001 service-type ssh
     local-user client001 level 3
    #
    interface GigabitEthernet0/0/0
     undo shutdown
     ip address 10.137.217.223 255.255.0.0
    #
    interface LoopBack 0
     ip address 10.1.1.1 255.255.255.255
    sftp server enable
    ssh server-source -i loopback 0
    ssh user client001
    ssh user client001 authentication-type password
    ssh user client001 service-type sftp stelnet
    ssh user client001 sftp-directory home:/
    #
    return
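
As an added example (not part of the original page and not Huawei tooling), the following Python check compares the `ssh user` lines of an exported configuration with the settings entered in the procedure. The sample input is constructed from the configuration file above, and `INTENDED`, `parse_ssh_users` and `audit` are names assumed for this illustration; on that sample it reports that the file grants client001 `stelnet` in addition to the `sftp` service type set in step 3.

```python
import re

# Constructed sample: SSH/SFTP lines of the configuration file on this page (cipher replaced).
SAMPLE_CONFIG = """\
aaa
 local-user client001 password cipher <ciphertext>
 local-user client001 service-type ssh
 local-user client001 level 3
sftp server enable
ssh server-source -i loopback 0
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp stelnet
ssh user client001 sftp-directory home:/
"""

# Assumed intent, taken from the commands entered in the procedure steps.
INTENDED = {"authentication-type": ["password"], "service-type": ["sftp"],
            "sftp-directory": ["home:/"]}

def parse_ssh_users(config):
    """Return {user: {attribute: [values]}} built from 'ssh user' lines."""
    users = {}
    for line in config.splitlines():
        m = re.match(r"\s*ssh user (\S+)(?:\s+(\S+)\s+(.+?))?\s*$", line)
        if m:
            user, attr, value = m.groups()
            attrs = users.setdefault(user, {})
            if attr:
                attrs[attr] = value.split()
    return users

def audit(config, intended=INTENDED):
    """List deviations of an exported configuration from the intended settings."""
    findings = []
    for required in ("sftp server enable", "ssh server-source"):
        if not re.search(rf"^\s*{re.escape(required)}\b", config, re.M):
            findings.append(f"missing: {required}")
    for user, attrs in parse_ssh_users(config).items():
        for attr, want in intended.items():
            got = attrs.get(attr)
            if got is None:
                findings.append(f"{user}: {attr} not set")
            elif sorted(got) != sorted(want):
                findings.append(f"{user}: {attr} is {got}, expected {want}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
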
Copyright © Huawei Technologies Co., Ltd.