
Huawei Switch Basic Configuration, Part 39: SFTP Client Configuration Example

Author: 每日精修

Networking Requirements

SSH secures terminal access over an otherwise untrusted network: the server authenticates the client (and the client checks the server's host key), and all data is encrypted in both directions. With SFTP, a client connects to the SSH server and transfers files over that protected channel.

As shown in Figure 1, the SSH server and the clients client001 and client002 are reachable from one another. In this example a Huawei device acts as the SSH server.

Requirement: the two clients connect to the SSH server using password authentication and DSA authentication respectively, so that files on the server can be accessed securely.

Note: password authentication is the weaker of the two methods; it is only as strong as the password and is exposed to guessing. The password account in this example is already an AAA local user, so "use AAA" is not in itself a hardening step. In production, prefer public-key authentication, as configured for client002 below, and keep password authentication only where a key cannot be provisioned.

Figure 1: Network diagram for accessing files on another device over SFTP


Configuration Roadmap

Configure SFTP access to files on another device as follows:

  1. On the server, generate a local key pair and enable the SFTP server, so that the server and the clients can exchange data securely.
  2. On the SSH server, create the users client001 and client002, which log in with password authentication and DSA authentication respectively.
  3. On client002, generate a local key pair and configure the client's DSA public key on the SSH server, so that the server can verify the client when it logs in.
  4. Log in to the SSH server over SFTP as client001 and client002 and access the files on the server.

Procedure

1. On the server, generate a local key pair and enable the SFTP server. Accept the 2048-bit default when prompted; the 1024-bit option is offered only for compatibility.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] ssh server-source -i Vlanif 10   //Assumes the server address 10.1.1.1 is configured on interface Vlanif 10.
[SSH Server] sftp server enable

2. Create SSH users on the server.

# Configure the VTY user interfaces.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit           

# Create an SSH user named client001 with password authentication.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit           

# Create an SSH user named client002 with DSA authentication.

[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:

Both users are given sftp-directory flash:, the root of the device file system, which also holds the saved configuration. In production, point each user's sftp-directory at a dedicated subdirectory so that SFTP access does not cover the whole file system.

3. Generate a local key pair on client002 and configure the client's DSA public key on the SSH server.

# Generate the client's local key pair.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# View the DSA public key generated on the client.

[client002] display dsa local-key-pair public

=====================================================
Time of Key pair created: 2014-03-03 19:11:04+00:00
Key name: client002_Host
Key type: DSA encryption Key
=====================================================
Key code:
30820109
  02820100
    C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC
    8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2
    D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187
    04FD6A03 C4FFDB58 04B3A0C4 B6E50528 AAE56FF9
    5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
    462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA
    20C9CB60 98E5ACDA 2E98B55A 0299FBAB FE91EFA3
    E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
    2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685
    BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD
    CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6
    D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923
    04B347D7 29296E7D 3D5F69AB 4365AA2F
  0203
    010001

 Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDp
ClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASzoMS2
5QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPog
yctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU
5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-dsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDpClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASz
oMS25QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPogyctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov= dsa-key           
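Before pasting a displayed key into dsa peer-public-key on the server, it is worth confirming that the blob really is a DSA key and that the hex Key code and the base64 SSH2 form describe the same key. The Python below is an added check, not part of the Huawei example or of VRP: it parses both renderings copied from the listing above (RFC 4251 length-prefixed strings for the SSH2 blob, a minimal DER walk for the Key code) and classifies the key. Run against this page's listing it reports ssh-rsa with public exponent 65537 and a 2048-bit modulus: the bytes shown are an RSA key even though the output labels them DSA, so copy the Key code from your own client's display output rather than from this page.

```python
import base64
import struct

# Constructed input, copied from the `display dsa local-key-pair public`
# listing above: the SSH2 (RFC 4716) body with its line wraps removed, and
# the "Key code" hex dump. This script is an added check, not device code.
SSH2_KEY_B64 = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDp"
    "ClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASzoMS2"
    "5QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPog"
    "yctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX"
    "2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU"
    "5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov"
)

KEY_CODE_HEX = """
30820109
  02820100
    C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001 1F2567C6
    3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
    C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72
    CC9C1A39 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA
    2E98B55A 0299FBAB FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
    2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B
    EB6A08DF 752B7EBD CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6 D12B4BA3
    6E9EF69F A5BED377 954709EB CE29A923 04B347D7 29296E7D 3D5F69AB 4365AA2F
  0203
    010001
"""


def _read_string(buf, off):
    """Read one RFC 4251 'string': a uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def parse_ssh_public_key(b64_text):
    """Return (algorithm, [field integers]) from an SSH2 public-key blob.

    For ssh-rsa the fields are (e, n); for ssh-dss they are (p, q, g, y).
    """
    blob = base64.b64decode("".join(b64_text.split()))
    algo, off = _read_string(blob, 0)
    fields = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(int.from_bytes(field, "big"))
    return algo.decode("ascii"), fields


def _read_tlv(buf, off):
    """Read one DER tag-length-value triple (short or long-form length)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_key_code(hex_text):
    """Parse the VRP 'Key code' dump: one DER SEQUENCE of INTEGERs.

    VRP prints the 256-byte modulus without the 0x00 sign pad strict DER
    would require, so every value is read as an unsigned integer.
    """
    data = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("key code is not a single DER SEQUENCE")
    ints, off = [], 0
    while off < len(body):
        tag, value, off = _read_tlv(body, off)
        if tag != 0x02:
            raise ValueError(f"unexpected DER tag {tag:#x} inside key code")
        ints.append(int.from_bytes(value, "big"))
    return ints


def describe_key(b64_text, hex_text):
    """Classify the key and check that both renderings carry the same key.

    Heuristic: ssh-rsa plus a two-integer (n, e) dump with a small e is RSA;
    ssh-dss plus a four-integer (p, q, g, y) dump is DSA. Anything else is
    reported as unknown so that it is not pasted blindly.
    """
    algo, ssh_fields = parse_ssh_public_key(b64_text)
    der_ints = parse_key_code(hex_text)
    if algo == "ssh-rsa" and len(der_ints) == 2 and der_ints[1] < 2 ** 32:
        kind, size_int = "RSA", der_ints[0]            # modulus n
        consistent = ssh_fields == [der_ints[1], der_ints[0]]
    elif algo == "ssh-dss" and len(der_ints) == 4:
        kind, size_int = "DSA", der_ints[0]            # prime p
        consistent = ssh_fields == der_ints
    else:
        kind, size_int, consistent = "unknown", 0, False
    return {"algorithm": algo, "kind": kind,
            "bits": size_int.bit_length(), "consistent": consistent}


if __name__ == "__main__":
    print(describe_key(SSH2_KEY_B64, KEY_CODE_HEX))
```

The same two parsers work on any key a VRP device prints: paste your own display output into the two constants and confirm that `kind` matches the authentication type you are about to bind with `ssh user ... assign`, and that `consistent` is true before the key leaves the client.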

# 将用戶端上産生的DSA公鑰配置到伺服器端(上面display指令顯示資訊中黑體部分即為用戶端産生的DSA公鑰,将其拷貝粘貼至伺服器端)。

[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code] 30820109
[SSH Server-dsa-key-code] 02820100 
[SSH Server-dsa-key-code] C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC
[SSH Server-dsa-key-code] 8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2
[SSH Server-dsa-key-code] D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187
[SSH Server-dsa-key-code] 04FD6A03 C4FFDB58 04B3A0C4 B6E50528 AAE56FF9
[SSH Server-dsa-key-code] 5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
[SSH Server-dsa-key-code] 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA
[SSH Server-dsa-key-code] 20C9CB60 98E5ACDA 2E98B55A 0299FBAB FE91EFA3
[SSH Server-dsa-key-code] E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
[SSH Server-dsa-key-code] 2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685
[SSH Server-dsa-key-code] BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD
[SSH Server-dsa-key-code] CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6
[SSH Server-dsa-key-code] D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923
[SSH Server-dsa-key-code] 04B347D7 29296E7D 3D5F69AB 4365AA2F
[SSH Server-dsa-key-code] 0203
[SSH Server-dsa-key-code] 010001
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end           

# Bind the SSH client's DSA public key to SSH user client002.

[SSH Server] ssh user client002 assign dsa-key dsakey001           

4. Connect from the SFTP clients to the SSH server.

# On first login, enable first-time authentication on the SSH client.

With first-time authentication enabled, the client accepts and saves the server's host public key on the first connection without verifying it (trust on first use). Do this only over a path where no attacker can interpose; where the server's host key can be distributed out of band, configure it on the client instead and leave first-time authentication disabled.

Enable first-time authentication on client001.

<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable           

Enable first-time authentication on client002.

[client002] ssh client first-time enable           

# SFTP client client001 connects to the SSH server with password authentication.

[client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:           //Enter Helloworld@6789; the password is not echoed.

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:           //Press Enter: client001 has no public key bound on the server.

sftp-client>

# SFTP client client002 connects to the SSH server with DSA authentication. No password is requested, because client002 is a DSA-only user.

[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D

sftp-client>

5. Verify the configuration.

After the configuration is complete, run display ssh server status on the SSH server to confirm that the SFTP server is enabled, and display ssh user-information to view the SSH users configured on the server.

# View SSH server status.

[SSH Server] display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH authentication retries          :3 times
 SFTP server                         :Enable  
 Stelnet server                      :Disable  
 Scp server                          :Disable
 SSH server source                   :0.0.0.0                                   
 ACL4 number                         :0                                         
 ACL6 number                         :0            

# View SSH user information.

[SSH Server] display ssh user-information
  User 1:
       User Name            : client001
       Authentication-type  : password
       User-public-key-name : -
       User-public-key-type : -
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No 
  User 2:
       User Name            : client002
       Authentication-type  : dsa
       User-public-key-name : dsakey001
       User-public-key-type : dsa
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No            
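The verification step above is a manual read of the display output. The Python below is an added example, not part of the Huawei page or of VRP: it parses that same display ssh user-information text and flags the two settings this page's note and configuration leave open, accounts that a password alone can log in and SFTP roots that expose the whole flash: file system, plus the misconfiguration of a public-key user with no key bound. The cfcard: storage root and the treatment of combined modes such as password-dsa are assumptions about other platforms and are labelled in the code.

```python
import re

# Constructed sample: the `display ssh user-information` output shown above,
# as the text an audit script would receive from the device CLI.
SAMPLE_OUTPUT = """\
  User 1:
       User Name            : client001
       Authentication-type  : password
       User-public-key-name : -
       User-public-key-type : -
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No
  User 2:
       User Name            : client002
       Authentication-type  : dsa
       User-public-key-name : dsakey001
       User-public-key-type : dsa
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No
"""

# Storage roots on Huawei switches. An SFTP root here exposes the whole file
# system, including the saved configuration. cfcard: is an assumption for
# platforms fitted with a CF card.
STORAGE_ROOTS = {"flash:", "cfcard:"}

# Authentication-type values under which a password alone completes login.
# "all" accepts either a password or a public key (assumed semantics);
# combined modes such as "password-dsa" require both and are not listed.
PASSWORD_ALONE = {"password", "all"}


def parse_ssh_users(text):
    """Split the 'User N:' blocks into dicts keyed by the printed field names."""
    users, current = [], None
    for line in text.splitlines():
        if re.match(r"\s*User \d+:\s*$", line):
            current = {}
            users.append(current)
            continue
        m = re.match(r"\s*([\w -]+?)\s*:\s*(.*?)\s*$", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return users


def audit_ssh_users(users):
    """Return (user, finding-code) pairs for settings worth tightening.

    password-only   : a password alone logs the user in (no public key needed)
    no-key-assigned : public-key authentication is configured but no peer key
                      is bound, so the account cannot log in (a missed step)
    sftp-root       : sftp-directory is a storage root, not a subdirectory
    """
    findings = []
    for u in users:
        name = u.get("User Name", "?")
        auth = u.get("Authentication-type", "").lower()
        if auth in PASSWORD_ALONE:
            findings.append((name, "password-only"))
        elif auth and u.get("User-public-key-name", "-") == "-":
            findings.append((name, "no-key-assigned"))
        if u.get("Sftp-directory", "").rstrip("/") in STORAGE_ROOTS:
            findings.append((name, "sftp-root"))
    return findings


if __name__ == "__main__":
    for user, code in audit_ssh_users(parse_ssh_users(SAMPLE_OUTPUT)):
        print(f"{user}: {code}")
```

On this page's output the audit reports password-only for client001 and sftp-root for both users, which is exactly the gap between the example and a hardened deployment: public keys for every account and a per-user SFTP subdirectory.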

Configuration Files

Configuration file of the SSH server

#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
 public-key-code begin
  30820109
    02820100
      C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001 1F2567C6
      3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
      C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72
      CC9C1A39 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA
      2E98B55A 0299FBAB FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
      2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B
      EB6A08DF 752B7EBD CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6 D12B4BA3
      6E9EF69F A5BED377 954709EB CE29A923 04B347D7 29296E7D 3D5F69AB 4365AA2F
    0203
      010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9ygt;M\bjG$D>%@Ug/<3I$+=Y$
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
ssh server-source -i Vlanif 10
# 
user-interface vty 0 4  
 authentication-mode aaa  
 user privilege level 3
#
return           

Configuration file of SSH client client001

#
sysname client001
#
ssh client first-time enable
#
return            

Configuration file of SSH client client002

#
sysname client002
#
ssh client first-time enable
#
return           
