
Huawei Switch Basic Configuration, Part 39: SFTP Client Configuration Example

Author: 每日精修

Networking Requirements

SSH provides secure access for network terminals over an otherwise insecure network: the server authenticates the client, and the data flowing in both directions is encrypted. Using SFTP, a client can connect to an SSH server and transfer files securely.

As shown in Figure 1, the SSH server and the clients client001 and client002 are reachable to each other. In this example a Huawei device acts as the SSH server.

Requirement: the two clients connect to the SSH server using password authentication and DSA authentication respectively, so that they can securely access files on the server.

Note: Password authentication is an insecure authentication method; AAA authentication is recommended in practice.

Figure 1 Network diagram for accessing files on other devices through SFTP


Configuration Roadmap

The configuration roadmap for accessing files on other devices through SFTP is as follows:

  1. Generate a local key pair on the server and enable the SFTP server function, so that the server and the clients can exchange data securely.
  2. Configure the users client001 and client002 on the SSH server, using password authentication and DSA authentication respectively to log in to the SSH server.
  3. Generate a local key pair on client002 and configure the client's DSA public key on the SSH server, so that the server can verify the client when it logs in.
  4. Log in to the SSH server from client001 and client002 in SFTP mode to access files on the server.

Procedure

1. Generate a local key pair on the server and enable the SFTP server function.

<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH Server] ssh server-source -i Vlanif 10   //Assume that the interface carrying the server IP address 10.1.1.1 is Vlanif 10.
[SSH Server] sftp server enable

2. Create the SSH users on the server.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] user privilege level 3
[SSH Server-ui-vty0-4] quit

# Create an SSH user named client001 with password authentication.

[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] quit

# Create an SSH user named client002 with DSA authentication.

[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
[SSH Server] ssh user client002 service-type sftp
[SSH Server] ssh user client002 sftp-directory flash:

3. Generate a local key pair on client002 and configure the DSA public key generated by the client on the SSH server.

# Generate the client's local key pair on the client.

<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# View the DSA public key generated on the client.

[client002] display dsa local-key-pair public

=====================================================
Time of Key pair created: 2014-03-03 19:11:04+00:00
Key name: client002_Host
Key type: DSA encryption Key
=====================================================
Key code:
30820109
  02820100
    C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC
    8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2
    D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187
    04FD6A03 C4FFDB58 04B3A0C4 B6E50528 AAE56FF9
    5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
    462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA
    20C9CB60 98E5ACDA 2E98B55A 0299FBAB FE91EFA3
    E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
    2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685
    BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD
    CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6
    D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923
    04B347D7 29296E7D 3D5F69AB 4365AA2F
  0203
    010001

 Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDp
ClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASzoMS2
5QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPog
yctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU
5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-dsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDpClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASz
oMS25QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPogyctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX
2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov= dsa-key

# Configure the DSA public key generated by the client on the server (the key code shown in the display output above is the client's DSA public key; copy it and paste it on the server).

[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code] 30820109
[SSH Server-dsa-key-code] 02820100 
[SSH Server-dsa-key-code] C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC
[SSH Server-dsa-key-code] 8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2
[SSH Server-dsa-key-code] D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187
[SSH Server-dsa-key-code] 04FD6A03 C4FFDB58 04B3A0C4 B6E50528 AAE56FF9
[SSH Server-dsa-key-code] 5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39
[SSH Server-dsa-key-code] 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA
[SSH Server-dsa-key-code] 20C9CB60 98E5ACDA 2E98B55A 0299FBAB FE91EFA3
[SSH Server-dsa-key-code] E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
[SSH Server-dsa-key-code] 2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685
[SSH Server-dsa-key-code] BD8D6325 CCBE3F32 85435E5B EB6A08DF 752B7EBD
[SSH Server-dsa-key-code] CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6
[SSH Server-dsa-key-code] D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923
[SSH Server-dsa-key-code] 04B347D7 29296E7D 3D5F69AB 4365AA2F
[SSH Server-dsa-key-code] 0203
[SSH Server-dsa-key-code] 010001
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end

# Bind the SSH client's DSA public key to the SSH user client002.

[SSH Server] ssh user client002 assign dsa-key dsakey001
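A pasted public key is easy to corrupt or mix up, so a practitioner will want to confirm that the hex key code and the SSH2 public-key block printed by display dsa local-key-pair public describe the same key before (or after) binding it with assign dsa-key. The following Python check is an added example, not part of the original page or of Huawei's software; the key code and the base64 block are copied verbatim from the client002 output above. Note that these values decode as an RSA key (two DER INTEGERs with exponent 65537, and the type string ssh-rsa in the SSH2 block) even though the command and the config are labelled dsa, so the check also returns the key type it actually found rather than trusting the label.

```python
import base64

# Key code and SSH2 block exactly as "display dsa local-key-pair public" printed them on client002 above.
KEY_CODE = """30820109 02820100
C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001 1F2567C6 3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72 CC9C1A39 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA
2E98B55A 0299FBAB FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7 2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B
EB6A08DF 752B7EBD CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6 D12B4BA3 6E9EF69F A5BED377 954709EB CE29A923 04B347D7 29296E7D 3D5F69AB 4365AA2F
0203 010001"""
SSH2_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDH2S4n6IdF1JM6sfXaaSrEHVRL3I6iUrDpClABHyVnxjlS3v2V75PC136M37Nuf0NXwde6CXjdei9/cYcE/WoDxP/bWASzoMS2"
    "5QUoquVv+V9m7gCORwLbqnZABjIub3LMnBo5Ri280OqTREEWeLojQEc+xFjfhPogyctgmOWs2i6YtVoCmfur/pHvo+FV4GV8f/zUTqtx7KenPdeshHS3LdN9HHEMbhRX"
    "2iAMR35FvDisdoW9jWMlzL4/MoVDXlvragjfdSt+vc4hz8vzrAw1Zx5azK/DbwtU5kb20StLo26e9p+lvtN3lUcJ684pqSMEs0fXKSlufT1faatDZaov"
)

def der_tlv(buf, pos=0):
    # Return (tag, value, next_pos) for the DER element starting at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x82 means two length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_key_code(hex_text):
    # The switch prints a DER SEQUENCE of INTEGERs (n, e for an RSA key); whitespace is cosmetic.
    tag, body, _ = der_tlv(bytes.fromhex("".join(hex_text.split())))
    assert tag == 0x30, "key code is not a DER SEQUENCE"
    ints, pos = [], 0
    while pos < len(body):
        t, v, pos = der_tlv(body, pos)
        assert t == 0x02, "unexpected DER tag inside key code"
        ints.append(int.from_bytes(v, "big"))
    return ints

def parse_ssh2_blob(b64):
    # SSH wire format: a sequence of 4-byte big-endian length prefixes, each followed by its bytes.
    raw, pos, fields = base64.b64decode(b64), 0, []
    while pos < len(raw):
        n = int.from_bytes(raw[pos:pos + 4], "big")
        fields.append(raw[pos + 4:pos + 4 + n])
        pos += 4 + n
    return fields

def check_key(hex_text, b64):
    # Cross-check both renderings; for RSA the DER order is (n, e) and the SSH order is type, e, n.
    ints, fields = parse_key_code(hex_text), parse_ssh2_blob(b64)
    key_type = fields[0].decode()
    match = (key_type == "ssh-rsa" and len(ints) == 2 and len(fields) == 3
             and [int.from_bytes(f, "big") for f in fields[1:]] == ints[::-1])
    return {"type": key_type, "bits": ints[0].bit_length(), "exponent": ints[-1], "match": match}

if __name__ == "__main__":
    print(check_key(KEY_CODE, SSH2_BLOB))
```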

4. Connect the SFTP clients to the SSH server.

# For the first login, enable the first-time authentication function on the SSH clients.

Enable first-time authentication on client001.

<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication on client002.

[client002] ssh client first-time enable

# SFTP client client001 connects to the SSH server using password authentication.

[client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D

sftp-client>

# SFTP client client002 connects to the SSH server using DSA authentication.

[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D

sftp-client>

5. Verify the configuration.

After the configuration is complete, run the display ssh server status command on the SSH server to confirm that the SFTP service is enabled, and run the display ssh user-information command to view the SSH user information on the server.

# View the SSH server status.

[SSH Server] display ssh server status
 SSH version                         :1.99
 SSH connection timeout              :60 seconds
 SSH server key generating interval  :0 hours
 SSH authentication retries          :3 times
 SFTP server                         :Enable
 Stelnet server                      :Disable
 Scp server                          :Disable
 SSH server source                   :0.0.0.0
 ACL4 number                         :0
 ACL6 number                         :0

# View the SSH user information.

[SSH Server] display ssh user-information
  User 1:
       User Name            : client001
       Authentication-type  : password
       User-public-key-name : -
       User-public-key-type : -
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No
  User 2:
       User Name            : client002
       Authentication-type  : dsa
       User-public-key-name : dsakey001
       User-public-key-type : dsa
       Sftp-directory       : flash:
       Service-type         : sftp
       Authorization-cmd    : No

Configuration Files

Configuration file of the SSH server

#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
 public-key-code begin
  30820109
    02820100
      C7D92E27 E88745D4 933AB1F5 DA692AC4 1D544BDC 8EA252B0 E90A5001 1F2567C6
      3952DEFD 95EF93C2 D77E8CDF B36E7F43 57C1D7BA 0978DD7A 2F7F7187 04FD6A03
      C4FFDB58 04B3A0C4 B6E50528 AAE56FF9 5F66EE00 8E4702DB AA764006 322E6F72
      CC9C1A39 462DBCD0 EA934441 1678BA23 40473EC4 58DF84FA 20C9CB60 98E5ACDA
      2E98B55A 0299FBAB FE91EFA3 E155E065 7C7FFCD4 4EAB71EC A7A73DD7 AC8474B7
      2DD37D1C 710C6E14 57DA200C 477E45BC 38AC7685 BD8D6325 CCBE3F32 85435E5B
      EB6A08DF 752B7EBD CE21CFCB F3AC0C35 671E5ACC AFC36F0B 54E646F6 D12B4BA3
      6E9EF69F A5BED377 954709EB CE29A923 04B347D7 29296E7D 3D5F69AB 4365AA2F
    0203
      010001
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher $1a$P2m&M5d"'JHR7b~SrcHF\Z\,2R"t&6V|zOLh9ygt;M\bjG$D>%@Ug/<3I$+=Y$
 local-user client001 privilege level 3
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
ssh server-source -i Vlanif 10
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
#
return

Configuration file of SSH client client001

#
sysname client001
#
ssh client first-time enable
#
return

Configuration file of SSH client client002

#
sysname client002
#
ssh client first-time enable
#
return
