Publickey authentication enabled Stelnet client configuration example
Network requirements
As shown in Figure 102:
You can log in to Switch B through the Stelnet client that runs on Switch A.
After login, you are assigned the user role network-admin for configuration management.
Switch B acts as the Stelnet server and uses publickey authentication and the DSA public key algorithm.
Figure 102: Network diagram
Configuration procedure
Publickey authentication requires the server to hold the client's public key. Generate the DSA key pair on the client (Switch A) and copy its public key to the server before configuring the Stelnet server.
Configure the Stelnet client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate a DSA key pair. Press Enter to accept the default 1024-bit modulus, or enter a larger value (up to 2048); this key is what the server verifies during publickey authentication, so use the largest modulus both devices support.
[SwitchA] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Export the DSA host public key to file key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.) Neither protocol protects the file's integrity in transit, and the key imported on the server becomes the login credential for client002 with the network-admin role, so compare the copy on Switch B with the original on Switch A before importing it.
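One way to do that comparison off the switches, as an added example that is not part of this configuration guide or of the Comware software: the Python script below parses the RFC 4716 (SSH2) public key file format that `public-key local export dsa ssh2` writes, decodes the embedded ssh-dss key, and prints OpenSSH-style fingerprints so the copy on the server can be checked against the original on the client. The key in SAMPLE_KEY_FILE is constructed from toy numbers to exercise the format and is not a usable DSA key; the comment text, the tampered variant and the function names are assumptions made for the example.

```python
"""Parse an RFC 4716 (SSH2) public key file and fingerprint the key it carries.

RFC 4716 is the format `public-key local export dsa ssh2 key.pub` writes:
a BEGIN line, optional "Tag: value" headers (long values continue with a
trailing backslash), base64 body lines, and an END line.
"""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': minimal big-endian two's complement, wrapped as a string."""
    if n == 0:
        return _ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:                 # leading zero keeps the value positive
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob: bytes, pos: int):
    """Return (bytes, next_pos) for the string at blob[pos:]; reject truncation."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def build_ssh_dss_blob(p: int, q: int, g: int, y: int) -> bytes:
    """Wire-format ssh-dss public key: string "ssh-dss", mpint p, q, g, y (RFC 4253)."""
    return _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(v) for v in (p, q, g, y))


def write_rfc4716(blob: bytes, comment: str) -> str:
    """Serialize a key blob as an RFC 4716 file with a Comment header."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]   # RFC 4716: lines of at most 72 chars
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END]) + "\n"


def parse_rfc4716(text: str) -> dict:
    """Return {'headers', 'type', 'blob', 'mpints'} or raise ValueError on a malformed file."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing BEGIN marker")
    if END not in lines:
        raise ValueError("missing END marker")
    end = lines.index(END)
    headers, body, i = {}, [], 1
    while i < end:
        line = lines[i]
        if not body and ":" in line:                      # header line; base64 never contains ':'
            while line.endswith("\\") and i + 1 < end:    # backslash continuation line
                i += 1
                line = line[:-1] + lines[i]
            tag, _, value = line.partition(":")
            headers[tag.strip()] = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    blob = base64.b64decode("".join(body), validate=True)
    ktype, pos = _read_string(blob, 0)
    mpints = []
    while pos < len(blob):
        raw, pos = _read_string(blob, pos)
        mpints.append(int.from_bytes(raw, "big") if raw else 0)
    if ktype == b"ssh-dss" and len(mpints) != 4:
        raise ValueError("ssh-dss key must carry exactly p, q, g, y")
    return {"headers": headers, "type": ktype.decode("ascii"), "blob": blob, "mpints": mpints}


def fingerprint(blob: bytes) -> dict:
    """OpenSSH-style fingerprints of the raw blob, as `ssh-keygen -l` prints them."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode("ascii").rstrip("=")
    md5 = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return {"SHA256": "SHA256:" + sha, "MD5": "MD5:" + md5}


def same_key(file_on_client: str, file_on_server: str) -> bool:
    """True only if both files carry a key with the same fingerprint (headers may differ)."""
    a, b = parse_rfc4716(file_on_client), parse_rfc4716(file_on_server)
    return a["type"] == b["type"] and fingerprint(a["blob"]) == fingerprint(b["blob"])


# Constructed toy parameters: far too small to be a real DSA key, they only exercise the format.
SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y = 0xD2F1, 0x8B, 0x4D, 0x9C33
SAMPLE_KEY_FILE = write_rfc4716(build_ssh_dss_blob(SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y),
                                "dsa-key-switcha")
# The same file with the public value y altered, as someone on the TFTP path could do.
TAMPERED_KEY_FILE = write_rfc4716(build_ssh_dss_blob(SAMPLE_P, SAMPLE_Q, SAMPLE_G, SAMPLE_Y + 1),
                                  "dsa-key-switcha")

if __name__ == "__main__":
    key = parse_rfc4716(SAMPLE_KEY_FILE)
    print(key["type"], key["headers"].get("Comment"), fingerprint(key["blob"])["SHA256"])
    print("transferred copy matches original:", same_key(SAMPLE_KEY_FILE, TAMPERED_KEY_FILE))
```

Run it against the real key.pub on both sides (read each file and pass the text to `same_key`, or print `fingerprint` on each and compare by eye); a mismatch means the file was altered or truncated in transit and must not be imported with `public-key peer ... import sshkey`.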
Configure the Stelnet server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key size is (512 ~ 2048)
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key size is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses the address as the destination address of the SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for the user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Import the peer public key from the file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user client002. Specify the service type as ssh for the user. Assign the user role network-admin to the user. The local user must have the same name as the SSH user: the SSH user entry decides how client002 is authenticated (publickey), and the local user entry supplies the role it is authorized to use after login.
[SwitchB] local-user client002 class manage
[SwitchB-luser-manage-client002] service-type ssh
[SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client002] quit
# Establish an SSH connection to the Stelnet server 192.168.1.40.
<SwitchA> ssh2 192.168.1.40
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
client002@192.168.1.40's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<SwitchB>
On the first connection the client holds no copy of the server's host public key, so it cannot verify the server's identity and asks whether to continue; enter y to proceed. Enter y at the next prompt to save the server's host public key on the client; at the next connection attempt, the client authenticates the server by comparing the key the server presents with the saved copy. In the session above the key is not saved (n), so the "server is not authenticated" prompt reappears on every connection and the client never gains that protection. Saving the key only helps if the first connection reached the genuine Switch B, so where possible check the presented host key out of band against the key displayed on Switch B (display public-key local dsa public, or rsa/ecdsa to match the host key type negotiated) before answering y.