Example: Configuring the device as an Stelnet client (password authentication)
Network configuration
As shown in Figure 136:
Switch B acts as the Stelnet server and uses password authentication to authenticate the Stelnet client. The username and password of the client are saved on Switch B.
Switch A acts as the Stelnet client. After the user on Switch A logs in to Switch B through Stelnet, the user can configure and manage Switch B as a network administrator.
Figure 136: Network diagram
Procedure
Configure the Stelnet server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes.
Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address of the SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Create a local device management user named client001.
[SwitchB] local-user client001 class manage
# Set the password to aabbcc in plain text for local user client001.
[SwitchB-luser-manage-client001] password simple aabbcc
# Authorize local user client001 to use the SSH service.
[SwitchB-luser-manage-client001] service-type ssh
# Assign the network-admin user role to local user client001.
[SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client001] quit
# Create an SSH user named client001. Specify the service type as stelnet and the authentication method as password for the user.
[SwitchB] ssh user client001 service-type stelnet authentication-type password
Establish a connection to the Stelnet server:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
[SwitchA] quit
Before establishing a connection to the server, you can configure the server's host public key on the client to authenticate the server.
To configure the server's host public key on the client, perform the following tasks:
# Use the display public-key local dsa public command on the server to display the server's host public key. (Details not shown.)
# Enter public key view of the client and copy the host public key of the server to the client.
[SwitchA] public-key peer key1
Enter public key view. Return to system view with "peer-public-key end" command.
[SwitchA-pkey-public-key-key1]308201B73082012C06072A8648CE3804013082011F02818100D757262C4584C44C211F18BD96E5F0
[SwitchA-pkey-public-key-key1]61C4F0A423F7FE6B6B85B34CEF72CE14A0D3A5222FE08CECE65BE6C265854889DC1EDBD13EC8B274
[SwitchA-pkey-public-key-key1]DA9F75BA26CCB987723602787E922BA84421F22C3C89CB9B06FD60FE01941DDD77FE6B12893DA76E
[SwitchA-pkey-public-key-key1]EBC1D128D97F0678D7722B5341C8506F358214B16A2FAC4B368950387811C7DA33021500C773218C
[SwitchA-pkey-public-key-key1]737EC8EE993B4F2DED30F48EDACE915F0281810082269009E14EC474BAF2932E69D3B1F18517AD95
[SwitchA-pkey-public-key-key1]94184CCDFCEAE96EC4D5EF93133E84B47093C52B20CD35D02492B3959EC6499625BC4FA5082E22C5
[SwitchA-pkey-public-key-key1]B374E16DD00132CE71B020217091AC717B612391C76C1FB2E88317C1BD8171D41ECB83E210C03CC9
[SwitchA-pkey-public-key-key1]B32E810561C21621C73D6DAAC028F4B1585DA7F42519718CC9B09EEF0381840002818000AF995917
[SwitchA-pkey-public-key-key1]E1E570A3F6B1C2411948B3B4FFA256699B3BF871221CC9C5DF257523777D033BEE77FC378145F2AD
[SwitchA-pkey-public-key-key1]D716D7DB9FCABB4ADBF6FB4FDB0CA25C761B308EF53009F7101F7C62621216D5A572C379A32AC290
[SwitchA-pkey-public-key-key1]E55B394A217DA38B65B77F0185C8DB8095522D1EF044B465E8716261214A5A3B493E866991113B2D
[SwitchA-pkey-public-key-key1]485348
[SwitchA-pkey-public-key-key1] peer-public-key end
[SwitchA] quit
# Establish an SSH connection to the server, and specify the host public key of the server.
<SwitchA> ssh2 192.168.1.40 public-key key1
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<SwitchB>
After you enter username client001 and password aabbcc, you can successfully log in to Switch B.
If the client does not have the server's host public key, enter username client001, and then enter y to access the server and download the server's host public key.
<SwitchA> ssh2 192.168.1.40
Username: client001
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
client001@192.168.1.40's password:
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<SwitchB>
After you enter password aabbcc, you can access Switch B successfully. At the next connection attempt, the client authenticates the server by using the server's host public key saved on the client.
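The host public key typed into public-key view above is hex-encoded DER (it opens with the SEQUENCE header 30 82 01 B7), so a copy that lost a line during pasting can be detected before it is trusted. The following Python sketch is an added example, not part of the original guide or of the device software: it strips the CLI prompt, checks that the pasted bytes form one complete DER structure, names the key algorithm, and returns a SHA-256 digest that can be compared between the server's displayed key and the client's copy. The function names and the sample key are assumptions constructed for illustration.

```python
import hashlib

# DER-encoded algorithm OIDs that can open a public key structure.
ALG_OIDS = {
    "2a8648ce380401": "dsa",        # 1.2.840.10040.4.1
    "2a864886f70d010101": "rsa",    # 1.2.840.113549.1.1.1
    "2a8648ce3d0201": "ecdsa",      # 1.2.840.10045.2.1
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("key is shorter than its DER header declares")
    return tag, pos, pos + length

def inspect_peer_key(pasted):
    """Parse hex pasted in public-key view; return (algorithm, size, sha256)."""
    # Drop an optional "[...]" CLI prompt and all whitespace on each line.
    hexstr = "".join("".join(ln.split("]", 1)[-1].split()) for ln in pasted.splitlines())
    der = bytes.fromhex(hexstr)           # ValueError on non-hex or odd length
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one DER SEQUENCE")
    tag, alg_start, _ = read_tlv(der, start)        # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("missing algorithm OID")
    alg = ALG_OIDS.get(der[oid_start:oid_end].hex(), "unknown")
    return alg, len(der), hashlib.sha256(der).hexdigest()

# Constructed sample: P-256 key structure with placeholder point bytes (not a real key).
SAMPLE_DER = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(range(64))

def as_pasted(der, width=40, prompt="[SwitchA-pkey-public-key-key1]"):
    """Render DER the way it appears when typed into public-key view."""
    h = der.hex().upper()
    return "\n".join(prompt + h[i:i + width] for i in range(0, len(h), width))

if __name__ == "__main__":
    print(inspect_peer_key(as_pasted(SAMPLE_DER)))
```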