Example: Configuring the device as an Stelnet client (publickey authentication)

Network configuration

As shown in Figure 137:

Figure 137: Network diagram

Procedure

In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.

  1. Configure the Stelnet client:

    # Assign an IP address to VLAN-interface 2.

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
    [SwitchA-Vlan-interface2] quit
    

    # Generate a DSA key pair.

    [SwitchA] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Export the DSA host public key to a public key file named key.pub.

    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    

    # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)

  2. Configure the Stelnet server:

    # Generate RSA key pairs.

    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key modulus is (512 ~ 2048)
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ........................++++++
    ...................++++++
    ..++++++++
    ............++++++++
    Create the key pair successfully.
    

    # Generate a DSA key pair.

    [SwitchB] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Generate an ECDSA key pair.

    [SwitchB] public-key local create ecdsa secp256r1
    Generating Keys...
    .
    Create the key pair successfully.
    

    # Enable the Stelnet server.

    [SwitchB] ssh server enable
    

    # Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.

    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    

    # Set the authentication mode to AAA for user lines.

    [SwitchB] line vty 0 63
    [SwitchB-line-vty0-63] authentication-mode scheme
    [SwitchB-line-vty0-63] quit
    

    # Import the peer public key from the public key file key.pub, and name it switchkey.

    [SwitchB] public-key peer switchkey import sshkey key.pub
    

    # Create an SSH user named client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user.

    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
    

    # Create a local device management user named client002.

    [SwitchB] local-user client002 class manage
    

    # Authorize local user client002 to use the SSH service.

    [SwitchB-luser-manage-client002] service-type ssh
    

    # Assign the network-admin user role to local user client002.

    [SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client002] quit
    
  3. Establish an SSH connection to the Stelnet server.

    <SwitchA> ssh2 192.168.1.40 identity-key dsa
    Username: client002
    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    Enter a character ~ and a dot to abort.
    
    ******************************************************************************
    * Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    
    <SwitchB>
    

    After you enter username client002 and then enter y to continue accessing the server, you can log in to the server successfully.