Example: Configuring the device as a Stelnet client (publickey authentication)
Network configuration
As shown in Figure 137:
Switch B acts as the Stelnet server, and it uses publickey authentication and the DSA public key algorithm.
Switch A acts as the Stelnet client. After the user on Switch A logs in to Switch B through Stelnet, the user can configure and manage Switch B as a network administrator.
Figure 137: Network diagram
Procedure
In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.
Configure the Stelnet client:
# Assign an IP address to VLAN-interface 2.
<SwitchA> system-view
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
[SwitchA-Vlan-interface2] quit
# Generate a DSA key pair.
[SwitchA] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Export the DSA host public key to a public key file named key.pub.
[SwitchA] public-key local export dsa ssh2 key.pub
[SwitchA] quit
# Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)
Configure the Stelnet server:
# Generate RSA key pairs.
<SwitchB> system-view
[SwitchB] public-key local create rsa
The range of public key modulus is (512 ~ 2048)
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
........................++++++
...................++++++
..++++++++
............++++++++
Create the key pair successfully.
# Generate a DSA key pair.
[SwitchB] public-key local create dsa
The range of public key modulus is (512 ~ 2048).
If the key modulus is greater than 512, it will take a few minutes. Press CTRL+C to abort.
Input the modulus length [default = 1024]:
Generating Keys...
.++++++++++++++++++++++++++++++++++++++++++++++++++*
........+......+.....+......................................+
...+.................+..........+...+
Create the key pair successfully.
# Generate an ECDSA key pair.
[SwitchB] public-key local create ecdsa secp256r1
Generating Keys...
.
Create the key pair successfully.
# Enable the Stelnet server.
[SwitchB] ssh server enable
# Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
[SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63
[SwitchB-line-vty0-63] authentication-mode scheme
[SwitchB-line-vty0-63] quit
# Import the peer public key from the public key file key.pub, and name it switchkey.
[SwitchB] public-key peer switchkey import sshkey key.pub
# Create an SSH user named client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user.
[SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
# Create a local device management user named client002.
[SwitchB] local-user client002 class manage
# Authorize local user client002 to use the SSH service.
[SwitchB-luser-manage-client002] service-type ssh
# Assign the network-admin user role to local user client002.
[SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
[SwitchB-luser-manage-client002] quit
Establish an SSH connection to the Stelnet server.
<SwitchA> ssh2 192.168.1.40 identity-key dsa
Username: client002
Press CTRL+C to abort.
Connecting to 192.168.1.40 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
Enter a character ~ and a dot to abort.

******************************************************************************
* Copyright (c) 2010-2017 Hewlett Packard Enterprise Development LP          *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<SwitchB>
After you enter username client002 and then enter y to continue accessing the server, you can log in to the server successfully.
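The procedure above moves the client's host public key from Switch A to Switch B as the file key.pub in SSH2 (RFC 4716) format, over FTP or TFTP, and then imports it as the peer key switchkey. Because that transfer is not authenticated, an administrator will usually want to check the file on both ends before the import: that it is well formed, that it really is a DSA key, that the modulus length matches what was generated, and that a fingerprint computed from it on the sending side matches the one computed on the receiving side. The following Python script is an added example written for this page; it is not part of the Comware guide and not vendor code. It uses only the standard library and parses the RFC 4716 envelope and the ssh-dss wire format itself. The sample key file it builds is constructed (the numbers have the right sizes but are not a real DSA key), and the minimum modulus length MIN_DSA_BITS is an assumed local policy, set here to the guide's default of 1024 bits.

```python
"""Check an RFC 4716 ("ssh2" format) public key file such as key.pub.

Added example, not part of the Comware guide. Standard library only.
"""
import base64
import hashlib
import struct

MIN_DSA_BITS = 1024  # assumed local policy; matches the guide's default modulus length

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def parse_rfc4716(text):
    """Return (headers, raw key blob) from an RFC 4716 public key file."""
    lines = [ln.rstrip("\r\n") for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN:
        raise ValueError("missing RFC 4716 BEGIN line")
    try:
        end = lines.index(END)
    except ValueError:
        raise ValueError("missing RFC 4716 END line") from None
    headers, body, i = {}, [], 1
    while i < end:
        line = lines[i]
        if ":" in line and not body:
            # Header lines (e.g. Comment:) may continue when they end with a backslash.
            while line.endswith("\\") and i + 1 < end:
                i += 1
                line = line[:-1] + lines[i]
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip().strip('"')
        else:
            body.append(line.strip())  # base64 body never contains ':'
        i += 1
    return headers, base64.b64decode("".join(body), validate=True)


def _read_string(blob, pos):
    """Read one length-prefixed SSH string (RFC 4251) starting at pos."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    pos += 4
    if pos + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos:pos + n], pos + n


def decode_dsa_blob(blob):
    """Decode an ssh-dss blob into its p, q, g, y integers."""
    ktype, pos = _read_string(blob, 0)
    if ktype != b"ssh-dss":
        raise ValueError("not a DSA key: %r" % ktype.decode("ascii", "replace"))
    fields = {}
    for name in ("p", "q", "g", "y"):
        raw, pos = _read_string(blob, pos)
        fields[name] = int.from_bytes(raw, "big")  # public-key mpints are positive
    if pos != len(blob):
        raise ValueError("trailing bytes after DSA key")
    return fields


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of the blob, for comparison on both switches."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def check_key_file(text, min_bits=MIN_DSA_BITS):
    """Validate a key.pub file and return what an admin would compare across devices."""
    headers, blob = parse_rfc4716(text)
    key = decode_dsa_blob(blob)
    bits = key["p"].bit_length()
    if bits < min_bits:
        raise ValueError("DSA modulus is %d bits, below %d" % (bits, min_bits))
    return {"comment": headers.get("Comment", ""), "bits": bits,
            "q_bits": key["q"].bit_length(), "fingerprint": fingerprint(blob)}


def _mpint(n):
    """Encode a non-negative integer as an SSH mpint (RFC 4251)."""
    if n == 0:
        return struct.pack(">I", 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the two's-complement sign bit clear
    return struct.pack(">I", len(raw)) + raw


def _string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_key_file(p_bits=1024):
    """Constructed sample: right field sizes, but NOT a valid DSA key."""
    p = (1 << (p_bits - 1)) | 1
    q = (1 << 159) | 1
    g = 2
    y = (1 << (p_bits - 10)) | 3
    blob = _string(b"ssh-dss") + _mpint(p) + _mpint(q) + _mpint(g) + _mpint(y)
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN, 'Comment: "dsa-key-SwitchA"']
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append(END)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(check_key_file(build_sample_key_file()))
```

Run it against the real file on the workstation that holds key.pub (pass the file's text to check_key_file) and compare the printed fingerprint with the one computed from the copy that reached Switch B before running public-key peer switchkey import sshkey key.pub. The same fingerprint check applies in the other direction: the login transcript answers n to saving the server public key, so the client is connecting without a stored host key, and recording Switch B's host key fingerprint out of band is the way to answer the "server is not authenticated" prompt with confidence.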