Example: Configuring SCP based on Suite B algorithms
Network configuration
As shown in Figure 144:
Switch B acts as the SCP Suite B server (SSH2), and it uses publickey authentication to authenticate the SCP client.
Switch A acts as an SCP Suite B client (SSH2). After the user on Switch A logs in to Switch B through the SCP Suite B client software, the user can transfer files between switches as a network administrator.
Figure 144: Network diagram
Procedure
Generate the client's certificates and the server's certificates. (Details not shown.)
You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties.
In this example, the server's certificate files are ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12. The client's certificate files are ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12.
Configure the SCP client:
You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SCP client.
# Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP client through FTP or TFTP. (Details not shown.)
# Create a PKI domain named server256 for verifying the server's certificate ecdsa256 and enter its view.
<SwitchA> system-view [SwitchA] pki domain server256
# Disable CRL checking.
[SwitchA-pki-domain-server256] undo crl check enable [SwitchA-pki-domain-server256] quit
# Import local certificate file ssh-server-ecdsa256.p12 to PKI domain server256.
[SwitchA] pki import domain server256 p12 local filename ssh-server-ecdsa256.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: server256]:
# Display information about local certificates in PKI domain server256.
[SwitchA] display pki certificate domain server256 local Certificate: Data: Version: 3 (0x2) Serial Number: 3 (0x3) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:39:51 2015 GMT Not After : Aug 20 08:39:51 2016 GMT Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Server secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:a2:b4:b4:66:1e:3b:d5:50:50:0e:55:19:8d:52: 6d:47:8c:3d:3d:96:75:88:2f:9a:ba:a2:a7:f9:ef: 0a:a9:20:b7:b6:6a:90:0e:f8:c6:de:15:a2:23:81: 3c:9e:a2:b7:83:87:b9:ad:28:c8:2a:5e:58:11:8e: c7:61:4a:52:51 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 08:C1:F1:AA:97:45:19:6A:DA:4A:F2:87:A1:1A:E8:30:BD:31:30:D7 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:65:02:31:00:a9:16:e9:c1:76:f0:32:fc:4b:f9:8f:b6:7f: 31:a0:9f:de:a7:cc:33:29:27:2c:71:2e:f9:0d:74:cb:25:c9: 00:d2:52:18:7f:58:3f:cc:7e:8b:d3:42:65:00:cb:63:f8:02: 30:01:a2:f6:a1:51:04:1c:61:78:f6:6b:7e:f9:f9:42:8d:7c: a7:bb:47:7c:2a:85:67:0d:81:12:0b:02:98:bc:06:1f:c1:3c: 9b:c2:1b:4c:44:38:5a:14:b2:48:63:02:2b# Create a PKI domain named client256 for the client's certificate ecdsa256 and enter its view.
[SwitchA] pki domain client256
# Disable CRL checking.
[SwitchA-pki-domain-client256] undo crl check enable [SwitchA-pki-domain-client256] quit
# Import local certificate file ssh-client-ecdsa256.p12 to PKI domain client256.
[SwitchA] pki import domain client256 p12 local filename ssh-client-ecdsa256.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: client256]:
# Display information about local certificates in PKI domain client256.
[SwitchA] display pki certificate domain client256 local Certificate: Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 21 08:41:09 2015 GMT Not After : Aug 20 08:41:09 2016 GMT Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=SSH Client secp256 Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:da:e2:26:45:87:7a:63:20:e7:ca:7f:82:19:f5: 96:88:3e:25:46:f8:2f:9a:4c:70:61:35:db:e4:39: b8:38:c4:60:4a:65:28:49:14:32:3c:cc:6d:cd:34: 29:83:84:74:a7:2d:0e:75:1c:c2:52:58:1e:22:16: 12:d0:b4:8a:92 ASN1 OID: prime256v1 NIST CURVE: P-256 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 1A:61:60:4D:76:40:B8:BA:5D:A1:3C:60:BC:57:98:35:20:79:80:FC X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA256 30:66:02:31:00:9a:6d:fd:7d:ab:ae:54:9a:81:71:e6:bb:ad: 5a:2e:dc:1d:b3:8a:bf:ce:ee:71:4e:8f:d9:93:7f:a3:48:a1: 5c:17:cb:22:fa:8f:b3:e5:76:89:06:9f:96:47:dc:34:87:02: 31:00:e3:af:2a:8f:d6:8d:1f:3a:2b:ae:2f:97:b3:52:63:b6: 18:67:70:2c:93:2a:41:c0:e7:fa:93:20:09:4d:f4:bf:d0:11: 66:0f:48:56:01:1e:c3:be:37:4e:49:19:cf:c6# Create a PKI domain named server384 for verifying the server's certificate ecdsa384 and enter its view.
[SwitchA] pki domain server384
# Disable CRL checking.
[SwitchA-pki-domain-server384] undo crl check enable [SwitchA-pki-domain-server384] quit
# Import local certificate file ssh-server-ecdsa384.p12 to PKI domain server384.
[SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: server384]:
# Display information about local certificates in PKI domain server384.
[SwitchA] display pki certificate domain server384 local Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:08:41 2015 GMT Not After : Aug 19 10:08:41 2016 GMT Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=ssh server Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:4a:33:e5:99:8d:49:45:a7:a3:24:7b:32:6a:ed: b6:36:e1:4d:cc:8c:05:22:f4:3a:7c:5d:b7:be:d1: e6:9e:f0:ce:95:39:ca:fd:a0:86:cd:54:ab:49:60: 10:be:67:9f:90:3a:18:e2:7d:d9:5f:72:27:09:e7: bf:7e:64:0a:59:bb:b3:7d:ae:88:14:94:45:b9:34: d2:f3:93:e1:ba:b4:50:15:eb:e5:45:24:31:10:c7: 07:01:f9:dc:a5:6f:81 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 10:16:64:2C:DA:C1:D1:29:CD:C0:74:40:A9:70:BD:62:8A:BB:F4:D5 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA384 30:65:02:31:00:80:50:7a:4f:c5:cd:6a:c3:57:13:7f:e9:da: c1:72:7f:45:30:17:c2:a7:d3:ec:73:3d:5f:4d:e3:96:f6:a3: 33:fb:e4:b9:ff:47:f1:af:9d:e3:03:d2:24:53:40:09:5b:02: 30:45:d1:bf:51:fd:da:22:11:90:03:f9:d4:05:ec:d6:7c:41: fc:9d:a1:fd:5b:8c:73:f8:b6:4c:c3:41:f7:c6:7f:2f:05:2d: 37:f8:52:52:26:99:28:97:ac:6e:f9:c7:01# Create a PKI domain named client384 for the client's certificate ecdsa384 and enter its view.
[SwitchA] pki domain client384
# Disable CRL checking.
[SwitchA-pki-domain-client384] undo crl check enable [SwitchA-pki-domain-client384] quit
# Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384.
[SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12 The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-). Please enter the key pair name[default name: client384]:
# Display information about local certificates in PKI domain client384.
[SwitchA] display pki certificate domain client384 local Certificate: Data: Version: 3 (0x2) Serial Number: 2 (0x2) Signature Algorithm: ecdsa-with-SHA384 Issuer: C=CN, ST=Beijing, L=Beijing, O=AA, OU=Software, CN=SuiteB CA Validity Not Before: Aug 20 10:10:59 2015 GMT Not After : Aug 19 10:10:59 2016 GMT Subject: C=CN, ST=Beijing, O=AA, OU=Software, CN=ssh client Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (384 bit) pub: 04:85:7c:8b:f4:7a:36:bf:74:f6:7c:72:f9:08:69: d0:b9:ac:89:98:17:c9:fc:89:94:43:da:9a:a6:89: 41:d3:72:24:9b:9a:29:a8:d1:ba:b4:e5:77:ba:fc: df:ae:c6:dd:46:72:ab:bc:d1:7f:18:7d:54:88:f6: b4:06:54:7e:e7:4d:49:b4:07:dc:30:54:4b:b6:5b: 01:10:51:6b:0c:6d:a3:b1:4b:c9:d9:6c:d6:be:13: 91:70:31:2a:92:00:76 ASN1 OID: secp384r1 NIST CURVE: P-384 X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0 X509v3 Authority Key Identifier: keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22 Signature Algorithm: ecdsa-with-SHA384 30:66:02:31:00:d2:06:fa:2c:0b:0d:f0:81:90:01:c3:3d:bf: 97:b3:79:d8:25:a0:e2:0e:ed:00:c9:48:3e:c9:71:43:c9:b4: 2a:a6:0a:27:80:9e:d4:0f:f2:db:db:5b:40:b1:a9:0a:e4:02: 31:00:ee:00:e1:07:c0:2f:12:3f:88:ea:fe:19:05:ef:56:ca: 33:71:75:5e:11:c9:a6:51:4b:3e:7c:eb:2a:4d:87:2b:71:7c: 30:64:fe:14:ce:06:d5:0a:e2:cf:9a:69:19:ff# Assign an IP address to VLAN-interface 2.
[SwitchA] interface vlan-interface 2 [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0 [SwitchA-Vlan-interface2] quit
Configure the SCP server:
# Upload the server's certificate files (ssh-server-ecdsa256.p12 and ssh-server-ecdsa384.p12) and the client's certificate files (ssh-client-ecdsa256.p12 and ssh-client-ecdsa384.p12) to the SCP server through FTP or TFTP. (Details not shown.)
# Create a PKI domain named client256 for verifying the client's certificate ecdsa256 and import the file of this certificate to this domain. Create a PKI domain named server256 for the server's certificate ecdsa256 and import the file of this certificate to this domain. (Details not shown.)
# Create a PKI domain named client384 for verifying the client's certificate ecdsa384 and import the file of this certificate to this domain. Create a PKI domain named server384 for the server's certificate ecdsa384 and import the file of this certificate to this domain. (Details not shown.)
# Specify Suite B algorithms for algorithm negotiation.
<SwitchB> system-view [SwitchB] ssh2 algorithm key-exchange ecdh-sha2-nistp256 ecdh-sha2-nistp384 [SwitchB] ssh2 algorithm cipher aes128-gcm aes256-gcm [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp256 x509v3-ecdsa-sha2-nistp384
# Enable the SCP server.
[SwitchB] scp server enable
# Assign an IP address to VLAN-interface 2.
[SwitchB] interface vlan-interface 2 [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0 [SwitchB-Vlan-interface2] quit
# Set the authentication mode to AAA for user lines.
[SwitchB] line vty 0 63 [SwitchB-line-vty0-63] authentication-mode scheme [SwitchB-line-vty0-63] quit
# Create a local device management user named client001. Authorize the user to use the SSH service and assign the network-admin user role to the user.
[SwitchB] local-user client001 class manage [SwitchB-luser-manage-client001] service-type ssh [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin [SwitchB-luser-manage-client001] quit
# Create a local device management user named client002. Authorize the user to use the SSH service and assign the network-admin user role to the user.
[SwitchB] local-user client002 class manage [SwitchB-luser-manage-client002] service-type ssh [SwitchB-luser-manage-client002] authorization-attribute user-role network-admin [SwitchB-luser-manage-client002] quit
Establish an SCP connection to the SCP server:
Based on the 128-bit Suite B algorithms:
# Specify server256 as the PKI domain of the server's certificate.
[SwitchB]ssh server pki-domain server256
# Create an SSH user client001. Specify the publickey authentication method for the user and specify client256 as the PKI domain for verifying the client's certificate.
[SwitchB] ssh user client001 service-type scp authentication-type publickey assign pki-domain client256
# Establish an SCP connection to the SCP server at 192.168.0.1 based on the 128-bit Suite B algorithms.
<SwitchA> scp 192.168.0.1 get src.cfg suite-b 128-bit pki-domain client256 server-pki -domain server256 Username: client001 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. src.cfg 100% 4814 4.7KB/s 00:00 <SwitchA>
Based on the 192-bit Suite B algorithms:
# Specify server384 as the PKI domain of the server's certificate.
[SwitchB] ssh server pki-domain server384
# Create an SSH user client002. Specify the publickey authentication method for the user and specify client384 as the PKI domain for verifying the client's certificate.
[Switch] ssh user client002 service-type scp authentication-type publickey assign pki-domain client384
# Establish an SCP connection to the SCP server at 192.168.0.1 based on the 192-bit Suite B algorithms.
<SwitchA> scp 192.168.0.1 get src.cfg suite-b 192-bit pki-domain client384 server-pki -domain server384 Username: client002 Press CTRL+C to abort. Connecting to 192.168.0.1 port 22. src.cfg 100% 4814 4.7KB/s 00:00 <SwitchA>