Material source: Huawei Router Configuration Guide
These test notes were organized while learning and are shared here. If there is any infringement, it will be deleted. Thank you for your support!
The summary post is attached:
Configuration ideas
- Configure users client001 and client002 on the SSH server and have them log in to the SSH server using different authentication methods.
- Generate local key pairs on the STelnet client Client002 and on the SSH server, and bind the RSA public key of the SSH client to the user client002, so that the server can verify the client when it logs in.
- Enable the STelnet and SFTP services on the SSH server.
- Configure the service type and authorized directory of the SSH users.
- Configure the listening port number of the SSH server so that clients access the server through a port other than the default.
- Log users client001 and client002 in to the SSH server via STelnet and SFTP respectively.
Operation steps
- Generate a local key pair on the server
SSH Server:
  sysname SSH Server
  rsa local-key-pair create
- Configure the RSA public key on the server side
Generate the local key pair on the client.
Client002:
  sysname client002
  rsa local-key-pair create
View the RSA public key generated on the client.
[~client002] dis rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
3082010A0282010100E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40
EC99AF7A 7C14B247 52C618C8 8E1825D5 62B2F267
FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99
3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648
D24C056E E7547BC1 F596DEBB 09B10F8D 1361B5AD
1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5
53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A
228FF048 18E4FD46 8C1A128F 14761DC3 E939B4F1
2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8
AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C
3CDDD288 29648FFA F4C963D7 2F622981 830203010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
(base64 key code omitted)
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa (base64 key code omitted) rsa-key
Host public key for SSH1 format code:
(SSH1 format key code omitted)
====================== Server Key========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
(server key code omitted)
[~client002]
Transfer the RSA public key generated on the client to the server.
SSH Server:
  rsa peer-public-key rsakey001
  public-key-code begin
  3082010A0282010100E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A 7C14B247 52C618C8
  8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99 3316A3D4
  EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1 F596DEBB 09B10F8D
  1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754 9430B8FA E28B57AA
  C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
  DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048 18E4FD46 8C1A128F
  14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8 AA04AC81
  BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA F4C963D7 2F622981
  830203010001
  public-key-code end
  peer-public-key end
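The hex that the router prints under "Key Code" (and accepts between public-key-code begin and end) is a DER-encoded PKCS#1 RSAPublicKey, and the same display shows the key again in OpenSSH authorized_keys form. The following added example (my own code, not from the Huawei guide or this post; standard-library Python only) decodes the client002 Host Key hex from above, rebuilds the OpenSSH line and computes its SHA256 fingerprint, so the key bound to a user on the server can be checked against what the client actually generated before rsa-key authentication is trusted.

```python
import base64
import hashlib
import struct

# Host Key "Key Code" of client002 as printed on the page: a DER-encoded PKCS#1
# RSAPublicKey, SEQUENCE { INTEGER n, INTEGER e }. Whitespace is ignored.
CLIENT002_KEY_CODE = """
3082010A0282010100E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A 7C14B247 52C618C8 8E1825D5 62B2F267
FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99 3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648
D24C056E E7547BC1 F596DEBB 09B10F8D 1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048 18E4FD46 8C1A128F 14761DC3 E939B4F1
2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8 AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C
3CDDD288 29648FFA F4C963D7 2F622981 830203010001
"""

def _der_len(buf, i):
    """DER length field starting at buf[i] -> (length, index of the content)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def key_code_to_rsa(hex_text):
    """Decode the Huawei 'Key Code' hex into the RSA public numbers (n, e)."""
    der = bytes.fromhex("".join(hex_text.split()))
    assert der[0] == 0x30, "expected DER SEQUENCE"
    _, i = _der_len(der, 1)
    ints = []
    for _ in range(2):
        assert der[i] == 0x02, "expected DER INTEGER"
        length, i = _der_len(der, i + 1)
        ints.append(int.from_bytes(der[i:i + length], "big"))
        i += length
    return ints[0], ints[1]

def _mpint(v):
    """RFC 4253 mpint: length-prefixed big-endian, with a 0x00 pad when the high bit is set."""
    b = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(b)) + b

def rsa_to_openssh(n, e):
    """Build the 'ssh-rsa <base64>' line that OpenSSH expects in authorized_keys."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def fingerprint(openssh_line):
    """SHA256 fingerprint as 'ssh-keygen -lf' shows it; compare it out of band before binding the key."""
    blob = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

The OpenSSH line produced for the page's hex begins with the same "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK" that the router printed, which is the cross-check a practitioner wants before running ssh user client002 assign rsa-key.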
- Create SSH users
Configure the VTY user interface on the server side.
SSH Server:
  user-interface vty 0 4
  authentication-mode aaa
  protocol inbound ssh
Create SSH user Client001 with password authentication.
SSH Server:
  ssh user client001
  ssh user client001 authentication-type password
Configure the password Hello-huawei123 for SSH user Client001.
SSH Server:
  aaa
  local-user client001 password irreversible-cipher $1c$TYH4FuMpqC$E_FcCVX`l=l/_.X1BNE"8ESc(w5.Px27AC"N$
  local-user client001 service-type ssh
Configure the service type of Client001 as STelnet.
SSH Server:
  ssh user client001 service-type stelnet
Create SSH user Client002 with RSA authentication and bind the RSA public key of the SSH client to it.
SSH Server:
  ssh user client002
  ssh user client002 authentication-type rsa
  ssh user client002 assign rsa-key rsakey001
Configure the service type of Client002 as SFTP and set its SFTP directory.
SSH Server:
  ssh user client002 service-type sftp
  ssh user client002 sftp-directory cfcard:
- Enable the STelnet and SFTP services on the SSH server
SSH Server:
  stelnet server enable
  sftp server enable
- Configure the new listening port number on the SSH server
SSH Server:
  ssh ipv4 server port 1025
  ssh ipv6 server port 1025
Connect the SSH clients to the SSH server.
When a client logs in for the first time, the first-time authentication function must be enabled on the SSH client.
Enable first-time authentication on client Client001.
Client001:
  sysname client001
  ssh client first-time enable
Enable first-time authentication on client Client002.
Client002:
  ssh client first-time enable
The STelnet client connects to the SSH server using the new port number.
[~client001] stelnet 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
Please input the username: client001
Enter password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2019-10-23 15:15:23.
First login successfully.
<SSH Server>
The SFTP client connects to the SSH server using the new port number.
[~client002] sftp 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: client002
sftp-client>
- Check the configuration results
An attacker who uses the original port number 22 to access the SSH server fails.
[~client002] sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
[~client002]
After the configuration is complete, run the display ssh server status and display ssh server session commands on the SSH server to view its current listening port number and to confirm that the STelnet client and the SFTP client have connected to the SSH server.
View the SSH status information.
[~SSH Server] dis ssh server status
SSH Version: 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility: Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server: Enable
STELNET IPv6 server: Enable
SNETCONF IPv4 server: Disable
SNETCONF IPv6 server: Disable
SNETCONF IPv4 server port(830): Disable
SNETCONF IPv6 server port(830): Disable
SCP IPv4 server: Disable
SCP IPv6 server: Disable
SSH server DES: Disable
SSH IPv4 server port: 1025
SSH IPv6 server port: 1025
SSH server source address: 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name:
ACL6 number:
SSH server ip-block: Enable
View the connection information of the SSH server.
[~SSH Server] dis ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn: VTY 0
Version : 2.0
State : Started
Username: client001
Retry : 1
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group14-sha1
Public Key: ECC
Service Type: stelnet
Authentication Type: password
Connection Port Number: 1025
Idle Time: 00:01:49
Total Packet Number: 30
Packet Number after Rekey: 30
Total Data(MB): 0
Data after Rekey(MB): 0
Time after Session Established(Minute): 2
Time after Rekey(Minute): 2

Session: 2
Conn: SFTP 0
Version: 2.0
State: Started
Username: client002
Retry: 1
CTOS Cipher: aes256-ctr
STOC Cipher: aes256-ctr
CTOS Hmac: hmac-sha2-256
STOC Hmac: hmac-sha2-256
CTOS Compress: none
STOC Compress: none
Kex: diffie-hellman-group14-sha1
Public Key: ECC
Service Type: sftp
Authentication Type: rsa
Connection Port Number: 1025
Idle Time: 00:00:38
Total Packet Number : 16
Packet Number after Rekey : 16
Total Data(MB): 0
Data after Rekey(MB): 0
Time after Session Established(Minute): 0
Time after Rekey(Minute): 0
--------------------------------------------------------------------------------
[~SSH Server]
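To make the "check configuration results" step repeatable rather than a visual read of the display, here is an added Python audit (my own code, not from the Huawei guide or this post) that parses display ssh server session output and compares each session against the users, service types and port configured above; the sample text is constructed from the output shown on the page. It also flags the SHA-1 based key exchange that both sessions negotiated, which the configuration on this page does not address.

```python
import re

# Constructed from the 'display ssh server session' output shown on the page, trimmed to
# the fields the audit uses; note the inconsistent "Session : 1" / "Session: 2" spacing.
SAMPLE_SESSION_OUTPUT = """
Session : 1
Username: client001
Kex : diffie-hellman-group14-sha1
Service Type: stelnet
Authentication Type: password
Connection Port Number: 1025
Idle Time: 00:01:49
Session: 2
Username: client002
Kex: diffie-hellman-group14-sha1
Service Type: sftp
Authentication Type: rsa
Connection Port Number: 1025
"""

PORT = {"Connection Port Number": "1025"}  # expected state, from the configuration steps above
POLICY = {"client001": {"Service Type": "stelnet", "Authentication Type": "password", **PORT},
          "client002": {"Service Type": "sftp", "Authentication Type": "rsa", **PORT}}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"}  # SHA-1 based

def parse_sessions(text):
    """One dict per session; accepts both 'Key : value' and 'Key: value' spacing."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z0-9 ()]*?)\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        if m.group(1) == "Session":
            cur = {"Session": m.group(2)}
            sessions.append(cur)
        elif cur is not None:
            cur[m.group(1)] = m.group(2)
    return sessions

def audit(sessions):
    """Return (session id, finding) pairs for anything that departs from the expected state."""
    findings = []
    for s in sessions:
        sid, user = s["Session"], s.get("Username", "?")
        for key, want in POLICY.get(user, {}).items():
            if s.get(key) != want:
                findings.append((sid, f"{user}: {key} is {s.get(key)}, expected {want}"))
        if s.get("Kex") in WEAK_KEX:
            findings.append((sid, f"{user}: SHA-1 key exchange {s['Kex']} negotiated"))
    return findings
```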