素材來源:華為路由器配置指南
一邊學習一邊整理試驗筆記,並與大家分享,侵權即刪,謝謝支持!
附上匯總貼:
配置思路
- 在SSH服務器上配置用戶client001和client002,分別使用不同的認證方式登錄SSH服務器。
- 分別在STelnet客戶端Client002和SSH服務器端生成本地密鑰對,並為用戶client002綁定ssh客戶端的rsa公鑰,實現客戶端登錄服務器端時,對客戶端進行驗證。
- SSH服務器端STelnet和SFTP服務使能。
- 配置SSH用戶的服務方式和授權目錄。
- 配置SSH服務器偵聽端口號,實現客戶端以其他端口號訪問服務器。
- 用戶client001和client002分別以STelnet和SFTP方式登錄SSH服務器。
操作步驟
- 在服務器端生成本地密鑰對
SSH Server:
sysname SSH Server
rsa local-key-pair create
- 配置服務器端RSA公鑰
客戶端生成客戶端的本地密鑰對
Client002:
sysname client002
rsa local-key-pair create
查看客戶端上生成RSA公鑰。
[~client002] dis rsa local-key-pair public
======================Host Key==========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Host
Key Type : RSA Encryption Key
========================================================
Key Code:
3082010A
02820101
00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40
EC99AF7A 7C14B247 52C618C8 8E1825D5 62B2F267
FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99
3316A3D4 EC822D4E 8D80CD6E 3A6402BB 9432B648
D24C056E E7547BC1 F596DEBB 09B10F8D 1361B5AD
1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754
9430B8FA E28B57AA C87A7F7F 5D29E300 F5067FA5
53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A
228FF048 18E4FD46 8C1A128F 14761DC3 E939B4F1
2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8
AA04AC81 BB12A436 FE07C3B9 85E88677 3A44357C
3CDDD288 29648FFA F4C963D7 2F622981 83
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwU
skdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpk
AruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQw
uPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2
tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG
+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDoJziK5POw3bBqKA/QVP7h2RtA7JmvenwUskdSxhjIjhgl1WKy8mf6oNfunP2kqitJDqek3P3c/nI/mTMWo9Tsgi1OjYDNbjpkAruUMrZI0kwFbudUe8H1lt67CbEPjRNhta0dIEhwnY1IgWjwscfnMWG+e7/3VJQwuPrii1eqyHp/f10p4wD1Bn+lU3g2WKaLrQpIbPt7N8K/eqX2jOTdSI1eBqeOgFg2tmi8g0Ggzd7+miKP8EgY5P1GjBoSjxR2HcPpObTxLE/c07i+rXuyRU6MOSRzg6GG+KiqBKyBuxKkNv4Hw7mF6IZ3OkQ1fDzd0ogpZI/69Mlj1y9iKYGD rsa-key
Host public key for SSH1 format code:
2048 65537 29306627283638245027301637315280770431415530389244244975230531145561759626104057970787610929852299674051395034571703345660143794244307882155154183686531050878005010504329393633643469936953292070720937043694787072356480898127877140144815696800882401273992857152377313067297762846394698713180419093593469245126220992027251595773791728199966720913069181242916745109496146151516479321425637311898828414799574285972911331742416528185408208809863571790947427202191938582337262508462023617308198414038686321260976602728478298553565503910030065605290194687201091479154797244037233152226680632686743021553740244651535856402819
======================Server Key========================
Time of Key pair created : 2019-10-23 15:03:29
Key Name : client002_Server
Key Type : RSA Encryption Key
========================================================
Key Code:
3081B9
0281B1
009BA1EB 31436F37 BC8D0209 5B316C22 468A2C5F
B7354FF4 2EF2BD23 7F60D6C1 9F731BA9 004F77E7
6713AD7D A9367413 E308FA7A 86B3379F 6CEF8D99
5CA7873F 023E806B 0FA6234D 80DC8C07 4069C284
C37E66BE 16B58A3F 6A0A74C8 BA3C0995 7FDF76C7
9D09A126 F1CD89B6 EBFD6EE3 521DC175 5FEC0163
E13D7D5A 84A41C6E 3DEC9FFB D338CEC1 0A8FEE6E
7FAF56BA 66EF7F3A 2580DC1E 2B752B44 0BD94C15
BED635E3 501074E2 070F970A 4D1D5332 75
0203
010001
[~client002]
將客戶端上產生的RSA公鑰傳送到服務器端。
SSH Server:
rsa peer-public-key rsakey001
public-key-code begin
3082010A
02820101
00E82738 8AE4F3B0 DDB06A28 0FD054FE E1D91B40 EC99AF7A 7C14B247 52C618C8
8E1825D5 62B2F267 FAA0D7EE 9CFDA4AA 2B490EA7 A4DCFDDC FE723F99 3316A3D4
EC822D4E 8D80CD6E 3A6402BB 9432B648 D24C056E E7547BC1 F596DEBB 09B10F8D
1361B5AD 1D204870 9D8D4881 68F0B1C7 E73161BE 7BBFF754 9430B8FA E28B57AA
C87A7F7F 5D29E300 F5067FA5 53783658 A68BAD0A 486CFB7B 37C2BF7A A5F68CE4
DD488D5E 06A78E80 5836B668 BC8341A0 CDDEFE9A 228FF048 18E4FD46 8C1A128F
14761DC3 E939B4F1 2C4FDCD3 B8BEAD7B B2454E8C 39247383 A186F8A8 AA04AC81
BB12A436 FE07C3B9 85E88677 3A44357C 3CDDD288 29648FFA F4C963D7 2F622981
83
0203
010001
public-key-code end
peer-public-key end
- 在服務器端創建SSH用戶
配置VTY用戶界面。
SSH Server:
user-interface vty 0 4
authentication-mode aaa
protocol inbound ssh
創建SSH用戶Client001。
新建用戶名為Client001的SSH用戶,且認證方式為password。
SSH Server:
ssh user client001
ssh user client001 authentication-type password
為SSH用戶Client001配置密碼為Hello-huawei123。
SSH Server:
aaa
local-user client001 password irreversible-cipher $1c$TYH4FuMpqC$E_FcCVX\`<<l=l/_.X1BNE"8ESc(w5.Px2<7AC"N$
local-user client001 service-type ssh
配置Client001的服務方式為STelnet。
SSH Server:
ssh user client001 service-type stelnet
創建SSH用戶Client002。
新建用戶名為Client002的SSH用戶,且認證方式為RSA,並綁定SSH客戶端RSA公鑰。
SSH Server:
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
配置Client002的服務方式為SFTP,並為其配置授權目錄。
SSH Server:
ssh user client002 service-type sftp
ssh user client002 sftp-directory cfcard:
- SSH服務器端Stelent和SFTP服務使能
SSH Server:
stelnet server enable
sftp server enable
- 配置SSH服務端新的偵聽端口號
SSH Server:
ssh ipv4 server port 1025
ssh ipv6 server port 1025
SSH客戶端連接SSH服務器
第一次登錄,則需要使能SSH客戶端首次認證功能。
使能客戶端Client001首次認證功能。
clien001:
sysname client001
ssh client first-time enable
使能客戶端Client002首次認證功能
client002:
ssh client first-time enable
STelnet客戶端用新端口號連接SSH服務器。
[~client001]stelnet 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
Please input the username: client001
Enter password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online i
s 1, and total number of terminal users online is 2.
The current login time is 2019-10-23 15:15:23.
First login successfully.
<SSH Server>
SFTP客戶端用新端口號連接SSH服務器。
[~client002]sftp 1.1.1.1 1025
Trying 1.1.1.1 ...
Press CTRL+K to abort
Connected to 1.1.1.1 ...
Please input the username: client002
sftp-client>
- 檢查配置結果
攻擊者使用原端口號22訪問SSH服務器,不能成功。
[~client002]sftp 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL+K to abort
Error: Failed to connect to the remote host.
[~client002]
配置完成後,在SSH服務器端執行display ssh server status命令、display ssh server session命令,可以查看到SSH服務器端當前偵聽端口號,並且STelnet客戶端或SFTP客戶端已經成功連接到SSH服務器。
查看SSH狀態信息。
[~SSH Server]dis ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Enable
SFTP IPv6 server : Enable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Disable
SCP IPv6 server : Disable
SSH server DES : Disable
SSH IPv4 server port : 1025
SSH IPv6 server port : 1025
SSH server source address : 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
查看SSH服務器的連接信息。
[~SSH Server] dis ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : VTY 0
Version : 2.0
State : Started
Username : client001
Retry : 1
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group14-sha1
Public Key : ECC
Service Type : stelnet
Authentication Type : password
Connection Port Number : 1025
Idle Time : 00:01:49
Total Packet Number : 30
Packet Number after Rekey : 30
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 2
Time after Rekey(Minute) : 2
Session : 2
Conn : SFTP 0
Version : 2.0
State : Started
Username : client002
Retry : 1
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group14-sha1
Public Key : ECC
Service Type : sftp
Authentication Type : rsa
Connection Port Number : 1025
Idle Time : 00:00:38
Total Packet Number : 16
Packet Number after Rekey : 16
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 0
Time after Rekey(Minute) : 0
--------------------------------------------------------------------------------
[~SSH Server]
![[MAMA 2022] IVE, KEP1ER, NMIXX, LE SSERAFIM, NEWJEANS - 'Cheer Up' Lyrics (Color Coded Lyrics) - 天天要聞](https://i.ytimg.com/vi/emQIKe2tGl8/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBitWecJGXwnCsgIXjiSuzCmdM-1w)
![NewJeans在宣布獲大賞後全員毫無反應 「你們忘了嗎?我們是NewJeans啊」XD| [K-潮流] - 天天要聞](https://i.ytimg.com/vi/VpJrVDAgBLs/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLAaXE8uvu_gvrtmhqxrfNkwM21qLA)
![[2022 MAMA] IVE&Kep1er&NMIXX&LE SSERAFIM&NewJeans - CHEER UP | Mnet 221129 방송 - 天天要聞](https://i.ytimg.com/vi/d2heDnR3sjc/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLAaAaOJ1FOuMVt8zl0aAdxxx1s2FQ)
![[2022 MAMA] IVE&Kep1er&NMIXX&LESSERAFIM&NewJeans-ELEVEN+WADADA+O.O+FEARLESS+Hypeboy | Mnet 221129 방송 - 天天要聞](https://i.ytimg.com/vi/IJks7TIDfnk/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLBY-vECgvowNPEf_1BO1TlRrKZwjw)
