华为SSH实验 - 技术栈

华为SSH实验

实验拓扑：

实验要求：从SSH客户端AR1采用stelnet方式登录到SSH 服务器端。

实验步骤：

1.完成基本配置（略）

sys

Enter system view, return user view with Ctrl+Z.

$AR1$ sys CLIENT

$CLIENT$ INT g0/0/0

$CLIENT-GigabitEthernet0/0/0$ ip add 10.1.1.2 24

sys

Enter system view, return user view with Ctrl+Z.

$AR4$ sys SERVER

$SERVER$ INT g0/0/0

$SERVER-GigabitEthernet0/0/0$ ip add 10.1.1.2 24

2.在server端配置安全密钥对

$SERVER$ rsa local-key-pair create

The key name will be: Host

% RSA keys defined for Host already exist.

Confirm to replace them? (y/n) $n$ :y

The range of public key size is (512 ~ 2048).

NOTES: If the key modulus is greater than 512,

It will take a few minutes.

Input the bits in the modulus $default = 512$ :512

Generating keys...

...++++++++++++

...++++++++

SERVER

$SERVER$ dis rsa local-key-pair public 在服务器端查看刚刚配置的公钥

3.在服务器端创建VTY服务

$SERVER$ user-interface vty 0 4 启用VTY服务

$SERVER-ui-vty0-4$ authentication-mode aaa 认证模式采用AAA

$SERVER-ui-vty0-4$ protocol inbound ssh 定义流量（从外面进来的流量是ssh)

$SERVER-ui-vty0-4$ q

4.在服务端配置AAA服务

$SERVER$ aaa 启用AAA服务

$SERVER-aaa$ local-user zyh password cipher huawei 配置本地用户zyh密码是huawei

$SERVER-aaa$ local-user zyh service-type ssh 用户zyh服务类型是ssh

$SERVER-aaa$ local-user zyh privilege level 3 用户zyh的运行级别是三级

$SERVER-aaa$ q

5.在服务端配置SSH用户的访问认证方式并启用stelnet服务

$SERVER$ ssh user zyh authentication-type password

Authentication type setted, and will be in effect next time

$SERVER$ stelnet server enable 系统默认该服务是关闭的所以使用时候需要开启

6.配置客户端

sys

$CLIENT$ ssh client first-time enable 把客户端首次使用SSH开启

7.进行测试

$CLIENT$ stelnet 10.1.1.2

Please input the username:zyh

Trying 10.1.1.2 ...

Press CTRL+K to abort

Connected to 10.1.1.2 ...

The server is not authenticated. Continue to access it? (y/n) $n$ :y

Save the server's public key? (y/n) $n$ :y

The server's public key will be saved with the name 10.1.1.2. Please wait...

Enter password:

采用SSH服务安全登录到远程服务端设备，实验成功。

小结：采用stelnet登录目标设备的配置虽有有点繁琐，但安全性却有了极大的提升，特别是密钥对的强度选择和SSH协议的配合使用，安全有了很大的保证。