概念
SSH全称安全外壳(Secure Shell)协议,这个协议的目的就是为了取代缺乏机密性保障的远程管理协议,SSH基于TCP协议的加密通道,让客户端使用服务器的RSA公钥来验证SSHv2服务器的身份。
创建密钥对
在充当SSH服务器的路由器上创建本地密钥对;本例中是AR1充当服务器,AR4充当客户端。
密钥对是一个公钥一个密钥,信息用公钥加密就用私钥解密,服务器会将公钥给客户端,客户端使用私钥加密数据之后,数据只能服务器的私钥才能解开,确保了数据安全性。
AR1\]rsa local-key-pair create The key name will be: Host % RSA keys defined for Host already exist. Confirm to replace them? (y/n)\[n\]:y The range of public key size is (512 \~ 2048). NOTES: If the key modulus is greater than 512, It will take a few minutes. Input the bits in the modulus\[default = 512\]:512 Generating keys... .............++++++++++++ .++++++++++++ ................................................................................ .................++++++++ .........++++++++
启用SSH服务器进程
路由器默认 SSH服务是没开启的,需要手动开启。
AR1\]stelnet server enable Info: Succeeded in starting the STELNET server.
修改VTY虚拟接口的入站协议
SSH协议支持的认证模式只有aaa
AR1\]user-interface vty 0 4 \[AR1-ui-vty0-4\]authentication-mode aaa # VTY接口允许接受的入站协议修改为SSH \[AR1-ui-vty0-4\]protocol inbound ssh
设置aaa参数
创建的用户名为user1,密码为huawei
AR1\]aaa \[AR1-aaa\]local-user user1 password cipher huawei Info: Add a new user. # 指定这个用户使用的协议,只能是ssh \[AR1-aaa\]local-user user1 service-type ssh
设置SSH的认证类型
AR1\]ssh user user1 authentication-type ? all All authentication, password or RSA password Password authentication password-rsa Both password and RSA rsa RSA authentication \[AR1\]ssh user user1 authentication-type password Authentication type setted, and will be in effect next time
AR4(client)访问AR1(Server)
尝试连接时系统提示错误同时要求管理员运行, "ssh client first-time enable" 才能开启首次访问功能,没有这条命令那么服务器发给客户端的公钥,客户端无法保存,所以这才命令在SSH客户端上必不可少。
AR4\]stelnet 192.168.28.1 Please input the username:user1 Trying 192.168.28.1 ... Press CTRL+K to abort Connected to 192.168.28.1 ... Error: Failed to verify the server's public key. Please run the command "ssh client first-time enable"to enable the first-time ac cess function and try again. # 会报错
启用SSH首次访问功能并连接SSH服务器
AR4\]ssh client first-time enable \[AR4\]stelnet 192.168.28.1 Please input the username:user1 Trying 192.168.28.1 ... Press CTRL+K to abort Connected to 192.168.28.1 ... The server is not authenticated. Continue to access it? (y/n)\[n\]:y Mar 28 2023 17:25:32-08:00 AR4 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)\[0\]:The server h ad not been authenticated in the process of exchanging keys. When deciding wheth er to continue, the user chose Y. \[AR4
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 192.168.28.1. Please wait...
Mar 28 2023 17:25:34-08:00 AR4 %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding whet
her to save the server's public key 192.168.28.1, the user chose Y.
AR4
Enter password:
<AR1>
查看SSH状态、SSH访问情况
在服务器上查看SSH状态,显示SSH的版本,显示SSH的功能是否启用
AR1\] display ssh server status SSH version :1.99 SSH connection timeout :60 seconds SSH server key generating interval :0 hours SSH Authentication retries :3 times SFTP Server :Disable Stelnet server :Enable # 查看会话 \[AR1\] display ssh server session -------------------------------------------------------------------- Conn Ver Encry State Auth-type Username -------------------------------------------------------------------- VTY 1 2.0 AES run password user1 -------------------------------------------------------------------- \[AR1