Network Engineering Notes
Objective
This example shows how to log in to another device using STelnet. Local key pairs are generated on the STelnet client and on the SSH server, a DSA public key is configured on the SSH server and bound to a user, and the STelnet client then connects to the SSH server.
Networking requirements
A network contains a large number of devices that must be managed and maintained. It is impractical to attach a terminal to every device, especially when there is no reachable route between the terminal and the device to be managed. Instead, a user can use Telnet to log in from the current device to another device on the network and manage it remotely. Telnet, however, has no secure authentication mechanism and carries everything in plaintext over TCP, which is a serious security risk.
STelnet is a secure Telnet service built on top of an SSH connection. SSH provides encryption and strong authentication, protecting the device against attacks such as IP address spoofing and interception of simple passwords. As shown in Figure 1, once the STelnet service is enabled on the SSH server, an STelnet client can log in to the SSH server using password, DSA, or password-dsa authentication.
Configuration roadmap
Configure users client001 and client002 on the SSH server, each logging in with a different authentication method.
Generate local key pairs on the STelnet client client002 and on the SSH server, and bind the SSH client's DSA public key to user client002 so that the server verifies the client when it logs in.
Enable the STelnet service on the SSH server.
Set the service type of SSH users client001 and client002 to STelnet.
Enable first-time authentication on the SSH clients.
Log in to the SSH server from client001 and client002 using STelnet.
Procedure
Generate a local key pair on the server:
SSH Server:
  sysname SSH Server
  dsa local-key-pair create
Create SSH users on the server:
Configure the VTY user interface:
SSH Server:
  user-interface vty 0 4
  authentication-mode aaa
  user privilege level 3
  protocol inbound ssh
Create SSH user client001.
Create an SSH user named client001 with password authentication.
SSH Server:
  ssh user client001
  ssh user client001 authentication-type password
Set the password of SSH user client001 to Hello-huawei123.
SSH Server:
  aaa
  local-user client001 password irreversible-cipher $1c$B+]l(4ggX#$1=@gUd"ws<Gje'W@H,NID`lw.ejU&Y6sx;Fcp}Y%$
  local-user client001 service-type ssh
Create SSH user client002.
Create an SSH user named client002 with DSA authentication.
SSH Server:
  ssh user client002
  ssh user client002 authentication-type dsa
  ssh authorization-type default root
Configure the DSA public key on the server:
Generate the client's local key pair on client002:
client002:
  sysname client002
  dsa local-key-pair create
View the DSA public key generated on the client.
<SSH Server>display dsa local-key-pair public
========================================================
Time of Key pair created : 2019-10-21 17:42:51
Key name : SSH Server_Host_DSA
Key modulus : 2048
Key type : DSA Encryption Key
========================================================
Key code:
30820324 02820101 00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60 BE8B9E36
D3E4EB9C D6EB7FD2 10219AC0 F41AD47B F1EACD43 5D39AFA8 FACB6A78 19305EE1
47E42891 2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268 56A99ECF A5D80036
7B31A905 22F13949 6F4182DB FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7 505413E9 1EFC961C 3F792096
25CFA8D7 D469FA35 A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714 B6326B7D
B6067EBF 153CC1A7 20B0E1A7 E39C13FE B3BA26E6 B052DC5B FFEE7C5C 52148FE6
C240738F BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F CD4EA0EE 501FC669
5D03D68D 519324E4 93 0215 00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE BB
02820100 3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723
72FE8A02 EBED3B76 BE810B42 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4 2036205C 6EFAB148 66E6A106
0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7 9A56E32E
C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548
76CC662A 1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA
531E0FF8 2199EF35 DF038976 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7 C15B6DBA 65C9EFAB 247DB13D
4942E2FF 02820100 3F303344 31B9BAA5 95B73B53 171CAF84 AA60FD21 D94DEE5D
C03862B8 D2FF4192 E04EA34D A1C9647F 6F5680DC 751308C0 27241663 8FA8AF8F
E16AFB0D EE26CD14 43D431DD 69EC4366 CA617435 CF1E18D4 2D1B23FD DA855695
DA2D49DA B7548D17 0DE4D51F CD2766BF F9C1FA8E EB149D23 CC3D8BB1 21CD7A31
41C88A48 37BF5A8E 022F48D0 C289ABE2 681E4739 000DF7CE 0AC6C2EA DA3EE3B5
9243E6E0 1DDDED70 3984A632 9869AAAD 721BF6BE FD776254 493D787A E45CBCDB
34214F28 627AA812 D64D5991 475E964E 864A21DC A505A82B 6A886CEC F8298FD7
95938013 3D907169 2B215A77 82F14F72 53F2F7EA 85561071 B95B03A9 780CD4D0
37A51173 942D8ED6
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ
IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW
qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5
iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAPzAzRDG5uqWVtztTFxyv
hKpg/SHZTe5dwDhiuNL/QZLgTqNNoclkf29WgNx1EwjAJyQWY4+or4/havsN7ibN
FEPUMd1p7ENmymF0Nc8eGNQtGyP92oVWldotSdq3VI0XDeTVH80nZr/5wfqO6xSd
I8w9i7EhzXoxQciKSDe/Wo4CL0jQwomr4mgeRzkADffOCsbC6to+47WSQ+bgHd3t
cDmEpjKYaaqtchv2vv13YlRJPXh65Fy82zQhTyhieqgS1k1ZkUdelk6GSiHcpQWo
K2qIbOz4KY/XlZOAEz2QcWkrIVp3gvFPclPy9+qFVhBxuVsDqXgM1NA3pRFzlC2O
1g==
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file:
ssh-dss [base64 omitted] dsa-key
<SSH Server>
Copy the DSA public key generated on the client to the server.
SSH Server:
  dsa peer-public-key dsakey001 encoding-type der
  public-key-code begin
  30820324 02820101 00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60 BE8B9E36
  D3E4EB9C D6EB7FD2 10219AC0 F41AD47B F1EACD43 5D39AFA8 FACB6A78 19305EE1
  47E42891 2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268 56A99ECF A5D80036
  7B31A905 22F13949 6F4182DB FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
  849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7 505413E9 1EFC961C 3F792096
  25CFA8D7 D469FA35 A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714 B6326B7D
  B6067EBF 153CC1A7 20B0E1A7 E39C13FE B3BA26E6 B052DC5B FFEE7C5C 52148FE6
  C240738F BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F CD4EA0EE 501FC669
  5D03D68D 519324E4 93 0215 00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE BB
  02820100 3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723
  72FE8A02 EBED3B76 BE810B42 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
  5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4 2036205C 6EFAB148 66E6A106
  0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7 9A56E32E
  C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548
  76CC662A 1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA
  531E0FF8 2199EF35 DF038976 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
  A915EE63 F660C092 360C5D2D 796AF230 DB7461F7 C15B6DBA 65C9EFAB 247DB13D
  4942E2FF 02820100 238A5AD0 30ADABD1 DF78962C 5D892855 A0A8FF60 372399A4
  7A82A7B9 690CC63B C00A2309 76BD4916 57E1D3A3 47A29A69 04FDDA30 B9129627
  5120AF3B 39795C96 72BDC020 879DFCB1 A26662A7 2F2F7427 CD37E76C C97A0B70
  369AD675 63D15517 8CB97C8E 719BE7B4 F8D41F8E 101A2D15 41B6FD67 75981B42
  42654BC1 14B27872 DE8E8EF7 EE81D8DA 39C83F25 7328D16A 47BE3F18 CA1BA360
  3C1643AD 4E3948AE 91628480 15AE9AD3 9433CF76 B9804EEA 8719B713 3717907A
  1E8725A3 E70AEF1E AABEBDB4 420A8C6B 81FFF8FF 3878C505 EBB2D753 652B4AF9
  953CFABD FCF4485D 0DCCE947 911B2740 5821D123 BEA66BD7 3FD3DBC4 C3368F3C
  05305EC6 EAE8021A
  public-key-code end
  peer-public-key end
Bind the SSH client's DSA public key to SSH user client002.
SSH Server:
  ssh user client002 assign dsa-key dsakey001
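The key code printed by display dsa local-key-pair public and the SSH2 PEM block beneath it are two encodings of the same four DSA integers (p, q, g, y): the VRP key code is a bare DER SEQUENCE of four INTEGERs, and the PEM body is the base64 of the RFC 4253 ssh-dss blob. The following Python script is an added example, not part of the original page and not Huawei's code: it parses the key code shown above (embedded as sample input), rebuilds the ssh-dss blob, checks that the result reproduces the first line of the PEM block, and computes an OpenSSH-style SHA256 fingerprint. Comparing that fingerprint on the client and on the server before running dsa peer-public-key and ssh user ... assign dsa-key confirms that the key being bound really is the client's key; the same routine applied to the server's host key gives the value a client operator should compare against when first-time authentication asks whether to trust an unauthenticated server. The fingerprint format is OpenSSH's convention and is an assumption of the example; the device output on this page does not print one.

```python
import base64
import hashlib

# Sample input: the DER "Key code" shown on the page for the key named
# SSH Server_Host_DSA (whitespace is irrelevant; the parser strips it).
KEY_CODE_HEX = """
30820324 02820101 00DEDEBA 5C8244DC B8E69691 7CEFEBC0 B3E6FB60 BE8B9E36
D3E4EB9C D6EB7FD2 10219AC0 F41AD47B F1EACD43 5D39AFA8 FACB6A78 19305EE1
47E42891 2E60452B 37CA17D6 11C2EE4C 46B4BC77 2654C268 56A99ECF A5D80036
7B31A905 22F13949 6F4182DB FDAAB599 739AB021 85856A88 1F919736 8B92DBF6
849D1C74 6BA27E12 F98A28E4 B6D0587D 655979A7 505413E9 1EFC961C 3F792096
25CFA8D7 D469FA35 A39E37B6 14047D53 5DCD63AF 3058B3A2 5B79C714 B6326B7D
B6067EBF 153CC1A7 20B0E1A7 E39C13FE B3BA26E6 B052DC5B FFEE7C5C 52148FE6
C240738F BB8F05D4 16B2B5DD 72E3629B B59244BF 9FA29C4F CD4EA0EE 501FC669
5D03D68D 519324E4 93 0215 00C6C484 E1F0076B 8AFCAD30 2B98B50A 3A542ABE BB
02820100 3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723
72FE8A02 EBED3B76 BE810B42 21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4 2036205C 6EFAB148 66E6A106
0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7 9A56E32E
C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548
76CC662A 1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA
531E0FF8 2199EF35 DF038976 4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7 C15B6DBA 65C9EFAB 247DB13D
4942E2FF 02820100 3F303344 31B9BAA5 95B73B53 171CAF84 AA60FD21 D94DEE5D
C03862B8 D2FF4192 E04EA34D A1C9647F 6F5680DC 751308C0 27241663 8FA8AF8F
E16AFB0D EE26CD14 43D431DD 69EC4366 CA617435 CF1E18D4 2D1B23FD DA855695
DA2D49DA B7548D17 0DE4D51F CD2766BF F9C1FA8E EB149D23 CC3D8BB1 21CD7A31
41C88A48 37BF5A8E 022F48D0 C289ABE2 681E4739 000DF7CE 0AC6C2EA DA3EE3B5
9243E6E0 1DDDED70 3984A632 9869AAAD 721BF6BE FD776254 493D787A E45CBCDB
34214F28 627AA812 D64D5991 475E964E 864A21DC A505A82B 6A886CEC F8298FD7
95938013 3D907169 2B215A77 82F14F72 53F2F7EA 85561071 B95B03A9 780CD4D0
37A51173 942D8ED6
"""

# First line of the "Host public key for PEM format code" block from the same
# output. The PEM body is the base64 of the ssh-dss blob, so a correct
# re-encoding must begin with exactly these characters.
PEM_FIRST_LINE = "AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ"


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the data")
    return tag, buf[pos:end], end


def parse_dsa_key_code(hex_text):
    """Parse the VRP key code: SEQUENCE { INTEGER p, q, g, y } (not an X.509 SPKI)."""
    der = bytes.fromhex("".join(hex_text.split()))
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one DER SEQUENCE covering the whole key code")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected a DER INTEGER inside the SEQUENCE")
        ints.append(value)
    if len(ints) != 4:
        raise ValueError("expected exactly four integers: p, q, g, y")
    return dict(zip(("p", "q", "g", "y"), ints))


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def to_ssh_dss_blob(key):
    """Build the RFC 4253 'ssh-dss' blob. A DER INTEGER's content bytes are already
    minimal big-endian two's complement, which is exactly an SSH mpint, so they
    are reused unchanged."""
    blob = _ssh_string(b"ssh-dss")
    for name in ("p", "q", "g", "y"):
        blob += _ssh_string(key[name])
    return blob


def fingerprint_sha256(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def summarize_key_code(hex_text):
    key = parse_dsa_key_code(hex_text)
    blob = to_ssh_dss_blob(key)
    b64 = base64.b64encode(blob).decode()
    return {
        "p_bits": int.from_bytes(key["p"], "big").bit_length(),
        "q_bits": int.from_bytes(key["q"], "big").bit_length(),
        "ssh_dss_base64": b64,
        "authorized_keys_line": "ssh-dss " + b64 + " dsa-key",   # same layout the device prints
        "fingerprint": fingerprint_sha256(blob),
    }


if __name__ == "__main__":
    s = summarize_key_code(KEY_CODE_HEX)
    print("p:", s["p_bits"], "bits, q:", s["q_bits"], "bits")
    print("re-encoding matches PEM block:", s["ssh_dss_base64"].startswith(PEM_FIRST_LINE))
    print(s["fingerprint"])
```

The parser deliberately refuses anything other than a single SEQUENCE of exactly four INTEGERs, so a truncated or mis-pasted key code fails loudly instead of producing a plausible-looking but wrong key; that matters because a public-key-code begin block that was copied incompletely will not be caught by the CLI's framing alone.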
Enable the STelnet service on the SSH server:
Enable the STelnet service.
SSH Server:
  stelnet server enable
Set the service type of SSH users client001 and client002 to STelnet:
SSH Server:
  ssh user client001 service-type stelnet
  ssh user client002 service-type stelnet
Connect from the STelnet client to the SSH server:
On the first login, first-time authentication must be enabled on the SSH client.
Enable first-time authentication on client001.
client001:
  sysname client001
  ssh client first-time enable
Enable first-time authentication on client002:
client002:
  ssh client first-time enable
STelnet client client001 connects to the SSH server using password authentication; enter the configured username and password.
[~client001]stelnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N]: y
Save the server's public key? [Y/N]: y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Please input the username: client001
Enter password:
Warning: The initial password poses security risks.
The password needs to be changed. Change now? [Y/N]:n
Info: The max number of VTY users is 5, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2019-10-21 17:47:53.
First login successfully.
<SSH Server>
STelnet client client002 connects to the SSH server using DSA authentication.
[~client002]stelnet 1.1.1.1
Trying 1.1.1.1 ...
Press CTRL + K to abort
Connected to 1.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N]: y
Save the server's public key? [Y/N]: y
The server's public key will be saved with the name 1.1.1.1. Please wait...
Please input the username: client002
Info: The max number of VTY users is 5, the number of current VTY users online is 1, and total number of terminal users online is 2.
The current login time is 2019-10-21 17:54:50.
<SSH Server>
If the login succeeds, the user enters the user view. If it fails, the user receives the message Session is disconnected.
Verify the configuration:
After the configuration is complete, run the display ssh server status and display ssh server session commands on the SSH server to confirm that the STelnet service is enabled and that the STelnet client has connected to the SSH server.
View SSH status information.
<SSH Server>dis ssh server status
SSH Version : 2.0
SSH authentication timeout (Seconds) : 60
SSH authentication retries (Times) : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility : Disable
SSH server keepalive : Enable
SFTP IPv4 server : Disable
SFTP IPv6 server : Disable
STELNET IPv4 server : Enable
STELNET IPv6 server : Enable
SNETCONF IPv4 server : Disable
SNETCONF IPv6 server : Disable
SNETCONF IPv4 server port(830) : Disable
SNETCONF IPv6 server port(830) : Disable
SCP IPv4 server : Disable
SCP IPv6 server : Disable
SSH server DES : Disable
SSH IPv4 server port : 22
SSH IPv6 server port : 22
SSH server source address : 0.0.0.0
SSH ipv6 server source address : 0::0
SSH ipv6 server source vpnName :
ACL name :
ACL number :
ACL6 name :
ACL6 number :
SSH server ip-block : Enable
<SSH Server>
View the SSH server's session information:
<SSH Server>dis ssh server session
--------------------------------------------------------------------------------
Session : 1
Conn : VTY 0
Version : 2.0
State : Started
Username : client001
Retry : 1
CTOS Cipher : aes256-ctr
STOC Cipher : aes256-ctr
CTOS Hmac : hmac-sha2-256
STOC Hmac : hmac-sha2-256
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group14-sha1
Public Key : ECC
Service Type : stelnet
Authentication Type : password
Connection Port Number : 22
Idle Time : 00:01:02
Total Packet Number : 24
Packet Number after Rekey : 24
Total Data(MB) : 0
Data after Rekey(MB) : 0
Time after Session Established(Minute) : 1
Time after Rekey(Minute) : 1
--------------------------------------------------------------------------------
<SSH Server>
View SSH user information:
<SSH Server>dis ssh user-information
--------------------------------------------------------------------------------
User Name : client001
Authentication-Type : password
User-public-key-name :
User-public-key-type : -
Sftp-directory :
Service-type : stelnet

User Name : client002
Authentication-Type : dsa
User-public-key-name : dsakey001
User-public-key-type : -
Sftp-directory :
Service-type : stelnet
--------------------------------------------------------------------------------
Total 2, 2 printed
<SSH Server>
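The display outputs above contain everything an operator needs to check the server's SSH hardening, but reading them by eye does not scale across a fleet of devices. The following Python script is an added example, not code from the page or from Huawei: it parses the "Name : value" layout of display ssh server status and display ssh server session and flags the settings a reviewer would question (SSH 1.x compatibility, DES, ip-block disabled, a SHA-1 key exchange, password rather than public-key authentication). The sample dumps are constructed: the status text and session 1 are abridged from the output above, while the weak status variant and session 2 (client002 authenticated with its bound DSA key over a sha256 key exchange) are invented to show the contrast. The severity labels, thresholds and weak-algorithm lists are the example's own.

```python
import re

# Constructed sample: abridged from the `display ssh server status` output above.
STATUS_OUTPUT = """\
SSH Version                                : 2.0
SSH authentication timeout (Seconds)       : 60
SSH authentication retries (Times)         : 3
SSH server key generating interval (Hours) : 0
SSH version 1.x compatibility              : Disable
STELNET IPv4 server                        : Enable
SSH server DES                             : Disable
SSH IPv4 server port                       : 22
SSH ipv6 server source address             : 0::0
SSH server ip-block                        : Enable
"""

# Constructed weak variant (not from the page) showing what the audit flags.
WEAK_STATUS_OUTPUT = """\
SSH Version                                : 1.99
SSH authentication retries (Times)         : 5
SSH version 1.x compatibility              : Enable
SSH server DES                             : Enable
SSH server ip-block                        : Disable
"""

# Constructed sample: session 1 is abridged from the page; session 2 is invented.
SESSION_OUTPUT = """\
--------------------------------------------------------------------------------
Session                  : 1
Version                  : 2.0
Username                 : client001
CTOS Cipher              : aes256-ctr
STOC Cipher              : aes256-ctr
CTOS Hmac                : hmac-sha2-256
STOC Hmac                : hmac-sha2-256
Kex                      : diffie-hellman-group14-sha1
Service Type             : stelnet
Authentication Type      : password
--------------------------------------------------------------------------------
Session                  : 2
Version                  : 2.0
Username                 : client002
CTOS Cipher              : aes256-ctr
STOC Cipher              : aes256-ctr
CTOS Hmac                : hmac-sha2-256
STOC Hmac                : hmac-sha2-256
Kex                      : diffie-hellman-group14-sha256
Service Type             : stelnet
Authentication Type      : dsa
--------------------------------------------------------------------------------
"""

WEAK_KEX = ("sha1",)
WEAK_MAC = ("sha1", "md5")
WEAK_CIPHER = ("des", "-cbc", "arcfour", "rc4")


def parse_fields(block):
    """Turn 'Name : value' lines into a dict. Only the first ':' separates name from
    value, so values such as '0::0' or '00:01:02' survive intact."""
    fields = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def audit_status(text):
    """Return (severity, message) findings for a `display ssh server status` dump."""
    f = parse_fields(text)
    findings = []
    if f.get("SSH Version", "2.0") != "2.0":
        findings.append(("high", "server negotiates a protocol version other than 2.0"))
    if f.get("SSH version 1.x compatibility", "Disable") != "Disable":
        findings.append(("high", "SSH 1.x compatibility is enabled"))
    if f.get("SSH server DES", "Disable") != "Disable":
        findings.append(("high", "DES is enabled on the server"))
    if f.get("SSH server ip-block", "Enable") != "Enable":
        findings.append(("medium", "ip-block is disabled: failing source addresses are never locked out"))
    if int(f.get("SSH authentication retries (Times)", "3")) > 3:
        findings.append(("medium", "more than 3 authentication retries are allowed"))
    if f.get("SSH server key generating interval (Hours)") == "0":
        findings.append(("info", "server key pair is never regenerated (interval 0)"))
    return findings


def audit_session(block):
    """Findings for one session block of `display ssh server session`."""
    f = parse_fields(block)
    user = f.get("Username", "?")
    findings = []
    if f.get("Version", "2.0") != "2.0":
        findings.append(("high", f"{user}: protocol version {f['Version']}"))
    kex = f.get("Kex", "").lower()
    if any(w in kex for w in WEAK_KEX):
        findings.append(("medium", f"{user}: key exchange {kex} relies on SHA-1"))
    for side in ("CTOS", "STOC"):
        mac = f.get(f"{side} Hmac", "").lower()
        if any(w in mac for w in WEAK_MAC):
            findings.append(("medium", f"{user}: {side} MAC {mac} is weak"))
        cipher = f.get(f"{side} Cipher", "").lower()
        if any(w in cipher for w in WEAK_CIPHER):
            findings.append(("high", f"{user}: {side} cipher {cipher} is weak"))
    if f.get("Authentication Type", "").lower() == "password":
        findings.append(("low", f"{user}: password authentication; a bound public key is preferable"))
    return findings


def audit_sessions(text):
    """Split the dump on its dashed separator lines and audit every session block."""
    findings = []
    for block in re.split(r"^-+$", text, flags=re.M):
        if "Session" in block:
            findings += audit_session(block)
    return findings


if __name__ == "__main__":
    for sev, msg in audit_status(STATUS_OUTPUT) + audit_sessions(SESSION_OUTPUT):
        print(f"[{sev}] {msg}")
```

On the page's own output the script reports only the informational finding about the server key interval and, for session 1, the SHA-1 key exchange and the password login of client001; client002, which the page authenticates with its bound DSA key, produces no finding.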