目录
背景
实验内容
实验目的
实验步骤
实验拓扑
详细配置过程
基础配置
配置SSH server
配置SSH client
配置SFTP server 与client
背景
由于Telnet缺少安全的认证方式,而且传输过程采用的是TCP进行明文传输。单纯的提供Telnet服务容易招致主机IP地址欺骗、路由欺骗等恶意攻击。
STelnet是在传统不安全的网络环境中,服务器通过对用户端的认证及双向的数据加密,为网络终端访问提供安全的Telnet服务。
实验内容
假定R1模拟PC,作为SSH的client;R2作为SSH的server,模拟远程用户端R1通过SSH协议远程登录到R2上进行各种配置。本实验通过password认证方式来实现。
实验目的
1、理解SSH的应用场景;
2、理解SSH协议的原理;
3、掌握配置SSH Password认证的方法;
4、掌握SFTP的配置。
实验步骤
1、基本配置(端口、地址);
2、配置SSH server;
3、配置SSH client;
4、配置SFTP server 与client;
实验拓扑
详细配置过程
基础配置
第一步:基本配置
把路由器相应的端口与IP地址配置好(配置方法一样,此处仅提供R2)[Huawei]interface g0/0/0
[Huawei-GigabitEthernet0/0/0]ip address 192.168.1.2 24
[Huawei-GigabitEthernet0/0/0]q
[Huawei]ping 192.168.1.1 //测试连通性
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=255 time=70 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=20 ms--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/32/70 ms[Huawei]
配置SSH server
第二步:配置SSH server
[Huawei]sysname R2
[R2]rsa local-key-pair create //生成本地RSA主机密钥对
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:512
Generating keys...
.....................................++++++++++++
..++++++++++++
...++++++++
...........++++++++[R2]display rsa local-key-pair public //查看本地密钥对中的公钥部分信息
=====================================================
Time of Key pair created: 2024-01-22 09:38:05-08:00
Key name: Host
Key type: RSA encryption Key
=====================================================
Key code:
3047
0240
C57F8D4C 18F41CD8 DA37C728 3A808DA0 FDEB3DBE
6C85E65D E0E68C42 2C5B98AE 06C4F280 1D588A25
BFE53FA3 536D6FD2 EAB508DC 5ED74308 28FE4113
1A67D39D
0203
010001=====================================================
Time of Key pair created: 2024-01-22 09:38:06-08:00
Key name: Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
9DA63159 C8184ED7 8584EDD7 187F2B96 404F000C
2BDE985B 293D511D 9510D6C9 423CB167 4741EBC3
75785A52 A9AFD0DB 9ABC60C5 95BDEE76 828C7CD7
DECF5A43 A98B66F6 D1429168 2900F59B AAC07F90
D55D0357 408D0A9F 00D50516 075A1AF9
0203
010001[R2]user-interface vty 0 4 //进入vty控制台 0 4 代表最多可以同时登录5个用户
[R2-ui-vty0-4]authentication-mode aaa //创建本地用户并启用AAA验证
[R2-ui-vty0-4]protocol inbound ssh //指定VTY类型用户界面只支持SSH协议,设备将自动禁止Telnet功能
[R2-ui-vty0-4]q[R2]aaa
[R2-aaa]local-user admin password cipher admin123 配置用户名、密码(密文)
[R2-aaa]local-user admin service-type ssh //配置本地用户的接入类型为SSH
[R2-aaa]q
[R2]ssh user admin authentication-type password //使用SSH user命令新建SSH用户,用户名为admin,指定认证方式为password,即密码认证方式
Authentication type setted, and will be in effect next time[R2]stelnet server enable //启用SSH服务器功能
Info: Succeeded in starting the STELNET server.
[R2]display ssh user-information admin //在SSH服务器端查看SSH用户的配置信息
-------------------------------------------------------------------------------Username Auth-type User-public-key-name
-------------------------------------------------------------------------------
admin password null
-------------------------------------------------------------------------------
[R2]display ssh server status //查看SSH服务器全局配置信息
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP Server :Disable
Stelnet server :Enable
[R2]
配置SSH client
第三步:配置SSH client
[Huawei]sysname R1
[R1]ssh client first-time enable
[R1]stelnet 192.168.1.2 //使用stelnet命令连接SSH服务器
Please input the username:admin //输入用户名admin
Trying 192.168.1.2 ...
Press CTRL+K to abort
Connected to 192.168.1.2 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Jan 22 2024 10:00:55-08:00 R1 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server ha
d not been authenticated in the process of exchanging keys. When deciding whethe
r to continue, the user chose Y.
[R1]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 192.168.1.2. Please wait...Jan 22 2024 10:01:00-08:00 R1 %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding wheth
er to save the server's public key 192.168.1.2, the user chose Y.
[R1]
Enter password: //输入密码(admin123)
<R2>
/*在R2输入如下命令查看SSH服务器端的当前会话连接信息*/
<R2>display ssh server session
--------------------------------------------------------------------
Conn Ver Encry State Auth-type Username
--------------------------------------------------------------------
VTY 0 2.0 AES run password admin
--------------------------------------------------------------------
<R2>
配置SFTP server 与client
第四步:配置SFTP server 与client
<R2>sys
[R2]aaa //进入aaa视图
[R2-aaa]local-user admin1 password cipher admin1123 //创建一个用户:用户名:admin1;密码:admin1123(密文方式显示)
Info: Add a new user.
[R2-aaa]local-user admin1 service-type ssh //配置本地用户接入类型为SSH
[R2-aaa]local-user admin1 privilege level 3 //配置本地用户优先级为3
[R2-aaa]local-user admin1 ftp-directory flash: //指定FTP用户的可访问目录。默认为空,若不配置,FTP用户将无法登录
[R2-aaa]q
[R2]ssh user admin1 authentication-type password //使用ssh user命令新建SSH用户admin1 ,认证方式为password
Authentication type setted, and will be in effect next time
[R2]sftp server enable //开启SFTP服务器功能。(可以通过display ssh server status
命令查看SSH服务器的配置信息)
Info: Succeeded in starting the SFTP server.
/*在R1上使用sftp命令连接SSH服务器,并输入用户名(admin1)和密码(admin1123)*/
<R1>sys
Enter system view, return user view with Ctrl+Z.
[R1]sftp 192.168.1.2
Please input the username:admin1
Trying 192.168.1.2 ...
Press CTRL+K to abort
Enter password:
sftp-client>
sftp-client>
/*在R2上查看SSH会话连接信息*/
[R2]display ssh server session
--------------------------------------------------------------------
Conn Ver Encry State Auth-type Username
--------------------------------------------------------------------
VTY 0 2.0 AES run password admin1
--------------------------------------------------------------------
[R2]
