
Configuring the FW as an SFTP Server

This section describes how to configure the FW as an SFTP server.

Context

  • These SSH user authentication modes are available: RSA, DSA, ECC, password, password-RSA, password-DSA, password-ECC and all. Password authentication depends on Authentication, Authorization and Accounting (AAA): before a user logs in in password, password-RSA, password-DSA or password-ECC authentication mode, you must create a local user with the same user name in the AAA view.

    • Password-RSA authentication depends on both password authentication and RSA authentication.
    • Password-DSA authentication depends on both password authentication and DSA authentication.
    • Password-ECC authentication depends on both password authentication and ECC authentication.
    • All authentication succeeds when any one of the following succeeds: password authentication, ECC authentication, DSA authentication or RSA authentication.
  • The device must generate a local RSA, DSA or ECC key pair; the server host key is a key part of the SSH login process. If SSH users log in to the SSH server in password authentication mode, only the server needs a local RSA, DSA or ECC key pair. If SSH users log in in RSA, DSA or ECC authentication mode, both the server and the client need local key pairs.

    RSA, DSA and ECC are the public-key algorithms SSH can use to authenticate the client and the server. DSA is the legacy choice: the SSH ssh-dss algorithm is disabled by default in current OpenSSH clients, so a client may have to enable it explicitly to use it against this device, and ECC or RSA (at least 2048 bits) should be preferred where the client allows it. When the RSA, DSA or ECC authentication mode is used, the priority of the users depends on the priority of the VTY user interfaces used for login.

In all authentication mode, the user priority depends on the authentication mode selected.

  • If password authentication is selected, the user priority is the same as that specified on the AAA module.
  • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access.

If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.

Procedure

  1. Access the system view.

    system-view

  2. Enable the SFTP server function.

    sftp [ ipv4 | ipv6 ] server enable

  3. Configure the VTY UI.
    1. Access the VTY UI.

      user-interface [ ui-type ] first-ui-number [ last-ui-number ]

    2. Set the authentication mode to AAA.

      authentication-mode aaa

    3. Configure SSH.

      protocol inbound ssh

    4. Configure a VTY UI level.

      user privilege level level

      To ensure that administrators can log in to the FW, set the VTY UI level to 3 or higher.

  4. Create an SFTP administrator.
    1. Access the AAA view.

      aaa

    2. Configure an administrator account and access the administrator view.

      manager-user user-name

    3. Configure a level for the administrator.

      level level

      To ensure that the administrator can log in to the FW, set the administrator level to 3 or higher.

    4. Set the service type to SSH for the administrator.

      service-type ssh

    5. Return to the system view.

      quit

  5. Create an RSA, DSA or ECC key pair.
    • Run the rsa local-key-pair create command to create a local RSA key pair.
      • You need to run the rsa local-key-pair create command to generate the local RSA key pair before performing other SSH configurations. The host key pair length and server key pair length range from 512 to 2048 bits; the default is 2048 bits. Do not choose a length below 2048 bits: 512-bit and 768-bit RSA moduli have been factored publicly, and 1024-bit RSA is no longer considered adequate.

        After a version upgrade, if the existing key pair is shorter than 1024 bits, regenerate it by running the command again after the upgrade.

      • After creating a local RSA key pair, you can run the display rsa local-key-pair public command to view the public key in the local key pair.

      • You can run the rsa local-key-pair destroy command to clear all local RSA key pairs, that is, both the host key pair and the server key pair.

        After running the rsa local-key-pair destroy command, check whether all local RSA key pairs are cleared. The command takes effect only once and is not saved in the configuration file.

    • Run the dsa local-key-pair create command to create a local DSA key pair.
      • You need to run the dsa local-key-pair create command to generate the local DSA key pair before performing other SSH configurations. The host key pair length and server key pair length can be 1024 bits or 2048 bits. The default key pair length is 2048 bits.

      • After creating the local DSA key pair, you can run the display dsa local-key-pair public command to view the public key in the local key pair.

      • You can run the dsa local-key-pair destroy command to clear all local DSA key pairs, that is, both the host key pair and the server key pair.

        After running the dsa local-key-pair destroy command, check whether all local DSA key pairs are cleared. The command takes effect only once and is not saved in the configuration file.

    • Run the ecc local-key-pair create command to generate the ECC local-key-pair.

      • You must run the ecc local-key-pair create command to generate a local key pair before completing other SSH configurations. The host key pair length can be 256, 384 or 521 bits; the default is 521 bits.

      • After a local key pair is generated, you can run the display ecc local-key-pair public command to view the public key in the local key pair.

      • To clear the local ECC key pair, run the ecc local-key-pair destroy command, which destroys all local ECC key pairs.

        Check whether all local ECC key pairs are destroyed after running the ecc local-key-pair destroy command. The command takes effect only once and is therefore not saved in the configuration file.

  6. Create an SSH user.

    ssh user username

  7. Select one authentication mode for the SFTP account.

    Configure the password authentication mode.

    1. Run the ssh user username authentication-type password command to set the authentication mode to password.
    2. Run the aaa command to access the AAA view.
    3. Run the manager-user user-name command to enter the administrator view.
    4. Run the password [ cipher cipher-password ] command to set a password for the SFTP account.
    NOTE:

    Set the password interactively (run password without the cipher keyword and type the password at the prompt). A password passed inline with cipher cipher-password appears in plaintext in the terminal session and in any command logging, so that form is not safe.

    Configure the RSA authentication mode.

    1. Run the ssh user username authentication-type rsa command to set the authentication mode to RSA.
    2. Bind the SFTP account with the RSA public key on the client.

      1. Run the rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ] command to access the RSA public key view.
      2. Run the public-key-code begin command to access public key editing view.
      3. Enter the RSA public key of the client through typing or copy and paste.
      4. Run the public-key-code end command to return to the RSA public key view.
      5. Run the peer-public-key end command to return to the system view.
      6. Run the ssh user user-name assign rsa-key key-name command to bind an RSA public key to the SFTP account.

    Configure the DSA authentication mode.

    1. Run the ssh user username authentication-type dsa command to set the authentication mode to DSA.
    2. Bind the SFTP account with the DSA public key on the client.

      1. Run the dsa peer-public-key key-name [ encoding-type { der | pem | openssh } ] command to access the DSA public key view.
      2. Run the public-key-code begin command to access public key editing view.
      3. Enter the DSA public key of the client through typing or copy and paste.
      4. Run the public-key-code end command to return to the DSA public key view.
      5. Run the peer-public-key end command to return to the system view.
      6. Run the ssh user user-name assign dsa-key key-name command to bind a DSA public key to the SFTP account.

    Configure the ECC authentication mode.

    1. Run the ssh user username authentication-type ecc command to set the authentication mode to ECC.
    2. Bind the SFTP account with the ECC public key on the client.

      1. Run the ecc peer-public-key key-name encoding-type { der | pem | openssh } command to access the ECC public key view.
      2. Run the public-key-code begin command to access public key editing view.
      3. Enter the ECC public key of the client through typing or copy and paste.
      4. Run the public-key-code end command to return to the ECC public key view.
      5. Run the peer-public-key end command to return to the system view.
      6. Run the ssh user user-name assign ecc-key key-name command to bind an ECC public key to the SFTP account.

    Configure the all authentication mode.

    In all authentication mode the server accepts either method: the client is authenticated if either its public key matches the key bound to the SSH user or its password matches the AAA account. The account is therefore only as strong as the weaker of the two factors, so the password must still be a strong one.

    NOTE:

    The user priority rules for all authentication mode are given under Context: the AAA level applies when the client authenticates with the password, and the VTY UI level applies when it authenticates with an RSA/DSA/ECC key. If an AAA user with the same name as the SSH user exists, the two priorities may differ; set the parameters as needed.

    Configure the password-rsa authentication mode.

    Password-RSA authentication requires both password authentication and RSA authentication to succeed, so configure both the password in the AAA view and the RSA public key binding described above.

    Configure the password-dsa authentication mode.

    Password-DSA authentication requires both password authentication and DSA authentication to succeed, so configure both the password in the AAA view and the DSA public key binding described above.

    Configure the password-ecc authentication mode.

    Password-ECC authentication requires both password authentication and ECC authentication to succeed, so configure both the password in the AAA view and the ECC public key binding described above.

  8. Optional: Configure command-specific authorization for an SSH user.

    Run the ssh user user-name authorization-cmd aaa command to configure command-specific authorization for a specific SSH user.

    After configuring command-specific authorization for the SSH user, you need to configure AAA authorization. Otherwise, command-specific authorization does not take effect for the SSH user.

  9. Set the service type to SFTP for the SSH account.

    ssh user username service-type sftp

  10. Configure an SFTP service authorization directory for the SSH user.

    ssh user username sftp-directory directoryname

  11. Optional: Set other parameters for the SFTP server.

    Set a service port number for the SFTP server.

    ssh server port port-number

    NOTE:

    The port-number value ranges from 1025 to 55535.

    By default, the FW serving as the SFTP server uses port 22.

    Set the timeout duration of SFTP authentication.

    ssh server timeout seconds

    Set the number of SFTP authentication attempts.

    ssh server authentication-retries times

    Set the interval for updating SFTP server key pairs.

    ssh server rekey-interval interval

    Enable compatibility with SSH 1.x clients. Leave this disabled unless a legacy client requires it: SSH protocol version 1 has known design weaknesses (its CRC-32 integrity check permits packet insertion attacks), and current OpenSSH no longer implements it.

    ssh server compatible-ssh1x enable

    Specify a source interface.

    ssh server-source -i loopback interface-number

    Configure an ACL for the SSH server.
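The whole procedure as one worked configuration, added here as an example and not taken from the product documentation: an SFTP administrator authenticated by an ECC public key only, listening on a non-default port, with SSH 1.x compatibility explicitly turned off. The user name sftpadmin, the key name sftpadmin-key, port 2222, the directory path hda1:/sftp/sftpadmin and the client-side command at the end are assumptions for illustration; the directory must already exist on the device, and the placeholder must be replaced with the client's real ecdsa public key. Lines beginning with # are explanatory comments, not CLI input.

```text
# Added example: FW as an SFTP server, ECC public-key authentication only.
# User name, key name, port and directory are illustrative assumptions.
system-view
 sftp server enable

# VTY user interfaces: SSH only, AAA authentication, level 3 so administrators can log in
 user-interface vty 0 4
  authentication-mode aaa
  protocol inbound ssh
  user privilege level 3
  quit

# AAA administrator account. No password is set because the SSH user will
# authenticate with its ECC key only (authentication-type ecc below).
 aaa
  manager-user sftpadmin
   level 3
   service-type ssh
   quit
  quit

# Server host key pair: ECC, default 521-bit length. Then display the public key
# so clients can verify the host key fingerprint on first connection.
 ecc local-key-pair create
 display ecc local-key-pair public

# Client public key in OpenSSH format ("ecdsa-sha2-nistp384 AAAA..." on one line)
 ecc peer-public-key sftpadmin-key encoding-type openssh
  public-key-code begin
   <paste the client's ecdsa public key here>
  public-key-code end
  peer-public-key end

# SSH user bound to that key, limited to the SFTP service and to one directory
 ssh user sftpadmin
 ssh user sftpadmin authentication-type ecc
 ssh user sftpadmin assign ecc-key sftpadmin-key
 ssh user sftpadmin service-type sftp
 ssh user sftpadmin sftp-directory hda1:/sftp/sftpadmin

# Server hardening: non-default port, 60 s authentication window, 3 retries,
# rekey every hour, and no SSH 1.x compatibility
 ssh server port 2222
 ssh server timeout 60
 ssh server authentication-retries 3
 ssh server rekey-interval 1
 undo ssh server compatible-ssh1x enable

# Check from the client (assumed path to the key and FW address):
#   sftp -P 2222 -i ~/.ssh/id_ecdsa sftpadmin@<fw-address>
```

Because the SSH user is set to authentication-type ecc rather than all, a guessed or leaked AAA password gives no access to this account; if you later switch it to all, the password becomes a second, independent way in and has to be treated accordingly.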

Copyright © Huawei Technologies Co., Ltd.