
Configuring the FW as an SFTP Client

This section describes how to configure the FW as an SFTP client and how to log in to the SFTP server.

Procedure

  1. Access the system view.

    system-view

  2. Enable first-time authentication or bind the RSA, DSA, or ECC public key to the SFTP server. First-time authentication is recommended.

    When communicating with an SFTP server, the FW (SFTP client) needs to compare the public key sent by the server with the locally stored public key to check whether it is communicating with the correct server.

    If the server public key was not obtained in advance and does not exist on the FW, enable first-time authentication on the FW to ensure that the FW can log in to the server.

    If you have obtained the server public key in advance, you can copy the public key to the FW and bind the server to this public key. This method also ensures that the FW can log in to the server, but binding the server to the public key is complex. Therefore, first-time authentication is recommended.

    Enable first-time authentication.

    ssh client first-time enable

    Bind the SFTP server to an RSA public key.

    1. Access the public key view.

      rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ]

    2. Access the public key editing view.

      public-key-code begin

    3. Enter the RSA public key through typing or copy and paste.

    4. Return to the public key view.

      public-key-code end

    5. Return to the system view.

      peer-public-key end

    6. Bind the SFTP server to the RSA public key.

      ssh client servername assign rsa-key keyname

      NOTE:

      If the binding between the SFTP server and the RSA public key becomes invalid, run the undo ssh client servername assign rsa-key command to cancel the binding and bind the SFTP server to a new RSA public key.

    Bind the SFTP server to a DSA public key.

    1. Access the public key view.

      dsa peer-public-key key-name [ encoding-type { der | pem | openssh } ]

    2. Access the public key editing view.

      public-key-code begin

    3. Enter the DSA public key through typing or copy and paste.

    4. Return to the public key view.

      public-key-code end

    5. Return to the system view.

      peer-public-key end

    6. Bind the SFTP server to the DSA public key.

      ssh client servername assign dsa-key keyname

      NOTE:

      If the binding between the SFTP server and the DSA public key becomes invalid, run the undo ssh client servername assign dsa-key command to cancel the binding and bind the SFTP server to a new DSA public key.

    Bind the SFTP server to an ECC public key.

    1. Access the public key view.

      ecc peer-public-key key-name [ encoding-type { der | pem | openssh } ]

    2. Access the public key editing view.

      public-key-code begin

    3. Enter the ECC public key through typing or copy and paste.

    4. Return to the public key view.

      public-key-code end

    5. Return to the system view.

      peer-public-key end

    6. Bind the SFTP server to the ECC public key.

      ssh client servername assign ecc-key keyname

      NOTE:

      If the binding between the SFTP server and the ECC public key becomes invalid, run the undo ssh client servername assign ecc-key command to cancel the binding and bind the SFTP server to a new ECC public key.

  3. Optional: If the SFTP server uses RSA, DSA, or ECC authentication, bind the SFTP account of the FW to the corresponding public key on the server as follows:
    1. Generate the corresponding key pair on the FW based on the server authentication mode and obtain the public key.

      The public key information to copy is the field below the sysname_Host field in the display rsa local-key-pair public command output (or the corresponding dsa or ecc display command): Key code, Host public key for PEM format code, or Public key code for pasting into OpenSSH authorized_keys file, depending on the coding format the server expects.

      RSA authentication

      1. Run the rsa local-key-pair create command to generate an RSA key pair on the FW.
      2. Run the display rsa local-key-pair public command to view public key information of the generated RSA key pair.

      DSA authentication

      1. Run the dsa local-key-pair create command to generate a DSA key pair on the FW.
      2. Run the display dsa local-key-pair public command to view public key information of the generated DSA key pair.

      ECC authentication

      1. Run the ecc local-key-pair create command to generate an ECC key pair on the FW.
      2. Run the display ecc local-key-pair public command to view public key information of the generated ECC key pair.

    2. Copy the public key information of the host key pair to the server, and bind the SFTP account on the FW to this public key. For details, refer to the SFTP server operation guide.
  4. Log in to the SFTP server.

    sftp [ -a source-address | -i interface-type interface-number ] host-ipv4 [ port ] [ [ public-net | -vpn-instance vpn-instance-name ] | prefer_kex { dh_group1 | dh_exchange_group | dh_group14_sha1 } | prefer_ctos_cipher prefer_ctos_cipher | prefer_stoc_cipher prefer_stoc_cipher | prefer_ctos_hmac prefer_ctos_hmac | prefer_stoc_hmac prefer_stoc_hmac | -ki aliveinterval | -kc alivecountmax | identity-key { dsa | rsa | ecc } | user-identity-key { rsa | dsa | ecc } ] *

    If first-time authentication is enabled and the FW does not store the server public key, you need to determine whether to trust the server and whether to save the server public key upon first login. Select Y when prompted.
    [sysname] sftp 10.2.2.1
    Please input the username:sysname
    Trying 10.2.2.1 ...
    Press CTRL+K to abort
    Connected to 10.2.2.1 ...
    The server is not authenticated. Continue to access it? [Y/N] :Y
    Save the server's public key? [Y/N] :Y
    The server's public key will be saved with the name 10.2.2.1. Please wait ...

    To improve file transfer security, use AES128 preferentially as the encryption algorithm. DES and 3DES are not recommended. Use SHA1 or SHA1-96 preferentially as the HMAC algorithm. MD5 and MD5-96 are not recommended.
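Added example (not Huawei code, and not how the FW itself implements the check): a Python model of the host-key decision behind step 2 and the first-login prompt in step 4, assuming the server key is handled in the OpenSSH single-line format that encoding-type openssh refers to; the demo key is constructed, not real.

```python
# Added example (not Huawei code): a model of the host-key decision the FW makes,
# built on the OpenSSH public-key line format that encoding-type openssh refers to.
import base64
import hashlib
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(n: int) -> bytes:
    """RFC 4251 'mpint': big-endian, with a leading 0x00 when the high bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def encode_openssh_rsa(e: int, n: int) -> str:
    """Single-line 'ssh-rsa <base64>' form, as used in authorized_keys files."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def parse_openssh_key(line: str) -> tuple:
    """Return (key type, wire blob); the type inside the blob must match the prefix."""
    ktype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != ktype.encode():
        raise ValueError("key type prefix does not match the encoded key")
    return ktype, blob

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: the value to compare with one obtained out of band."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def check_server_key(server: str, presented: str, bound: dict, first_time: bool) -> str:
    """Mirror the page's logic: a bound key is compared byte for byte; with no bound key,
    first-time authentication saves the presented key under the server name; otherwise
    the login fails. 'bound' stands in for the FW's stored peer public keys (assumption)."""
    _, blob = parse_openssh_key(presented)
    if server in bound:
        return "accept-bound" if parse_openssh_key(bound[server])[1] == blob else "reject-mismatch"
    if first_time:
        bound[server] = presented
        return "accept-first-time"
    return "reject-unknown"

# Constructed demo key (not a real key: n is an arbitrary odd number, not a product of primes).
DEMO_N = int("c0ffee" * 20, 16) | 1
DEMO_KEY = encode_openssh_rsa(65537, DEMO_N)
```

The point of the model is the first-time branch: whatever key arrives on first contact is saved and trusted afterwards, so comparing its fingerprint with one obtained from the server administrator before answering Y closes that gap.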

Copyright © Huawei Technologies Co., Ltd.