
CLI: Example for Configuring the FW as an SFTP Server (RSA Authentication)

This section describes how to configure the FW as an SFTP server and how to download files from the FW through SFTP on a PC.

Networking Requirements

As shown in Figure 1, a PC is used to log in to the FW and download files from the FW through SFTP.

Figure 1 Networking diagram for logging in to the FW through SFTP (RSA authentication)

Data Planning

Item

Data

FW

SFTP administrator account: sftpadmin_a

Authentication type: RSA

Bound client public key: key_pc

Service type: SFTP

Administrator PC

SSH client software: PuTTY (on a Windows 7 PC). The PuTTY package contains the PuTTY client for the STelnet service, the SFTP client PSFTP, and the key generation tool PuTTYgen.

Name of the public key in the local RSA key pair: public

Name of the private key in the local RSA key pair: private

SSH connection: ssh-rsa

Procedure

  1. Generate an RSA key pair on the PC.
    1. Install the PuTTY software. Details are omitted.
    2. Use the PuTTYgen tool to generate a local RSA key pair (the following uses PuTTYgen 0.60 as an example).

      1. Double-click PuTTYgen.exe. The interface shown in Figure 2 is displayed. In Parameters, set Type of key to generate to SSH-2 RSA and set Number of bits in a generated key to 2048 or more (older PuTTYgen releases default to a shorter key; the host key the FW generates in this example is 2048-bit). Click Generate. The PC starts to generate a local RSA key pair.
        Figure 2 Selecting the SSH version for generating the local RSA key pair

      2. Figure 3 shows the interface for generating a local RSA key pair. Keep moving the mouse over the blank area of the window (not over the green progress bar) while the key pair is being generated. PuTTYgen collects randomness from the mouse movement, so the progress bar stops when the mouse stops.
        Figure 3 Generating a local RSA key pair

      3. Figure 4 shows the generated local RSA key pair. Save it in the format required by the FW:
        • OpenSSH: Copy the content of the Key text box (labelled Public key for pasting into OpenSSH authorized_keys file). This is the single line beginning with ssh-rsa that is later pasted into the FW in the rsa peer-public-key view with encoding-type openssh.
        • PEM: Click Save public key, enter public for the name of the public key file, and click Save. Click Save private key, enter private for the name of the private key file, and click Save. The private key is stored as private.ppk and is loaded into PuTTY later.

        To protect the private key, enter a passphrase in the Key passphrase text box and enter it again in the Confirm passphrase text box before saving. PSFTP prompts for this passphrase when the key is used to log in.

        Figure 4 Saving a local RSA key pair

  2. Configure the FW.
    1. Set an IP address for interface GigabitEthernet 0/0/3 and assign the interface to a security zone.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] ip address 10.3.0.1 24
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage ssh permit
      [FW-GigabitEthernet0/0/3] quit
      [FW] firewall zone trust
      [FW-zone-trust] add interface GigabitEthernet 0/0/3
      [FW-zone-trust] quit

    2. Configure a security policy for the Local-Trust interzone to permit the SSH service.

      [FW] security-policy
      [FW-policy-security] rule name policy_sftp
      [FW-policy-security-rule-policy_sftp] service ssh
      [FW-policy-security-rule-policy_sftp] source-zone trust
      [FW-policy-security-rule-policy_sftp] destination-zone local
      [FW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
      [FW-policy-security-rule-policy_sftp] action permit
      [FW-policy-security-rule-policy_sftp] quit
      [FW-policy-security] quit

    3. Enable the SFTP service.

      [FW] sftp server enable

    4. Generate a local key pair.

      [FW] rsa local-key-pair create
      The key name will be: FW_Host    
      
      The range of public key size is (2048 ~ 2048). 
      NOTES: If the key modulus is greater than 512, 
              it will take a few minutes.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      .+++++
      ........................++
      ....++++
      ...........++

    5. Save the RSA public key of the intranet PC on the FW. In this example, the public key is entered in the OpenSSH encoding format: the line between public-key-code begin and public-key-code end is the ssh-rsa line copied from PuTTYgen's Key text box.

      [FW] rsa peer-public-key key_pc encoding-type openssh
      Enter "RSA public key" view, return system view with "peer-public-key end". 
      [FW-rsa-public-key] public-key-code begin
      Enter "RSA key code" view, return last view with "public-key-code end". 
      [FW-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key-20140515
      [FW-rsa-key-code] public-key-code end
      [FW-rsa-public-key] peer-public-key end

    6. Configure the VTY user interface. protocol inbound all also accepts Telnet on these VTYs; if only SSH is required, configure protocol inbound ssh instead.

      [FW] user-interface vty 0 4
      [FW-ui-vty0-4] authentication-mode aaa
      [FW-ui-vty0-4] user privilege level 3
      [FW-ui-vty0-4] protocol inbound all
      [FW-ui-vty0-4] quit

    7. Create an SFTP administrator account and specify an authentication mode and a service type.

      # Create SFTP administrator account sftpadmin_a with level 3 and service type SSH. The RSA authentication mode, the SFTP service type, and the service directory hda1: are set for this account in the following steps.

      [FW] aaa
      [FW-aaa] manager-user sftpadmin_a
      [FW-aaa-manager-user-sftpadmin_a] level 3
      [FW-aaa-manager-user-sftpadmin_a] service-type ssh
      [FW-aaa-manager-user-sftpadmin_a] quit
      [FW-aaa] quit

    8. Set the authentication mode to RSA.

      [FW] ssh user sftpadmin_a authentication-type rsa

    9. Bind an RSA public key to the SFTP account.

      [FW] ssh user sftpadmin_a assign rsa-key key_pc

    10. Configure command authorization through AAA for the SSH user.

      [FW] ssh user sftpadmin_a authorization-cmd aaa

    11. Set the service type to SFTP for the SSH account.

      [FW] ssh user sftpadmin_a service-type sftp

    12. Configure an SFTP service authorization directory for the SSH user. The account can only operate within this directory. hda1: is the root of the FW's storage, so it exposes every file there, including saved configuration files; specify a narrower directory if the account only needs particular files.

      [FW] ssh user sftpadmin_a sftp-directory hda1:

  3. Configure the administrator PC.
    1. Set the IP address and subnet mask of the administrator PC to 10.3.1.100/255.255.255.0. This address falls within the source-address 10.3.1.0 24 permitted by policy_sftp; it is not on the subnet of GigabitEthernet 0/0/3 (10.3.0.0/24), so the PC must be able to reach 10.3.0.1 through the network shown in Figure 1.
    2. Install the PuTTY software. Details are omitted.
    3. Use PuTTY to log in to the FW through SFTP (the following uses PuTTY 0.60 as an example).

      1. Double-click PuTTY.exe. The interface shown in Figure 5 is displayed. Enter the IP address of the SSH server (10.3.0.1) in the Host Name (or IP address) text box.
        Figure 5 Entering the IP address of the SSH server

      2. Choose Connection > SSH in the left Category navigation tree. The interface shown in Figure 6 is displayed. In the Protocol options area, set Preferred SSH protocol version to 2.
        Figure 6 Setting the SSH protocol version

      3. Choose Connection > SSH > Auth. The dialog box shown in Figure 7 is displayed. Click Browse and select the saved private key file private.ppk.
        Figure 7 Importing the private key in the RSA key pair

      4. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save the SSH session, as shown in Figure 8.
        Figure 8 Saving the SSH session

      5. Double-click PSFTP.exe, enter open ssh-rsa and press Enter (ssh-rsa is the name of the saved PuTTY session). On the first connection PSFTP shows the FW's host key fingerprint and asks whether to trust it; accept it only after checking it against the host key generated on the FW in step 4 of Configure the FW. Enter the SFTP administrator account sftpadmin_a and press Enter, then enter the key passphrase if one was set. The file directory of the FW (hda1:) is displayed, as shown in Figure 9.
        Figure 9 SFTP login page

  4. Download files from the FW.

    At the psftp> prompt, run dir to list the files in the authorized directory hda1: and get <filename> to download a file to the PC, as shown in Figure 10.

    Figure 10 Downloading files from the FW
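The ssh-rsa line that PuTTYgen shows in its Key text box, and that step 5 of Configure the FW pastes between public-key-code begin and public-key-code end, is a base64 SSH wire blob (key type, public exponent e, modulus n). The following Python script is an added example, not code from the Huawei page or from PuTTY: it parses that line, reports modulus size, exponent and fingerprints, refuses keys below an assumed policy minimum (MIN_MODULUS_BITS, this example's own name), converts the file written by PuTTYgen's Save public key (the format the page labels PEM) into the one-line OpenSSH form, and renders the FW commands from step 5. PAGE_KEY is the key from the page; PAGE_KEY_RFC4716 is constructed from it for the conversion test. Run on the page's key, it reports a 1023-bit modulus with e=37, so that key would not pass a 2048-bit minimum; the FW's own host key is 2048-bit and a client key should be regenerated in PuTTYgen with Number of bits in a generated key set to 2048 or more.

```python
"""Check an RSA public key before binding it on the FW with 'ssh user ... assign rsa-key'.
Added example, not part of the Huawei page. PAGE_KEY is the key from the page; MIN_MODULUS_BITS,
the function names and the RFC 4716 sample are this example's own assumptions."""
import base64
import hashlib
import struct

# Public key from the page's step "Save the RSA public key of the intranet PC".
PAGE_KEY = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltIdI"
    "9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGboU8"
    "8cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key-20140515"
)
MIN_MODULUS_BITS = 2048  # assumed policy minimum; the FW host key in the example is 2048-bit

# Constructed: the same key laid out as PuTTYgen's "Save public key" writes it (RFC 4716):
# BEGIN/END lines, a Comment header, and the base64 wrapped at 64 columns.
_B64 = PAGE_KEY.split()[1]
PAGE_KEY_RFC4716 = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----", 'Comment: "rsa-key-20140515"']
    + [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
    + ["---- END SSH2 PUBLIC KEY ----"]
)


def _read_string(blob, offset):
    """Read one RFC 4251 string (uint32 big-endian length, then bytes) from blob."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_openssh_rsa(line):
    """Parse 'ssh-rsa <base64> [comment]' into exponent, modulus size, comment and fingerprints."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match the line" % key_type)
    e_bytes, off = _read_string(blob, off)  # mpint e
    n_bytes, off = _read_string(blob, off)  # mpint n
    if off != len(blob):
        raise ValueError("trailing data after modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "type": "ssh-rsa",
        "e": int.from_bytes(e_bytes, "big"),
        "bits": n.bit_length(),
        "comment": parts[2] if len(parts) == 3 else "",
        # colon-separated MD5 is the form older PuTTYgen displays; SHA256 is what current OpenSSH prints
        "md5": ":".join("%02x" % b for b in hashlib.md5(blob).digest()),
        "sha256": "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("="),
    }


def key_ok(line, min_bits=MIN_MODULUS_BITS):
    """Return (accepted, reason); reject malformed keys, short moduli and bad exponents."""
    try:
        k = parse_openssh_rsa(line)
    except ValueError as exc:
        return False, "unparseable: %s" % exc
    if k["bits"] < min_bits:
        return False, "%d-bit modulus is below the %d-bit minimum" % (k["bits"], min_bits)
    if k["e"] < 3 or k["e"] % 2 == 0:
        return False, "public exponent %d is invalid" % k["e"]
    return True, "%d-bit RSA, e=%d, %s" % (k["bits"], k["e"], k["sha256"])


def rfc4716_to_openssh(text, comment=""):
    """Turn a PuTTYgen 'Save public key' file into the one-line form used with encoding-type openssh."""
    lines = text.strip().splitlines()
    if len(lines) < 3 or "BEGIN SSH2 PUBLIC KEY" not in lines[0] or "END SSH2 PUBLIC KEY" not in lines[-1]:
        raise ValueError("not an RFC 4716 public key")
    body, continued = [], False
    for ln in lines[1:-1]:
        if continued or ":" in ln:  # header line (base64 never contains ':')
            if ln.startswith("Comment:") and not comment:
                comment = ln.split(":", 1)[1].strip().strip('"')
            continued = ln.endswith("\\")  # RFC 4716 headers continue after a trailing backslash
        else:
            body.append(ln.strip())
    b64 = "".join(body)
    key_type, _ = _read_string(base64.b64decode(b64, validate=True), 0)
    return ("%s %s %s" % (key_type.decode(), b64, comment)).strip()


def fw_paste_block(line, name="key_pc"):
    """Render the FW commands that install the key, as in the page's step 5."""
    parse_openssh_rsa(line)  # refuse to emit commands for a malformed key
    return "\n".join([
        "rsa peer-public-key %s encoding-type openssh" % name,
        " public-key-code begin",
        "  " + line.strip(),
        " public-key-code end",
        "peer-public-key end",
    ])


if __name__ == "__main__":
    info = parse_openssh_rsa(PAGE_KEY)
    print("%s %d bits, e=%d, comment=%s" % (info["type"], info["bits"], info["e"], info["comment"]))
    print("MD5", info["md5"], "/", info["sha256"])
    print("accepted:", key_ok(PAGE_KEY))
    print(fw_paste_block(rfc4716_to_openssh(PAGE_KEY_RFC4716)))
```

The check reads only public material, so it can run on the administrator PC before the key is carried to the FW; the fingerprint it prints should match what PuTTYgen displays for the generated key, which guards against pasting the wrong key or a line damaged in transit.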

Configuration Scripts

#                                                                               
 sysname FW
#                                                                               
rsa peer-public-key key_pc encoding-type openssh
 public-key-code begin
  ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key
 public-key-code end
peer-public-key end
#                                                                               
aaa
 manager-user sftpadmin_a                                                       
  service-type ssh                                                              
  level 3                                                                       
#                                                                               
interface GigabitEthernet0/0/3                
 ip address 10.3.0.1 255.255.255.0 
 service-manage enable
 service-manage ssh permit 
#                                                                               
firewall zone trust                                                             
 set priority 85                                                                
 add interface GigabitEthernet0/0/3
#
sftp server enable                                                              
ssh user sftpadmin_a                                                            
ssh user sftpadmin_a authentication-type rsa                     
ssh user sftpadmin_a assign rsa-key key_pc
ssh user sftpadmin_a service-type sftp                                          
ssh user sftpadmin_a sftp-directory hda1:                                       
ssh user sftpadmin_a authorization-cmd aaa
#
user-interface vty 0 4                                                          
 authentication-mode aaa                                                        
 user privilege level 3                                                        
 protocol inbound all 
#                                                                               
security-policy                                                                 
 rule name policy_sftp                                                          
  source-zone trust                                                               
  destination-zone local
  service ssh                
  source-address 10.3.1.0 24                                                    
  action permit                 
Copyright © Huawei Technologies Co., Ltd.