
CLI: Example for Logging in to the CLI Using STelnet (Password Authentication)

This section provides an example of configuring the administrator PC as the STelnet client and the FW as the STelnet server, and of using STelnet to log in to the VTY administrator interface of the FW after password authentication.

Networking Requirements

As shown in Figure 1, the FW is managed by an administrator. The administrator wants to use STelnet to log in to the VTY administrator interface of the FW after password authentication, and then manage and maintain the FW.

Figure 1 Networking diagram of using STelnet to log in to the CLI (password authentication)

Data Planning

Item              Data
----------------  --------------------------------------------------------------
FW                SSH account: sshadmin
                  Authentication mode: Password
                  Password: Mydevice@123
                  Service type: STelnet
Administrator PC  SSH client software: PuTTY (Windows XP operating system). The PuTTY software includes the PuTTY client for the STelnet service and the SFTP client PSFTP.

Configuration Roadmap

  1. Configure FW as the SSH server.
    • Enable the SSH service on the interface.
    • Configure the VTY administrator interface.
    • Create an SSH administrator account and specify the authentication type and service type.
    • Generate a local key pair.
    • Enable the STelnet service.
    • Configure the SSH service parameters.
  2. Configure the administrator PC as the SSH client.
    • Set an IP address for the administrator PC.
    • Install the PuTTY software.
    • Use PuTTY to log in to the FW through SSH.

The prerequisite is that the IP addresses of the interface and administrator PC, the security zone, the route, and the security policies have already been configured. The following example covers only the administrator-related configuration.

Procedure

  1. Configure the FW.
    1. Enable the SSH service on interface GigabitEthernet 0/0/3.

      <FW> system-view
      [FW] interface GigabitEthernet 0/0/3
      [FW-GigabitEthernet0/0/3] service-manage enable
      [FW-GigabitEthernet0/0/3] service-manage ssh permit
      [FW-GigabitEthernet0/0/3] quit

    2. Configure VTY administrator interfaces that support AAA.

      [FW] user-interface vty 0 4
      [FW-ui-vty0-4] authentication-mode aaa
      [FW-ui-vty0-4] protocol inbound ssh
      [FW-ui-vty0-4] user privilege level 3
      [FW-ui-vty0-4] quit

    3. Create the SSH administrator account sshadmin and set the authentication type and service type to Password and STelnet. In this example, local authentication is used.

      If server authentication is used, configure an authentication scheme and a server template, and bind the authentication scheme and server template in the administrator view. For details, see the configuration steps in CLI: Example for Logging in to the CLI Using the Telnet (RADIUS Server Authentication) and CLI: Example for Logging in to the CLI Using the Telnet (HWTACACS Server Authentication).

      [FW] aaa
      [FW-aaa] manager-user sshadmin
      [FW-aaa-manager-user-sshadmin] password
      Enter Password: 
      Confirm Password:   
      [FW-aaa-manager-user-sshadmin] service-type ssh
      [FW-aaa-manager-user-sshadmin] quit
      [FW-aaa] bind manager-user sshadmin role system-admin
      [FW-aaa] quit
      [FW] ssh authentication-type default password

      For an SSH administrator using password authentication, the administrator level is determined as follows. If local authentication is used, the level of the SSH administrator depends on the locally configured administrator level (the bind manager-user manager-name role role-name command binds the administrator account to a role, or the level level command configures the permission level of the administrator account). If server authentication is used, the level of the SSH administrator depends on the authorization level returned by the server. If the server does not return an authorization level, the level of the SSH administrator depends on the VTY interface level (the user privilege level level command configures the administrator interface level).

      To ensure that the administrator can log in to the device, you are advised to set the administrator level to 3 or higher.

    4. Generate a local key pair.

      [FW] rsa local-key-pair create
      The key name will be: FW_Host
      The range of public key size is (2048 ~ 2048). 
      NOTES: If the key modulus is greater than 512, 
              it will take a few minutes.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      .+++++
      ........................++
      ....++++
      ...........++

    5. Enable the STelnet service.

      [FW] stelnet server enable

    6. Configure the administrator as an STelnet administrator.

      [FW] ssh user sshadmin
      [FW] ssh user sshadmin authentication-type password
      [FW] ssh user sshadmin service-type stelnet

    7. Optional: Set the SSH server parameters.

      # Set the listening port of the SSH server to 22, the authentication timeout period to 80 seconds, the number of authentication retries to 4, and the key pair update interval to 1 hour, and enable the backward compatibility function.

      If the default SSH port number 22 is changed, the service-manage function does not take effect for the protocol. You need to configure a security policy to allow the protocol to access the device.

      [FW] ssh server port 1025
      [FW] ssh server timeout 80
      [FW] ssh server authentication-retries 4
      [FW] ssh server rekey-interval 1
      [FW] ssh server compatible-ssh1x enable

  2. Configure the administrator PC as the SSH client.
    1. Set the IP address and subnet mask of the administrator PC to 10.2.0.100 and 255.255.255.0.
    2. Install the PuTTY software. Details are omitted.
    3. Use the PuTTY software to log in to the FW through STelnet. (The following example uses PuTTY 0.60.)

      1. Double-click PuTTY.exe. The interface shown in Figure 2 is displayed. Enter the IP address of the SSH server in the Host Name (or IP address) text box.
        Figure 2 Entering the IP address of the SSH server
      2. Choose Connection > SSH in the left Category tree. The interface shown in Figure 3 is displayed. In Protocol options, set Preferred SSH protocol version to 2 and click Open.
        Figure 3 Setting SSH protocol version
      3. The dialog box shown in Figure 4 is displayed upon the first login. Click Yes.
        Figure 4 PuTTY security alert
      4. In the login page that is displayed, enter the SSH administrator account sshadmin and press Enter. Then enter the password Mydevice@123 and press Enter again. You are now logged in to the FW.

Configuration Scripts

#
interface GigabitEthernet0/0/3
 ip address 10.3.0.1 255.255.255.0
 service-manage enable
 service-manage ssh permit
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
#
manager-user sshadmin
 password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
 service-type ssh
 level 15
bind manager-user sshadmin role system-admin
#
stelnet server enable
ssh user sshadmin
ssh user sshadmin authentication-type password
ssh user sshadmin service-type stelnet
ssh server port 22
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
return
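As an added example (not part of this Huawei documentation), the following Python audit parses a configuration script in the format shown above and reports on the settings this example depends on: AAA and an SSH-only inbound protocol on the VTY interfaces, a manager-user account with service-type ssh behind each password-authenticated SSH user, the port caveat from step 7 (service-manage only applies on port 22), and SSH1 backward compatibility, which the PuTTY step sidesteps by preferring SSH version 2. The sample configuration is constructed from the script above, with the cipher-text password replaced by a placeholder.

```python
import re

# Constructed sample: the SSH-related lines of the configuration script above,
# with the cipher-text password replaced by a placeholder.
SAMPLE_CONFIG = """\
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
manager-user sshadmin
 password cipher <CIPHERTEXT-PLACEHOLDER>
 service-type ssh
#
stelnet server enable
ssh user sshadmin authentication-type password
ssh server port 22
ssh server compatible-ssh1x enable
"""

def parse_config(text):
    """Map each unindented command to the indented lines beneath it ('#' ends a block)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line in ("#", "return"):
            current = None                      # block delimiter: close the open block
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        elif not line.startswith(" "):
            current, sections[line] = line, []  # new block header (or one-line command)
    return sections

def audit(sections):
    """Return findings on the STelnet login settings this example configures."""
    findings = []
    for name, body in sections.items():
        if name.startswith("user-interface vty"):
            for required in ("authentication-mode aaa", "protocol inbound ssh"):
                if required not in body:
                    findings.append(f"{name}: missing '{required}'")
        port = re.match(r"ssh server port (\d+)$", name)
        if port and port[1] != "22":   # step 7 caveat: service-manage no longer applies
            findings.append(f"port {port[1]}: service-manage does not apply, a security policy must permit SSH")
        user = re.match(r"ssh user (\S+) authentication-type password$", name)
        if user and "service-type ssh" not in sections.get(f"manager-user {user[1]}", []):
            findings.append(f"{user[1]}: no manager-user account with service-type ssh")
    if "ssh server compatible-ssh1x enable" in sections:
        findings.append("SSH1 compatibility enabled; clients should use SSH-2 only")
    return findings
```

Run against a device's displayed configuration, the function returns an empty list only when every checked setting matches this example with SSH1 compatibility left disabled.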
Copyright © Huawei Technologies Co., Ltd.