Raw notes on Telnet and SSH
Remote login configuration for H3C switches and routers, covering both the Telnet and the SSH protocol
I. Basic environment preparation
1. Configure the management VLAN and IP address
system-view
vlan 100 # create the management VLAN (VLAN 100 in this example)
interface Vlan-interface 100 # enter the VLAN interface view
ip address 192.168.1.1 255.255.255.0 # configure the management IP
quit
2. Make sure the physical interface belongs to the management VLAN
interface GigabitEthernet1/0/1 # enter the port that connects to the management host
port link-type access # set the port to access mode
port access vlan 100 # place the port in VLAN 100
quit
II. Telnet configuration
1. Enable the Telnet service
telnet server enable # enable the Telnet service globally (Telnet carries the credentials and the whole session in cleartext; use it only in a lab or on an isolated management network)
2. Configure user authentication (AAA/scheme authentication recommended)
local-user admin # create the user (e.g. admin); on Comware V7 the form is: local-user admin class manage
password simple Admin@123 # enter the password in plaintext; Comware V5 stores it as typed, so use "password cipher" there; Comware V7 stores a hash either way (shown as "password hash" in the running config)
service-type telnet # allow this user to log in over Telnet
authorization-attribute user-role level-15 # grant the highest privilege level (level-15); prefer a narrower role when the account does not need full control
quit
3. Configure the VTY virtual terminal lines
user-interface vty 0 4 # enter VTY lines 0-4 (five concurrent sessions); on Comware V7 the command is: line vty 0 4
authentication-mode scheme # authenticate through AAA (scheme), i.e. against the local users defined above
protocol inbound telnet # accept only Telnet on these lines (the default, protocol inbound all, accepts both Telnet and SSH)
idle-timeout 10 0 # disconnect idle sessions after 10 minutes 0 seconds
quit
4. Restrict the source IP addresses (optional, but recommended)
acl basic 2000 # create basic ACL 2000
rule permit source 192.168.1.0 0.0.0.255 # allow only the 192.168.1.0/24 subnet
user-interface vty 0 4
acl 2000 inbound # apply the ACL to the VTY lines
quit
III. SSH configuration (more secure)
1. Generate the RSA key pair
public-key local create rsa # generate the RSA host key; when prompted for the modulus length enter at least 2048 rather than accepting a shorter default
2. Enable the SSH service
ssh server enable # enable the SSH service globally
undo ssh server compatible-ssh1x # disable SSHv1 compatibility (Comware V5 syntax; Comware V7 implements SSHv2 only, so this command does not exist there)
3. Configure the SSH user
local-user sshuser # create a dedicated SSH user (e.g. sshuser); on Comware V7: local-user sshuser class manage
password cipher Ssh@123! # cipher stores the password encrypted (Comware V5 syntax; on V7 use password simple or password hash, which the running config shows as password hash)
service-type ssh # allow this user to log in over SSH only
authorization-attribute user-role level-15
quit
4. Configure the VTY lines to accept SSH
user-interface vty 0 4 # on Comware V7: line vty 0 4
authentication-mode scheme
protocol inbound ssh # accept only SSH on these lines; Telnet is refused here even while the Telnet server is still enabled
quit
IV. Hardening recommendations
Disable Telnet (if only SSH is used):
undo telnet server enable
Change the default port (optional; this only reduces scanner noise and is not an access control, the ACL and the authentication are):
ssh server port 2222 # move the SSH server to port 2222
Apply an ACL to restrict the source addresses (see the Telnet section).
Rotate the host key periodically (clients that cached the old key will warn about a changed host key; distribute the new fingerprint beforehand):
public-key local destroy rsa
public-key local create rsa
Log monitoring:
info-center enable # enable the information center (logging); also send logs to a collector with info-center loghost <syslog-server-ip> so that login events survive a reboot
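The hardening list above is easiest to enforce when it is checked mechanically against a saved configuration. The following Python script is an added example, not part of these notes and not an H3C tool: it splits a display current-configuration dump into its "#"-delimited blocks and reports Telnet enabled, VTY lines that still accept Telnet or lack an inbound ACL or scheme authentication, accounts with password simple or service-type telnet, a missing ssh server enable, and SSHv1 compatibility. The two embedded configurations are constructed from the snippets in sections II to IV (the password hash is a placeholder, not a real device hash); both the Comware V5 user-interface vty and the V7 line vty headers are recognised.

```python
"""Audit an H3C Comware 'display current-configuration' dump for the
remote-login weaknesses listed above. Added example; the two sample
configurations are constructed from the snippets in these notes."""
import re
import sys

# Constructed sample: the Telnet-only setup from section II, nothing hardened.
WEAK_CONFIG = """\
#
 telnet server enable
#
line vty 0 4
 authentication-mode scheme
 protocol inbound telnet
#
local-user admin class manage
 password simple Admin@123
 service-type telnet
 authorization-attribute user-role level-15
#
return
"""

# Constructed sample: the SSH-only setup from sections III and IV with the
# source ACL from section II applied (the hash is a placeholder, not real).
HARDENED_CONFIG = """\
#
acl basic 2000
 rule 0 permit source 192.168.1.0 0.0.0.255
#
line vty 0 4
 authentication-mode scheme
 acl 2000 inbound
 protocol inbound ssh
#
 ssh server enable
#
local-user sshuser class manage
 password hash $h$6$placeholder
 service-type ssh
 authorization-attribute user-role network-admin
#
return
"""

VTY_HEADER = re.compile(r"^(line|user-interface) vty\b")  # V7 / V5 syntax
ACL_LINE = re.compile(r"^acl (ipv6 )?\S+ inbound$")


def parse_sections(text):
    """Split a Comware dump into its '#'-delimited blocks. Each block is a
    list of command lines with indentation and trailing '//' notes removed;
    the first line of a block is the view the commands were entered in."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit(text):
    """Return a list of 'CODE: detail' findings; an empty list means clean."""
    sections = parse_sections(text)
    flat = [line for sec in sections for line in sec]
    findings = []
    if "telnet server enable" in flat:
        findings.append("TELNET_ENABLED: run 'undo telnet server enable'")
    if "ssh server enable" not in flat:
        findings.append("SSH_DISABLED: 'ssh server enable' is missing")
    if any(l.startswith("ssh server compatible-ssh1x") and not l.endswith("disable") for l in flat):
        findings.append("SSH1_COMPAT: SSHv1 compatibility is enabled")
    for sec in sections:
        head, body = sec[0], sec[1:]
        if VTY_HEADER.match(head):
            protos = [l for l in body if l.startswith("protocol inbound")]
            # No 'protocol inbound' line means the default 'protocol inbound all'.
            if not protos or any("telnet" in l or l.endswith(" all") for l in protos):
                findings.append(f"VTY_ACCEPTS_TELNET: '{head}' lacks 'protocol inbound ssh'")
            if not any(ACL_LINE.match(l) for l in body):
                findings.append(f"VTY_NO_ACL: '{head}' has no inbound source ACL")
            auth = [l for l in body if l.startswith("authentication-mode")]
            if not auth or auth[-1] != "authentication-mode scheme":
                findings.append(f"VTY_WEAK_AUTH: '{head}' does not use scheme (AAA) authentication")
        elif head.startswith("local-user "):
            name = head.split()[1]
            for l in body:
                if l.startswith("password simple"):  # only V5 keeps this in the dump
                    findings.append(f"PLAINTEXT_PASSWORD: user '{name}' uses 'password simple'")
                if l.startswith("service-type") and "telnet" in l.split():
                    findings.append(f"USER_TELNET: user '{name}' may log in over Telnet")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else WEAK_CONFIG
    for finding in audit(source) or ["no findings"]:
        print(finding)
```

Run it as python audit_h3c.py saved.cfg; with no argument it audits the weak sample. A missing protocol inbound line is treated as the default protocol inbound all, so a block such as line vty 5 63 in the experiment dump further down would be flagged even though the Telnet server there is off: those lines would start accepting Telnet again the moment someone re-enabled it, and they carry no source ACL either.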
V. Verification and testing
Test Telnet login:
telnet 192.168.1.1 # from the client, Telnet to the device's IP (after undo telnet server enable this must be refused)
Test SSH login:
ssh -l sshuser 192.168.1.1 # from the client, connect over SSH as sshuser
Show logged-in users:
display users # list the current login sessions
display ssh server status # check the SSH server state
VI. Save the configuration
save # save the running configuration to the device's flash
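The two login tests above only confirm that a session can be opened. The following Python script is an added example, not from these notes: run from the management host, it checks that tcp/23 is refused once Telnet is disabled and that tcp/22 answers with an SSH-2.0 identification string rather than SSH-1.99, which is what a server advertises when SSHv1 compatibility is still on (RFC 4253 section 4.2). The device address 192.168.1.1 is taken from the notes as an assumption, and the banner strings in the comments are constructed, not captured from a device.

```python
"""Client-side verification of the remote-login hardening: Telnet must be
refused and SSH must identify itself as SSH-2.0 only.
Added example; the host and the sample banners are constructed."""
import socket
import sys

DEVICE = "192.168.1.1"  # assumed management IP from the notes above


def parse_ssh_banner(data: bytes):
    """Find the SSH identification line in the bytes a server sent first.
    RFC 4253 allows other lines before it; the identification line is
    'SSH-protoversion-softwareversion[ SP comments]'. Returns
    (protoversion, softwareversion) or None if no SSH line is present.
    Example (constructed): b'SSH-2.0-Comware-7.1.049\\r\\n' -> ('2.0', 'Comware-7.1.049')."""
    for raw in data.replace(b"\r\n", b"\n").split(b"\n"):
        if raw.startswith(b"SSH-"):
            parts = raw[4:].split(b"-", 1)
            if len(parts) != 2:
                return None
            proto = parts[0].decode("ascii", "replace")
            software = parts[1].split(b" ", 1)[0].decode("ascii", "replace")
            return proto, software
    return None


def classify_banner(data: bytes) -> str:
    """'ssh2-only' is the expected result after hardening; 'ssh1-compat'
    (SSH-1.99) means the server still negotiates SSHv1 with old clients;
    'ssh1' is an SSHv1-only server; 'not-ssh' means something else answered."""
    parsed = parse_ssh_banner(data)
    if parsed is None:
        return "not-ssh"
    proto = parsed[0]
    if proto == "2.0":
        return "ssh2-only"
    if proto == "1.99":
        return "ssh1-compat"
    return "ssh1"


def port_refused(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if nothing accepts a TCP connection on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:  # connection refused, timeout, or host unreachable
        return True


def read_banner(host: str, port: int = 22, timeout: float = 3.0) -> bytes:
    """Open a TCP connection and return whatever the server sends first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        return sock.recv(512)


def check_device(host: str) -> dict:
    """Run both checks and return a small report; 'ok' is the overall verdict."""
    report = {"telnet_refused": port_refused(host, 23)}
    try:
        report["ssh"] = classify_banner(read_banner(host, 22))
    except OSError as exc:
        report["ssh"] = f"unreachable ({exc})"
    report["ok"] = report["telnet_refused"] and report["ssh"] == "ssh2-only"
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEVICE
    for key, value in check_device(target).items():
        print(f"{key}: {value}")
```

If the port was moved with ssh server port 2222, pass that port to read_banner; the verdict logic stays the same. A result of ssh1-compat on a Comware V5 device is the cue to run undo ssh server compatible-ssh1x and check again.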
---------------------- My experiment
[H3C-MSR3620]dis cur
#
version 7.1.049, Release 0106P21
#
sysname H3C-MSR3620
#
password-recovery enable
#
vlan 1
#
controller Cellular0/0
#
controller Cellular0/1
#
interface Aux0
#
interface NULL0
#
interface GigabitEthernet0/0
port link-mode route
combo enable copper
#
interface GigabitEthernet0/1
port link-mode route
#
interface GigabitEthernet0/2 // the interface whose IP is used to reach this device
port link-mode route
ip address 192.168.2.254 255.255.255.0
#
scheduler logfile size 16
#
line class aux
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line aux 0
user-role network-admin
#
line vty 0 4 // five virtual terminal lines
authentication-mode scheme
user-role network-operator // present by default
protocol inbound ssh // restrict these five lines to SSH. The service-type on the user also limits that account to SSH, but keep this line: it makes the line itself refuse Telnet regardless of which users exist
#
line vty 5 63
user-role network-operator
#
ssh server enable // enable the SSH service
#
domain system
#
aaa session-limit ftp 32
aaa session-limit telnet 32
aaa session-limit http 32
aaa session-limit ssh 32
aaa session-limit https 32
domain default enable system
#
role name level-0
description Predefined level-0 role
#
role name level-1
description Predefined level-1 role
#
role name level-2
description Predefined level-2 role
#
role name level-3
description Predefined level-3 role
#
role name level-4
description Predefined level-4 role
#
role name level-5
description Predefined level-5 role
#
role name level-6
description Predefined level-6 role
#
role name level-7
description Predefined level-7 role
#
role name level-8
description Predefined level-8 role
#
role name level-9
description Predefined level-9 role
#
role name level-10
description Predefined level-10 role
#
role name level-11
description Predefined level-11 role
#
role name level-12
description Predefined level-12 role
#
role name level-13
description Predefined level-13 role
#
role name level-14
description Predefined level-14 role
#
user-group system
#
local-user ssh class manage // define the username and password for SSH login; the service-type below authorizes this user for SSH only
password hash $h$6$Csbv+iXrh3WfzK2x$BKW/Ahy2TJjhkNlO8XZD/Ji5sY2zHnjXVWsEPzKtLNb/iCYkfUAGtXI3/QEw3IR3guHJzmwQkrigap1996ldsA==
service-type ssh
authorization-attribute user-role network-admin
authorization-attribute user-role network-operator
#
return