1. Configuring SSH on a Huawei device
1.1 Configure the interface IP addresses as shown in the diagram and test connectivity
[R1]interface g0/0/0
[R1-GigabitEthernet0/0/0]ip address 202.100.1.1 255.255.255.252
[R2]int g0/0/0
[R2-GigabitEthernet0/0/0]ip address 202.100.1.2 255.255.255.252
[R1-GigabitEthernet0/0/0]ping 202.100.1.2
PING 202.100.1.2: 56 data bytes, press CTRL_C to break
Reply from 202.100.1.2: bytes=56 Sequence=1 ttl=255 time=110 ms
Reply from 202.100.1.2: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 202.100.1.2: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 202.100.1.2: bytes=56 Sequence=4 ttl=255 time=40 ms
Reply from 202.100.1.2: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 202.100.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/44/110 ms
1.2 Complete the SSH configuration on R1
[R1]aaa //enter AAA view
[R1-aaa]local-user ender password cipher qytang //create local user ender with password qytang
[R1-aaa]local-user ender privilege level 15 //give the user privilege level 15, the highest
[R1-aaa]local-user ender service-type ssh //this user is used for SSH login
[R1-aaa]quit //leave AAA view
[R1]ssh user ender authentication-type password //SSH user ender authenticates with a password
Authentication type setted, and will be in effect next time
[R1]stelnet server enable //enable the SSH (STELNET) server, which is disabled by default
Info: Succeeded in starting the STELNET server. //the SSH server has been started
[R1]rsa local-key-pair create //generate the RSA host key pair on the device
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:768 //use 768 bits instead of 512
Generating keys...
...++++++++
.....++++++++
......+++++++++
..................................................+++++++++
[R1]
[R1]user-interface vty 0 4 //enter the VTY user interface
[R1-ui-vty0-4]authentication-mode aaa //use AAA as the authentication mode on the VTY lines
[R1-ui-vty0-4]protocol inbound ssh //allow SSH login on the VTY lines
[R1-ui-vty0-4]
1.3 Complete the SSH login test
[R2]ssh client first-time enable //needed for the first login, before the server key is saved
[R2]stelnet 202.100.1.1
Please input the username:ender
Trying 202.100.1.1 ...
Press CTRL+K to abort
Connected to 202.100.1.1 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Oct 18 2023 20:00:15-08:00 R2 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[1]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[R2]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 202.100.1.1. Please wait...
Oct 18 2023 20:00:19-08:00 R2 %%01SSH/4/SAVE_PUBLICKEY(l)[2]:When deciding whether to save the server's public key 202.100.1.1, the user chose Y.
[R2]
Enter password:
<R1>display users
User-Intf Delay Type Network Address AuthenStatus AuthorcmdFlag
0 CON 0 00:02:21 pass
Username : Unspecified
+ 129 VTY 0 00:00:00 SSH 202.100.1.2 pass
Username : ender
<R1>
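The `display users` output above is what an operator checks to confirm that the session arrived over SSH and from the expected management host. The following Python script is an added example, not part of the original article or of Huawei's tooling: it parses that table layout into records and flags remote sessions whose source address is not on a management allow-list. The sample output is constructed to match the layout shown above, and the allow-list is a hypothetical input.

```python
import re

# Constructed sample in the layout of the 'display users' output above.
SAMPLE_OUTPUT = """\
User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:02:21                              pass
  Username : Unspecified
+ 129 VTY 0   00:00:00  SSH   202.100.1.2           pass
  Username : ender
"""

# One session line per user interface: optional '+' marks the current session,
# then interface number, line type, line number, delay, and for remote sessions
# the protocol and source address, followed by the authentication status.
SESSION_RE = re.compile(
    r"^(?P<current>\+)?\s*(?P<intf>\d+)\s+(?P<line>CON|VTY)\s+(?P<num>\d+)\s+"
    r"(?P<delay>\d{2}:\d{2}:\d{2})\s+(?:(?P<proto>SSH|TEL)\s+(?P<addr>\S+)\s+)?"
    r"(?P<auth>\S+)"
)
# The username follows on its own line, e.g. '  Username : ender'.
USERNAME_RE = re.compile(r"^\s*Username\s*:\s*(?P<user>\S+)")


def parse_display_users(output):
    """Return one dict per session, in the order the device lists them."""
    sessions = []
    for raw in output.splitlines():
        m = SESSION_RE.match(raw)
        if m:
            sessions.append({
                "current": m.group("current") == "+",
                "line": "%s %s" % (m.group("line"), m.group("num")),
                "protocol": m.group("proto"),      # None for the console
                "address": m.group("addr"),        # None for the console
                "auth": m.group("auth"),
                "username": None,
            })
            continue
        m = USERNAME_RE.match(raw)
        if m and sessions:
            sessions[-1]["username"] = m.group("user")
    return sessions


def unexpected_sessions(sessions, allowed_sources):
    """Remote sessions whose source address is not in the (hypothetical) allow-list."""
    return [s for s in sessions
            if s["address"] is not None and s["address"] not in allowed_sources]


if __name__ == "__main__":
    found = parse_display_users(SAMPLE_OUTPUT)
    for s in found:
        print("%-6s proto=%-4s from=%-12s user=%s" % (
            s["line"], s["protocol"], s["address"], s["username"]))
    # R2's address from the lab is the only permitted management source here.
    for s in unexpected_sessions(found, {"202.100.1.2"}):
        print("UNEXPECTED remote session:", s)
```

Run the script on output copied from a device, or feed it output collected over a management channel; a non-empty result from `unexpected_sessions` is the condition worth alerting on.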
2. Configuring SSH on an H3C device
2.1 Configure the interfaces and test connectivity
[R1]interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/1]ip address 10.1.11.1 29
[SW1]interface GigabitEthernet 1/0/1
[SW1-GigabitEthernet1/0/1]port link-mode route
[SW1-GigabitEthernet1/0/1]ip address 10.1.11.2 29
[SW1-GigabitEthernet1/0/1]ping 10.1.11.1
Ping 10.1.11.1 (10.1.11.1): 56 data bytes, press CTRL+C to break
56 bytes from 10.1.11.1: icmp_seq=0 ttl=255 time=3.000 ms
56 bytes from 10.1.11.1: icmp_seq=1 ttl=255 time=2.000 ms
2.2 Configure SSH on R1
[R1]ssh server enable
[R1]local-user ender
New local user added.
[R1-luser-manage-ender]password simple qytang123456
[R1-luser-manage-ender]service-type ssh
[R1-luser-manage-ender]quit
[R1]user-interface vty 0 4
[R1-line-vty0-4]authentication-mode scheme
[R1-line-vty0-4]protocol inbound ssh
[R1-line-vty0-4]user-role level-15
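Sections 1.2 and 2.2 set the same four things with different command spellings: the SSH server is enabled, a local SSH user exists, and the VTY lines use AAA/scheme authentication and accept only SSH. The following Python script is an added example, not part of the original article or of either vendor's tooling: it audits a saved configuration for those settings on both platforms, warns if Telnet is still enabled, and, since the RSA modulus chosen at the interactive prompt in section 1.2 is not stored in the configuration, takes the key size as a separate argument and flags values below 2048 bits. The configuration snippets are constructed to resemble the commands in the article; the platform table, the check logic and the 2048-bit threshold are this example's own assumptions.

```python
import re

# Command spellings for the two platforms in the article
# (Huawei VRP in section 1, H3C Comware in section 2).
PLATFORM_SYNTAX = {
    "huawei": {"ssh_server": "stelnet server enable", "auth_mode": "authentication-mode aaa"},
    "h3c": {"ssh_server": "ssh server enable", "auth_mode": "authentication-mode scheme"},
}

# Huawei displays the section as 'user-interface vty', H3C as 'line vty'.
VTY_HEADER = re.compile(r"^(user-interface|line) vty\b")


def vty_blocks(lines):
    """Return (header, [sub-commands]) for each VTY section.

    Sub-commands are the indented lines following the header; a '#'
    separator or any other non-indented line closes the section.
    """
    blocks, current = [], None
    for line in lines:
        if VTY_HEADER.match(line):
            current = (line.strip(), [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def audit_ssh_config(config_text, platform, rsa_key_bits=None):
    """Audit a saved configuration; returns a list of findings (empty = all checks passed).

    platform: "huawei" or "h3c".  rsa_key_bits: the modulus entered at the
    interactive 'rsa local-key-pair create' prompt, which the config does not record.
    """
    syntax = PLATFORM_SYNTAX[platform]
    lines = config_text.splitlines()
    # Global commands may be indented on Comware, so compare stripped lines.
    present = {line.strip() for line in lines}
    findings = []
    if syntax["ssh_server"] not in present:
        findings.append("SSH server not enabled: missing '%s'" % syntax["ssh_server"])
    if "telnet server enable" in present:
        findings.append("Telnet server is enabled; cleartext logins remain possible")
    blocks = vty_blocks(lines)
    if not blocks:
        findings.append("no VTY section found; remote login settings are at platform defaults")
    for header, body in blocks:
        # Without an explicit 'protocol inbound ssh' the platform default applies,
        # which admits Telnet as well.
        if "protocol inbound ssh" not in body:
            findings.append("%s: inbound protocol is not restricted to SSH" % header)
        if syntax["auth_mode"] not in body:
            findings.append("%s: expected '%s'" % (header, syntax["auth_mode"]))
    if rsa_key_bits is not None and rsa_key_bits < 2048:
        findings.append("RSA host key is %d bits; use at least 2048" % rsa_key_bits)
    return findings


# Constructed configuration snippets modelled on the article's commands.
HUAWEI_HARDENED = """\
#
stelnet server enable
#
aaa
 local-user ender privilege level 15
 local-user ender service-type ssh
#
ssh user ender authentication-type password
#
user-interface con 0
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
#
"""

HUAWEI_WEAK = """\
#
telnet server enable
stelnet server enable
#
user-interface vty 0 4
 authentication-mode password
 protocol inbound all
#
"""

H3C_HARDENED = """\
#
 ssh server enable
#
local-user ender class manage
 service-type ssh
#
line vty 0 4
 authentication-mode scheme
 user-role level-15
 protocol inbound ssh
#
"""

if __name__ == "__main__":
    for name, cfg, plat, bits in [("huawei-hardened", HUAWEI_HARDENED, "huawei", 2048),
                                  ("huawei-weak", HUAWEI_WEAK, "huawei", 768),
                                  ("h3c-hardened", H3C_HARDENED, "h3c", None)]:
        print(name, audit_ssh_config(cfg, plat, rsa_key_bits=bits) or "OK")
```

The weak Huawei snippet shows why each check exists: Telnet left on beside SSH, VTY lines that still accept any inbound protocol, password-only line authentication instead of AAA, and a 768-bit host key as chosen in section 1.2 all produce findings, while the two hardened snippets pass cleanly.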
2.3 Complete the SSH login test from SW1
<SW1>ssh 10.1.11.1
Username: ender
Press CTRL+C to abort.
Connecting to 10.1.11.1 port 22.
The server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:y
ender@10.1.11.1's password:
Enter a character ~ and a dot to abort.
******************************************************************************
* Copyright (c) 2004-2022 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
******************************************************************************
<R1>system-view
System View: return to User View with Ctrl+Z.
[R1]