SSH (public-key) login to network devices (Huawei)

Networking requirements

My organization needs to bring a business system up to MLPS level 3 (等保三级), which requires that switches support a login method in addition to username/password authentication. Public-key authentication was chosen for remote login to the switch. As shown in the figure, the Server address is 192.168.1.1 and the Client address is 192.168.1.2. The goal is for the Client to log in and manage the Server remotely without entering a password.

Configuration approach

Configure the SSH server function on the Server so that the Client can log in to the Server without a password.

Procedure

1. Enable the SSH server service on the Server

<HUAWEI> system-view
[HUAWEI] sysname server
[server]stelnet server enable

2. Configure the IP address of interface GE0/0/0 on the Server

[server]int g0/0/0
[server-GigabitEthernet0/0/0]ip add 192.168.1.1 24

3. Create a local AAA user on the Server

[server]aaa
# Create user admin with password 123456
[server-aaa]local-user admin password cipher 123456
# Allow user admin to use the SSH and terminal services
[server-aaa]local-user admin service-type ssh terminal
# Give user admin privilege level 15 (the highest level)
[server-aaa]local-user admin privilege level 15

4. Set the VTY authentication mode to AAA on the Server

[server]user-interface vty 0 4
# Set the authentication mode to AAA
[server-ui-vty0-4]authentication-mode aaa
# Restrict the VTY lines to the SSH protocol
[server-ui-vty0-4]protocol inbound ssh

5. Configure the IP address of interface GE0/0/0 on the Client

<HUAWEI> system-view
[HUAWEI] sysname client
[client]int g0/0/0
[client-GigabitEthernet0/0/0]ip add 192.168.1.2 24

6. Enable the SSH client function on the Client

[client]ssh client first-time enable

7. Create a local key pair on the Client

[client]rsa local-key-pair create
The key name will be: Host
% RSA keys defined for Host already exist.
Confirm to replace them? (y/n)[n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
       It will take a few minutes.
Input the bits in the modulus[default = 512]: # pressing Enter accepts the 512-bit default
Generating keys...
.........................++++++++++++
...++++++++++++
......++++++++
..............................++++++++

8. Display and copy the local public key created on the Client

[client]display rsa local-key-pair public

=====================================================
Time of Key pair created: 2024-05-08 21:49:58-08:00
Key name: Host # public key of the Host key pair; this is the one copied to the Server
Key type: RSA encryption Key
=====================================================
Key code:
3047
  0240
    E41666EE 3582CF05 40E086EF 166D8598 E92A2FFD
    F9F73C9A ED858EB8 D7EF8C7B A5B28569 24CB99E9
    1376A262 8D26E2C3 E8B6F17D 796148FF DA27D19C
    827ABF65
  0203
    010001

=====================================================
Time of Key pair created: 2024-05-08 21:50:01-08:00
Key name: Server # public key of the Server key pair; not used here
Key type: RSA encryption Key
=====================================================
Key code:
3067
  0260
    D646335C 9EE3087A AC23BBA6 B884820D 052F1EA8
    9D16A9BE 4B006A29 062DB989 F2D20E4C AB954E64
    FCAD8614 0150BB0D 58396938 A2121F99 4F5824CA
    9DAA6C15 C5A46FE2 34B2AC99 86A93B28 ECD6072D
    D653E8F5 6A0A0A96 AC64DDD2 758213B1
  0203
    010001

9. Register the Client's public key on the Server

# Create a peer public key named client
[server]rsa peer-public-key client
[server-rsa-public-key]public-key-code begin
[server-rsa-key-code]3047
[server-rsa-key-code]  0240
[server-rsa-key-code]    E41666EE 3582CF05 40E086EF 166D8598 E92A2FFD
[server-rsa-key-code]    F9F73C9A ED858EB8 D7EF8C7B A5B28569 24CB99E9
[server-rsa-key-code]    1376A262 8D26E2C3 E8B6F17D 796148FF DA27D19C
[server-rsa-key-code]    827ABF65
[server-rsa-key-code]  0203
[server-rsa-key-code]    010001
[server-rsa-key-code]public-key-code end
[server-rsa-public-key]peer-public-key end

10. Assign the key to user admin on the Server and select the authentication type

# Assign the key to the user
[server]ssh user admin assign rsa-key client
# Set the authentication type to all, which covers password, rsa and password-rsa
[server]ssh user admin authentication-type all

11. Verify that the Client can log in to the Server remotely without entering a password

[client]stelnet 192.168.1.1
Please input the username:admin # prompt for the username
Trying 192.168.1.1 ...
Press CTRL+K to abort
Connected to 192.168.1.1 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y # warns that the Server is not authenticated and asks whether to connect
May  8 2024 22:05:36-08:00 client %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server had not been authenticated in the process of exchanging keys. When deciding whether to continue, the user chose Y.
[client]
Save the server's public key? (y/n)[n]:y # asks whether to save the Server's public key
The server's public key will be saved with the name 192.168.1.1. Please wait...

May  8 2024 22:05:44-08:00 client %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding whether to save the server's public key 192.168.1.1, the user chose Y.
[client]
# Login successful
<server>

12. Change the authentication type of user admin on the Server to password

[server]ssh user admin authentication-type password

13. Verify that the Client now has to enter a password to log in to the Server remotely

[client]stelnet 192.168.1.1
Please input the username:admin # prompt for the username
Trying 192.168.1.1 ...
Press CTRL+K to abort
Connected to 192.168.1.1 ...
Enter password: # a password is now required
  -----------------------------------------------------------------------------

  User last login information:
  -----------------------------------------------------------------------------
  Access Type: SSH
  IP-Address : 192.168.1.2 ssh
  Time       : 2024-05-08 22:05:45-08:00
  -----------------------------------------------------------------------------
<server>

Other issues

In a real deployment, a PC logs in to the device remotely through an SSH terminal tool. However, because the device images in the eNSP simulator are old, the public key exported by the terminal tool cannot be registered on the device, so the only option there is to use another device as the client and generate the required public key on it.
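The key code printed in step 8 and pasted in step 9 is a DER-style SEQUENCE of two INTEGERs (modulus, then exponent) whose values carry no sign byte (hence "0240" followed by 64 bytes for a 512-bit modulus). The converter below is an added example, not code from the original post or from Huawei: it parses the page's own Host key code, re-encodes it, and converts to and from the OpenSSH "ssh-rsa" line format, so that a key generated on a PC can be pasted between public-key-code begin/end on an image that lacks encoding-type openssh. The layout is inferred from the output shown above; the function names and the 2048-bit round-trip are assumptions. The parser also exposes the modulus length, which for the page's default key is 512 bits, well below the 2048 bits generally required for RSA today.

```python
import base64
import struct

# Sample input: the Host key code printed by "display rsa local-key-pair public" on the page.
PAGE_HOST_KEY_CODE = """3047 0240
E41666EE 3582CF05 40E086EF 166D8598 E92A2FFD
F9F73C9A ED858EB8 D7EF8C7B A5B28569 24CB99E9
1376A262 8D26E2C3 E8B6F17D 796148FF DA27D19C
827ABF65
0203 010001"""

def _unsigned(v):  # big-endian magnitude without a sign byte (the form the device prints)
    return v.to_bytes((v.bit_length() + 7) // 8, "big")
def _encode_len(n):  # DER length: short form below 0x80, else 0x8N followed by N length bytes
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(_unsigned(n))]) + _unsigned(n)
def _read_tlv(buf, pos, tag):  # one tag/length/value element -> (value, offset after it)
    if buf[pos] != tag:
        raise ValueError("expected tag 0x%02X at offset %d" % (tag, pos))
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N, then N bytes of length
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return buf[pos:pos + length], pos + length
def huawei_keycode_to_rsa(keycode_hex):  # SEQUENCE { INTEGER n, INTEGER e } -> (n, e)
    buf = bytes.fromhex("".join(keycode_hex.split()))
    seq, end = _read_tlv(buf, 0, 0x30)
    n_bytes, pos = _read_tlv(seq, 0, 0x02)
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if end != len(buf) or pos != len(seq):
        raise ValueError("trailing bytes in key code")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
def rsa_to_huawei_keycode(n, e):  # (n, e) -> uppercase hex ready to paste into public-key-code
    body = b"".join(b"\x02" + _encode_len(len(_unsigned(v))) + _unsigned(v) for v in (n, e))
    return (b"\x30" + _encode_len(len(body)) + body).hex().upper()

def openssh_to_rsa(line):  # 'ssh-rsa AAAA... comment' -> (n, e); blob is string, mpint e, mpint n
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        (ln,) = struct.unpack(">I", blob[pos:pos + 4])
        fields.append(blob[pos + 4:pos + 4 + ln])
        pos += 4 + ln
    if line.split()[0] != "ssh-rsa" or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")
def rsa_to_openssh(n, e, comment="converted"):  # mpints are signed: a high-bit magnitude gets a 0x00
    def mpint(v):
        body = (b"\x00" if _unsigned(v)[0] & 0x80 else b"") + _unsigned(v)
        return struct.pack(">I", len(body)) + body
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)
```

To register a PC key, feed the contents of id_rsa.pub to openssh_to_rsa and paste the rsa_to_huawei_keycode result between public-key-code begin and end.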

Procedure on a physical device

The PC and the device can ping each other.
Enable SSH on the device and create the corresponding user
<HUAWEI> system-view
[HUAWEI] sysname server
# Enable the SSH server function
[server]stelnet server enable
[server]aaa
# Create user admin with password Aa123456
[server-aaa]local-user admin password cipher Aa123456
# Allow user admin to use the SSH and terminal services
[server-aaa]local-user admin service-type ssh terminal
# Give user admin privilege level 15 (the highest level)
[server-aaa]local-user admin privilege level 15
[server]user-interface vty 0 4
# Set the authentication mode to AAA
[server-ui-vty0-4]authentication-mode aaa
# Restrict the VTY lines to the SSH protocol
[server-ui-vty0-4]protocol inbound ssh
# Enable the SSH client function so the device can test SSH login to itself
[server]ssh client first-time enable
# Allow SSH access to the device through all interfaces
[server]ssh server-source all-interface
Verify that the device can stelnet to itself
[server]stelnet 127.0.0.1
Please input the username:admin
Trying 127.0.0.1 ...
Press CTRL+K to abort
Connected to 127.0.0.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
[server]dis users
  User-Intf    Delay    Type   Network Address     AuthenStatus    AuthorcmdFlag
  0   CON 0   00:00:00                                   pass           no        Username : Unspecified
+ 34  VTY 0   00:00:00  SSH    127.0.0.1                 pass           no        Username : admin
Generate the public/private key pair on the terminal
Every terminal program does this differently; look up the steps for your tool.
Register the terminal-generated public key on the device
[server]rsa peer-public-key admin encoding-type openssh
[server-rsa-public-key]public-key-code begin
[server-rsa-key-code]# paste the OpenSSH-format public key generated by the terminal software here
[server-rsa-key-code]public-key-code end
[server-rsa-public-key]peer-public-key end
# Assign the key to the user (the key name must match the one given to rsa peer-public-key, here admin)
[server]ssh user admin assign rsa-key admin
# Set the authentication type to all, which covers password, rsa and password-rsa
[server]ssh user admin authentication-type all
The client now logs in to the device with the key instead of the password.