Publickey authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 162, Router B acts as the Stelnet server, and it uses publickey authentication and the DSA public key algorithm.

Establish an Stelnet connection between Router A and Router B, so you can log in to Router B as a network administrator to configure and manage Router B.

Figure 157: Network diagram

Configuration procedure

In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.

  1. Configure the Stelnet client:

    # Assign an IP address to interface GigabitEthernet 1/0/1.

    <RouterA> system-view
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] ip address 192.168.1.56 255.255.255.0
    [RouterA-GigabitEthernet1/0/1] quit
    

    # Generate a DSA key pair.

    [RouterA] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Export the DSA host public key to a public key file named key.pub.

    [RouterA] public-key local export dsa ssh2 key.pub
    [RouterA] quit
    

    # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)

  2. Configure the Stelnet server:

    # Generate RSA key pairs.

    <RouterB> system-view
    [RouterB] public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ........................++++++
    ...................++++++
    ..++++++++
    ............++++++++
    Create the key pair successfully.
    

    # Generate a DSA key pair.

    [RouterB] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Generate an ECDSA key pair.

    [RouterB] public-key local create ecdsa secp256r1
    Generating Keys...
    .
    Create the key pair successfully.
    

    # Enable the Stelnet server.

    [RouterB] ssh server enable
    

    # Assign an IP address to interface GigabitEthernet 1/0/1. The Stelnet client uses this address as the destination address for the SSH connection.

    [RouterB] interface gigabitethernet 1/0/1
    [RouterB-GigabitEthernet1/0/1] ip address 192.168.1.40 255.255.255.0
    [RouterB-GigabitEthernet1/0/1] quit
    

    # Set the authentication mode to AAA for the user lines.

    [RouterB] line vty 0 63
    [RouterB-line-vty0-63] authentication-mode scheme
    [RouterB-line-vty0-63] quit
    

    # Import the peer public key from the public key file key.pub, and name it clientkey.

    [RouterB] public-key peer clientkey import sshkey key.pub
    

    # Create an SSH user named client002. Specify the authentication method as publickey for the user, and assign the public key clientkey to the user.

    [RouterB] ssh user client002 service-type stelnet authentication-type publickey assign publickey clientkey
    

    # Create a local device management user named client002.

    [RouterB] local-user client002 class manage
    

    # Authorize local user client002 to use the SSH service.

    [RouterB-luser-manage-client002] service-type ssh
    

    # Assign the network-admin user role to local user client002.

    [RouterB-luser-manage-client002] authorization-attribute user-role network-admin
    [RouterB-luser-manage-client002] quit
    
  3. Establish an SSH connection to Stelnet server 192.168.1.40.

    <RouterA> ssh2 192.168.1.40 identity-key dsa
    Username: client002
    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    Enter a character ~ and a dot to abort.
    
    ******************************************************************************
    * Copyright (c) 2010-2016 Hewlett Packard Enterprise Development LP          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    
    <RouterB>
    

    If you choose to save the server's host public key, the client uses the saved key to authenticate the server at the next connection attempt.
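The procedure moves key.pub to the server over FTP or TFTP, neither of which protects the file's integrity, so it is worth comparing the key's fingerprint on both ends before running `public-key peer clientkey import sshkey key.pub`. The following is an added example, not part of the original procedure or of any vendor tooling: it assumes the `ssh2` export is an RFC 4716 public key file, the function names are hypothetical, and the sample key is constructed from placeholder integers.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def parse_ssh2_pubkey(text):
    """Return the raw key blob from an RFC 4716 ("ssh2") public key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key file")
    body, in_header = [], False
    for ln in lines[1:-1]:
        if in_header or ":" in ln:          # header line; a trailing '\' continues it
            in_header = ln.endswith("\\")
            continue
        body.append(ln)
    return base64.b64decode("".join(body), validate=True)

def read_fields(blob):
    """Split a key blob into its length-prefixed fields (RFC 4251 string/mpint)."""
    fields, off = [], 0
    while off < len(blob):
        (n,) = struct.unpack_from(">I", blob, off)   # struct.error if the prefix is cut off
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields

def inspect_pubkey(text):
    """Report algorithm, SHA-256 fingerprint and, for DSA, the sizes of p and q."""
    blob = parse_ssh2_pubkey(text)
    fields = read_fields(blob)
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    info = {"algorithm": fields[0].decode("ascii"), "fingerprint": "SHA256:" + digest}
    if info["algorithm"] == "ssh-dss" and len(fields) == 5:   # name, p, q, g, y
        info["p_bits"], info["q_bits"] = (int.from_bytes(f, "big").bit_length() for f in fields[1:3])
    return info

def make_sample(y=5):
    """Constructed sample: well-formed ssh-dss blob with placeholder integers, not a real key."""
    def mpint(n):
        raw = n.to_bytes(n.bit_length() // 8 + 1, "big")   # leading 0x00 keeps it positive
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(
        mpint(v) for v in ((1 << 1023) | 1, (1 << 159) | 1, 2, y))
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, 'Comment: "constructed-sample"', *rows, END]) + "\n"
```

Run `inspect_pubkey()` on the file as exported on Router A and again on the copy received by Router B; the two fingerprints must match. A `p_bits` of 1024 corresponds to the default modulus length offered at the key generation prompt.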