Publickey authentication enabled SFTP client configuration example

Network requirements

As shown in Figure 165, Router B acts as the SFTP server, and it uses publickey authentication and the RSA public key algorithm.

Establish an SFTP connection between Router A and Router B, so you can log in to Router B as a network administrator to manage and transfer files.

Figure 160: Network diagram

Configuration procedure

The server configuration requires the client's host public key, so generate the RSA key pair on the client before configuring the SFTP server.

  1. Configure the SFTP client:

    # Assign an IP address to interface GigabitEthernet 1/0/1.

    <RouterA> system-view
    [RouterA] interface gigabitethernet 1/0/1
    [RouterA-GigabitEthernet1/0/1] ip address 192.168.0.2 255.255.255.0
    [RouterA-GigabitEthernet1/0/1] quit
    

    # Generate RSA key pairs.

    [RouterA] public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ........................++++++
    ...................++++++
    ..++++++++
    ............++++++++
    Create the key pair successfully.
    

    # Export the host public key to a public key file named pubkey.

    [RouterA] public-key local export rsa ssh2 pubkey
    [RouterA] quit
    

    # Transmit the public key file pubkey to the server through FTP or TFTP. (Details not shown.)

  2. Configure the SFTP server:

    # Generate RSA key pairs.

    <RouterB> system-view
    [RouterB] public-key local create rsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ........................++++++
    ...................++++++
    ..++++++++
    ............++++++++
    Create the key pair successfully.
    

    # Generate a DSA key pair.

    [RouterB] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Generate an ECDSA key pair.

    [RouterB] public-key local create ecdsa secp256r1
    Generating Keys...
    .
    Create the key pair successfully.
    

    # Enable the SFTP server.

    [RouterB] sftp server enable
    

    # Assign an IP address to interface GigabitEthernet 1/0/1. The client uses this address as the destination address for SSH connection.

    [RouterB] interface gigabitethernet 1/0/1
    [RouterB-GigabitEthernet1/0/1] ip address 192.168.0.1 255.255.255.0
    [RouterB-GigabitEthernet1/0/1] quit
    

    # Import the peer public key from the public key file pubkey, and name it routerkey.

    [RouterB] public-key peer routerkey import sshkey pubkey
    

    # Create an SSH user named client001. Specify the service type as sftp and the authentication method as publickey for the user. Assign the public key routerkey to the user.

    [RouterB] ssh user client001 service-type sftp authentication-type publickey assign publickey routerkey
    

    # Create a local device management user named client001.

    [RouterB] local-user client001 class manage
    

    # Authorize local user client001 to use the SSH service.

    [RouterB-luser-manage-client001] service-type ssh
    

    # Assign the network-admin user role and the working directory flash:/ to local user client001.

    [RouterB-luser-manage-client001] authorization-attribute user-role network-admin work-directory flash:/
    [RouterB-luser-manage-client001] quit
    
  3. Establish a connection between the SFTP client and the SFTP server:

    # Establish a connection to the SFTP server and enter SFTP client view.

    <RouterA> sftp 192.168.0.1 identity-key rsa
    Username: client001
    Press CTRL+C to abort.
    Connecting to 192.168.0.1 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    sftp>
    

    # Display files under the current directory of the server, delete the file z, and verify the result.

    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    -rwxrwxrwx   1 noone    nogroup         0 Sep 01 08:00 z
    sftp> delete z
    Removing /z
    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    

    # Add a directory new1 and verify the result.

    sftp> mkdir new1
    sftp> dir -l
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:30 new1
    

    # Rename the directory new1 to new2 and verify the result.

    sftp> rename new1 new2
    sftp> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    -rwxrwxrwx   1 noone    nogroup       225 Sep 01 06:55 pub
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
    

    # Download file pubkey2 from the server and save it as a local file named public.

    sftp> get pubkey2 public
    Fetching / pubkey2 to public
    /pubkey2                                  100% 225     1.4KB/s   00:00
    

    # Upload a local file named pu to the server, save it as puk, and verify the result.

    sftp> put pu puk
    Uploading pu to / puk
    sftp> dir
    -rwxrwxrwx   1 noone    nogroup      1759 Aug 23 06:52 config.cfg
    -rwxrwxrwx   1 noone    nogroup       225 Aug 24 08:01 pubkey2
    -rwxrwxrwx   1 noone    nogroup       283 Aug 24 07:39 pubkey
    drwxrwxrwx   1 noone    nogroup         0 Sep 01 06:22 new
    drwxrwxrwx   1 noone    nogroup         0 Sep 02 06:33 new2
    -rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:35 pub
    -rwxrwxrwx   1 noone    nogroup       283 Sep 02 06:36 puk
    sftp>
    

    # Exit SFTP client view.

    sftp> quit
    <RouterA>
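The key file that step 1 exports and step 2 imports is an RFC 4716 ("SSH2") container holding an ssh-rsa key blob. The following added example (not code from the vendor's product or from this guide) builds such a file from constructed key material, parses it back, checks that the modulus length falls within the 512~2048 range the device accepts, and computes the SHA256 fingerprint so the administrator can confirm that the file received over FTP/TFTP matches the one RouterA exported. It assumes the exported file follows RFC 4716; the sample modulus is an arbitrary constructed integer, not a real key.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
SAMPLE_E, SAMPLE_N = 65537, (1 << 1023) | 0x1234567  # constructed 1024-bit odd integer, not a real key

def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data  # SSH string: uint32 big-endian length + bytes

def _ssh_mpint(value: int) -> bytes:
    # SSH mpint: minimal big-endian bytes, plus a leading 0x00 when the high bit is set
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def build_rsa_blob(e: int, n: int) -> bytes:
    """ssh-rsa public key blob (RFC 4253): string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def to_ssh2_file(blob: bytes, comment: str) -> str:
    """Wrap a blob in the RFC 4716 container that 'public-key local export rsa ssh2' writes."""
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 72] for i in range(0, len(b64), 72)]  # RFC 4716: lines of at most 72 chars
    return "\n".join([BEGIN, f'Comment: "{comment}"', *body, END, ""])

def _read_string(buf: bytes, off: int):
    (length,) = struct.unpack_from(">I", buf, off)
    if off + 4 + length > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off + 4:off + 4 + length], off + 4 + length

def parse_ssh2_file(text: str) -> dict:
    """Parse an RFC 4716 ssh-rsa key file; 'ok' is the 512~2048 modulus check, fingerprint is OpenSSH's SHA256 form."""
    lines = [ln.strip() for ln in text.splitlines()]
    if not lines or lines[0] != BEGIN or END not in lines:
        raise ValueError("not an RFC 4716 public key file")
    # Header lines (Comment:, Subject:, ...) contain a colon; base64 lines never do.
    blob = base64.b64decode("".join(ln for ln in lines[1:lines.index(END)] if ":" not in ln), validate=True)
    ktype, off = _read_string(blob, 0)
    if ktype != b"ssh-rsa":
        raise ValueError(f"unsupported key type {ktype!r}")
    e_raw, off = _read_string(blob, off)
    n_raw, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after ssh-rsa key")
    n = int.from_bytes(n_raw, "big")
    fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": "ssh-rsa", "e": int.from_bytes(e_raw, "big"), "n": n, "bits": n.bit_length(),
            "ok": 512 <= n.bit_length() <= 2048, "fingerprint": fp}

SAMPLE_FILE = to_ssh2_file(build_rsa_blob(SAMPLE_E, SAMPLE_N), "rsa-key-RouterA")
```

Compare the fingerprint computed on RouterB's copy of pubkey with the one computed on RouterA's original before running `public-key peer routerkey import sshkey pubkey`; a mismatch means the file was altered in transit.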