Publickey authentication enabled Stelnet client configuration example

Network requirements

As shown in Figure 112, Switch B acts as the Stelnet server, and it uses publickey authentication and the DSA public key algorithm.

Establish an Stelnet connection between Switch A and Switch B, so that you can log in to Switch B to configure and manage Switch B.

Figure 111: Network diagram

Configuration procedure

In the server configuration, the client's host public key is required. Generate a DSA key pair on the client before configuring the Stelnet server.

  1. Configure the Stelnet client:

    # Assign an IP address to VLAN-interface 2.

    <SwitchA> system-view
    [SwitchA] interface vlan-interface 2
    [SwitchA-Vlan-interface2] ip address 192.168.1.56 255.255.255.0
    [SwitchA-Vlan-interface2] quit
    

    # Generate a DSA key pair.

    [SwitchA] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Export the DSA host public key to a public key file named key.pub.

    [SwitchA] public-key local export dsa ssh2 key.pub
    [SwitchA] quit
    

    # Transmit the public key file key.pub to the server through FTP or TFTP. (Details not shown.)

  2. Configure the Stelnet server:

    # Generate RSA key pairs.

    <SwitchB> system-view
    [SwitchB] public-key local create rsa
    The range of public key modulus is (512 ~ 2048)
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    ........................++++++
    ...................++++++
    ..++++++++
    ............++++++++
    Create the key pair successfully.
    

    # Generate a DSA key pair.

    [SwitchB] public-key local create dsa
    The range of public key modulus is (512 ~ 2048).
    If the key modulus is greater than 512, it will take a few minutes.
    Press CTRL+C to abort.
    Input the modulus length [default = 1024]:
    Generating Keys...
    .++++++++++++++++++++++++++++++++++++++++++++++++++*
    ........+......+.....+......................................+
    ...+.................+..........+...+
    Create the key pair successfully.
    

    # Generate an ECDSA key pair.

    [SwitchB] public-key local create ecdsa secp256r1
    Generating Keys...
    .
    Create the key pair successfully.
    

    # Enable the Stelnet server.

    [SwitchB] ssh server enable
    

    # Assign an IP address to VLAN-interface 2. The Stelnet client uses this address as the destination address for SSH connection.

    [SwitchB] interface vlan-interface 2
    [SwitchB-Vlan-interface2] ip address 192.168.1.40 255.255.255.0
    [SwitchB-Vlan-interface2] quit
    

    # Set the authentication mode to AAA for user lines.

    [SwitchB] line vty 0 63
    [SwitchB-line-vty0-63] authentication-mode scheme
    [SwitchB-line-vty0-63] quit
    

    # Import the peer public key from the public key file key.pub, and name it switchkey.

    [SwitchB] public-key peer switchkey import sshkey key.pub
    

    # Create an SSH user named client002. Specify the authentication method as publickey for the user. Assign the public key switchkey to the user.

    [SwitchB] ssh user client002 service-type stelnet authentication-type publickey assign publickey switchkey
    

    # Create a local device management user named client002.

    [SwitchB] local-user client002 class manage
    

    # Authorize local user client002 to use the SSH service.

    [SwitchB-luser-manage-client002] service-type ssh
    

    # Assign the network-admin user role to local user client002.

    [SwitchB-luser-manage-client002] authorization-attribute user-role network-admin
    [SwitchB-luser-manage-client002] quit
    
  3. Establish an SSH connection to the Stelnet server 192.168.1.40.

    <SwitchA> ssh2 192.168.1.40 identity-key dsa
    Username: client002
    Press CTRL+C to abort.
    Connecting to 192.168.1.40 port 22.
    The server is not authenticated. Continue? [Y/N]:y
    Do you want to save the server public key? [Y/N]:n
    Enter a character ~ and a dot to abort.
    
    ******************************************************************************
    * Copyright (c) 2010-2015 Hewlett Packard Enterprise Development LP          *
    * Without the owner's prior written consent,                                 *
    * no decompiling or reverse-engineering shall be allowed.                    *
    ******************************************************************************
    
    <SwitchB>
    

    Enter Y at the prompt to continue the connection and download the server's host public key, and answer Y at the save prompt to keep it on the client. At the next connection attempt, the client authenticates the server by comparing its host public key against the saved copy.
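The key.pub file that `public-key local export dsa ssh2` writes is in RFC 4716 (ssh2) format, and it travels to the server over FTP/TFTP, so the administrator should confirm that the copy imported as switchkey is the same key the client generated; the same fingerprint comparison applies to the server's host key that the client is asked to accept in step 3. The script below is an added example, not part of this configuration guide or the switch software: it parses an ssh2 public key file, recovers the ssh-dss parameters, and computes an OpenSSH-style SHA256 fingerprint for comparison. The sample key it embeds is built from small constructed toy integers and is not a real DSA key.

```python
"""Parse an RFC 4716 ("ssh2") public key file and fingerprint it.
Added example; the SAMPLE_KEY below uses constructed toy integers."""
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    # RFC 4251 "string": 4-byte big-endian length followed by the bytes
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    # RFC 4251 mpint for a positive integer: leading 0x00 if the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, off: int):
    (n,) = struct.unpack_from(">I", blob, off)
    return blob[off + 4:off + 4 + n], off + 4 + n


def build_ssh2_file(p: int, q: int, g: int, y: int, comment: str = "switchA-dsa") -> str:
    # Wire blob: string "ssh-dss" followed by mpints p, q, g, y (RFC 4253)
    blob = _ssh_string(b"ssh-dss") + b"".join(_ssh_mpint(n) for n in (p, q, g, y))
    b64 = base64.b64encode(blob).decode()
    body = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"'] + body + [END]) + "\n"


def parse_ssh2_file(text: str) -> dict:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key file")
    headers, body = {}, []
    for line in lines[1:-1]:
        if ":" in line and not body:          # header lines precede the base64 body
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        else:
            body.append(line)
    blob = base64.b64decode("".join(body))
    ktype, off = _read_string(blob, 0)
    ints = []
    while off < len(blob):                    # remaining fields are mpints
        raw, off = _read_string(blob, off)
        ints.append(int.from_bytes(raw, "big"))
    return {"type": ktype.decode(), "headers": headers, "ints": ints, "blob": blob}


def fingerprint(blob: bytes) -> str:
    # OpenSSH-style fingerprint: SHA256 over the wire blob, base64 without padding
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def keys_match(client_file: str, server_file: str) -> bool:
    # Compare the client's exported key.pub with the copy present on the server
    return fingerprint(parse_ssh2_file(client_file)["blob"]) == fingerprint(parse_ssh2_file(server_file)["blob"])


# Constructed toy parameters (not a real DSA key), just to exercise the format
SAMPLE_KEY = build_ssh2_file(p=0xDEADBEEF, q=0xCAFE, g=2, y=0x12345678)
```

Print `fingerprint(parse_ssh2_file(open("key.pub").read())["blob"])` on both sides of the transfer; a mismatch means the file imported as switchkey is not the key Switch A generated.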