SFTP configuration example based on 192-bit Suite B algorithms

As shown in Figure 117, Switch A acts as an SFTP client (SSH2). Switch B acts as the SFTP server (SSH2), and it uses publickey authentication.

Configure Switch A to establish an SFTP connection to Switch B based on the 192-bit Suite B algorithms. After the connection is established, you can log in to Switch B as a network-admin to manage and transfer files.

1. Generate the client's certificate and the server's certificate. (Details not shown.)

   You must first configure the certificates of the server and the client because they are required for identity authentication between the two parties.

   In this example, the server's certificate file is ssh-server-ecdsa384.p12 and the client's certificate file is ssh-client-ecdsa384.p12.

2. Configure the SFTP client:

   # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP client through FTP or TFTP. (Details not shown.)

   # Create a PKI domain named server384 for verifying the server's certificate and enter its view.

   <SwitchA> system-view
   [SwitchA] pki domain server384
   

   # Disable CRL checking.

   [SwitchA-pki-domain-server384] undo crl check enable
   [SwitchA-pki-domain-server384] quit
   

   # Import local certificate file ssh-server-ecdsa384.p12 to PKI domain server384.

   [SwitchA] pki import domain server384 p12 local filename ssh-server-ecdsa384.p12
   The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
   Please enter the key pair name[default name: server384]:
   

   # Display information about local certificates in PKI domain server384.

   [SwitchA] display pki certificate domain server384 local
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 1 (0x1)
       Signature Algorithm: ecdsa-with-SHA384
           Issuer: C=CN, ST=abc, L=abc, O=abc, OU=Software, CN=SuiteB CA
           Validity
               Not Before: Aug 20 10:08:41 2015 GMT
               Not After : Aug 19 10:08:41 2016 GMT
           Subject: C=CN, ST=abc, O=abc, OU=Software, CN=ssh server
           Subject Public Key Info:
               Public Key Algorithm: id-ecPublicKey
                   Public-Key: (384 bit)
                   pub:
                       04:4a:33:e5:99:8d:49:45:a7:a3:24:7b:32:6a:ed:
                       b6:36:e1:4d:cc:8c:05:22:f4:3a:7c:5d:b7:be:d1:
                       e6:9e:f0:ce:95:39:ca:fd:a0:86:cd:54:ab:49:60:
                       10:be:67:9f:90:3a:18:e2:7d:d9:5f:72:27:09:e7:
                       bf:7e:64:0a:59:bb:b3:7d:ae:88:14:94:45:b9:34:
                       d2:f3:93:e1:ba:b4:50:15:eb:e5:45:24:31:10:c7:
                       07:01:f9:dc:a5:6f:81
                   ASN1 OID: secp384r1
                   NIST CURVE: P-384
           X509v3 extensions:
               X509v3 Basic Constraints:
                   CA:FALSE
               Netscape Comment:
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier:
                   10:16:64:2C:DA:C1:D1:29:CD:C0:74:40:A9:70:BD:62:8A:BB:F4:D5
               X509v3 Authority Key Identifier:
                   keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
   
       Signature Algorithm: ecdsa-with-SHA384
            30:65:02:31:00:80:50:7a:4f:c5:cd:6a:c3:57:13:7f:e9:da:
            c1:72:7f:45:30:17:c2:a7:d3:ec:73:3d:5f:4d:e3:96:f6:a3:
            33:fb:e4:b9:ff:47:f1:af:9d:e3:03:d2:24:53:40:09:5b:02:
            30:45:d1:bf:51:fd:da:22:11:90:03:f9:d4:05:ec:d6:7c:41:
            fc:9d:a1:fd:5b:8c:73:f8:b6:4c:c3:41:f7:c6:7f:2f:05:2d:
            37:f8:52:52:26:99:28:97:ac:6e:f9:c7:01
   
   

   # Create a PKI domain named client384 for the client's certificate and enter its view.

   [SwitchA] pki domain client384
   

   # Disable CRL checking.

   [SwitchA-pki-domain-client384] undo crl check enable
   [SwitchA-pki-domain-client384] quit
   

   # Import local certificate file ssh-client-ecdsa384.p12 to PKI domain client384.

   [SwitchA] pki import domain client384 p12 local filename ssh-client-ecdsa384.p12
   The system is going to save the key pair. You must specify a key pair name, which is a case-insensitive string of 1 to 64 characters. Valid characters include a to z, A to Z, 0 to 9, and hyphens (-).
   Please enter the key pair name[default name: client384]:
   

   # Display information about local certificates in PKI domain client384.

   [SwitchA]display pki certificate domain client384 local
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number: 2 (0x2)
       Signature Algorithm: ecdsa-with-SHA384
           Issuer: C=CN, ST=abc, L=abc, O=abc, OU=Software, CN=SuiteB CA
           Validity
               Not Before: Aug 20 10:10:59 2015 GMT
               Not After : Aug 19 10:10:59 2016 GMT
           Subject: C=CN, ST=abc, O=abc, OU=Software, CN=ssh client
           Subject Public Key Info:
               Public Key Algorithm: id-ecPublicKey
                   Public-Key: (384 bit)
                   pub:
                       04:85:7c:8b:f4:7a:36:bf:74:f6:7c:72:f9:08:69:
                       d0:b9:ac:89:98:17:c9:fc:89:94:43:da:9a:a6:89:
                       41:d3:72:24:9b:9a:29:a8:d1:ba:b4:e5:77:ba:fc:
                       df:ae:c6:dd:46:72:ab:bc:d1:7f:18:7d:54:88:f6:
                       b4:06:54:7e:e7:4d:49:b4:07:dc:30:54:4b:b6:5b:
                       01:10:51:6b:0c:6d:a3:b1:4b:c9:d9:6c:d6:be:13:
                       91:70:31:2a:92:00:76
                   ASN1 OID: secp384r1
                   NIST CURVE: P-384
           X509v3 extensions:
               X509v3 Basic Constraints:
                   CA:FALSE
               Netscape Comment:
                   OpenSSL Generated Certificate
               X509v3 Subject Key Identifier:
                   BD:5F:8E:4F:7B:FE:74:03:5A:D1:94:DB:CA:A7:82:D6:F7:78:A1:B0
               X509v3 Authority Key Identifier:
                   keyid:5A:BE:85:49:16:E5:EB:33:80:25:EB:D8:91:50:B4:E6:3E:4F:B8:22
   
       Signature Algorithm: ecdsa-with-SHA384
            30:66:02:31:00:d2:06:fa:2c:0b:0d:f0:81:90:01:c3:3d:bf:
            97:b3:79:d8:25:a0:e2:0e:ed:00:c9:48:3e:c9:71:43:c9:b4:
            2a:a6:0a:27:80:9e:d4:0f:f2:db:db:5b:40:b1:a9:0a:e4:02:
            31:00:ee:00:e1:07:c0:2f:12:3f:88:ea:fe:19:05:ef:56:ca:
            33:71:75:5e:11:c9:a6:51:4b:3e:7c:eb:2a:4d:87:2b:71:7c:
            30:64:fe:14:ce:06:d5:0a:e2:cf:9a:69:19:ff
   

   # Assign an IP address to VLAN-interface 2.

   [SwitchA] interface vlan-interface 2
   [SwitchA-Vlan-interface2] ip address 192.168.0.2 255.255.255.0
   [SwitchA-Vlan-interface2] quit
   [SwitchA] quit
   

3. Establish an SFTP connection to the SFTP server based on the 192-bit Suite B algorithms:

   # Establish an SFTP connection to the server at 192.168.0.1.

   <SwitchA> sftp 192.168.0.1 suite-b 192-bit pki-domain client384 server-pki-domain server384
   Username: client001
   Press CTRL+C to abort.
   Connecting to 192.168.0.1 port 22.
   sftp>
   

	NOTE: You can modify the pkix version of the client software OpenSSH to support Suite B. This example uses an HPE switch as an SFTP client.

1. Configure the SFTP server:

   # Upload the server's certificate file ssh-server-ecdsa384.p12 and the client's certificate file ssh-client-ecdsa384.p12 to the SFTP server through FTP or TFTP. (Details not shown.)

   # Create a PKI domain named client384 for verifying the client's certificate and import the file of the client's certificate to this domain. (Details not shown.)

   # Create a PKI domain named server384 for the server's certificate and import the file of the server's certificate to this domain. (Details not shown.)

   # Specify Suite B algorithms for algorithm negotiation.

   [SwitchB] ssh2 algorithm key-exchange ecdh-sha2-nistp384
   [SwitchB] ssh2 algorithm cipher aes256-gcm
   [SwitchB] ssh2 algorithm public-key x509v3-ecdsa-sha2-nistp384
   

   # Specify server384 as the PKI domain of the server's certificate.

   [SwitchB] ssh server pki-domain server384
   

   # Enable the SFTP server.

   [SwitchB] sftp server enable
   

   # Assign an IP address to VLAN-interface 2.

   [SwitchB] interface vlan-interface 2
   [SwitchB-Vlan-interface2] ip address 192.168.0.1 255.255.255.0
   [SwitchB-Vlan-interface2] quit
   

   # Set the authentication mode to AAA for user lines.

   [SwitchB] line vty 0 15
   [SwitchB-line-vty0-15] authentication-mode scheme
   [SwitchB-line-vty0-15] quit
   

   # Create a local device management user named client001. Authorize the user to use the SSH service and assign the network-admin user role to the user.# Create a local device management user named client001. Authorize the user to use the SSH service and assign the network-admin user role to the user.

   [SwitchB] local-user client001 class manage
   [SwitchB-luser-manage-client001] service-type ssh
   [SwitchB-luser-manage-client001] authorization-attribute user-role network-admin
   [SwitchB-luser-manage-client001] quit
   

   # Create an SSH user named client001. Specify the publickey authentication method for the user and specify client384 as the PKI domain for verifying the client's certificate.

   [Switch] ssh user client001 service-type sftp authentication-type publickey assign pki-domain client384
   

2. Establish an SFTP connection to the SFTP server based on the 192-bit Suite B algorithms:

   # Establish an SFTP connection to the server at 192.168.0.1.

   <SwitchA> sftp 192.168.0.1 suite-b 192-bit pki-domain client384 server-pki-domain server384
   Username: client001
   Press CTRL+C to abort.
   Connecting to 192.168.0.1 port 22.
   sftp>