
HUAWEI Switches S6700 - Example: Configuring the Device as an SCP Client

Jun, 04, 2024 Hi-network.com


Networking Requirements

Compared with SFTP, SCP simplifies file transfer by combining user authentication and file transfer into a single operation, which improves configuration efficiency.

As shown in Figure 1, the device acting as the SCP client and the SSH server have reachable routes to each other, and a file is downloaded from the SSH server to the client.

Figure 1 Network diagram for accessing files on another device through SCP

In this example, interface1 represents 10GE1/0/1.



Configuration Ideas

Use the following approach to access files on another device through SCP:

1. Generate a local key pair on the SSH server side.

2. Create SSH users on the SSH server side.

3. Enable the SCP function on the SSH server side.

4. Download files locally from the SSH server.


Steps

1. Generate a local key pair on the server side.

<HUAWEI> system-view

[HUAWEI] sysname SSH Server

[SSH Server] rsa local-key-pair create

The key name will be:Host

The range of public key size is (2048, 4096).

NOTE: Key pair generation will take a short while.

Please input the modulus [default = 3072]:


2. Create an SSH user on the server side.

#Configure the VTY user interface.

[SSH Server] user-interface vty 0 4

[SSH Server-ui-vty0-4] authentication-mode aaa

[SSH Server-ui-vty0-4] protocol inbound ssh

[SSH Server-ui-vty0-4] quit

#Create an SSH user named Client, with the authentication type password and the service type all.

[SSH Server] ssh user Client

[SSH Server] ssh user Client authentication-type password

[SSH Server] ssh user Client service-type all

#Configure a password for the SSH user Client.

[SSH Server] aaa

[SSH Server-aaa] local-user Client password

Please configure the login password (8-128)

It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.

Please enter password:                                      

Please confirm password:                               

Info: Add a new user.

[SSH Server-aaa] local-user Client service-type terminal ssh

[SSH Server-aaa] local-user Client privilege level 3 

[SSH Server-aaa] quit


3. Enable SCP services on the server side.

[SSH Server] scp server enable 

[SSH Server] ssh server-source all-interface


4. Configure the public key algorithm, encryption algorithm, key exchange algorithm list, HMAC authentication algorithm, and minimum key length on the SSH server side.

[SSH Server] ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm

[SSH Server] ssh server hmac sha2_256 sha2_512

[SSH Server] ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512

[SSH Server] ssh server publickey rsa_sha2_256 rsa_sha2_512

[SSH Server] ssh server dh-exchange min-len 3072


5. Configure the encryption algorithm, HMAC authentication algorithm, key exchange algorithm list, and public key algorithm on the client.

<HUAWEI> system-view

[HUAWEI] sysname SCP Client

[SCP Client] ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm

[SCP Client] ssh client hmac sha2_256 sha2_512

[SCP Client] ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512

[SCP Client] ssh client publickey rsa_sha2_256 rsa_sha2_512


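Checking Configuration Results

Download a file from the server to the SCP client.

#For the first login, enable the first-login function on the SSH client. With it enabled, the client saves the server's public key on the first connection, as the output below shows.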

<HUAWEI> system-view

[HUAWEI] sysname SCP Client

[SCP Client] ssh client first-time enable

#Use the aes256_ctr encryption algorithm to download the file backup.cfg from a remote SSH server with IP address 10.1.1.1 to the local user directory.

[SCP Client] scp -cipher aes256_ctr Client@10.1.1.1:backup.cfg backup.cfg

Trying 10.1.1.1 ...

Press CTRL+K to abort

Connected to 10.1.1.1 ...

 Continue to access it? [Y/N]:y

 [Y/N]:y

The server's public key will be saved with the name 10.1.1.1. Please wait...


Enter password:

backup.cfg                     100%        19174Bytes            7Kb/s


Configuration Scripts

Configuration scripts on the SSH server

#

sysname SSH Server

#

aaa

 local-user Client password irreversible-cipher$#z$!9S<a#>H7{7dI>%0S{AcKGC=t:zjv14LlQqHO\P.*=<x1]u;y*P`'GR3[m}$

 local-user Client service-type terminal ssh

 local-user Client privilege level 3 

#

scp server enable

ssh server-source all-interface

ssh user Client

ssh user Client authentication-type password

ssh user Client service-type all  

#

user-interface vty 0 4

 authentication-mode aaa

 protocol inbound ssh

#

ssh server cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm

ssh server hmac sha2_256 sha2_512

ssh server key-exchange dh_group_exchange_sha256 dh_group16_sha512

ssh server publickey rsa_sha2_256 rsa_sha2_512

ssh server dh-exchange min-len 3072

#

return

Configuration scripts on the SCP client

#

sysname SCP Client

#

ssh client first-time enable

#

ssh client cipher aes128_ctr aes256_ctr aes192_ctr aes128_gcm aes256_gcm

ssh client hmac sha2_256 sha2_512

ssh client key-exchange dh_group_exchange_sha256 dh_group16_sha512

ssh client publickey rsa_sha2_256 rsa_sha2_512

#

return
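
The configuration scripts above can be checked mechanically. The following Python sketch is an added example, not part of the original page or of Huawei's tooling: it compares a device's ssh server / ssh client algorithm lines against the lists configured on this page and flags the two settings that warrant a deliberate decision. The function name audit, the finding wording and the WEAK_SERVER sample (including its aes128_cbc and sha1 entries) are constructed for illustration.

```python
import re

# Allow-lists copied from the algorithm lists configured on this page.
ALLOWED = {
    "cipher": {"aes128_ctr", "aes256_ctr", "aes192_ctr", "aes128_gcm", "aes256_gcm"},
    "hmac": {"sha2_256", "sha2_512"},
    "key-exchange": {"dh_group_exchange_sha256", "dh_group16_sha512"},
    "publickey": {"rsa_sha2_256", "rsa_sha2_512"},
}
MIN_DH_LEN = 3072  # "ssh server dh-exchange min-len" value used on this page
ALGO_RE = re.compile(r"ssh (server|client) (cipher|hmac|key-exchange|publickey) (.+)")
REVIEW = {  # settings from this page that deserve a deliberate decision
    "ssh client first-time enable": "client saves an unverified server key on first login",
    "ssh server-source all-interface": "SSH server accepts logins on every interface",
}

def audit(config):
    """Return a list of findings for one device's configuration script."""
    findings, seen = [], set()
    for line in (l.strip() for l in config.splitlines()):
        m = ALGO_RE.fullmatch(line)
        if m:
            role, kind, algos = m.group(1), m.group(2), m.group(3).split()
            seen.add((role, kind))
            for algo in sorted(set(algos) - ALLOWED[kind]):
                findings.append(f"{role} {kind}: {algo} is not on the allow-list")
        elif line.startswith("ssh server dh-exchange min-len "):
            seen.add(("server", "dh-exchange"))
            if int(line.split()[-1]) < MIN_DH_LEN:
                findings.append(f"server dh-exchange min-len below {MIN_DH_LEN}")
        elif line in REVIEW:
            findings.append(f"review: {REVIEW[line]}")
    for role in sorted({r for r, _ in seen}):
        for kind in ALLOWED:  # an unset list means the device defaults apply
            if (role, kind) not in seen:
                findings.append(f"{role} {kind}: no explicit list, device defaults apply")
    return findings

# Constructed sample (not from the page): SCP server with two legacy algorithms.
WEAK_SERVER = """
scp server enable
ssh server-source all-interface
ssh server cipher aes256_ctr aes128_cbc
ssh server hmac sha2_256 sha1
ssh server dh-exchange min-len 2048
"""

if __name__ == "__main__":
    print("\n".join(audit(WEAK_SERVER)))
```

Run against the SCP client script on this page, the only finding is the review item for ssh client first-time enable.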

