Which command enables you to configure the parameters for the console access?

Overview of CLI Login Methods

You can log in to a device through its console port or mini USB port, or using Telnet or STelnet. After successful login, you can run commands on the command line interface (CLI) to manage and configure the device. You can also log in to another device from the local device using Telnet, STelnet, redirection, or reverse Telnet.


You can log in to a device using one of the CLI methods described in Table 10-1 to configure and manage the device.

Table 10-1 CLI login methods (for each login method: advantages, disadvantages, applicable scenario, and description)

Logging In Through the Console Port

  Advantages: A dedicated console cable is used, which gives direct control of the device.

  Disadvantages: You cannot log in to the device remotely to maintain it.

  Applicable scenario:
  • When you need to configure a device that is powered on for the first time, log in to the device through the console port.
  • If you cannot log in to a device remotely, you can log in through the console port.
  • If a device fails to start, you can enter the BootROM/BootLoader menu through the console port to diagnose the fault or upgrade the device.

  Description: Console port login is the basis for the other login methods. By default, you can log in to a device through the console port and have user level 15 after login.

Logging In Through the Mini USB Port

  Advantages: If your PC has no serial (COM) port, you can connect a USB port on the PC to the mini USB port of the device with a mini USB cable and log in to the device for direct control.

  Disadvantages: You cannot log in to the device remotely to maintain it.

  Applicable scenario: When you need to configure a device that is powered on for the first time but your PC has no serial port, log in to the device through the mini USB port.

  Description: The physical connection for mini USB port login differs from that for console port login, but both use the console user interface, so the configuration after login is the same.

Logging In Through Telnet

  Advantages: You can use Telnet to remotely manage and maintain several devices from one terminal without connecting a terminal to each device, which simplifies operations.

  Disadvantages: Data, including the login credentials and every command, is carried over TCP in plain text, so anyone who can observe the path can read or tamper with the session. This is a security risk.

  Applicable scenario: Use Telnet to configure a device remotely only on networks that do not require high security.

  Description: By default, you cannot log in to a device using Telnet. Before using Telnet, you must log in locally through the console port or mini USB port and perform the following configurations:
  • Configure a reachable route between the user terminal and the device. (By default, no management IP address is configured on the device.)
  • Enable the Telnet server function and set its parameters.
  • Configure a user interface for Telnet login.

Logging In Through STelnet

  Advantages: STelnet runs over the Secure Shell (SSH) protocol, which provides secure remote login over insecure networks: the session is encrypted and integrity-protected, and the client can verify the server's host key.

  Disadvantages: The configuration is more complex than for Telnet.

  Applicable scenario: Use STelnet on networks with high security requirements. Based on SSH, it provides strong authentication to protect information and defend devices against attacks such as IP spoofing.

  Description: By default, you cannot log in to a device using STelnet. Before using STelnet, you must log in locally through the console port or mini USB port, or remotely using Telnet, and perform the following configurations:
  • Configure a reachable route between the user terminal and the device. (By default, no management IP address is configured on the device.)
  • Enable the SSH server function and set its parameters.
  • Configure a user interface for SSH login.
  • Configure an SSH user.
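The following transcript is an added example, not part of the original page, that carries out the Telnet and STelnet preparation steps listed above on one device: first the Telnet form (the weak setting) and then the STelnet form that replaces it. The interface name GigabitEthernet0/0/0, the address 192.168.1.1/24, the user name admin and the password Huawei@2024 are assumed placeholders; replace all of them.

```text
# Added example; not taken from the original page. Assumptions: the management
# interface is GigabitEthernet0/0/0 with address 192.168.1.1/24, the account is
# "admin", and "Huawei@2024" is a placeholder password. Replace all three.

# --- Weak form: Telnet. Credentials and commands cross the network in plain text.
<Huawei> system-view
[Huawei] interface GigabitEthernet0/0/0
[Huawei-GigabitEthernet0/0/0] ip address 192.168.1.1 24
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] telnet server enable
[Huawei] aaa
[Huawei-aaa] local-user admin password irreversible-cipher Huawei@2024
[Huawei-aaa] local-user admin service-type telnet
[Huawei-aaa] local-user admin privilege level 15
[Huawei-aaa] quit
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound telnet
[Huawei-ui-vty0-4] quit

# --- Corrected form: STelnet only. Same reachability, but the Telnet server is
# switched off and the VTY user interfaces accept SSH only.
[Huawei] undo telnet server enable
# Host key pair for the SSH server; when prompted, choose a modulus of at least 2048 bits.
[Huawei] rsa local-key-pair create
[Huawei] stelnet server enable
[Huawei] aaa
[Huawei-aaa] local-user admin password irreversible-cipher Huawei@2024
# Access type for SSH logins; the telnet access type from the weak form is no longer needed.
[Huawei-aaa] local-user admin service-type ssh
[Huawei-aaa] local-user admin privilege level 15
[Huawei-aaa] quit
# SSH user: password authentication, STelnet service.
[Huawei] ssh user admin authentication-type password
[Huawei] ssh user admin service-type stelnet
[Huawei] user-interface vty 0 4
[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
# Close idle sessions after 5 minutes; 0 0 would disable the timer.
[Huawei-ui-vty0-4] idle-timeout 5 0
[Huawei-ui-vty0-4] quit
[Huawei] quit
<Huawei> save
```

Keep the console session open until an SSH client on another host has logged in successfully, and run display local-user to confirm that admin no longer carries the telnet access type; only then disconnect from the console.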

Logging In Through Redirection

  Advantages: Remote devices that have only a serial port can be managed.

  Disadvantages: This login method applies only when two devices are connected through serial ports.

  Applicable scenario: To manage a remote device that can transmit data only through a serial port, configure the redirection function on the router. The remote device can be a router, switch, or intelligent electricity meter that supports serial ports.

  Description: By default, the redirection function is disabled on a router. To use this function, configure the asynchronous serial port of the router to work in flow mode and enable the redirection function.

Logging In Through Reverse Telnet

  Advantages: Dumb terminals can only be connected directly to a router using asynchronous cables. The reverse Telnet function lets the dumb terminals establish connections with a remote server through the router.

  Disadvantages: This login method applies only when two devices are connected through serial ports.

  Applicable scenario: To connect dumb terminals that have only serial ports to a remote server, enable the reverse Telnet service on the router connected to the dumb terminals.

  Description: By default, the reverse Telnet function is disabled on a router. To use this function, configure the asynchronous port of the router to work in flow mode and configure the parameters for the connection between the dumb terminals and the remote server.

Overview of User Interfaces

The system supports console, TTY, VTY, and web user interfaces.

When a user logs in to a device through the CLI, the system assigns a user interface to manage and monitor the session between the device and the user. Each user interface has a user interface view, where you can set parameters such as the authentication mode and user level. Users logging in through the user interface are restricted by these parameters, which allows uniform management of the various user sessions.

The device supports the following types of user interfaces:

  • Console user interface: manages and monitors users who log in through the console port. A device provides an EIA/TIA-232 DCE console port. The serial port of a user terminal can be connected directly to the console port of the device for local access. The console user interface is also used to manage and monitor users who log in through the mini USB port.
  • TTY (teletypewriter) user interface: manages and monitors users who log in through an asynchronous serial port, which is done using the redirection or reverse Telnet function.
  • VTY (virtual teletype) user interface: manages and monitors users who log in through a VTY. A VTY connection is set up when a user logs in using Telnet or STelnet. A device supports a maximum of 15 concurrent VTY users.
  • Web user interface: manages and monitors users who log in through the web system.

Relationship Between a User and a User Interface

A user interface is not exclusive to a specific user. User interfaces are used to manage and monitor users who have logged in to the device using a specific method. Although a user interface can be used by only one user at a time, it is not bound to that user.

When a user logs in, the system allocates the idle user interface with the smallest number of the type matching the user's login mode. The login process is restricted by the configuration in that user interface view. For example, when user A logs in through the console port, the login process depends on the configuration in the console user interface view; when user A logs in through VTY 1, it depends on the configuration in the VTY 1 user interface view. A user who logs in using different methods is allocated different user interfaces, and a user who logs in at different times may be allocated different user interfaces.

User Interface Numbering

User interfaces are numbered in either of the following modes:

  • Relative numbering

    The numbering format is user interface type + number.

    This mode uniquely specifies a user interface or a group of user interfaces of the same type. Relative numbering adheres to the following rules:

    • Console user interface numbering: CON 0.

    • TTY user interface numbering: The first TTY user interface is TTY 1, the second TTY user interface is TTY 2, and so on.

    • VTY user interface numbering: The first VTY user interface is VTY 0, the second VTY user interface is VTY 1, and so on.

    • Web user interface numbering: The first web user interface is Web 0, the second web user interface is Web 1, and so on.
  • Absolute numbering

    This mode uniquely specifies a user interface or a group of user interfaces. You can run the display user-interface command to view user interfaces and their absolute numbers supported by the device.

    Each MPU supports only one console user interface and 15 VTY user interfaces. You can run the user-interface maximum-vty command in the system view to set the maximum number of VTY user interfaces. The default value is 5. By default, numbers VTY 16 to VTY 20 are reserved by the system and are unaffected by the user-interface maximum-vty command.

    Table 10-2 lists the default absolute numbers of the console, TTY, VTY and Web user interfaces.

Table 10-2 Default absolute numbers of the user interfaces

Console user interface
  Description: Manages and controls users who log in through the console port or mini USB port.
  Absolute number: 0
  Relative number: CON 0

TTY user interface
  Description: Manages and controls users who log in to the device through an asynchronous serial interface.
  Absolute numbers: 1 to 128
  Relative numbers: TTY 1 to TTY 128 (the first TTY user interface is TTY 1, the second is TTY 2, and so on). Absolute numbers 1 to 128 map to relative numbers TTY 1 to TTY 128.

VTY user interface
  Description: Manages and controls users who log in using Telnet or STelnet.
  Absolute numbers: 129 to 143
  Relative numbers: VTY 0 to VTY 14 (the first VTY user interface is VTY 0, the second is VTY 1, and so on). By default, VTY 0 to VTY 4 are available. Absolute numbers 129 to 143 map to relative numbers VTY 0 to VTY 14.

Web user interface
  Description: Manages and monitors users who log in through the web system.
  Absolute numbers: 149 to 153
  Relative numbers: Web 0 to Web 4 (the first web user interface is Web 0, the second is Web 1, and so on). By default, Web 0 to Web 4 are available. Absolute numbers 149 to 153 map to relative numbers Web 0 to Web 4.

Authentication Modes for User Interfaces

After you configure an authentication mode for a user interface, the system authenticates users before they access the user interface.

Two authentication modes are available: Authentication, Authorization, and Accounting (AAA) authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

User Levels for User Interfaces

You can manage login users based on their levels. The levels of commands accessible to a user depend on the user level.

  • If password authentication is configured, the levels of commands accessible to a user depend on the level of the user interface through which the user logs in.
  • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration.

Licensing Requirements and Limitations for CLI Login

This section provides licensing requirements and limitations for CLI login.

Involved Network Elements

None

Licensing Requirements

CLI login configuration is a basic feature of a router and is not under license control.

Hardware Requirements

This section is applicable to all models. For details about differences for specific models, see the description in the corresponding section.

Feature Limitations

  • For the interface type supported by the device, see "Interface Description" in the Hardware Description.
  • The default username and password are available in AR Router Default Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained the access permission of the document, see Help on the website to find out how to obtain it.
  • When a user fails to log in to a device using SFTP, STelnet, Telnet, or FTP, the device adds the user's IP address to a blacklist and records a log. The lock period grows with consecutive failures: the address is locked for 2 seconds after the first failure, 4 seconds after the second, and 8 seconds after the third; after five consecutive failures, the sixth failure locks it for 300 seconds, and while it is locked for the sixth time it cannot be used to set up a new connection at all. After the lock period expires and the user logs in successfully, the address is removed from the blacklist and a recovery log is recorded; a further login failure locks the address for another 300 seconds. At most 32 addresses can be locked at the same time; if more are added, the newest entry overwrites the earliest one. The blacklist therefore slows password guessing from a single address, but an attacker who spreads attempts across more than 32 source addresses ages earlier entries out, so restrict which addresses can reach the management services rather than relying on the lockout alone.
  • For security purposes, after a user logs in successfully in AAA mode, if the login password is still the default password or a password set with the change default-password command, the system displays the message "Warning: The default password is not secure, and it is strongly recommended to change it." to prompt the user to change it. Do not run the undo password alert original command to disable this initial password change prompt when configuring a local AAA user.

Configuring Login Through a Console Port

You can connect a PC to the console port of a device and then log in to the device to perform basic configurations and management.

(Optional) Configuring Attributes for the Console User Interface

This section describes how to configure attributes about data transmission and screen display for the console user interface.

Context

The data transmission and screen display attributes of the console user interface are as follows:

  • Data transmission attributes: transmission rate, parity bit, stop bit, and data bit. These attributes determine the data transmission mode used in the console port login process.
  • Screen display attributes: timeout period of a connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands. These attributes determine terminal screen display for console port login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Configure data transmission attributes.

    The data transmission attributes configured on the terminal software must be the same as those on the device.

    1. Run speed speed-value

      The transmission rate is set.

      The default transmission rate is 9600 bit/s.

    2. Run databits { 7 | 8 }

      The data bit is set.

      The default data bit is 8. Data bit configuration depends on the code type used for information interchange. If standard ASCII codes are used, set the data bit to 7. If extended ASCII codes are used, set the data bit to 8.

    3. Run parity { even | none | odd }

      The parity bit is set.

      The default parity setting is none, meaning that no parity check is performed on the console port. A parity bit lets the receiver detect single-bit transmission errors; it is not a security control. If characters received on the console port fail the parity check, the device discards them.

    4. Run stopbits { 1 | 1.5 | 2 }

      The stop bit is set.

      The default stop bit is 1. The stop bit marks the end of each transmitted character. More stop bits mean lower transmission efficiency.

  4. Configure screen display attributes.
    1. Run idle-timeout minutes [ seconds ]

      A timeout period is set for a user connection.

      If a connection remains idle for the specified timeout period, the system automatically ends the connection after the timeout period expires.

      The default timeout period is 5 minutes.

      If you set the timeout period to 0 (no timeout) or to a long value, an unattended terminal remains logged in to the device, which is a security risk. Keep the timeout short, and run the lock command whenever you leave a session unattended.

    2. Run screen-length screen-length

      The number of rows displayed on a terminal screen is set.

      The default number of rows displayed on a terminal screen is 24.

      The system automatically adjusts the number of terminal screen lines.

    3. Run screen-width screen-width

      The number of columns displayed on a terminal screen is set.

      The default number of columns displayed on a terminal screen is 80. Each character is a column.

    4. Run history-command max-size size-value

      A buffer size is set for historical commands.

      The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for the Console User Interface

You can configure an authentication mode for the console user interface to control user access through the console port, which enhances login security.

Context

The system provides two authentication modes for the console user interface: AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. (Optional) run authentication-domain domain-name

      An authentication domain is configured.

      By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the console user interface, you can run this command.

    5. Run quit

      Exit the console user interface view.

    6. Run aaa

      The AAA view is displayed.

    7. Run local-user user-name password irreversible-cipher password

      A local user account is created and a password is configured.

      A simple local user password is a security risk. The password must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters. In addition, the password cannot be the same as the user name or the user name reversed.

    8. Run local-user user-name service-type terminal

      The access type of the local user is set to terminal, which covers logins through the console port and the mini USB port.

    9. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface console 0

      The console user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Configuring a User Level for the Console User Interface

This section describes how to configure a user level for the console user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 10-3 describes mappings between user levels and command levels.

    Table 10-3 Mappings between user levels and command levels

    • User level 0, command level 0 (visit level): commands used for network diagnosis, such as ping and tracert, and remote access commands such as Telnet.
    • User level 1, command levels 0 and 1 (monitoring level): commands used for system maintenance, including display commands.

      NOTE: Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the NetEngine AR Command Reference.

    • User level 2, command levels 0, 1, and 2 (configuration level): commands used to configure network services provided directly to users, such as routing and commands at all network layers.
    • User levels 3 to 15, command levels 0, 1, 2, and 3 (management level): commands used to control basic system operations and support services, including the file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Run user privilege level level

    A user level is set.

    By default, the users on the console user interface are at level 15.

    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
    • If password authentication is configured, the levels of commands accessible to a user depend on the level of the console user interface through which the user logs in.
    • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.
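The following transcript is an added example, not part of the original page, that combines the three console user interface procedures above (data transmission and screen display attributes, authentication mode, and user level) into one configuration session. Because mini USB logins use the same console user interface, it applies equally to the mini USB login procedures. The user name admin and the password Huawei@2024 are assumed placeholders; replace both.

```text
# Added example; not taken from the original page. The user name "admin" and the
# password "Huawei@2024" are placeholders to replace.
<Huawei> system-view

# Create the AAA account first and check it, so that a typo cannot lock you out
# of the console when the authentication mode is switched to AAA below.
[Huawei] aaa
[Huawei-aaa] local-user admin password irreversible-cipher Huawei@2024
# "terminal" is the access type for console port (and mini USB) logins.
[Huawei-aaa] local-user admin service-type terminal
# With AAA, this level, not the user interface level, decides which commands admin can run.
[Huawei-aaa] local-user admin privilege level 15
[Huawei-aaa] quit
[Huawei] display local-user

[Huawei] user-interface console 0
# Data transmission attributes: 9600 bit/s, 8 data bits, no parity, 1 stop bit.
# The rate is left at its default; if you change it, change the PC side to match
# and reconnect, as the procedure above notes.
[Huawei-ui-console0] speed 9600
[Huawei-ui-console0] databits 8
[Huawei-ui-console0] parity none
[Huawei-ui-console0] stopbits 1
# Screen display attributes. Weak setting, shown for contrast and not applied:
#   idle-timeout 0 0   (disables the timer; an unattended console stays logged in)
# Corrected: end the session after 3 minutes without input.
[Huawei-ui-console0] idle-timeout 3 0
[Huawei-ui-console0] screen-length 40
[Huawei-ui-console0] screen-width 120
[Huawei-ui-console0] history-command max-size 20
# Authentication mode: user name plus password, tied to the account created above.
[Huawei-ui-console0] authentication-mode aaa
# Interface user level. Under AAA the account level (15) takes precedence, so this
# only matters if someone later switches the interface back to password
# authentication; keep it low rather than the default 15.
[Huawei-ui-console0] user privilege level 1
[Huawei-ui-console0] quit

# Verify and save.
[Huawei] display user-interface console 0
[Huawei] quit
<Huawei> save
```

Before closing the session, log out and log in again through the console to confirm that the admin account is accepted and lands at level 15; a failed AAA console login after the old session is gone can only be recovered through the BootROM/BootLoader menu.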

Logging In to a Device Through the Console Port

You can connect a PC to the console port of a device and then log in to the device.

Context

After completing console user interface configurations on a device, you can log in to the device through the console port. If the console user interface uses the default attribute settings and password authentication, perform the following steps to log in to the device.

Procedure

  1. Connect the DB9 female connector of the console cable to the COM port on the PC, and connect the RJ45 connector to the console port on the device, as shown in Figure 10-1.

    Figure 10-1 Connecting to the device through the console port

  2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters. (This section uses the third-party software PuTTY as an example.)
    1. Click Session to establish a connection, as shown in Figure 10-2.

      Figure 10-2 Establishing a connection

    2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-3.

      Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

      Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

      By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

      If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

      Figure 10-3 Setting the connected port and communication parameters

  3. Click Connect. The following information is displayed, prompting you to enter a password. (In AAA authentication, the system prompts you to enter the user name and password. The following information is only for reference.)
    Login authentication
    
    
    Password:       
    <Huawei>         

    You can run commands to configure the device. Enter a question mark (?) whenever you need help.

Verifying the Configuration

  • Run the display users [ all ] command to check user login information on the user interface.
  • Run the display user-interface console 0 command to check user interface information.
  • Run the display local-user command to check the local user attributes.
  • Run the display access-user command to check information about online users.

Configuring Login Through the Mini USB Port

You can connect a PC to the mini USB port of a device and then log in to the device to perform basic configurations and management.

V300R019C13 and later versions do not support login through the Mini USB port.

The console port and the mini USB port share the console user interface (user-interface console 0), so the procedures for configuring its data transmission and screen display attributes, its authentication mode, and its user level are the same as those in "Configuring Login Through a Console Port" above and are not repeated here.

Logging In to a Device Through the Mini USB Port

You can connect a PC to the mini USB port of a device and then log in to the device.

Context

After completing console user interface configurations on a device, you can log in to the device through the mini USB port. The procedure below assumes that the console user interface uses the default attribute settings and password authentication.

Procedure

  1. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters. (This section uses the third-party software PuTTY as an example.)
    1. Click Session to establish a connection, as shown in Figure 10-4.

      Figure 10-4 Establishing a connection

    2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-5.

      Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

      Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

      By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

      If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

      Figure 10-5 Setting the connected port and communication parameters

  2. Click Connect. The following information is displayed, prompting you to enter a password. (In AAA authentication, the system prompts you to enter the user name and password. The following information is only for reference.)
    Login authentication
    
    
    Password:       
    <Huawei>         

    You can run commands to configure the device. Enter a question mark (?) whenever you need help.

Verifying the Configuration

  • Run the display users [ all ] command to check user login information on the user interface.
  • Run the display user-interface console 0 command to check user interface information.
  • Run the display local-user command to check the local user attributes.
  • Run the display access-user command to check information about online users.

Configuring Telnet Login

You can log in to a device using Telnet to manage and configure the device.

The Telnet protocol has security vulnerabilities: it carries user names, passwords, and session data in plaintext, so they can be read by anyone able to observe the traffic. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface

This section describes how to configure attributes for a VTY user interface.

Context

You can configure attributes for a VTY user interface to control Telnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface maximum-vty number

    The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

    By default, the maximum number of VTY user interfaces is 5.

    • When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
    • If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
    • If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

  3. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  4. Run shell

    The VTY terminal service is enabled.

    By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

  5. Run idle-timeout minutes [ seconds ]

    A timeout period is set for a user connection.

    If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

    By default, the timeout period is 5 minutes.

    If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

  6. Run screen-length screen-length [ temporary ]

    The number of rows displayed on a terminal screen is set.

    If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

    The default number of rows is 24.

  7. Run screen-width screen-width

    The number of columns displayed on a terminal screen is set.

    The default number of columns is 80. Each character is a column.

  8. Run history-command max-size size-value

    A buffer size is set for historical commands.

    The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for a VTY User Interface

You can configure an authentication mode for a VTY user interface to control user access through Telnet, which enhances login security.

Context

The system provides two authentication modes for a VTY user interface: AAA authentication and password authentication.

  • AAA authentication: Users must enter both user names and passwords for login. If either a user name or a password is incorrect, the login fails.

  • Password authentication: Users must enter passwords for login. Only after a user enters the correct password does the device allow the users to log in.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run protocol inbound { all | telnet }

      The VTY user interface is configured to support the Telnet protocol.

      By default, a VTY user interface supports both the SSH and Telnet protocols.

    4. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    5. (Optional) Run authentication-domain domain-name

      An authentication domain is configured.

      By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the VTY user interface, you can run this command.

    6. Run quit

      Exit the VTY user interface view.

    7. Run aaa

      The AAA view is displayed.

    8. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

      A simple local user password brings security risks. The password must contain at least two of the following character types: uppercase letters, lowercase letters, digits, and special characters. In addition, the password cannot be the same as the user name or the user name in inverse order.

    9. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    10. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run protocol inbound { all | telnet }

      The VTY user interface is configured to support the Telnet protocol.

      By default, a VTY user interface supports both the SSH and Telnet protocols.

    4. Run authentication-mode password

      The authentication mode is set to password authentication.

    5. Run set authentication password cipher

      An authentication password is set.
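The password rule quoted in step 8 of both the console and the VTY AAA procedures (at least two character types, not equal to the user name or its reverse) is worth checking before a credential is ever typed into the device. The following is an added example, not Huawei code: it implements exactly that rule as a pre-commit check. The function names are the example's own, no minimum length is enforced because the page states none, and the user/password pairs are constructed samples.

```python
"""Local-user password policy check.

Added example, not Huawei code. It implements only the rule this page states
for `local-user user-name password`: at least two of the four character types
(uppercase letters, lowercase letters, digits, special characters), and the
password must not equal the user name or the user name reversed. Function
names are the example's own; no minimum length is enforced because the page
states none.
"""
import string

SPECIAL_CHARACTERS = set(string.punctuation)


def character_types(password: str) -> set:
    """Return which of the four character types appear in the password."""
    types = set()
    for ch in password:
        if ch.isupper():
            types.add("uppercase")
        elif ch.islower():
            types.add("lowercase")
        elif ch.isdigit():
            types.add("digit")
        elif ch in SPECIAL_CHARACTERS:
            types.add("special")
    return types


def password_violations(username: str, password: str) -> list:
    """List every rule the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(character_types(password)) < 2:
        problems.append("contains fewer than two character types")
    if password == username:
        problems.append("is the same as the user name")
    if password == username[::-1]:
        problems.append("is the user name in inverse order")
    return problems


def is_acceptable(username: str, password: str) -> bool:
    return not password_violations(username, password)


if __name__ == "__main__":
    # Constructed samples: the first two would be rejected under the rule above.
    for user, pwd in [("admin", "nimda"), ("admin", "admin"), ("admin", "Huawei@123")]:
        print(f"{user!r}/{pwd!r}: {password_violations(user, pwd) or 'acceptable'}")
```

Run it as a script to see the three sample verdicts, or import `password_violations` into a provisioning script so that a local-user password is rejected before the configuration is pushed rather than by the device afterwards.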

Configuring a User Level for a VTY User Interface

This section describes how to configure a user level for a VTY user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 10-5 describes mappings between user levels and command levels.

    Table 10-5 Mappings between user levels and command levels

    User Level | Command Level  | Name                | Description
    0          | 0              | Visit level         | Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.
    1          | 0 and 1        | Monitoring level    | Commands of this level are used for system maintenance, including display commands. NOTE: Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the NetEngine AR Command Reference.
    2          | 0, 1, and 2    | Configuration level | Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.
    3 to 15    | 0, 1, 2, and 3 | Management level    | Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run user privilege level level

    A user level is set.

    By default, the users on the VTY user interface are at level 0.

    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.
    • If password authentication is configured, the levels of commands accessible to a user depend on the level of the VTY user interface through which the user logs in.
    • If AAA authentication is configured, the levels of commands accessible to a user depend on the level of the local user specified in AAA configuration. By default, the level of a local user is 0 in AAA configuration. You can run the local-user user-name privilege level level command in the AAA view to change the level of the local user in AAA configuration.

Enabling the Telnet Server Function

In addition to the authentication mode and user level, you need to configure the Telnet server function on a device.

Context

When a device functions as a Telnet server, you can specify the protocol port and source interface of the Telnet server to enhance Telnet connection security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run telnet server permit interface { { interface-type interface-number } &<1-5> | all }

    The physical interfaces on the Telnet server to which clients can connect are specified.

    By default, clients can connect to all the physical interfaces on the Telnet server.

    The all parameter is supported in V300R019C11SPC100 and later versions.

    In V300R019C11SPC100 and later versions, this step is mandatory. If you do not perform this step, the Telnet service cannot be enabled.

  3. Run telnet [ ipv6 ] server enable

    The Telnet server function is enabled.

    By default, the Telnet server function is disabled on a device.

  4. (Optional) Run telnet server port port-number

    The protocol port number is specified for the Telnet server.

    By default, the protocol port number of the Telnet server is 23.

    You can configure a new protocol port number for a Telnet server so that connection attempts aimed at the default port do not reach the service. This only reduces exposure to scans of the default port; the authentication mode, user levels, and the ACL-based access control in the next step still provide the actual protection.

  5. (Optional) Run telnet server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source interface is specified for the Telnet server.

    By default, the source interface of a Telnet server is not specified.

    If the source IP address is not specified for the Telnet server, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, make sure that the Telnet client has a reachable route to the source interface. Otherwise, the configuration will fail.

  6. (Optional) Configure ACL-based Telnet access control.
    • Control access to the local device.

      1. Run acl acl-number

        An ACL is created, and the ACL view is displayed.

        acl-number refers to a basic ACL numbered from 2000 to 2999.

      2. Run rule permit source source-address 0

        ACL rules are configured to prohibit devices except the device specified by source-address from accessing the local device.

      3. Run quit

        Exit the ACL view.

      4. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface view is displayed.

      5. Run acl [ ipv6 ] acl-number inbound

        The ACL-based Telnet access control is configured for the VTY user interface.

    • Control access of the local device to other devices.
      1. Run acl acl-number

        An ACL is created, and the ACL view is displayed.

        acl-number refers to an advanced ACL numbered from 3000 to 3999.

      2. Run rule deny tcp destination-port eq telnet

        ACL rules are configured to prohibit the local device from accessing other devices.

      3. Run quit

        Exit the ACL view.

      4. Run user-interface vty first-ui-number [ last-ui-number ]

        The VTY user interface view is displayed.

      5. Run acl [ ipv6 ] acl-number outbound

        The ACL-based Telnet access control is configured for the VTY user interface.

  7. (Optional) Configure the function of locking IP addresses upon login authentication failure.

    Run system lock type { ip | none }

    The type of a locked object is configured.

    By default, the system locks an IP address. That is, when a user uses SFTP, STelnet, Telnet, or FTP to log in to the device, the system locks the IP address of the user if the number of login failures reaches the specified value.

    If a user enters an incorrect user name or password, the device adds the user's IP address to the blacklist and locks it for 2 seconds upon the first login failure, 4 seconds upon the second, and 8 seconds upon the third. If the user enters incorrect user names or passwords five consecutive times, the device locks the IP address for 300 seconds upon the sixth login failure. While an IP address is locked, it cannot be used to set up a connection in a new window because it is in the blacklist. If the user logs in successfully with the correct user name and password after the locking duration expires, the IP address is removed from the blacklist and a recovery log is generated. If the login fails again, the IP address is locked for 300 seconds. A maximum of 32 IP addresses can be locked at the same time; if more than 32 IP addresses are added to the blacklist, a new IP address overwrites the earliest one.
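Taken together, the settings in this procedure and in the two VTY procedures before it decide how exposed the management plane is: whether the Telnet server is enabled at all, the authentication mode and idle-timeout of each VTY user interface, which inbound protocols it accepts, whether an inbound ACL limits the sources, the privilege level it grants, and the system lock type. The following is an added example, not Huawei code: it audits a configuration listing built from those commands and reports each setting the page's own notes warn about. The two configuration listings are constructed for the example; their layout (view commands indented under the command that opens the view, blocks separated by `#`) is an assumption about how the device displays them, and the cipher text is a placeholder.

```python
"""Audit a configuration listing for the weak management-plane settings this
page warns about.

Added example, not Huawei code. SAMPLE_CONFIG and HARDENED_CONFIG are
constructed from the commands in the procedures above; the layout (view
commands indented under the command that opens the view, blocks separated by
'#') is an assumption about how the device displays them, and the cipher
text is a placeholder.
"""
import re

SAMPLE_CONFIG = """\
#
telnet server enable
#
user-interface maximum-vty 5
#
user-interface console 0
 authentication-mode aaa
 idle-timeout 5 0
#
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher <placeholder-cipher-text>
 user privilege level 15
 idle-timeout 0 0
 protocol inbound all
#
system lock type none
#
"""

HARDENED_CONFIG = """\
#
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 5 0
 protocol inbound ssh
 acl 2001 inbound
#
system lock type ip
#
"""


def parse_entries(config_text: str) -> list:
    """Return [(system-view command, [commands entered in the view it opens])]."""
    entries = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue                                  # '#' only separates blocks
        if raw[0].isspace() and entries:
            entries[-1][1].append(raw.strip())        # belongs to the view above
        else:
            entries.append((raw.strip(), []))
    return entries


def first_matching(commands: list, prefix: str):
    return next((c for c in commands if c.startswith(prefix)), None)


def audit(config_text: str) -> list:
    """Return (location, finding) pairs; an empty list means nothing was flagged."""
    entries = parse_entries(config_text)
    system_view = [cmd for cmd, _ in entries]
    findings = []

    if any(re.fullmatch(r"telnet( ipv6)? server enable", c) for c in system_view):
        findings.append(("system", "Telnet server enabled; Telnet is plaintext, prefer STelnet V2"))
    if "system lock type none" in system_view:
        findings.append(("system", "IP locking after login failures is disabled"))

    for cmd, sub in entries:
        if not cmd.startswith("user-interface vty"):
            continue
        auth_cmd = first_matching(sub, "authentication-mode ")
        auth = auth_cmd.split()[1] if auth_cmd else None
        if auth is None:
            findings.append((cmd, "no authentication-mode configured"))
        elif auth == "password":
            findings.append((cmd, "shared-password authentication; protocol inbound ssh needs AAA"))

        idle = first_matching(sub, "idle-timeout ")
        if idle and all(field == "0" for field in idle.split()[1:]):
            findings.append((cmd, "idle-timeout 0: idle sessions are never terminated"))

        proto_cmd = first_matching(sub, "protocol inbound ")
        proto = proto_cmd.split()[-1] if proto_cmd else "all"   # default: SSH and Telnet
        if proto in ("all", "telnet"):
            findings.append((cmd, f"Telnet accepted on this interface (protocol inbound {proto})"))

        if not any(re.fullmatch(r"acl( ipv6)? \d+ inbound", c) for c in sub):
            findings.append((cmd, "no inbound ACL limiting management sources"))

        level_cmd = first_matching(sub, "user privilege level ")
        level = int(level_cmd.split()[-1]) if level_cmd else 0   # VTY default is 0
        if auth == "password" and level >= 3:
            findings.append((cmd, f"management level {level} for anyone holding the shared password"))
    return findings


if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"[{where}] {what}")
```

The parser deliberately keeps only two levels (a system-view command and the commands entered in the view it opens), which is enough for the user-interface blocks this page configures; the hardened listing produces no findings because it follows the page's recommendations (AAA, a finite idle-timeout, SSH only, an inbound ACL, and IP locking left on).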

Logging In to a Device Through Telnet

This section describes how to log in to a device using Telnet.

Context

After completing Telnet server configurations on a device, you can use either Telnet software or Windows Command Prompt on a PC to log in to the device. Assume that AAA authentication is configured and the management IP address of the device is 10.137.217.177. The Windows Command Prompt is used as an example to illustrate the Telnet login process.

Procedure

  1. Enter the Windows Command Prompt window.
  2. Run the telnet ip-address command to log in to the device using Telnet.
    C:\Documents and Settings\Administrator> telnet 10.137.217.177
  3. Press Enter and enter the user name and password configured for AAA authentication. The system does not provide a default user name and password. If authentication succeeds, the CLI is displayed, indicating that you have successfully logged in to the device. (The following information is for reference only.)
    Login authentication
    
    Username:admin1234
    Password:
    <Telnet Server>

Verifying the Configuration

  • Run the display users [ all ] command to check the user interface connections.
  • Run the display tcp status command to check all TCP connections.
  • Run the display telnet server status command to check current Telnet server connections.

(Optional) Using Telnet to Log In to Another Device From the Local Device

This section describes how to use Telnet to log in to another device from the local device.

Context

A device can function as a Telnet server to allow other devices to log in or as a Telnet client to log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use Telnet to log in to the target device from the intermediate device. The intermediate device functions as a Telnet client.

The device can function as a Telnet IPv6 client. You can specify the source address or interface of the Telnet client to ensure security of the management IP address.

As shown in Figure 10-6, a PC connects to a device through network 1 and the device connects to a Telnet server through network 2. The PC cannot directly communicate with the Telnet server. In this situation, you can configure the device as a Telnet client and log in to the Telnet server from the device.

Figure 10-6 Configuring a device as a Telnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as a Telnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and Telnet server.
  • Enable the Telnet server function on the Telnet server.
  • Obtain the Telnet user name, password, and port number configured on the Telnet server.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run telnet client-source { -a source-ip-address | -i interface-type interface-number }

    The source IP address of the Telnet client is set.

    The source address of the Telnet client displayed on the server is the same as that configured in this step.

  3. Run quit

    Exit the system view.

  4. Run either of the following commands to log in to another device based on the network address type.
    • In IPv4 mode, run the telnet [ -a source-ip-address ] host-ip [ port-number ] command to log in to another device as a Telnet client.

    • In IPv6 mode, run the telnet ipv6 [ -a source-ip-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] command to log in to another device as a Telnet IPv6 client.

Configuring STelnet Login

You can log in to a device using STelnet to manage and configure the device.

The STelnet V1 protocol has security vulnerabilities. It is recommended that you log in to the device using STelnet V2.

(Optional) Configuring Attributes for a VTY User Interface

This section describes how to configure attributes for a VTY user interface.

Context

You can configure attributes for a VTY user interface to control STelnet login and screen display. The attributes of a VTY user interface include the maximum number of VTY user interfaces, timeout period of a user connection, number of rows and columns displayed on a terminal screen, and buffer size for historical commands.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface maximum-vty number

    The maximum number of VTY user interfaces is set. The value determines the number of users that can concurrently log in to the device using Telnet or STelnet.

    By default, the maximum number of VTY user interfaces is 5.

    • When the maximum number of VTY user interfaces is set to 0, no user (including Telnet and SSH users) can log in to the device through the VTY user interface, and web users cannot log in to the device through the web system either.
    • If the configured maximum number is less than the current maximum number of online users, the system displays a configuration failure message.
    • If the configured maximum number is greater than the current maximum number of online users, you need to configure an authentication mode for additional user interfaces.

  3. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  4. Run shell

    The VTY terminal service is enabled.

    By default, all VTY terminal services are enabled. If you disable the terminal service of a VTY user interface, users cannot log in through the VTY user interface.

  5. Run idle-timeout minutes [ seconds ]

    A timeout period is set for a user connection.

    If a connection remains idle for the specified timeout period, the system automatically terminates the connection after the timeout period expires, which conserves system resources.

    By default, the timeout period is 5 minutes.

    If you set the timeout period of a terminal connection to 0 or too long, the terminal remains logged in to a device, which is a potential security risk. It is recommended that you run the lock command to lock the connection.

  6. Run screen-length screen-length [ temporary ]

    The number of rows displayed on a terminal screen is set.

    If you specify temporary in the command, the configured value takes effect only on the current VTY user interface but does not take effect on the next login on the same user interface or login on other VTY user interfaces.

    The default number of rows is 24.

  7. Run screen-width screen-width

    The number of columns displayed on a terminal screen is set.

    The default number of columns is 80. Each character is a column.

  8. Run history-command max-size size-value

    A buffer size is set for historical commands.

    The default buffer size is 10, that is, a maximum of 10 historical commands can be buffered.

Configuring an Authentication Mode for a VTY User Interface

You can configure an authentication mode for a VTY user interface to control user access through STelnet, which enhances login security.

Context

To configure a VTY user interface to support SSH, you must set the authentication mode of the VTY user interface to AAA; otherwise, the protocol inbound ssh command does not take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface vty first-ui-number [ last-ui-number ]

    The VTY user interface view is displayed.

  3. Run authentication-mode aaa

    The authentication mode is set to AAA authentication.

  4. (Optional) Run authentication-domain domain-name

    An authentication domain is configured.

    By default, the authentication domain is default. If you want to change the currently used authentication domain for users on the VTY user interface, you can run this command.

  5. Run protocol inbound { all | ssh }

    The VTY user interface is configured to support the SSH protocol.

    By default, a VTY user interface supports both the SSH and Telnet protocols.

  6. Run quit

    Return to the system view.

  7. Run ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc | all }

    An authentication mode is set for the SSH user.

Configuring a User Level for a VTY User Interface

This section describes how to configure a user level for a VTY user interface.

Context

  • You can configure different user levels to control access rights of different users and improve device security.
  • There are 16 user levels numbered from 0 to 15, in ascending order of priority.
  • User levels map command levels. A user can use only the commands of the corresponding level or lower. Table 10-6 describes mappings between user levels and command levels.

    Table 10-6 Mappings between user levels and command levels

    User Level | Command Level  | Name                | Description
    0          | 0              | Visit level         | Commands of this level include commands used for network diagnosis such as ping and tracert commands, and remote access commands such as Telnet.
    1          | 0 and 1        | Monitoring level    | Commands of this level are used for system maintenance, including display commands. NOTE: Some display commands are not available at this level. For example, the display current-configuration and display saved-configuration commands are level-3 management commands. For details about command levels, see the NetEngine AR Command Reference.
    2          | 0, 1, and 2    | Configuration level | Commands of this level are used to configure network services provided directly to users, such as routing and commands of all network layers.
    3 to 15    | 0, 1, 2, and 3 | Management level    | Commands of this level are used to control basic system operations and provide support for services, including file system, FTP, TFTP download, user management, command level setting, and debugging commands for fault diagnosis.

Procedure

  • If a user uses password authentication mode, the user level is configured in the AAA view.
    1. Run system-view

      The system view is displayed.

    2. Run aaa

      The AAA view is displayed.

    3. Run local-user user-name privilege level level

      The local user level is configured.

    4. Run quit

      Return to the system view.

  • If a user uses RSA or ECC authentication mode, the user level is determined by the user level of the VTY interface to which the user logs in.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface vty first-ui-number [ last-ui-number ]

      The VTY user interface view is displayed.

    3. Run user privilege level level

      The user level is configured for the VTY user interface.

      By default, the user level of a VTY user interface is 0.

    • If an SSH user uses all authentication mode and an AAA user with the same name as the SSH user exists, user levels may be different in password, RSA and ECC authentication modes. Configure the user level based on actual requirements.
    • If the user level configured for a user interface conflicts with that configured for a user, the user level configured for the user takes precedence.

Configuring an SSH User

To use STelnet to log in to a device, you need to configure an SSH user. In addition to setting AAA authentication for the VTY user interface, you also need to specify an authentication mode for the SSH user.

Context

SSH users can be authenticated in the following modes: password, Rivest-Shamir-Adleman (RSA), Elliptic Curve Cryptography (ECC), password-RSA, password-ECC, and all.

  • Password authentication: is based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
  • Rivest-Shamir-Adleman Algorithm (RSA) authentication: is based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key generated by the client to the SSH server. The SSH server then uses the public key to encrypt data. A maximum of 20 keys can be stored on a device functioning as an SSH client.
  • Elliptic Curve Cryptography (ECC) authentication: is based on an elliptic curve algorithm. Compared with RSA, ECC features shorter key length, lower computational cost, faster processing speed, smaller storage space, and lower bandwidth requirement at the same security level.
  • Password-RSA authentication: The SSH server implements both password and RSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-ECC authentication: The SSH server implements both password and ECC authentication on login users. The users must pass both authentication modes to log in.
  • All authentication: The SSH server implements RSA, ECC, or password authentication on login users. Users need to pass only one of them to log in.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure AAA user information.
    1. Run aaa

      The AAA view is displayed.

    2. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user is created and a password is configured.

    3. Run local-user user-name privilege level level

      A user level is set for the local user.

    4. Run local-user user-name service-type ssh

      A service type is set for the local user.

    5. Run quit

      Return to the system view.

  3. (Optional) Run ssh user default-authentication-type { password | rsa }

    The default authentication mode is configured for the SSH user.

    By default, the default authentication mode of SSH users is password authentication.

    V300R019C00:

    Only the AR651C and AR651F-Lite support this function.

    V300R019C10 and later versions:

    Only the AR651K, AR651, AR651-X8, AR651C, AR651F-Lite, AR651U-A4, AR651W-X4, AR651W-8P, AR651W, AR657W, AR6120, AR6121K, AR6121E, AR6121, AR6120-VW, AR6140K-9G-2AC, AR6140E-9G-2AC, and AR6140-9G-2AC support this function.

    Only the AR6120-S, AR6140-S, AR6121-S, and AR6121C-S support this function.

  4. Run ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc | all }

    • If password authentication is used, the SSH user is the user with the same name as the local user configured in the AAA view.
    • If RSA or ECC authentication is used, you need to configure the public key generated by the SSH client on the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the configured public key.

      In RSA or ECC authentication mode, the user level configured in the VTY user interface view takes effect.

      1. Run rsa peer-public-key key-name or ecc peer-public-key key-name

        The RSA or ECC public key view is displayed.

      2. Run public-key-code begin

        The public key editing view is displayed.

      3. Enter the public key of the SSH client.

        The entered public key must be a hexadecimal string complying with the public key format. The string is generated by SSH client software. For detailed operations, see the help document of the SSH client software.

      4. Run public-key-code end

      5. Run peer-public-key end

        Return to the system view from the public key view.

      6. Run ssh user user-name assign { rsa-key | ecc-key } key-name

        An RSA or ECC public key is allocated to the SSH user. When logging in to the server, the client enters the SSH user name corresponding to its public key as prompted.

    • If Password-RSA or Password-ECC authentication is used, configure AAA user information and enter the public key generated on the client; the user must pass both checks.
    • If all authentication is used, configure AAA user information, enter the public key generated on the client, or do both; the user passes if either check succeeds.
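The procedure above as one complete command sequence, added here as an editor's example and not taken from the original page. It creates a local user client001, sets RSA authentication for that user, imports the client's public key under the key name rsakey001 and assigns it to the user. The user name, password, key name and the placeholder for the hexadecimal key string are assumptions. The VTY user interface commands at the end (authentication-mode aaa, protocol inbound ssh, user privilege level) belong to the VTY configuration task covered elsewhere on this page and are included only so that the example is complete, because in RSA mode the level configured on the VTY user interface is the one that takes effect.

```text
<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] local-user client001 password irreversible-cipher Huawei@2024   // assumed user name and password
[Huawei-aaa] local-user client001 privilege level 15
[Huawei-aaa] local-user client001 service-type ssh
[Huawei-aaa] quit
[Huawei] ssh user client001 authentication-type rsa      // key-based login; use password-rsa to require key and password
[Huawei] rsa peer-public-key rsakey001                    // assumed key name
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] <hexadecimal public key string exported by the SSH client>   // placeholder: paste the client's key
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
[Huawei] ssh user client001 assign rsa-key rsakey001
[Huawei] user-interface vty 0 4                           // VTY task, configured elsewhere on this page
[Huawei-ui-vty0-4] authentication-mode aaa
[Huawei-ui-vty0-4] protocol inbound ssh
[Huawei-ui-vty0-4] user privilege level 15                // this level applies in RSA mode
[Huawei-ui-vty0-4] quit
[Huawei] display ssh user-information client001           // verify: authentication type rsa, key rsakey001
```

The local-user privilege level is still worth setting: it is the level that applies if the user is later switched to password or password-rsa authentication. Keep the private key on the client only; the server never needs it, and the key string imported here is the public half.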

Enabling the SSH Server Function

To allow user terminals to establish an SSH connection with a device, log in to the device using another method (for example, through the console port) and enable the SSH server function on the device.

Context

A device serving as an SSH server must generate a local key pair of the same type (RSA or ECC) as the client's key; the key pair is used to authenticate the server to the client and to protect the session. The device also supports a rich set of SSH server attributes for fine-grained control over SSH login.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run ssh server permit interface { { interface-type interface-number } &<1-5> | all }

    The physical interfaces on the SSH server to which clients can connect are specified.

    By default, clients can connect to all the physical interfaces on the SSH server.

    To prevent a client from connecting to the SSH server through an unauthorized physical interface, you can run the command to specify physical interfaces on the SSH server to which the client can connect.

    The all parameter is supported in V300R019C11SPC100 and later versions.

    In V300R019C11SPC100 and later versions, this step is mandatory. If you do not perform this step, the SSH service cannot be enabled.

  3. Run stelnet server enable

    The SSH server function is enabled on the device.

    By default, the SSH server function is disabled.

  4. (Optional) Run ssh server cipher { 3des_cbc | aes128_cbc | aes128_ctr | aes192_ctr | aes256_ctr | blowfish_cbc | des_cbc }*

    An encryption algorithm list is configured for the SSH server.

    By default, an SSH server supports the following encryption algorithms: aes128_ctr, aes192_ctr, and aes256_ctr.

    The server and client negotiate the algorithm for encrypting packets transmitted between them. You can run the ssh server cipher command to configure the encryption algorithm list of the SSH server. The server compares the encryption algorithm list sent from the client with its own encryption algorithm list, and selects the first matched encryption algorithm for encrypting transmitted packets. If the encryption algorithm lists of the server and client have no common encryption algorithm, the encryption algorithm negotiation fails.

    You are advised not to add the following encryption algorithms to the encryption algorithm list of the SSH server because they provide low security: 3des_cbc, aes128_cbc, blowfish_cbc, and des_cbc.

    Only V300R019C11 does not support the 3des_cbc and des_cbc parameters.

  5. (Optional) Run ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }*

    An HMAC (integrity check) algorithm list is configured for the SSH server.

    By default, an SSH server supports the sha2_256 algorithm only.

    The server and client negotiate the algorithm used to check the integrity of packets transmitted between them. You can run the ssh server hmac command to configure the HMAC algorithm list of the SSH server. The server compares the HMAC algorithm list sent by the client with its own list and selects the first matching algorithm for checking transmitted packets. If the two lists have no algorithm in common, HMAC negotiation fails.

    You are advised not to add the following HMAC algorithms to the HMAC algorithm list of the SSH server because they provide low security: sha2_256_96, sha1, sha1_96, md5, and md5_96.

    Only V300R019C11 does not support the md5, md5_96, sha1_96, and sha2_256_96 parameters.

  6. (Optional) Run ssh server key-exchange { dh_group_exchange_sha1 | dh_group1_sha1 | dh_group14_sha1 | dh_group14_sha256 | dh_group15_sha512 } *

    A key exchange algorithm list is configured for the SSH server.

    V300R019C00:

    By default, an SSH server supports dh_group_exchange_sha1 and dh_group1_sha1 key exchange algorithms.

    V300R019C10 and later versions:

    By default, an SSH server supports dh_group_exchange_sha1, dh_group14_sha1, and dh_group14_sha256 key exchange algorithms.

    V300R019C11SPC100 and later versions:

    By default, an SSH server supports dh_group_exchange_sha1, dh_group14_sha1, dh_group14_sha256, and dh_group15_sha512 key exchange algorithms.

    During the negotiation process, the client and server negotiate the key exchange algorithm for packet transmission. You can perform this step to configure a key exchange algorithm list for the SSH server. The server compares the key exchange algorithm list sent by the client with its own key exchange algorithm list, and selects the first key exchange algorithm on the client's list that matches a key exchange algorithm on its own list as the key exchange algorithm for packet transmission. If no algorithm on the client's list matches an algorithm on the server's list, the negotiation fails.

    You are advised not to add the dh_group1_sha1 algorithm to the key exchange algorithm list of the SSH server because it provides low security.

    V300R019C10 and later versions support the dh_group14_sha1 and dh_group14_sha256 parameters.

    Only V300R019C11 does not support the dh_group1_sha1 parameter.

    V300R019C11SPC100 and later versions support the dh_group15_sha512 parameters.

  7. Run rsa local-key-pair create or ecc local-key-pair create

    A local RSA or ECC key pair is generated.

    A longer key provides higher security. It is recommended that you use the maximum key length.

  8. (Optional) Run ssh server port port-number

    The port number of the SSH server is specified.

    By default, the port number of the SSH server is 22.

    Using a non-default port reduces exposure to automated scans that target port 22. It does not replace strong authentication or the algorithm restrictions above; treat it as a minor hardening measure.

  9. (Optional) Run ssh server rekey-interval hours

    The interval for updating key pairs is set.

    The default interval is 0, indicating that the key pairs are never updated.

    An SSH server automatically regenerates its key pair at the configured interval, which limits how long a compromised key remains usable.

  10. (Optional) Run ssh server timeout seconds

    The timeout period is set for SSH authentication.

    The default timeout period is 60 seconds.

    If a user fails to log in within the timeout period for SSH authentication, the device disconnects the current connection to ensure system security.

  11. (Optional) Run ssh server authentication-retries times

    The maximum number of SSH authentication retries is set.

    The default maximum number of SSH authentication retries is 3.

    You can set the maximum number of SSH authentication retries to prevent unauthorized access.

  12. (Optional) Run ssh server compatible-ssh2x enable

    Compatibility with earlier SSH versions is enabled.

    By default, compatibility with earlier SSH versions is disabled on an unconfigured device. When a device is upgraded to a later version, the configuration of the compatibility function is the same as that specified in the configuration file.

    If the SSH server is enabled to be compatible with earlier SSH versions, the system displays a security risk warning. Leave this function disabled unless a client that supports only earlier SSH versions must connect.

  13. (Optional) Run ssh server-source { -a [ ipv6 ] source-ip-address | -i [ ipv6 ] interface-type interface-number }

    The source interface is specified for the SSH server.

    By default, the source interface of an SSH server is not specified.

    If the source IP address is not specified for the SSH server, the device selects a source IP address according to routing entries to send packets. Specify an interface in stable state, such as a loopback interface, as the source interface. Before specifying a source interface, make sure that the SSH client has a reachable route to the source interface. Otherwise, the configuration will fail.

  14. (Optional) Configure the function of locking IP addresses upon login authentication failure.

    Run system lock type { ip | none }

    The type of a locked object is configured.

    By default, the system locks an IP address. That is, when a user uses SFTP, STelnet, Telnet, or FTP to log in to the device, the system locks the IP address of the user if the number of login failures reaches the specified value.

    If a user enters an incorrect user name or password, the device adds the user's IP address to the blacklist and locks it for 2 seconds after the first login failure, 4 seconds after the second, and 8 seconds after the third. If the user enters an incorrect user name or password five consecutive times, the device locks the address for 300 seconds on the sixth failure. While an address is locked, it cannot be used to set up a new connection because it is in the blacklist. If the user logs in successfully with the correct user name and password after the lock expires, the IP address is removed from the blacklist and a recovery log is generated; if the login fails again, the address is locked for another 300 seconds. A maximum of 32 IP addresses can be locked at the same time. If more than 32 IP addresses are added to the blacklist, a new IP address overwrites the earliest one.

    Because locking is keyed on the source IP address, repeated failed logins from a shared address (for example, behind NAT) lock out every user behind that address; account for this when management traffic arrives through a shared source.
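The server procedure above as one worked configuration, added by the editor and not taken from the original page. It assumes V300R019C11SPC100 or later (so that ssh server permit interface is mandatory and dh_group15_sha512 is available), a management interface GigabitEthernet 0/0/1, and a LoopBack 0 address of 10.0.0.1; the interface names, address, port number and timer values are assumptions chosen to show the hardened settings in place of the algorithms and defaults the page advises against.

```text
<Huawei> system-view
[Huawei] interface LoopBack 0                                  // stable source interface (assumed address)
[Huawei-LoopBack0] ip address 10.0.0.1 32
[Huawei-LoopBack0] quit
[Huawei] ssh server permit interface GigabitEthernet 0/0/1     // mandatory from V300R019C11SPC100; limits where clients may connect
[Huawei] stelnet server enable
[Huawei] rsa local-key-pair create                              // answer the prompt with the maximum modulus length
[Huawei] ssh server cipher aes256_ctr aes192_ctr aes128_ctr     // leaves out the CBC, 3DES, DES and Blowfish options
[Huawei] ssh server hmac sha2_256                               // leaves out md5, md5_96, sha1, sha1_96 and sha2_256_96
[Huawei] ssh server key-exchange dh_group15_sha512 dh_group14_sha256   // leaves out dh_group1_sha1 and the SHA-1 group exchange
[Huawei] ssh server port 2222                                   // assumed non-default port; no substitute for the lines above
[Huawei] ssh server rekey-interval 1                            // the default 0 means the key pair is never regenerated
[Huawei] ssh server timeout 30                                  // default 60 seconds
[Huawei] ssh server authentication-retries 2                    // default 3
[Huawei] ssh server-source -i LoopBack 0                        // clients must have a route to 10.0.0.1
[Huawei] system lock type ip                                    // the default; stated explicitly so the lockout policy is visible
[Huawei] display ssh server status                              // verify the cipher, HMAC and key-exchange lists, port and timers
```

Trimming the server-side lists is what removes the weak options in practice: the server accepts the first algorithm on the client's list that is also on its own, so a client that prefers a CBC cipher or md5 HMAC still gets one unless the server no longer offers it. ssh server compatible-ssh2x enable is deliberately left at its default (disabled).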

Logging In to a Device Through STelnet

This section describes how to log in to a device using STelnet.

Context

After completing SSH user and STelnet server configurations on a device, you can use STelnet software on a PC to log in to the device. Assume that password authentication is configured for SSH users and the management IP address of the device is 10.137.217.203. The third-party software, PuTTY, is used as an example to illustrate the STelnet login process.

Procedure

  1. Start the PuTTY software, enter the device's IP address and port and select the SSH protocol.

    Figure 10-7 Logging in to an SSH server through PuTTY in password authentication mode

  2. Click Open. In the displayed page, enter the user name and password and press Enter to log in to the device through STelnet.
    login as: client001      //Enter the SSH user name.
    Sent username "client001"
    
    's password:           //Enter the password configured through AAA.
    
    <SSH Server>

Verifying the Configuration

  • Run the display ssh user-information [ username ] command to check information about SSH users on the SSH server. If no SSH user is specified, information about all SSH users logging in to the SSH server is displayed.
  • Run the display ssh server status command to check global configurations of the SSH server.
  • Run the display ssh server session command to check information about sessions between the SSH server and client.

(Optional) Using STelnet to Log In to Another Device from the Local Device

This section describes how to use STelnet to log in to another device from the local device.

Context

A device can function as both an STelnet server and an STelnet client. As an STelnet client, the device can log in to other devices. When a terminal lacks the necessary software or no reachable route exists between the terminal and target device, you can log in to an intermediate device and then use STelnet to log in to the target device from the intermediate device. The intermediate device functions as an STelnet client.

As shown in Figure 10-8, a PC connects to a device through network 1 and the device connects to an STelnet server through network 2. The PC cannot directly communicate with the STelnet server. In this situation, you can configure the device as an STelnet client and log in to the STelnet server from the device.

Figure 10-8 Configuring a device as an STelnet client to log in to another device

Pre-configuration Tasks

Before configuring a device as an STelnet client to log in to another device, complete the following tasks:

  • Log in to the device from a terminal.
  • Configure a reachable route between the device and STelnet server.
  • Enable the STelnet server function on the STelnet server.
  • Obtain the SSH user name and password, server keys, and port number configured on the STelnet server.

Procedure

  1. Generate a local key pair for the SSH client.
    1. Run system-view

      The system view is displayed.

    2. Run rsa local-key-pair create or ecc local-key-pair create

      A local RSA or ECC key pair is generated. The generated key pair must be of the same type as that of the server.

      You can run the display rsa local-key-pair public or display ecc local-key-pair public command to view information about the public key in the generated RSA or ECC key pair. Configure the public key on the SSH server. For details, see Configuring an SSH User.

    3. Run quit

      Return to the user view.

  2. Configure the mode in which the device connects to the SSH server for the first time.

    When working as an SSH client to connect to an SSH server for the first time, the device cannot validate the SSH server because the public key of the SSH server has not been saved on the client. As a result, the connection fails. You can perform either of the following operations to rectify the connection failure:

    • Enable first-time authentication on the SSH client. This function allows the device to connect to an SSH server for the first time without validating the server's public key (trust on first use). That first connection is therefore unauthenticated: an attacker who can intercept it could impersonate the server, so use this option only over a trusted path, or prefer the second method. If saving the SSH server's public key is selected during server authentication, the device saves the key after connecting successfully and uses it for subsequent server authentication. If it is not selected, the system asks whether to save the public key the next time server authentication is performed.
      1. Run system-view

        The system view is displayed.

      2. Run ssh client first-time enable

        First-time authentication is enabled on the SSH client.

        By default, first-time authentication is disabled on an SSH client.

    • Configure the SSH client to assign a public key to the SSH server. In this mode, the public key generated on the server is directly saved on the client to ensure that the SSH server passes the validity check on the client's first login.
      1. Run system-view

        The system view is displayed.

      2. Run rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ] or ecc peer-public-key key-name encoding-type { der | openssh | pem }

        The RSA or ECC public key view is displayed.

      3. Run public-key-code begin

        The public key editing view is displayed.

      4. Enter the public key of the SSH server.

        The entered public key must be a hexadecimal string complying with the public key format. The string is the public key of the key pair generated on the SSH server; obtain it on the server with display rsa local-key-pair public or display ecc local-key-pair public and copy it to the client over a trusted channel, since a key accepted from an untrusted source defeats the purpose of pinning it.

      5. Run public-key-code end

        Exit the public key editing view.

      6. Run peer-public-key end

        Exit the public key view.

      7. Run ssh client servername assign { rsa-key | ecc-key } key-name

        The RSA or ECC public key is bound to the SSH server.

        If the SSH server's public key saved on the SSH client does not take effect, run the undo ssh client servername assign { rsa-key | ecc-key } command to unbind the RSA or ECC public key from the SSH server and then run the command to assign a new RSA or ECC public key to the SSH server.

  3. Log in to another device.

    Run either of the following commands based on the network address type.

    • IPv4 mode:

      Run the stelnet [ -a source-address ] host-ip [ port-number ] [ [ -vpn-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    • IPv6 mode:

      Run the stelnet ipv6 [ -a source-address ] host-ipv6 [ -oi interface-type interface-number ] [ port-number ] [ [ -vpn6-instance vpn-instance-name ] | [ identity-key { rsa | ecc } ] | [ user-identity-key { rsa | ecc } ] | [ prefer_kex { dh_group15_sha512 | dh_group14_sha256 | dh_group14_sha1 | dh_group1 | dh_exchange_group } ] | [ prefer_ctos_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_stoc_cipher { 3des | aes128 | aes128-ctr | aes192-ctr | aes256-ctr } ] | [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] | [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 | sha2_256 | sha2_256_96 } ] ] * [ -ki aliveinterval [ -kc alivecountmax ] ] command to log in to another device.

    When port 22 is specified as the protocol port number for the STelnet server, the STelnet client can log in with no port number specified. If another port number is specified as the protocol port number for the STelnet server, you must specify the port number used by the client to log in.

    When configuring an STelnet client to log in to an SSH server, you can specify the source IP address, select a key exchange algorithm, an encryption algorithm, and an HMAC algorithm, and enable the keepalive function on the client.

    The 3des cipher and the md5, md5_96, sha1, and sha1_96 HMAC algorithms cannot ensure security. The aes128-ctr, aes192-ctr, and aes256-ctr ciphers are recommended, together with sha2_256 as the HMAC algorithm.

    • Only V300R019C11 does not support the 3des, sha1_96, md5, md5_96, and sha2_256_96 parameters.
    • V300R019C11 and later versions support the dh_group14_sha256 and dh_group14_sha1 parameters.
    • V300R019C11SPC100 and later versions support the dh_group15_sha512 parameter.
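The pinned-key variant of the client procedure above as one complete command sequence, added by the editor and not taken from the original page; it avoids first-time authentication by importing the server's host public key before the first connection. The key name serverkey001, the server address 10.2.2.2, the non-default server port 2222 and the SSH user name are assumptions; the hexadecimal key string is a placeholder for the output of display rsa local-key-pair public on the server, which should reach the client over a trusted channel. The stelnet command selects the algorithms recommended above rather than the client's defaults.

```text
<Huawei> system-view
[Huawei] rsa local-key-pair create                        // client key pair; register its public half on the server for RSA user authentication
[Huawei] rsa peer-public-key serverkey001                 // assumed key name for the server's host key
[Huawei-rsa-public-key] public-key-code begin
[Huawei-rsa-key-code] <hexadecimal host public key copied from display rsa local-key-pair public on the server>   // placeholder
[Huawei-rsa-key-code] public-key-code end
[Huawei-rsa-public-key] peer-public-key end
[Huawei] ssh client 10.2.2.2 assign rsa-key serverkey001   // pin the host key; ssh client first-time enable is not needed
[Huawei] quit
<Huawei> stelnet 10.2.2.2 2222 identity-key rsa prefer_kex dh_group14_sha256 prefer_ctos_cipher aes256-ctr prefer_stoc_cipher aes256-ctr prefer_ctos_hmac sha2_256 prefer_stoc_hmac sha2_256 -ki 30 -kc 3
                                                           // the client then prompts for the SSH user name (client001) and, in password mode, the password
```

If the server's host key was later regenerated (for example by rekey-interval or a fresh rsa local-key-pair create), the pinned key no longer matches and the connection fails; run undo ssh client 10.2.2.2 assign rsa-key, import the new key, and assign it again rather than falling back to first-time authentication.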

Verifying the Configuration

  • Run the display ssh server-info command to check the mapping between SSH servers and RSA or ECC public keys on the SSH client.

Configuring the Redirection Function for Device Login

After completing redirection configuration, you can log in to a remote serial port device from the local device to configure and manage the remote device.

Pre-configuration Tasks

Before logging in to a device through redirection, complete the following tasks:

  • Start a remote device.
  • Use a TTY user interface: ensure that the remote device is directly connected to the 8AS card on the router using an asynchronous serial cable, and that the physical and protocol status of the asynchronous serial interface on the router is Up.
  • Use the console user interface: ensure that the remote device is directly connected to the console port on the router.

    For details about the asynchronous serial cable, see "8AS Cable" in the NetEngine AR Get to Know the Product - Hardware Description - Cables.

(Optional) Configuring an Authentication Mode for the TTY User Interface

You can configure an authentication mode for the TTY user interface to ensure secure login through the redirection function.

Context

The TTY user interface supports AAA authentication and password authentication.

  • AAA authentication: Users must enter both a user name and a password to log in. If either is incorrect, the login fails.

  • Password authentication: Users must enter only a password to log in. The device allows a user to log in only after the correct password is entered.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. Run quit

      Exit the TTY user interface view.

    5. Run aaa

      The AAA view is displayed.

    6. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

    7. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    8. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Logging In to a Device Through Redirection

This section describes how to configure the redirection function and use this function to log in to a remote device.

Context

To manage a remote device that can transmit data only through a serial port, configure the redirection function on the current device.

A remote device can be a router, a switch, an electricity terminal, a finance terminal, or other terminals that use serial ports to transmit data.

  • Managing remote routers and switches

    As shown in Figure 10-9, there are two routers and two switches connected to the device. The redirection function on the device can be used to manage remote devices that can only be managed through serial ports. The asynchronous serial port on the device is connected to the serial ports on the remote devices for users to manage and maintain the remote devices.

    Figure 10-9 Diagram for login through redirection (1)

  • Managing terminals such as intelligent electricity meters, intelligent water meters, and automatic teller machines

    As shown in Figure 10-10, the redirection function is enabled on the device. The device listens to the specified TCP port and receives data packets from the terminals through serial ports. After receiving data packets, the device encapsulates the packets into Ethernet frames so that they can be transmitted over an Ethernet network. This implements the remote data transmission and management on the terminals.

    Figure 10-10 Diagram for login through redirection (2)

Procedure

  1. Enable the redirection function on the router.
    1. Run system-view

      The system view is displayed.

    2. Run interface async interface-number

      The asynchronous interface view is displayed.

    3. Run async mode flow

      The asynchronous serial interface is configured to work in flow mode.

      By default, an asynchronous serial interface works in protocol mode.

    4. Run quit

      Exit from the asynchronous serial interface view.

    5. Run user-interface console 0

      The console user interface view is displayed.

      Or run:

      user-interface tty tty-number

      The TTY user interface view is displayed.

      When configuring the TTY user interface, pay attention to the following points:

      • After an 8AS interface card registers successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.
      • If the modem function is enabled on a TTY user interface, the redirection function does not take effect on the TTY user interface.

    6. (Optional) Run authentication-mode { password | aaa }

      A user authentication mode is specified.

      For details on configuration of the authentication mode, see Configuring an Authentication Mode for the Console or TTY User Interface.

    7. Run redirect [ ssh ] enable

      The redirection function is enabled.

      By default, the redirection function is disabled.

      Without the ssh keyword, the redirected session is accepted over Telnet and travels in clear text. With the ssh keyword, the terminal connects through STelnet (see step 2), which is the form to use on any network that is not fully trusted.

    8. (Optional) Run transparent-mode enable

      The transparent transmission mode for redirection on the serial port is enabled.

      By default, the transparent transmission mode for redirection on a serial port is disabled.

      By default, the device checks the data passing through the redirected serial port and discards data it cannot identify, which corrupts the original data stream. Run this command to make the device transmit the data transparently, without checking it, so that the original data stays intact.

    9. Run undo shell

      The terminal service is disabled on the user interface.

      By default, the terminal service is disabled on a TTY user interface.

    10. (Optional) Run redirect binding vpn-instance vpn-instance-name

      The redirection function is associated with a VPN instance.

      By default, the redirection function is not associated with any VPN instance, and all users on public and private networks can use the redirection function to log in to remote devices.

    11. (Optional) Run redirect [ ssh ] listen-port port-number

      A port number is specified for setting up connections through the redirection function.

      By default, the port number that the local device uses to set up a connection with a remote device is 2000 plus tty-number. When the default port number is used by another service, perform this step to set a new port number.

      Port 2000 is used on the console user interface view.

  2. Log in to a device from a terminal through redirection.
    • Telnet mode

      Log in to a device from a terminal through redirection in Telnet mode. The Windows command line is used as an example.

      1. Open the command line window.

      2. Run the telnet host-name port-number command to log in to the device through redirection.

        In the command, host-name is the IP address or host name of the router with the redirection function enabled, and port-number is the default listening port number (2000 plus tty-number) or the port number configured using the redirect listen-port command. (The following information is only for reference.)

        C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
        Press CTRL_] to quit telnet mode
          Trying 10.1.1.1...
          Connected to 10.1.1.1...
        Login authentication
        
        
        Password:
         <Router>
    • STelnet mode

      Log in to a device from a terminal through redirection in STelnet mode. The third-party software PuTTY is used as an example.

      # Log in to the device using PuTTY. Set the protocol type to SSH, Host Name to the IP address or host name of the redirection-enabled router, and Port to the default port number (2000 plus TTY number) or the port number specified using the redirect ssh listen-port command. (The following information is only for reference.)

      Figure 10-11 Using Putty to redirect to a device in STelnet mode

      # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the device. (The following information is only for reference.)

      login as: client001
      's password:
      
      <Router>

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login

The reverse Telnet function enables dumb terminals that are directly connected to a router using asynchronous serial cables or console cables to log in to a remote server.

Pre-configuration Tasks

Before logging in to a device through reverse Telnet, complete the following tasks:

  • Start a remote device.
  • Use a TTY user interface: ensure that a dumb terminal is directly connected to the 1SA or 2SA card of the router with an asynchronous cable, and that the physical and protocol status of the connected asynchronous interface are Up.
  • Use the console user interface: ensure that the remote device is directly connected to the console interface on the router.
  • Ensure that there are reachable routes between the router and the remote server.

For details about the asynchronous serial cable, see "SA Cable" in the NetEngine AR Get to Know the Product - Hardware Description - Cables.

Configuring an Authentication Mode for the Console or TTY User Interface

You can configure an authentication mode for the console user interface or a TTY user interface to ensure secure login through the reverse Telnet function.

Context

The console or TTY user interface supports AAA authentication and password authentication.

  • AAA authentication: Users must enter both a user name and a password to log in. If either is incorrect, the login fails.

  • Password authentication: Users must enter only a password to log in. The device allows a user to log in only after the correct password is entered.

Procedure

  • Configure AAA authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode aaa

      The authentication mode is set to AAA authentication.

    4. Run quit

      Exit the TTY user interface view.

    5. Run aaa

      The AAA view is displayed.

    6. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user account is created and a password is configured.

    7. Run local-user user-name service-type telnet

      The access type of the local user is set to Telnet.

    8. Run quit

      Exit the AAA view.

  • Configure password authentication.
    1. Run system-view

      The system view is displayed.

    2. Run user-interface tty tty-number

      The TTY user interface view is displayed.

    3. Run authentication-mode password

      The authentication mode is set to password authentication.

    4. Run set authentication password cipher

      An authentication password is set.

Logging In to a Device Through Reverse Telnet (Direct Connection Through an Asynchronous Cable)

This section describes how to configure reverse Telnet and use this function to log in to a device through an asynchronous cable.

Context

As shown in Figure 10-12, a multimedia software terminal (dumb terminal) is connected to the router with an asynchronous cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.

Figure 10-12 Diagram for login through reverse Telnet

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface async interface-number

    The asynchronous serial interface view is displayed.

  3. Run async mode flow

    The asynchronous serial interface is configured to work in flow mode.

    By default, an asynchronous serial interface works in protocol mode.

  4. Run quit

    Exit from the asynchronous serial interface view.

  5. Run user-interface tty tty-number

    The TTY user interface view is displayed.

    After a 1SA or 2SA interface card is registered successfully, the device generates random numbers for TTY user interfaces. To view the TTY user interface number mapped to an asynchronous serial port, run the display user-interface command.

    If the modem function is enabled on a TTY user interface, the reverse Telnet function does not take effect on the TTY user interface.

  6. Run undo shell

    The terminal service is disabled on the user interface.

    By default, the terminal service is disabled on a TTY user interface.

  7. Run connect host [ port-number ] [ -a source-ip-address | -i interface-type interface-number ] [ -t interval ]

    Configure connection parameters on the router to enable the dumb terminal to set up a connection with the remote server through the router.

    By default, a dumb terminal cannot set up a connection with a remote server.

  8. (Optional) Run exline-breaker enable

    The router is enabled to add line breakers in output information.

    By default, the function of adding a line break is disabled.

    If the calling end must add the line break \n when it sends the carriage return line break \r\n, so that the calling and called ends hold the same data, perform this step to enable the line break function.

  9. Connect the dumb terminal to the router using an asynchronous cable and log in to the remote server from the terminal.

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Configuring Reverse Telnet Login (Direct Connection Through a Console Cable)

This section describes how to configure reverse Telnet and use this function to log in to a device through a console cable.

Context

As shown in Figure 10-13, a multimedia software terminal (dumb terminal) is connected to the console interface of the router through a console cable, and the router is connected to a server. The terminal cannot communicate with the server directly. To enable the dumb terminal to communicate with the server, you can configure reverse Telnet on the router. The router then acts as a client to transmit data from the terminal to the server.

Figure 10-13 Networking for login through reverse Telnet

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run user-interface console 0

    The console user interface view is displayed.

  3. Run connect host [ port-number ] [ -a source-ip-address | -i interface-type interface-number ] [ -t interval ]

    The dumb terminal is configured to set up a connection with the remote server through the router.

    By default, a dumb terminal cannot set up a connection with a remote server.

  4. (Optional) Run exline-breaker enable

    The function of adding a line break is enabled.

    By default, the function of adding a line break is disabled.

    If the calling end must add the line break \n when it sends the carriage return line break \r\n, so that the calling and called ends hold the same data, perform this step to enable the line break function.

  5. Run undo shell

    The terminal service is disabled on the console user interface.

    By default, the terminal service is enabled on the console user interface.

    On a device with a Config button, you can also press and hold the Config button for less than 5s; the terminal service on the console user interface then toggles once between shell and undo shell.

  6. Connect the dumb terminal to the console interface of the router using a console cable and log in to the remote server from the terminal.

Verifying the Configuration

Run the display tcp status command to check the current TCP connection status.

Typical Operations After Login

After logging in to a device through a console port or mini USB port, or using Telnet or STelnet, you can perform service configurations and the following common operations on the device.

Displaying Online Users

After logging in to a device, you can view user login information of each user interface.

Run the display users [ all ] command to view the user login information of user interfaces.

Setting an Authentication Password for Switching User Levels

AR6300 and AR6300K routers do not support this function in active/standby switchover scenarios.

The AR6300-S router does not support this function in active/standby switchover scenarios.

V300R019C11SPC100 and V300R019C11SPC200 versions do not support this function.

Users at a higher level can set an authentication password used to switch a user from a lower level to a higher level. If a user wants to use a command whose level is higher than the user level, the user can use the authentication password to switch to the higher level.

  1. Run the system-view command to enter the system view.
  2. Run the super password [ level user-level ] cipher command to set an authentication password used to switch a user from a lower level to a higher level.

Switching User Levels

AR6300 and AR6300K routers do not support this function in active/standby switchover scenarios.

The AR6300-S router does not support this function in active/standby switchover scenarios.

V300R019C11SPC100 and V300R019C11SPC200 versions do not support this function.

You need to enter a password when switching from a low user level to a higher one.

  1. Run the super [ level ] command in the user view to switch the user level.

    If the entered target user level is lower than or equal to the current user level, the system directly sets the entered user level as the target user level, and displays a message. If the target level is higher than the current user level, the system asks the user to enter the authentication password.

  2. Enter the password as prompted.

    If the password is correct, you will switch to a higher user level. If you enter an incorrect password three times consecutively, the system returns to the user view and the user level remains unchanged.

Sending Messages to Other User Interfaces

You can send messages from the current user interface to other user interfaces.

  1. Run the send { all | ui-number | ui-type ui-number1 } command to enable message exchange between user interfaces.
  2. Enter the message to send as prompted. Press Ctrl+Z or Enter to end message input and press Ctrl+C to end the current operation.
  3. At the system prompt, choose Y to send the message and N to cancel message sending.

Automatically Searching for the undo Command in the Upper-level View

When you run an undo command that is not registered in the current view, the system returns to the upper-level view to search for it. If the undo command is found there, it takes effect; if not, the system continues searching in the next upper-level view, up to the system view.

  1. Run the system-view command to display the system view.

  2. Run the matched upper-view command to enable the undo command to run in the upper-level view.

    By default, the undo command does not automatically match the upper-level view.

    The matched upper-view command is only valid for current login users who run this command.

    You are not advised to configure the undo command to automatically match the upper-level view, unless necessary.

Locking a User Interface

When you need to temporarily leave the operation terminal, lock the user interface to prevent unauthorized users from operating the terminal.

  1. Run the lock command to lock the user interface.
  2. Enter the lock password and confirm password as prompted.
    <Huawei> lock
    Enter Password(<8-128>):
    Confirm Password:
    Info: The terminal is locked.

    After you run the lock command, the system prompts you to enter the lock password and confirm password. If the two passwords are the same, the current interface is locked successfully.

    To unlock the user interface, you must press Enter and enter the correct login password as prompted.

Configuring the Minimum Password Length

This function is supported in V300R019C11SPC100 and later versions.

You can set the minimum password length so that the length of the password configured on the device must meet the requirement. That is, the entered password cannot be less than the configured minimum length.

  1. Run the system-view command to enter the system view.
  2. Run the set password min-length min-length command to configure the minimum password length.

Configuration Examples for CLI Login

This section describes examples of logging in to a device through a console port, Telnet, or STelnet.

Example for Logging In to the Device Through a Console Port

Networking Requirements

If a user cannot remotely log in to a device, the user will attempt to log in through the console port. By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.

Figure 10-14 Networking diagram of user login through a console port

Configuration Roadmap

The configuration roadmap is as follows:

  1. Use the terminal simulation software to log in to the device through a console port.
  2. Configure the authentication mode of the console user interface.

You can use the terminal emulation software built into the PC (such as HyperTerminal in Windows 2000). If no built-in terminal emulation software is available, use third-party terminal emulation software. For details, see the software's user guide or online help.

Procedure

  1. Connect the DB9 female connector of the console cable to the COM port on the PC, and connect the RJ45 connector to the console port on the device, as shown in Figure 10-15.

    Figure 10-15 Connecting to the device through the console port

  2. Start the terminal emulation software on the PC. Create a connection, select the connected port, and set communication parameters. (This section uses the third-party software PuTTY as an example.)
    1. Click Session to establish a connection, as shown in Figure 10-16.

      Figure 10-16 Establishing a connection

    2. Click Serial to set the connected port and communication parameters, as shown in Figure 10-17.

      Select the connected port based on actual situations. For example, you can view port information in Device Manager in the Windows operating system, and select the connected port.

      Communication parameters of the terminal emulation software must be consistent with the default attribute settings of the console user interface on the device, which are 9600 bit/s baud rate, 8 data bits, 1 stop bit, no parity check, and no flow control.

      By default, no flow control mode is configured on the device. Because RTS/CTS is selected in the software by default, you need to deselect RTS/CTS; otherwise, you cannot enter commands.

      If you modify the serial port communication parameters on the device, you must make the same modifications on the PC and then create a connection again.

      Figure 10-17 Setting the connected port and communication parameters

  3. Click Connect. The following information is displayed, prompting you to enter a password. (In AAA authentication, the system prompts you to enter the user name and password. The following information is only for reference.)
    Login authentication


    Password:
    <Huawei>

    You can run commands to configure the device. Enter a question mark (?) whenever you need help.

  4. Configure the authentication mode of the console user interface.
    <Huawei> system-view
    [Huawei] sysname Router
    [Router] user-interface console 0
    [Router-ui-console0] authentication-mode aaa
    [Router-ui-console0] user privilege level 15
    [Router-ui-console0] quit
    [Router] aaa
    [Router-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Router-aaa] local-user admin1234 privilege level 3
    [Router-aaa] local-user admin1234 service-type terminal

    After the preceding operations, you can re-log in to the device on the console user interface only by entering the user name admin1234 and password Helloworld@6789.

Configuration Files

#
sysname Router
#
aaa
 local-user admin1234 password irreversible-cipher %@%@HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%@%@
 local-user admin1234 privilege level 3
 local-user admin1234 service-type terminal
#
user-interface con 0
 authentication-mode aaa
#
return

Example for Configuring a Security Policy to Limit Telnet Login

Networking Requirements

As shown in Figure 10-18, the PC and device (Telnet server) are reachable to each other. The customer requires that the device be remotely and easily configured and managed. To meet this requirement, you can configure AAA authentication for Telnet users on the Telnet server and configure an ACL-based security policy to allow only users meeting the security policy to log in to the device.

Figure 10-18 Networking diagram for configuring a security policy to limit Telnet login

STelnet V2 is more secure than Telnet, and is therefore recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet login mode to implement remote network device maintenance.
  2. Configure an ACL-based security policy to ensure that only users that meet the security policy can log in to the device.
  3. Configure the administrator's user name and password and the AAA authentication mode to ensure that only users passing the authentication can log in to the device.

Procedure

  1. Set the server listening port number and enable the server function.
    <Huawei> system-view
    [Huawei] sysname Telnet Server
    [Telnet Server] telnet server permit interface all // Specify the physical interfaces on the Telnet server to which clients can connect in V300R019C11SPC100 or a later version. If no physical interface is specified, the Telnet service cannot be enabled.
    [Telnet Server] telnet server enable
    [Telnet Server] telnet server port 1025
  2. Set the VTY user interface parameters.

    # Set the maximum number of VTY user interfaces.

    [Telnet Server] user-interface maximum-vty 8

    # Set the IP address of the device to which the user is allowed to log in.

    [Telnet Server] acl 2001
    [Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
    [Telnet Server-acl-basic-2001] quit
    [Telnet Server] user-interface vty 0 7
    [Telnet Server-ui-vty0-7] acl 2001 inbound

    # Configure the terminal attributes of the VTY user interface.

    [Telnet Server-ui-vty0-7] shell
    [Telnet Server-ui-vty0-7] idle-timeout 20
    [Telnet Server-ui-vty0-7] screen-length 30
    [Telnet Server-ui-vty0-7] history-command max-size 20

    # Configure the user authentication mode of the VTY user interface.

    [Telnet Server-ui-vty0-7] authentication-mode aaa
    [Telnet Server-ui-vty0-7] quit
  3. Configure the login user information.

    # Configure the login authentication mode.

    [Telnet Server] aaa
    [Telnet Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Telnet Server-aaa] local-user admin1234 service-type telnet
    [Telnet Server-aaa] local-user admin1234 privilege level 3
    [Telnet Server-aaa] quit
  4. Configure the client login.

    Enter commands at the command line prompt to log in to the device through Telnet.

    C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025

    Press Enter, and enter the user name and password in the login window. If authentication succeeds, the command line prompt of the user view is displayed and you can configure the device from the user view.

    Login authentication
    
    Username:admin1234
    Password:
    <Telnet Server>

Configuration Files

Telnet server configuration file

#
 sysname Telnet Server
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server permit interface all
 telnet server enable
 telnet server port 1025
#
user-interface maximum-vty 8
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 history-command max-size 20
 idle-timeout 20 0
 screen-length 30
#
return

Example for Configuring STelnet Login

Networking Requirements

As shown in Figure 10-19, users require secure remote login, but Telnet cannot provide a secure authentication method. In this scenario, STelnet can be configured to ensure security of remote login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address of the management interface on the SSH server. Two login users client001 and client002 need to be configured on the SSH server. The user client001 uses PC1 to log in to the SSH server through password authentication; the user client002 uses PC2 to log in to the SSH server through RSA authentication. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.

Figure 10-19 Networking diagram of configuring STelnet login

STelnet V2 is more secure than STelnet V1, and is therefore recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Install the SSH server login software on PC1, and install the key pair generation software, public key conversion software, and SSH server login software on PC2.

  2. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  3. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  4. Enable the STelnet service on the SSH server.

  5. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.
  6. Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.

  7. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.
    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n):y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
  2. Create an SSH user on the server.

    # Configure the VTY user interface.

    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] authentication-mode aaa
    [SSH Server-ui-vty0-4] protocol inbound ssh
    [SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [SSH Server-aaa] local-user client001 privilege level 3
      [SSH Server-aaa] local-user client001 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client002 password irreversible-cipher Helloworld@6789
      [SSH Server-aaa] local-user client002 privilege level 3
      [SSH Server-aaa] local-user client002 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client002 authentication-type rsa

      # Generate a local key pair of the client on PC2.

      1. Run puttygen.exe on the client. It is used to generate the public and private key files.

        Select SSH2 RSA and click Generate. Move the cursor over the blank area to generate the key.

        Figure 10-20 PuTTY Key Generate page (1)

        After the key is generated, click Save public key to save the key in the key.pub file.

        Figure 10-21 PuTTY Key Generate page (2)

        Click Save private key. The PuTTYgen Warning dialog box is displayed. Click Yes. The private key is saved in the private.ppk file.

        Figure 10-22 PuTTY Key Generate page (3)

      2. Run sshkey.exe on the client. Convert the generated public key to the character string required for the device.

        Open the key.pub file required by SSH that is generated in the previous step.

        Figure 10-23 ssh key converter page (1)

        Click Convert(C). You can see the public keys before and after conversion.

        Figure 10-24 ssh key converter page (2)

      # Enter the RSA public key generated on PC2 to the SSH server.

      [SSH Server] rsa peer-public-key rsakey001
      [SSH Server-rsa-public-key] public-key-code begin
      [SSH Server-rsa-key-code] 30820108 02820101 00DD8904 1A5E30AA 976F384B 5DB366A7
      [SSH Server-rsa-key-code] 048C0E79 06EC6B08 8BB9567D 75914B5B 4EA7B2E5 1938D118
      [SSH Server-rsa-key-code] 4B863A38 BA7E0F0D BE5C5AE4 CA55B192 B531AC48 B07D21E3
      [SSH Server-rsa-key-code] 62E3F2A5 8C04C443 CF51CF51 136B5B9E 812AB1B7 1250EB24
      [SSH Server-rsa-key-code] A4AE5083 A1DB18EC E2395C9B B806E8F0 0BE24FB5 16958784
      [SSH Server-rsa-key-code] 403B617F 8AAAB1F8 C6DE8C3C F09E4D23 7D1C17BF 4AAF09C4
      [SSH Server-rsa-key-code] 74C083AF 17CD3075 3396B322 32C57FF0 B1991971 02F1033B
      [SSH Server-rsa-key-code] 81AA6D47 44520F23 685FAF72 04BA4B6E 615EF224 14E64E2A
      [SSH Server-rsa-key-code] 331EEB7F 188D9805 96DBFD30 0C947A5A BA879DC4 F848B769
      [SSH Server-rsa-key-code] 513C35CD B52B2917 02B77693 F79910EE 5287F252 977F985E
      [SSH Server-rsa-key-code] 5F186C94 93F26780 4E7F5F9D 5287350A 0A4F4988 1BF6AB7C
      [SSH Server-rsa-key-code] 1B020125
      [SSH Server-rsa-key-code] public-key-code end
      [SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [SSH Server] ssh user client002 assign rsa-key rsakey001
  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [SSH Server] ssh server permit interface all // Specify the physical interfaces on the SSH server to which clients can connect in V300R019C11SPC100 or a later version. If no physical interface is specified, the STelnet service cannot be enabled.
    [SSH Server] stelnet server enable
  4. Configure a security policy to ensure that only PC1 and PC2 can be used to log in to the device.
    [SSH Server] acl 2001
    [SSH Server-acl-basic-2001] rule permit source 10.137.217.10 0
    [SSH Server-acl-basic-2001] rule permit source 10.137.217.20 0
    [SSH Server-acl-basic-2001] rule deny source 10.137.217.30 0
    [SSH Server-acl-basic-2001] quit
    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] acl 2001 inbound
    [SSH Server-ui-vty0-4] quit
  5. Verify the configuration.
    • Log in to the SSH server as the client001 user from PC1 using the password authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

      Figure 10-25 PuTTY Configuration page - password authentication mode

      # Click Open. Enter the user name and password at the prompt, and press Enter. You have logged in to the SSH server.

      login as: client001
      Sent username "client001"
      
      's password:
      
      <SSH Server>

    • Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.

      # Use the PuTTY software to log in to the device, enter the device IP address, and select the SSH protocol type.

      Figure 10-26 PuTTY Configuration page - RSA authentication mode (1)

      # Choose Connection > SSH in the navigation tree on the left. The page shown in Figure 10-27 is displayed. Select 2 for Preferred SSH protocol version.

      Figure 10-27 PuTTY Configuration page - RSA authentication mode (2)

      # Choose Connection > SSH > Auth in the navigation tree on the left. The page shown in Figure 10-28 is displayed. Select the private.ppk file corresponding to the public key configured on the server.

      Figure 10-28 PuTTY Configuration page - RSA authentication mode (3)

      # Click Open. Enter the user name at the prompt, and press Enter. You have logged in to the SSH server. The following information is for reference only.

      login as: client002
      Authenticating with public key "rsa-key"
      
      <SSH Server>
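The conversion that sshkey.exe performs in step 2 above (the PuTTY-generated public key turned into the hex string entered in the rsa-key-code view), as an added stand-in example in Python; it is not the converter tool's or the device vendor's code. It assumes the public key is available as a one-line OpenSSH "ssh-rsa <base64>" string (the form PuTTYgen shows for pasting into authorized_keys, rather than the saved key.pub file) and that the device accepts the PKCS#1 RSAPublicKey DER layout visible in the page's key (30 82 01 08 / 02 82 01 01 00 ... / 02 01 25). The key name rsakey001 is from the page; the modulus below is constructed, not a real key.

```python
import base64
import struct


def _ssh_string(buf, pos):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    pos += 4
    return buf[pos:pos + length], pos + length


def _mpint(value):
    """Big-endian bytes of a non-negative integer, with a leading 0x00 when the
    high bit is set (the SSH mpint rule, which DER INTEGER shares)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + body if body[0] & 0x80 else body


def build_openssh_rsa_line(e, n, comment="constructed-key"):
    """Build an OpenSSH 'ssh-rsa <base64> <comment>' line from (e, n).
    Used here only to construct sample input offline."""
    parts = [b"ssh-rsa", _mpint(e), _mpint(n)]
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)


def parse_openssh_rsa(line):
    """Return (e, n) from an OpenSSH 'ssh-rsa ...' public key line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64>' line")
    blob = base64.b64decode(fields[1])
    key_type, pos = _ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r is not ssh-rsa" % key_type)
    e_bytes, pos = _ssh_string(blob, pos)
    n_bytes, pos = _ssh_string(blob, pos)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def _der_length(length):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    """DER INTEGER (tag 0x02) for a non-negative integer."""
    body = _mpint(value)
    return b"\x02" + _der_length(len(body)) + body


def rsa_public_key_der(e, n):
    """PKCS#1 RSAPublicKey: SEQUENCE { INTEGER n, INTEGER e }.
    For a 2048-bit modulus this yields the 30 82 01 08 / 02 82 01 01 header
    seen in the page's example."""
    body = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(body)) + body


def key_code_lines(der, groups_per_line=6):
    """Upper-case hex in 8-character groups, six groups per line, the layout
    used when typing the key in the rsa-key-code view."""
    hexstr = der.hex().upper()
    groups = [hexstr[i:i + 8] for i in range(0, len(hexstr), 8)]
    return [" ".join(groups[i:i + groups_per_line])
            for i in range(0, len(groups), groups_per_line)]


def render_peer_public_key(name, openssh_line):
    """Full command sequence for the rsa peer-public-key view."""
    e, n = parse_openssh_rsa(openssh_line)
    der = rsa_public_key_der(e, n)
    lines = ["rsa peer-public-key %s" % name, " public-key-code begin"]
    lines += ["  " + line for line in key_code_lines(der)]
    lines += [" public-key-code end", "peer-public-key end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed 2048-bit modulus (not a real key) and e = 37 (0x25), the
    # exponent encoded as "0201 25" at the end of the page's example key.
    SAMPLE_N = (1 << 2047) | 0x2F0B3A1D
    SAMPLE_E = 37
    sample_line = build_openssh_rsa_line(SAMPLE_E, SAMPLE_N)
    print(render_peer_public_key("rsakey001", sample_line))
```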

Configuration Files

SSH server configuration file

#
 sysname SSH Server
#
acl number 2001
 rule 5 permit source 10.137.217.10 0 
 rule 10 permit source 10.137.217.20 0 
 rule 15 deny source 10.137.217.30 0
#
rsa peer-public-key rsakey001
 public-key-code begin
  30820107
    02820100
      DD89041A 5E30AA97 6F384B5D B366A704 8C0E7906 EC6B088B B9567D75 914B5B4E
      A7B2E519 38D1184B 863A38BA 7E0F0DBE 5C5AE4CA 55B192B5 31AC48B0 7D21E362
      E3F2A58C 04C443CF 51CF5113 6B5B9E81 2AB1B712 50EB24A4 AE5083A1 DB18ECE2
      395C9BB8 06E8F00B E24FB516 95878440 3B617F8A AAB1F8C6 DE8C3CF0 9E4D237D
      1C17BF4A AF09C474 C083AF17 CD307533 96B32232 C57FF0B1 99197102 F1033B81
      AA6D4744 520F2368 5FAF7204 BA4B6E61 5EF22414 E64E2A33 1EEB7F18 8D980596
      DBFD300C 947A5ABA 879DC4F8 48B76951 3C35CDB5 2B291702 B77693F7 9910EE52
      87F25297 7F985E5F 186C9493 F267804E 7F5F9D52 87350A0A 4F49881B F6AB7C1B
    0201
      25
 public-key-code end
peer-public-key end
#
aaa
 local-user client001 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user client001 privilege level 3
 local-user client001 service-type ssh
 local-user client002 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
 local-user client002 privilege level 3
 local-user client002 service-type ssh
#
 ssh user client002 assign rsa-key rsakey001
 ssh user client002 authentication-type rsa
 ssh server permit interface all
 stelnet server enable
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return

Example for Configuring the Device as a Telnet Client to Log In to Another Device

Networking Requirements

As shown in Figure 10-29, there are reachable routes between the PC and Router1 and between Router1 and Router2. The user needs to manage and maintain Router2 remotely. However, the PC cannot directly log in to Router2 through Telnet because it has no reachable route to Router2. The user can log in to Router1 through Telnet, and then log in to Router2 from Router1. To prevent unauthorized devices from logging in to Router2 through Telnet, an ACL needs to be configured to allow only the Telnet connection from Router1 to Router2.

Figure 10-29 Networking diagram of configuring the device as a Telnet client to log in to another device

STelnet V2 is more secure than Telnet, and is therefore recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure the Telnet authentication mode and password on Router2.
  2. Configure an ACL on Router2 so that only Router1 is allowed access.
  3. Log in to Router2 from Router1 through Telnet.

Procedure

  1. Specify the interfaces on Router2 that allow Telnet login, and configure the authentication mode and password used for login.
    <Huawei> system-view
    [Huawei] sysname Router2
    [Router2] telnet server permit interface all  // Specify the physical interfaces on the Telnet server to which clients can connect in V300R019C11SPC100 or a later version. If no physical interface is specified, the Telnet service cannot be enabled.
    [Router2] telnet server enable
    [Router2] user-interface vty 0 4
    [Router2-ui-vty0-4] user privilege level 3
    [Router2-ui-vty0-4] authentication-mode aaa
    [Router2-ui-vty0-4] quit
  2. Configure the login user information.
    [Router2] aaa
    [Router2-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
    [Router2-aaa] local-user admin1234 service-type telnet
    [Router2-aaa] local-user admin1234 privilege level 3
    [Router2-aaa] quit
  3. Configure an ACL on Router2 so that only Router1 is allowed access.
    [Router2] acl 2000
    [Router2-acl-basic-2000] rule permit source 10.1.1.1 0
    [Router2-acl-basic-2000] quit
    [Router2] user-interface vty 0 4
    [Router2-ui-vty0-4] acl 2000 inbound
    [Router2-ui-vty0-4] quit

    The ACL configuration is optional for the Telnet service.

  4. Verify the configuration.

    # After the preceding configuration, you can log in to Router2 from Router1 through Telnet. The following information is for reference only.

    <Huawei> system-view
    [Huawei] sysname Router1
    [Router1] quit
    <Router1> telnet 10.2.1.1
    Login authentication
    
    Username:admin1234
    Password:
    
    <Router2>

Configuration Files

Router2 configuration file

#
 sysname Router2
#
acl number 2000
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
 local-user admin1234 privilege level 3
 local-user admin1234 service-type telnet
#
 telnet server permit interface all
 telnet server enable
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 3
#
return
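An added check, not part of the documentation or the device vendor's code, for the configuration files shown in the Telnet, STelnet and Telnet-client examples above: it parses the "#"-delimited VRP configuration format and reports VTY or console user interfaces that lack AAA authentication, an inbound ACL with a permit rule, or an SSH-only inbound protocol, and flags an enabled plaintext Telnet server, since the page recommends STelnet V2. The two embedded configurations are constructed from the page's examples, with the cipher text replaced by a placeholder and the key block omitted.

```python
import re
from collections import defaultdict

# Constructed from the page's Telnet server example (cipher text replaced).
TELNET_SERVER_CONFIG = """\
#
 sysname Telnet Server
#
acl number 2001
 rule 5 permit source 10.1.1.1 0
#
aaa
 local-user admin1234 password irreversible-cipher <cipher-text-placeholder>
 local-user admin1234 service-type telnet
#
 telnet server permit interface all
 telnet server enable
 telnet server port 1025
#
user-interface maximum-vty 8
user-interface vty 0 7
 acl 2001 inbound
 authentication-mode aaa
 idle-timeout 20 0
#
return
"""

# Constructed from the page's STelnet server example (key block omitted).
STELNET_SERVER_CONFIG = """\
#
 sysname SSH Server
#
acl number 2001
 rule 5 permit source 10.137.217.10 0
 rule 10 permit source 10.137.217.20 0
 rule 15 deny source 10.137.217.30 0
#
 ssh user client002 assign rsa-key rsakey001
 ssh server permit interface all
 stelnet server enable
#
user-interface vty 0 4
 acl 2001 inbound
 authentication-mode aaa
 protocol inbound ssh
#
return
"""


def parse_vrp_config(text):
    """Map each block header to its indented subcommands. A '#' (or 'return')
    line closes a section; an unindented line opens a block; indented lines in
    a section without a header (sysname, telnet server ...) go under 'global'."""
    blocks = defaultdict(list)
    header = "global"
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() in ("#", "return"):
            header = "global"
            continue
        if raw.startswith(" "):
            blocks[header].append(raw.strip())
        else:
            header = raw.strip()
            blocks.setdefault(header, [])  # register headers with no subcommands
    return blocks


def audit_user_interfaces(text):
    """Return (block, finding) pairs for settings that weaken login control."""
    blocks = parse_vrp_config(text)
    findings = []
    acls = {}
    for header, cmds in blocks.items():
        m = re.match(r"acl(?: number)? (\d+)$", header)
        if m:
            acls[m.group(1)] = cmds
    for header, cmds in blocks.items():
        if not re.match(r"user-interface (vty|con) ", header):
            continue
        if "authentication-mode aaa" not in cmds:
            mode = next((c for c in cmds if c.startswith("authentication-mode")),
                        "default mode")
            findings.append((header, "login is not AAA-authenticated (%s)" % mode))
        if header.startswith("user-interface vty"):
            ref = next((c.split()[1] for c in cmds
                        if re.match(r"acl \d+ inbound$", c)), None)
            rules = acls.get(ref, [])
            if ref is None:
                findings.append((header, "no inbound ACL restricts login sources"))
            elif not any(c.startswith("rule ") and " permit " in c for c in rules):
                findings.append((header, "inbound ACL %s is undefined or has no permit rule" % ref))
            if "protocol inbound ssh" not in cmds:
                findings.append((header, "protocol inbound not limited to ssh; Telnet login remains possible"))
    if "telnet server enable" in blocks["global"]:
        findings.append(("global", "telnet server enable: plaintext Telnet is on; STelnet V2 is recommended"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("Telnet server", TELNET_SERVER_CONFIG),
                      ("SSH server", STELNET_SERVER_CONFIG)):
        for block, finding in audit_user_interfaces(cfg) or [("-", "no findings")]:
            print("%-14s %-24s %s" % (name, block, finding))
```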

Example for Configuring the Device as an STelnet Client to Log In to Another Device

Networking Requirements

The customer requires secure data exchange between the SSH server and clients. As shown in Figure 10-30, two login users client001 and client002 are configured and they use the password and RSA authentication modes respectively to log in to the SSH server. A new port number is configured, and the default port number is not used.

Figure 10-30 Networking diagram of logging in to another device through STelnet

STelnet V2 is more secure than STelnet V1, and is therefore recommended.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Generate a local key pair on the SSH server to implement secure data exchange between the server and client.

  2. Configure different authentication modes for the SSH users client001 and client002 on the SSH server.

  3. Enable the STelnet service on the SSH server.

  4. Configure the STelnet server type for the SSH users client001 and client002 on the SSH server.

  5. Set the SSH server listening port number on the SSH server to prevent attackers from accessing the SSH service standard port and ensure security.

  6. Log in to the SSH server as the client001 and client002 users through STelnet.

Procedure

  1. Generate a local key pair on the server.
    <Huawei> system-view
    [Huawei] sysname SSH Server
    [SSH Server] rsa local-key-pair create
    The key name will be: Host
    RSA keys defined for Host already exist.
    Confirm to replace them? (y/n):y
    The range of public key size is (512 ~ 2048).
    NOTES: If the key modulus is less than 2048,
           It will introduce potential security risks.
    Input the bits in the modulus[default = 2048]:2048
    Generating keys...
    ......................................................................................+++
    ....+++
    .......................................++++++++
    ..............++++++++
    
  2. Create an SSH user on the server.

    # Configure the VTY user interface.

    [SSH Server] user-interface vty 0 4
    [SSH Server-ui-vty0-4] authentication-mode aaa
    [SSH Server-ui-vty0-4] protocol inbound ssh
    [SSH Server-ui-vty0-4] quit
    • Create an SSH user named client001.

      # Create an SSH user named client001 and configure the password authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client001 password irreversible-cipher Huawei@123
      [SSH Server-aaa] local-user client001 privilege level 3
      [SSH Server-aaa] local-user client001 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client001 authentication-type password
    • Create an SSH user named client002.

      # Create an SSH user named client002 and configure the RSA authentication mode for the user.

      [SSH Server] aaa
      [SSH Server-aaa] local-user client002 password irreversible-cipher Helloworld@6789
      [SSH Server-aaa] local-user client002 privilege level 3
      [SSH Server-aaa] local-user client002 service-type ssh
      [SSH Server-aaa] quit
      [SSH Server] ssh user client002 authentication-type rsa

      # Generate a local key pair for Client002.

      <Huawei> system-view
      [Huawei] sysname client002
      [client002] rsa local-key-pair create
      The key name will be: Host
      RSA keys defined for Host already exist.
      Confirm to replace them? (y/n):y
      The range of public key size is (512 ~ 2048).
      NOTES: If the key modulus is less than 2048,
             It will introduce potential security risks.
      Input the bits in the modulus[default = 2048]:2048
      Generating keys...
      ......................................................................................+++
      ....+++
      .......................................++++++++
      ..............++++++++
      

      # Check the public key in the RSA key pair generated on the client.

      [client002] display rsa local-key-pair public
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:37+00:00
      Key name: Host
      Key type: RSA encryption Key
      =====================================================
      Key code:
      30820109
        02820100
          CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
          A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
          5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
          4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
          B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
          3A5EA588 29C63E3B 20D56233 8E63278D F941734F
          6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
          97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
          CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
          CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
          59431600 341FEDEF 5379D565 A8D1953D DEA018A2
          72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
          83D556BC 5B44D983 8D5EA126 C1EB71CB 
        0203
          010001
      
      =====================================================
      Time of Key pair created: 2012-08-06 17:17:44+00:00
      Key name: Server
      Key type: RSA encryption Key
      =====================================================
      Key code:
      3067
        0260
          DF8AFF3C 28213B94 2292852E E98657EE 11DE5AF4
          8A176878 CDD4BD31 55E05735 3080F367 A83A9034
          47D534CA 81250C1D 35401DC3 464E9E5F A50202CF
          A7AD09CD AC3F531C A763F0A0 4C8E51B9 18755400
          76AF4A78 225C92C3 01FE0DFF 06908363
        0203
          010001 

      # Copy the RSA public key generated on the client (the Key code block under Key name: Host in the display command output) to the server. Enter it exactly as displayed.

      [SSH Server] rsa peer-public-key rsakey001
      [SSH Server-rsa-public-key] public-key-code begin
      [SSH Server-rsa-key-code] 30820109
      [SSH Server-rsa-key-code] 02820100
      [SSH Server-rsa-key-code] CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
      [SSH Server-rsa-key-code] A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
      [SSH Server-rsa-key-code] 5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
      [SSH Server-rsa-key-code] 4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
      [SSH Server-rsa-key-code] B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
      [SSH Server-rsa-key-code] 3A5EA588 29C63E3B 20D56233 8E63278D F941734F
      [SSH Server-rsa-key-code] 6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
      [SSH Server-rsa-key-code] 97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
      [SSH Server-rsa-key-code] CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
      [SSH Server-rsa-key-code] CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
      [SSH Server-rsa-key-code] 59431600 341FEDEF 5379D565 A8D1953D DEA018A2
      [SSH Server-rsa-key-code] 72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
      [SSH Server-rsa-key-code] 83D556BC 5B44D983 8D5EA126 C1EB71CB
      [SSH Server-rsa-key-code] 0203
      [SSH Server-rsa-key-code] 010001
      [SSH Server-rsa-key-code] public-key-code end
      [SSH Server-rsa-public-key] peer-public-key end

      # Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.

      [SSH Server] ssh user client002 assign rsa-key rsakey001
  3. Enable the STelnet service on the SSH server.

    # Enable the STelnet service.

    [SSH Server] ssh server permit interface all // Specify the physical interfaces on the SSH server to which clients can connect in V300R019C11SPC100 or a later version. If no physical interface is specified, the STelnet service cannot be enabled.
    [SSH Server] stelnet server enable
  4. Configure a new listening port number on the SSH server.
    [SSH Server] ssh server port 1025
  5. Connect the STelnet client to the SSH server.

    # Enable first-time authentication on the SSH client for the first login. With first-time authentication enabled, the client accepts the server's public key on the first login without being able to verify it and saves the key for later logins, so make that first connection from a trusted network position.

    Enable first-time authentication on client001.

    <Huawei> system-view
    [Huawei] sysname client001
    [client001] ssh client first-time enable

    Enable first-time authentication on client002.

    [client002] ssh client first-time enable

    # Log in to the SSH server from client001 in password authentication mode by entering the user name and password.

    [client001] stelnet 10.1.1.1 1025
    Please input the username:client001
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    Enter password:   

    Enter the password. The following information indicates that you have logged in successfully:

    <SSH Server>

    # Log in to the SSH server from Client002 in RSA authentication mode.

    [client002] stelnet 10.1.1.1 1025
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Connected to 10.1.1.1 ...
    The server is not authenticated. Continue to access it?(y/n)[n]:y
    Save the server's public key?(y/n)[n]:y
    The server's public key will be saved with the name 10.1.1.1. Please wait...
    
    <SSH Server>

    The user enters the user view, indicating that login succeeds.

  6. Verify the configuration.

    # A connection to the default listening port 22 fails because the server no longer listens on it; only clients that know port 1025 can reach the service.

    [client002] stelnet 10.1.1.1
    Please input the username:client002
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.

    # Run the display ssh server status command on the SSH server. The command output shows that the STelnet service has been enabled. Run the display ssh user-information command. Information about the configured SSH users is displayed.

    # Check the status of the SSH server.

    [SSH Server] display ssh server status
     SSH version                         :1.99
     SSH connection timeout              :60 seconds
     SSH server key generating interval  :0 hours
     SSH Authentication retries          :3 times
     SFTP Server                         :Disable
     Stelnet server                      :Enable
     SSH server port                     :1025

    # Check information about SSH users.

    [SSH Server] display ssh user-information
    -------------------------------------------------------------------------------
     Username         Auth-type          User-public-key-name
     -------------------------------------------------------------------------------
     client001        password           null
     client002        rsa                rsakey001
     -------------------------------------------------------------------------------
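
A practitioner pasting the key code in step 2 wants to be sure that what ends up under rsa peer-public-key on the server is the client's Host key, that its modulus really is 2048 bits, and that it can be compared with the fingerprint other SSH tooling prints. The following Python script is an added example written for this page; it is not Huawei code and the device offers no such tool. It assumes the Key code hex is the DER encoding of RSAPublicKey (a SEQUENCE of the INTEGERs n and e) with the modulus printed unsigned, which is how the output above is laid out. The two key codes embedded in it are copied from that output (the second is the 768-bit key the same command displays), the function names parse_key_code, check_key, openssh_fingerprint and same_key are the author's own, and the fingerprint is the OpenSSH-style SHA256 value that ssh-keygen -l prints for the same key.

```python
"""Check an RSA public key copied from `display rsa local-key-pair public`.
Added example for this page, not Huawei code. Assumes the Key code is DER
RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER } with n printed unsigned."""
import base64
import hashlib
import struct
from typing import NamedTuple

# Constructed sample input: the client002 Host key code shown on this page.
HOST_KEY_CODE = """
30820109
  02820100
    CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B
    A3A48594 69517096 35626F55 E4FAF0EB FDA2B9E9
    5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF
    4ED0C909 E8D975E6 FFC73C81 D13FE71E 759DC805
    B0F0E877 4FC9288E BE1E197C 2A7186B0 B56F5573
    3A5EA588 29C63E3B 20D56233 8E63278D F941734F
    6B359C69 BBAE5A52 EB842179 04B4204D 5DB31D72
    97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
    CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85
    CCAA9796 A4B55760 0A8108ED DB45DA12 F61634C9
    59431600 341FEDEF 5379D565 A8D1953D DEA018A2
    72F99FFC 63DE04BF 2A6219BD DF13D705 27D63DEF
    83D556BC 5B44D983 8D5EA126 C1EB71CB
  0203
    010001
"""
# Constructed sample input: the second (768-bit) key code from the same output.
SERVER_KEY_CODE = """
3067
  0260
    DF8AFF3C 28213B94 2292852E E98657EE 11DE5AF4
    8A176878 CDD4BD31 55E05735 3080F367 A83A9034
    47D534CA 81250C1D 35401DC3 464E9E5F A50202CF
    A7AD09CD AC3F531C A763F0A0 4C8E51B9 18755400
    76AF4A78 225C92C3 01FE0DFF 06908363
  0203
    010001
"""

class RsaPublicKey(NamedTuple):
    n: int
    e: int

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("key code is truncated")
    return tag, value, pos + length

def parse_key_code(text: str) -> RsaPublicKey:
    """Decode the hex key code into (n, e), checking that the DER framing adds up."""
    raw = bytes.fromhex("".join(text.split()))
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("key code is not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER n, INTEGER e }")
    # VRP prints the modulus unsigned, so decode it unsigned even when the top
    # bit is set (a strict DER decoder would read 0xCB... as a negative number).
    return RsaPublicKey(int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big"))

def check_key(key: RsaPublicKey, min_bits: int = 2048) -> list:
    """Findings a reviewer should see before binding the key to an SSH user."""
    bits = key.n.bit_length()
    findings = [f"modulus is {bits} bits, below {min_bits}"] if bits < min_bits else []
    if key.e < 65537 or key.e % 2 == 0:
        findings.append(f"unusual public exponent {key.e}")
    return findings

def _mpint(x: int) -> bytes:
    """SSH mpint: big-endian bytes, with a 0x00 pad when the top bit is set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(body)) + body

def openssh_fingerprint(key: RsaPublicKey) -> str:
    """SHA256 fingerprint of the OpenSSH ssh-rsa blob, as `ssh-keygen -l` prints it."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(key.e) + _mpint(key.n)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def same_key(code_a: str, code_b: str) -> bool:
    """True when two pastes (client output vs. server config) carry the same key."""
    return parse_key_code(code_a) == parse_key_code(code_b)

if __name__ == "__main__":
    for name, code in (("Host", HOST_KEY_CODE), ("Server", SERVER_KEY_CODE)):
        key = parse_key_code(code)
        print(name, key.n.bit_length(), "bits", openssh_fingerprint(key), check_key(key) or "ok")
```

Run as a script it prints the size, fingerprint and findings of both keys: the Host key passes, the 768-bit key is flagged as too short, which is also a reminder that only the Host key code is what you paste on the server. same_key() ignores line breaks and indentation, so the reflowed copy that appears in a saved configuration file can be compared directly against the display command output to confirm that the key bound with ssh user assign rsa-key is the client's.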

Configuration Files

  • SSH server configuration file

    #
     sysname SSH Server
    #
     rsa peer-public-key rsakey001
      public-key-code begin
       30820109
         02820100
           CB0E88EC A1C2CFEA F97126F9 36919C08 0455127B A3A48594 69517096 35626F55
           E4FAF0EB FDA2B9E9 5E417B2B E09F38B0 D26FCA73 FE2E3FC4 DFBEC8CF 4ED0C909
           E8D975E6 FFC73C81 D13FE71E 759DC805 B0F0E877 4FC9288E BE1E197C 2A7186B0
           B56F5573 3A5EA588 29C63E3B 20D56233 8E63278D F941734F 6B359C69 BBAE5A52
           EB842179 04B4204D 5DB31D72 97F0C085 DA771F66 0AAADC28 D264CEB9 5BADA92C
           CDE9F116 D6D99C48 CEBA3A1D 868B053A 32941D85 CCAA9796 A4B55760 0A8108ED
           DB45DA12 F61634C9 59431600 341FEDEF 5379D565 A8D1953D DEA018A2 72F99FFC
           63DE04BF 2A6219BD DF13D705 27D63DEF 83D556BC 5B44D983 8D5EA126 C1EB71CB
         0203
           010001
      public-key-code end
     peer-public-key end
    #
    aaa
     local-user client001 password irreversible-cipher %^%#HW=5%Mr;:2)/RX$FnU1HLO%-TBMp4wn%;~\#%iAut}_~O%0L%^%#
     local-user client001 privilege level 3
     local-user client001 service-type ssh
     local-user client002 password irreversible-cipher %^%#*~Br";[g6Pv5Zf>$~{hY+N!`{$<[Y{;l02P)B,EBz\1FN!c+%^%#
     local-user client002 privilege level 3
     local-user client002 service-type ssh
    #
     ssh user client002 assign rsa-key rsakey001
     ssh user client002 authentication-type rsa
     ssh server permit interface all
     stelnet server enable
     ssh server port 1025
    #
    user-interface vty 0 4
     authentication-mode aaa
     protocol inbound ssh
    #
    return
  • client001 configuration file

    #
     sysname client001
    #
    ssh client first-time enable
    #
    return
  • client002 configuration file

    #
     sysname client002
    #
    ssh client first-time enable
    #
    return

Example for Logging In to Another Device Through Redirection

Networking Requirements

In telecommunication and financial fields, some terminals can be accessed only through a serial port, or cannot be reached over the network using Telnet. The serial port redirection function of the router lets you configure and manage such terminals, connected to the router's asynchronous serial ports, through Telnet.

As shown in Figure 10-31, the asynchronous serial port on RouterA connects to the console port on RouterB through an asynchronous serial cable. You can log in to RouterB through RouterA from the remote PC in vpna. RouterA functions as the serial port server and there is a reachable route between the remote PC and RouterA. You can log in to RouterB connected to RouterA from the remote PC using the IP address and specified port number.

For details about the asynchronous serial cable, see "8AS Cable" in the NetEngine AR Get to Know the Product - Hardware Description - Cables.

Figure 10-31 Networking diagram for redirection configuration

Configuration Roadmap

The configuration roadmap is as follows:

  1. Connect the console port of RouterB to an asynchronous serial port of RouterA.
  2. Enable the redirection function on RouterA.

Procedure

  1. Configure the asynchronous serial port to work in flow mode.
    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] interface async 2/0/1
    [RouterA-Async2/0/1] async mode flow
  2. Obtain the TTY user interface number corresponding to the asynchronous serial port.
    [RouterA] display user-interface 
      Idx  Type     Tx/Rx      Modem Privi ActualPrivi Auth  Int                    
      0    CON 0    9600       -     15    -           N     -                      
      41   TTY 41   9600       inout 0     -           N     2/0/0                  
      42   TTY 42   9600       -     0     -           N     2/0/1                  
      43   TTY 43   9600       -     0     -           N     2/0/2                  
      44   TTY 44   9600       -     0     -           N     2/0/3                  
      45   TTY 45   9600       -     0     -           N     2/0/4                  
      46   TTY 46   9600       -     0     -           N     2/0/5                  
      47   TTY 47   9600       -     0     -           N     2/0/6                  
      48   TTY 48   9600       -     0     -           N     2/0/7                  
    + 129  VTY 0               -     15    4           N     -                      
      130  VTY 1               -     15    -           N     -                      
      131  VTY 2               -     15    -           N     -                      
      132  VTY 3               -     15    -           N     -                      
      133  VTY 4               -     15    -           N     -                      
      145  VTY 16              -     0     -           P     -                      
      146  VTY 17              -     0     -           P     -                      
      147  VTY 18              -     0     -           P     -                      
      148  VTY 19              -     0     -           P     -                      
      149  VTY 20              -     0     -           P     -                      
  3. Configure a VPN instance named vpna.
    [RouterA] ip vpn-instance vpna
    [RouterA-vpn-instance-vpna] ipv4-family
    [RouterA-vpn-instance-vpna-af-ipv4] route-distinguisher 1:1
    [RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 export-extcommunity
    [RouterA-vpn-instance-vpna-af-ipv4] vpn-target 111:1 import-extcommunity
    [RouterA-vpn-instance-vpna-af-ipv4] quit
    [RouterA-vpn-instance-vpna] quit
    [RouterA] interface gigabitethernet 0/0/1
    [RouterA-GigabitEthernet0/0/1] ip binding vpn-instance vpna 
    [RouterA-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
    [RouterA-GigabitEthernet0/0/1] quit
  4. Enable the redirection function on RouterA and associate the redirection function with the VPN instance vpna.
    [RouterA] user-interface tty 42
    [RouterA-ui-tty42] undo shell
    [RouterA-ui-tty42] redirect enable
    [RouterA-ui-tty42] redirect listen-port 2042
    [RouterA-ui-tty42] redirect binding vpn-instance vpna
    [RouterA-ui-tty42] authentication-mode password
    [RouterA-ui-tty42] set authentication password cipher
    Enter Password(<8-128>):
    Confirm password:
    [RouterA-ui-tty42] quit
    [RouterA] quit

    If the redirection function is not associated with the VPN instance to which the private users belong, all users on public and private networks can log in to RouterB. Note also that the redirected session is carried over Telnet, so the TTY password and everything typed to RouterB cross the network in cleartext; keep the listening port reachable only from the management network.

  5. Check the port number allocated to the TTY user interface.
    <RouterA> display tcp status
    TCPCB    Tid/Soid Local Add:port        Foreign Add:port      VPNID  State      
    19fde824 9  /2    0.0.0.0:22            0.0.0.0:0             23553  Listening  
    19fde6c0 9  /1    0.0.0.0:23            0.0.0.0:0             23553  Listening  
    19fde130 109/1    0.0.0.0:80            0.0.0.0:0             23553  Listening  
    19fdef18 9  /4    0.0.0.0:2042          0.0.0.0:0             23553  Listening  
    19fde55c 7  /1    0.0.0.0:7547          0.0.0.0:0             0      Listening  
    19fdf07c 9  /9    10.137.217.211:23     10.138.77.61:2567     0      Established
    19fdf344 9  /10   10.137.217.211:23     10.138.77.69:2824     0      Time_Wait 
  6. Verify the configuration.

    # Run the telnet 10.1.1.1 2042 command on the PC client to log in to RouterA through a specified port (the default port number is 2000 plus the TTY user interface number), and then press Enter to log in to RouterB.

    C:\Documents and Settings\Administrator> telnet 10.1.1.1 2042
    Press CTRL_] to quit telnet mode      
      Trying 10.1.1.1...                     
      Connected to 10.1.1.1...        
    Login authentication
    
    
    Password:
     <RouterA>
     [RouterB]

Configuration Files

  • Configuration file of RouterA

    #
     sysname RouterA
    #                            
    ip vpn-instance vpna           
     ipv4-family                                
      route-distinguisher 1:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity           
    # 
    interface Async2/0/1
     async mode flow
    #
    interface GigabitEthernet0/0/1
     ip binding vpn-instance vpna 
     ip address 10.1.1.1 255.255.255.0
    #
    user-interface tty 42
     authentication-mode password
     set authentication password cipher %^%##N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-ywBaSmj:\@.d>,%^%#
     redirect enable
     redirect listen-port 2042
     redirect binding vpn-instance vpna
    #
    return

Example for Configuring an NMS to Communicate with a Device by SSH over a VPN

This section provides an example for configuring an NMS to communicate with a device by SSH over a VPN.

Networking Requirements

On the network shown in Figure 10-32, an NMS, RouterA, and an AAA server are connected over a VPN. The NMS integrates the SSH client and SFTP server functions. The SSH client logs in to RouterA over SSH to manage it, and RouterA, functioning as an SFTP client, transfers files with the SFTP server on the NMS.

Figure 10-32 Networking diagram for configuring an NMS to communicate with a device by SSH over a VPN

The interfaces are bound to the same VPN instance.

Precautions

Ensure that the route between the device and NMS is reachable.

Configuration Roadmap

The configuration roadmap is as follows:

  1. Configure a VPN instance.
  2. Bind the interfaces connecting the device to the NMS and HWTACACS server to the VPN instance.
  3. Configure a default VPN instance used by the NMS to manage the device.
  4. Configure an HWTACACS server.
  5. Configure a local AAA user and set its access mode to SSH and authentication mode to HWTACACS.
  6. Configure an SSH user and set its authentication and service modes.
  7. Configure an SNMPv3 USM user to allow the NMS to access the device.
  8. Configure an SFTP client to use SFTP for file transfer.

Procedure

  1. Configure a VPN instance.
    <Huawei> system-view
    [Huawei] sysname RouterA
    [RouterA] ip vpn-instance vrf1
    [RouterA-vpn-instance-vrf1] ipv4-family
    [RouterA-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
    [RouterA-vpn-instance-vrf1-af-ipv4] vpn-target 111:1 both
    [RouterA-vpn-instance-vrf1-af-ipv4] quit
    [RouterA-vpn-instance-vrf1] quit
  2. Bind interfaces to the VPN instance.
    [RouterA] interface gigabitethernet 1/0/0
    [RouterA-GigabitEthernet1/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet1/0/0] ip address 10.1.1.2 255.255.255.0
    [RouterA-GigabitEthernet1/0/0] quit
    [RouterA] interface gigabitethernet 2/0/0
    [RouterA-GigabitEthernet2/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet2/0/0] ip address 10.2.1.2 255.255.255.0
    [RouterA-GigabitEthernet2/0/0] quit
    [RouterA] interface gigabitethernet 3/0/0
    [RouterA-GigabitEthernet3/0/0] ip binding vpn-instance vrf1
    [RouterA-GigabitEthernet3/0/0] ip address 10.3.1.1 255.255.255.0
    [RouterA-GigabitEthernet3/0/0] quit
  3. Configure a default VPN instance used by the NMS to manage the device.
    [RouterA] set net-manager vpn-instance vrf1

    The VPN configured using this command affects the following service modules on the device: TFTP client, FTP client, SFTP client, SCP client, Info Center, SNMP, PM, IP FPM, and TACACS. To access the public network, you must set the public-net parameter.

  4. Configure an HWTACACS server.

    # Enable the HWTACACS function and configure an HWTACACS server template named ht.

    [RouterA] hwtacacs enable
    [RouterA] hwtacacs-server template ht

    # Configure the IP address of the primary HWTACACS authentication and authorization server and bind it to the VPN instance vrf1.

    [RouterA-hwtacacs-ht] hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
    [RouterA-hwtacacs-ht] hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1

    # Configure a key for the HWTACACS server.

    [RouterA-hwtacacs-ht] hwtacacs-server shared-key cipher it-is-my-secret123
    [RouterA-hwtacacs-ht] quit

    # Enter the AAA view.

    [RouterA] aaa

    # Configure an authentication scheme named scheme1 and set the authentication mode to HWTACACS authentication.

    [RouterA-aaa] authentication-scheme scheme1
    [RouterA-aaa-authen-scheme1] authentication-mode hwtacacs
    [RouterA-aaa-authen-scheme1] quit

    # Configure an authorization scheme named scheme2 and set the authorization mode to HWTACACS authorization.

    [RouterA-aaa] authorization-scheme scheme2
    [RouterA-aaa-author-scheme2] authorization-mode hwtacacs
    [RouterA-aaa-author-scheme2] quit

    # Configure the huawei domain. Use the scheme1 authentication scheme, scheme2 authorization scheme, and ht template in the domain.

    [RouterA-aaa] domain huawei
    [RouterA-aaa-domain-huawei] authentication-scheme scheme1
    [RouterA-aaa-domain-huawei] authorization-scheme scheme2
    [RouterA-aaa-domain-huawei] hwtacacs-server ht
    [RouterA-aaa-domain-huawei] quit
  5. Create a local AAA user named sshuser001. Set the access mode to SSH and authentication mode to HWTACACS.

    # Configure a local user named sshuser001 in the huawei domain. After the configuration is complete, the sshuser001 user uses the authentication and authorization modes in the huawei domain.

    [RouterA-aaa] local-user sshuser001@huawei password
    Please configure the password (8-128)
    Enter Password:                                                                 
    Confirm Password:
    [RouterA-aaa] local-user sshuser001@huawei service-type ssh
    [RouterA-aaa] quit
  6. Configure authentication for the SSH user.
    [RouterA] ssh user sshuser001 authentication-type password
  7. Enable the STelnet function.
    [RouterA] ssh server permit interface all           // Specify the physical interfaces on the SSH server to which clients can connect in V300R019C11SPC100 or a later version. If no physical interface is specified, the STelnet service cannot be enabled.
    [RouterA] stelnet server enable
  8. Configure an SNMPv3 USM user to allow the NMS to access the device.

    # Enable the SNMP agent function.

    [RouterA] snmp-agent

    # Set the SNMP version to SNMPv3.

    [RouterA] snmp-agent sys-info version v3

    # Configure a MIB view.

    [RouterA] snmp-agent mib-view iso include iso

    # Configure a user group and users in the group, and authenticate and encrypt user data.

    [RouterA] snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    [RouterA] snmp-agent usm-user v3 nms-admin group admin
    [RouterA] snmp-agent usm-user v3 nms-admin authentication-mode sha
    Please configure the authentication password (10-255)
    Enter Password:
    Confirm Password: 
    [RouterA] snmp-agent usm-user v3 nms-admin privacy-mode aes128
    Please configure the privacy password (10-255)
    Enter Password:
    Confirm Password:

    # Configure the alarm function.

    [RouterA] snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc
    [RouterA] snmp-agent trap enable
  9. Enable the device functioning as an SFTP client to transfer files with the NMS functioning as an SFTP server over the VPN. The SFTP client uses the VPN instance set with the set net-manager vpn-instance command in step 3; after the login to the SFTP server completes, the prompt changes to sftp-client>.
    [RouterA] ssh client first-time enable
    [RouterA] sftp 10.1.1.1
    sftp-client> put aaa.cfg
  10. Verify the configuration.

    After completing the configuration, perform the following operations to check whether the configuration takes effect.

    # Display the SNMP version.

    [RouterA] display snmp-agent sys-info version
       SNMP version running in the system:
               SNMPv3

    # Display the SNMPv3 USM user information.

    [RouterA] display snmp-agent usm-user
       User name: nms-admin,
       Engine ID: 800007DB0300259E0370C3 active
       Group-name: admin
       Authentication mode: sha
       Privacy mode: aes128
       User state: Active

Configuration Files

  • RouterA configuration file

    #
    sysname RouterA
    #
    hwtacacs enable
    #
    ip vpn-instance vrf1
     ipv4-family
      route-distinguisher 22:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    hwtacacs-server template ht
     hwtacacs-server authentication 10.2.1.1 vpn-instance vrf1
     hwtacacs-server authorization 10.2.1.1 vpn-instance vrf1
     hwtacacs-server shared-key cipher %^%#x@ZaCImt|X79[^A&]DEYC6[>U]OD(8n&BVHvsu2R{=zVSySB'|H[;I`|ef#%^%#
    #
    aaa
     local-user sshuser001@huawei password irreversible-cipher $1c$\h[;D"`M79$GN]A=y;*4EFG%t>vIJI=rJvxWe/V%Xbd;(J+AzC+$
     local-user sshuser001@huawei service-type ssh
     #
     authentication-scheme scheme1
      authentication-mode hwtacacs
     #
     authorization-scheme scheme2
      authorization-mode hwtacacs
     #
     accounting-scheme default0
     #
     accounting-scheme default1
     #
     domain huawei
      authentication-scheme scheme1
      authorization-scheme scheme2
      hwtacacs-server ht
    #
    interface GigabitEthernet1/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.1.1.2 255.255.255.0
    #
    interface GigabitEthernet2/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.2.1.2 255.255.255.0
    #
    interface GigabitEthernet3/0/0
     undo shutdown
     ip binding vpn-instance vrf1
     ip address 10.3.1.1 255.255.255.0
    #
    snmp-agent
    snmp-agent local-engineid 800007DB0300313D6A1FA0
    #
    snmp-agent sys-info version v3
    snmp-agent group v3 admin privacy write-view iso notify-view iso read-view iso
    snmp-agent target-host trap-hostname aaa address 10.1.1.1 trap-paramsname abc
    #
    snmp-agent mib-view iso include iso
    snmp-agent usm-user v3 nms-admin group admin
    snmp-agent usm-user v3 nms-admin authentication-mode sha %#%##/L&Fd]S.!i*S7<\jCh2DkfkE4+:<%Wap|8zZWwPL+[a>h$wy>VJsp9(L{%B%#%#
    snmp-agent usm-user v3 nms-admin privacy-mode aes128 %#%#CM-]HDuhH6VX)**J<186nf({M823f(0Z73++7(A#%,1jODj}D>_HS>W,'Ss=%#%#
    #
    ssh server permit interface all 
    stelnet server enable
    ssh user sshuser001 authentication-type password
    #
    ssh client first-time enable
    #
    return

Troubleshooting CLI Login

This section describes common faults caused by incorrect configurations and provides the corresponding troubleshooting procedures.

Failing to Log In Through the Console Port

Fault Description

Login through the console port fails.

Procedure

  1. Check whether the serial port parameters are correctly configured. (The third-party software SecureCRT is used as an example here.)

    Check whether a correct serial port is connected. Some PCs provide multiple serial ports with corresponding numbers. When connecting a serial port, ensure that the correct serial port number is selected.

    Check that the serial port settings on the PC are the same as the console port settings on the device, as shown in Figure 10-33. The default console port settings are as follows:

    • Baud rate: 9600
    • Data bits: 8
    • Stop bits: 1
    • Parity: None
    • Flow control: None

    Figure 10-33 Setting the connected port and communication parameters

  2. Check whether the serial cable is securely connected. If necessary, replace the current cable with a properly-functioning one.

Failing to Log In Through Telnet

Fault Description

Login to the Telnet server through Telnet fails.

Procedure

  1. Check whether the number of login users reaches the upper limit.

    Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

    If the number of login users reaches the upper limit, first check with the display users command whether the sessions are legitimate, since an attacker can exhaust the VTY user interfaces simply by opening connections. If more concurrent administrators are genuinely needed, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

  2. Check whether an ACL is configured in the VTY user interface view (Telnet IPv4 is used as an example).

    Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether an ACL is configured in the VTY user interface view. If so, record the ACL number.

    Run the display acl acl-number command on the Telnet server to check whether the IP address of the Telnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

  3. Check whether the access protocol is correctly configured in the VTY user interface view.

    Run the user-interface vty command on the Telnet server to enter the user interface view and then run the display this command to check whether protocol inbound is set to telnet or all. By default, the VTY user interfaces accept both SSH and Telnet. If Telnet is not allowed, run the protocol inbound { telnet | all } command to allow Telnet users to connect to the device; because Telnet carries credentials in cleartext, allow it only where STelnet is not an option.

  4. Check whether an authentication mode is set for login users in the user interface view.
    • If password authentication is configured using the authentication-mode password command, you must enter the password upon login.

    • If AAA authentication is configured using the authentication-mode aaa command, you must run the local-user command to create a local AAA user and grant it the Telnet service type with the local-user user-name service-type telnet command, as in the Telnet server configuration file above.

Failing to Log In Through STelnet

Fault Description

Login to the SSH server through STelnet fails.

Procedure

  1. Check whether the SSH service is enabled on the SSH server.

    Log in to the SSH server through the console port or using Telnet and run the display ssh server status command to check the SSH server configuration.

    If the STelnet service is disabled, run the stelnet server enable command to enable the STelnet service on the SSH server.

  2. Check whether the access protocol is correctly configured in the VTY user interface view.

    Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether protocol inbound is set to ssh or all. If not, run the protocol inbound { ssh | all } command to allow STelnet users to log in to the device.

  3. Check whether a local key pair is configured on the SSH server.

    A local key pair must be configured when the device works as the SSH server.

    Run the display rsa local-key-pair public command on the SSH server to check the current key pair. If no information is displayed, no key pair is configured on the server. Run the rsa local-key-pair create command to create a key pair.

    For higher security, it is recommended that the RSA authentication mode not be used. If it is used, generate the key pair with a 2048-bit modulus; the key-generation prompt warns that a shorter modulus introduces security risks.

  4. Check whether an SSH user is configured on the SSH server.

    Run the display ssh user-information command to view the SSH user configuration. If no configuration is available, run the ssh user user-name authentication-type command in the system view to create an SSH user and set an authentication mode for the SSH user.

  5. Check whether the number of login users on the SSH server reaches the upper limit.

    Log in to the device through the console port and run the display users command to check whether all VTY user interfaces are in use. By default, the maximum number of VTY user interfaces is 5. You can run the display user-interface maximum-vty command to check the maximum number of login users allowed by the device.

    If the number of login users reaches the upper limit, run the user-interface maximum-vty 15 command to increase the maximum number of login users to 15.

  6. Check whether an ACL is bound to the VTY user interface of the SSH server.

    Run the user-interface vty command on the SSH server to enter the user interface view and then run the display this command to check whether an ACL is configured on the VTY user interface. If so, record the ACL number.

    Run the display acl acl-number command on the SSH server to check whether the IP address of the STelnet client is denied in the ACL. If so, run the undo rule rule-id command in the ACL view to delete the deny rule and then run the corresponding command to modify the ACL and permit the IP address of the client.

  7. Check the SSH version on the SSH client and server.

    Run the display ssh server status command on the SSH server to check the SSH version.

    If the SSHv1 client logs in, run the ssh server compatible-ssh2x enable command to enable the version compatibility function on the server.

  8. Check whether first-time authentication is enabled on the SSH client.

    Run the display this command in the system view on the SSH client to check whether first-time authentication is enabled on the SSH client.

    If it is disabled, the first login from the SSH client fails because the validity check on the SSH server's public key fails. Run the ssh client first-time enable command to enable first-time authentication on the SSH client.
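One way to run checks 1, 2, 4 and 6 of this procedure offline against a saved configuration, as an added example that is not Huawei's code: it parses a constructed configuration excerpt in the shape of display current-configuration output (the ACL number 2000, the user admin123, the VTY range 0 4 and the 192.0.2.x addresses are all assumed sample values, not taken from a device) and reports which checklist items would block a given STelnet client. Steps 3, 5, 7 and 8 depend on live display commands rather than the configuration text and are not covered.

```python
"""Offline checker for the STelnet login checklist (steps 1, 2, 4 and 6).

Added example, not Huawei code. It parses a constructed excerpt shaped like
`display current-configuration` output and reports which checklist items
fail for a given STelnet client address.
"""
import ipaddress
import re

# Constructed sample (not a capture from a real device). The stanzas mirror
# the commands named in the procedure: stelnet server enable, ssh user,
# the ACL bound to the VTY interface, and the VTY user-interface view.
SAMPLE_CONFIG = """\
#
stelnet server enable
#
ssh user admin123 authentication-type password
#
acl number 2000
 rule 5 deny source 192.0.2.10 0
 rule 10 permit source 192.0.2.0 0.0.0.255
#
user-interface vty 0 4
 acl 2000 inbound
 authentication-mode aaa
 user privilege level 15
 protocol inbound ssh
#
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny)(?: source (\S+)(?: (\S+))?)?$")


def parse_blocks(config):
    """Split VRP-style config into {stanza header: [indented child lines]}."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = None          # '#' separates stanzas
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
    return blocks


def _ip_int(text):
    """Dotted address to int; the wildcard 0.0.0.0 is printed as '0' in config."""
    return 0 if text == "0" else int(ipaddress.IPv4Address(text))


def acl_verdict(rules, client_ip):
    """Return (action, rule_id) of the first basic-ACL rule matching client_ip,
    or (None, None) if nothing matches. Rules are evaluated in ascending
    rule-id order; a rule without 'source', or with 'source any', matches all."""
    client = _ip_int(client_ip)
    parsed = []
    for line in rules:
        m = RULE_RE.match(line)
        if m:
            parsed.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    for rule_id, action, src, wildcard in sorted(parsed):
        if src is None or src == "any":
            return action, rule_id
        w = _ip_int(wildcard) if wildcard else 0
        if (client ^ _ip_int(src)) & ~w == 0:   # wildcard bits are don't-care
            return action, rule_id
    return None, None


def check_stelnet_login(config, client_ip, vty="user-interface vty 0 4"):
    """Evaluate checklist steps 1, 2, 4 and 6; return a list of (step, finding)."""
    blocks = parse_blocks(config)
    findings = []
    if "stelnet server enable" not in blocks:                              # step 1
        findings.append((1, "STelnet service disabled; run 'stelnet server enable'"))
    lines = blocks.get(vty, [])
    proto = next((l.split()[-1] for l in lines if l.startswith("protocol inbound")), None)
    if proto is None:                                                       # step 2
        findings.append((2, "protocol inbound not set explicitly; confirm the default allows ssh"))
    elif proto not in ("ssh", "all"):
        findings.append((2, f"protocol inbound {proto} blocks STelnet; run 'protocol inbound ssh'"))
    if not any(h.startswith("ssh user ") for h in blocks):                  # step 4
        findings.append((4, "no SSH user; create one with 'ssh user ... authentication-type ...'"))
    acl_line = next((l for l in lines if l.startswith("acl ") and l.endswith("inbound")), None)
    if acl_line:                                                            # step 6
        acl_num = acl_line.split()[1]
        action, rule_id = acl_verdict(blocks.get(f"acl number {acl_num}", []), client_ip)
        if action == "deny":
            findings.append((6, f"ACL {acl_num} rule {rule_id} denies {client_ip}; "
                                f"fix with 'undo rule {rule_id}' and a permit rule"))
    auth = next((l.split()[-1] for l in lines if l.startswith("authentication-mode")), None)
    if auth == "password":  # the device itself warns that password mode is not secure
        findings.append(("note", "VTY uses password authentication; aaa is recommended"))
    return findings


if __name__ == "__main__":
    for step, text in check_stelnet_login(SAMPLE_CONFIG, "192.0.2.10"):
        print(f"step {step}: {text}")
```

On the sample, client 192.0.2.10 is reported as denied by rule 5 of ACL 2000 (step 6), while 192.0.2.20 passes every covered check. How an address that matches no rule is treated is device-dependent and not stated in this section, so the checker reports only an explicit deny.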

FAQ About CLI Login

This section describes common problems you may encounter during the configuration and provides the solutions to these problems.

What If I Forget the Password for Console Port Login?

Procedure

When you forget the password for logging in through the console port, use either of the following two methods to set a new password.

Logging In to the Device Through STelnet/Telnet to Set a New Password

It is recommended that you use STelnet V2 to log in to the device.

The following uses the command lines and outputs of logging in to the device using STelnet as an example. After logging in to the device through STelnet, perform the following operations.

# Take password authentication as an example. Set the password to Huawei@123.

<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode password
[Huawei-ui-console0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password: 
[Huawei-ui-console0] return
<Huawei> save

# Take AAA authentication as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view
[Huawei] user-interface console 0
[Huawei-ui-console0] authentication-mode aaa
[Huawei-ui-console0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] local-user admin123 service-type terminal
[Huawei-aaa] return
<Huawei> save

Clearing the Lost Password Using the BootROM Menu

You can use the BootROM menu of the device to clear the lost password for console port login. After starting the device, set a new password and save your configuration. Perform the following steps.

  1. Connect the terminal to the console port of the device and restart the device. When the following message is displayed, press Ctrl+B and enter the BootROM password to enter the BootROM menu.

    Press Ctrl+B to break auto startup ...  1 
    
    Enter Password:       //Enter the BootROM password.
  2. In the BootROM menu, select Password Manager and then Clear the console login password.
  3. Then select the Return and Default Startup options in turn to restart the device.
  4. After the system starts, you can log in through the console port without password authentication. After logging in to the system, set an authentication mode and password for the console user interface as required. The configuration is similar to that of Logging In to the Device Through STelnet/Telnet to Set a New Password, and is not provided here.

    Configuring the authentication mode and password for the console user interface is necessary; otherwise, after the device is restarted, users still need to be authenticated using the original password when they log in to the device through the console port.

More Information

  • When you log in to the device through STelnet/Telnet to set a new password: Ensure that you have an STelnet/Telnet account and administrator rights.
  • When you clear the lost password using the BootROM menu, if you do not press Ctrl+B within the timeout (several seconds), you must restart the router and try again.

What If I Forget the Password for Telnet Login?

Procedure

If you forget the Telnet login password, log in to the device through the console port and set a new password for Telnet login.

# Take password authentication for VTY0 login as an example. Set the password to Huawei@123.

<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] authentication-mode password
[Huawei-ui-vty0] set authentication password cipher
Warning: The "password" authentication mode is not secure, and it is strongly re
commended to use "aaa" authentication mode.
Enter Password(<8-128>):
Confirm password: 
[Huawei-ui-vty0] user privilege level 15
[Huawei-ui-vty0] return
<Huawei> save

# Take AAA authentication for VTY0 login as an example. Set the user name and password to admin123 and Huawei@123, respectively.

<Huawei> system-view
[Huawei] user-interface vty 0
[Huawei-ui-vty0] protocol inbound telnet
[Huawei-ui-vty0] authentication-mode aaa
[Huawei-ui-vty0] quit
[Huawei] aaa
[Huawei-aaa] local-user admin123 password irreversible-cipher Huawei@123
[Huawei-aaa] local-user admin123 service-type telnet
[Huawei-aaa] local-user admin123 privilege level 15
[Huawei-aaa] return
<Huawei> save

More Information

By default, a user only needs to pass password authentication to log in to the device from the console user interface. To prevent unauthorized users from accessing the device, change the authentication mode of the console user interface to AAA authentication.

How Do I Configure Screen Display?

  • Setting the number of rows displayed on a screen

    Run the screen-length screen-length [ temporary ] command in the user view or user interface view to set the number of rows to be displayed on a screen.

    You must specify temporary when running the command in the user view. The configured value then takes effect only on the current VTY user interface; it does not apply to the next login on the same user interface or to logins on other VTY user interfaces.

    The default number of rows to be displayed on a screen is 24.

  • Setting the number of columns displayed on a screen

    Run the screen-width screen-width command in any view to set the number of columns to be displayed on a screen.

    The default number of columns to be displayed on a screen is 80. Each character is a column.
