Login Through SSH (Outband Management)
This topic describes how to log in to the MA5600T/MA5603T/MA5608T through the local maintenance Ethernet port (the outband management port) in secure shell (SSH) mode in order to maintain and manage the device. SSH provides authentication, encryption, and authorization to secure the management session. When a user logs in to the MA5600T/MA5603T/MA5608T remotely over an insecure network, SSH's encrypted transport and strong authentication protect the device against attacks such as IP address spoofing and interception of plaintext passwords.
Prerequisites
Engineers are logged in to the MA5600T/MA5603T/MA5608T by using the local serial port or the ETH port.
NOTE: The default IP address of the maintenance Ethernet port (ETH port on the control board) is 10.11.104.2, and the subnet mask is 255.255.255.0.
– For details about how to log in to the MA5600T/MA5603T/MA5608T by using the local serial port, see 1.3.5.1 Login Through the Local Serial Port.
– To log in to the MA5600T/MA5603T/MA5608T by using the ETH port, do the following:
– Configure the IP address of the PC that is used for logging in to the MA5600T/MA5603T/MA5608T. This address must be on the same subnet as the IP address of the maintenance Ethernet port but must not be the address of the maintenance Ethernet port itself. For example, configure the PC with 10.11.104.6.
– After logging in to the MA5600T/MA5603T/MA5608T, run the ip address command to change the IP address of the maintenance Ethernet port to 10.50.1.10/24.
– Change the IP address of the PC so that it is again on the same subnet as the new IP address of the maintenance Ethernet port but is not that address. For example, change the IP address of the PC to 10.50.1.11/24.
Step 1 Set up the network environment.
– If you log in to the MA5600T/MA5603T/MA5608T in the LAN outband management mode through SSH, set up the network environment so that the maintenance terminal is on the same subnet as the maintenance Ethernet port.
– If you log in to the MA5600T/MA5603T/MA5608T in the WAN outband management mode through SSH, set up the network environment so that the maintenance terminal on a remote subnet reaches the maintenance Ethernet port through a gateway on the port's subnet.
Step 2 Configure the IP address of the maintenance Ethernet port.
In the MEth mode, run the ip address command to configure the IP address of the maintenance Ethernet port.
huawei(config)#interface meth 0
huawei(config-if-meth0)#ip address 10.50.1.10 24
huawei(config-if-meth0)#quit
Step 3 Add a route for the outband management.
– If the network environment is set up as shown in Figure 1-23, you need not add a route.
– If the network environment is set up as shown in Figure 1-24, run the ip route-static command to add a route from the maintenance Ethernet port of the MA5600T/MA5603T/MA5608T to the maintenance terminal.
huawei(config)#ip route-static 10.10.1.0 24 10.50.1.1
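The following Python script is an added example and is not part of the Huawei documentation or device software. It encodes the addressing rules used in the Prerequisites and in Steps 1 to 3 (the terminal must be on the MEth subnet but must not reuse the port address; a terminal on another subnet needs a static route whose next hop lies on the MEth subnet), validates a proposed plan, and prints the ip address and ip route-static commands in the syntax shown above. The function name, its arguments, and the addresses fed to it under __main__ are constructed for the example.

```python
import ipaddress


def plan_outband_management(meth_cidr, terminal_cidr, next_hop=None):
    """Validate an outband-management addressing plan and return the commands to type.

    meth_cidr     - address and prefix of the maintenance Ethernet port, e.g. "10.50.1.10/24"
    terminal_cidr - address and prefix of the maintenance terminal (PC), e.g. "10.10.1.5/24"
    next_hop      - gateway on the MEth subnet; required only when the terminal is on another subnet

    Rules taken from the procedure above (hypothetical helper, not device code):
      - the terminal must not reuse the MEth port address (Prerequisites);
      - a terminal on the MEth subnet needs no route (Step 3, directly connected case);
      - a terminal on another subnet needs a static route to its subnet whose
        next hop is on the MEth subnet (Step 3, routed case).
    """
    meth = ipaddress.ip_interface(meth_cidr)
    terminal = ipaddress.ip_interface(terminal_cidr)

    if terminal.ip == meth.ip:
        raise ValueError("terminal must not use the MEth port address %s" % meth.ip)

    commands = [
        "interface meth 0",
        "ip address %s %d" % (meth.ip, meth.network.prefixlen),
        "quit",
    ]

    if terminal.ip in meth.network:
        # LAN outband management: the terminal is directly connected, no route needed.
        return commands

    # WAN outband management: the device needs a return route to the terminal's subnet.
    if next_hop is None:
        raise ValueError("terminal %s is not on %s; a next hop is required"
                         % (terminal.ip, meth.network))
    hop = ipaddress.ip_address(next_hop)
    if hop not in meth.network or hop == meth.ip:
        raise ValueError("next hop %s must be on %s and differ from the MEth address"
                         % (hop, meth.network))

    commands.append("ip route-static %s %d %s"
                    % (terminal.network.network_address, terminal.network.prefixlen, hop))
    return commands


if __name__ == "__main__":
    # Constructed inputs using the addresses that appear in this procedure.
    for line in plan_outband_management("10.50.1.10/24", "10.10.1.5/24", "10.50.1.1"):
        print(line)
```

The script deliberately refuses a next hop that is off the MEth subnet: a static route with an unreachable gateway is accepted by many devices but silently leaves the terminal without a return path, which is the usual cause of an SSH session that never completes the handshake in the WAN case.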
Step 4 Create a user.
Run the terminal user name command to create a user.
huawei(config)#terminal user name
User Name(length<6,15>):huawei
User Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
Confirm Password(length<6,15>):test01 //The password is not displayed on the maintenance terminal.
User profile name(<=15 chars)[root]:
User’s Level:
1. Common User 2. Operator:2
Permitted Reenter Number(0–4):4
User’s Appended Info(<=30 chars):
Adding user succeeds
Repeat this operation? (y/n)[n]:n
Step 5 Create the local RSA key pair.
Run the rsa local-key-pair create command to create the local RSA key pair. When prompted for the modulus size, do not accept the default of 512 bits; enter 2048. A 512-bit RSA host key can be factored with modest resources, and a factored host key lets an attacker impersonate the device, which is exactly the attack SSH is meant to prevent.
NOTICE
The prerequisite for the login through SSH is that the local RSA key pair must be configured and generated. Therefore, before performing other SSH configurations, make sure that the local RSA key pair is generated.
huawei(config)#rsa local-key-pair create
The key name will be: Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
It will take a few minutes.
Input the bits in the modulus[default = 512]:
Generating keys….++++++++++++ ………………..++++++++++++ ………………………….++++++++ ………..+++++++
Step 6 Set the SSH user authentication mode.
Run the ssh user huawei authentication-type rsa command to choose the authentication mode of the SSH user.
The following four authentication modes are available for SSH users. This topic uses the rsa mode as an example.
– password: authentication based on a password.
– rsa: authentication based on an RSA public key.
– all: authentication based on a password or an RSA public key. The user can log in to the device with either the password or the RSA key.
– password-publickey: authentication based on a password and a public key. The user can log in to the device only after passing both the password authentication and the RSA public key authentication.
huawei(config)#ssh user huawei authentication-type
{ all|password-publickey|password|rsa }:rsa
Command: ssh user huawei authentication-type rsa
%Authentication type setted, and will be in effect next time.
Step 7 Generate the RSA public key.
1. Run the key generator.
Run the client key generator software PuTTYgen (Puttygen.exe).
2. Generate the client key pair. Choose a key size of 2048 bits; the device accepts only public keys of 769 to 2048 bits (see the note in Step 8), and smaller keys are weak.
3. Save the private key file for use in Step 10, and obtain the RSA public key to be copied to the device in Step 8.
Step 8 Generate the public key for the SSH user.
Create the RSA public key on the device and copy the RSA public key generated in Step 7 into it in the config-rsa-key-code command line mode, that is, between public-key-code begin and public-key-code end. The key code itself is not shown in the following output.
huawei(config)#rsa peer-public-key key
Enter “RSA public key” view, return system view with “peer-public-key end”.
NOTE: The number of the bits of public key must be between 769 and 2048.
huawei(config-rsa-public-key)#public-key-code begin
Enter “RSA key code” view, return last view with “public-key-code end”.
huawei(config-rsa-key-code)#public-key-code end
huawei(config-rsa-public-key)#peer-public-key end
Step 9 Assign the public key to the SSH user.
Run the ssh user assign rsa-key command to assign the RSA public key to the SSH user.
huawei(config)#ssh user huawei assign rsa-key key
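Before pasting a client key into the device (Steps 7 to 9), it is worth checking its modulus size against the limits this page states: the device rejects peer public keys outside 769 to 2048 bits, and anything below 2048 bits should be treated as weak. The following Python script is an added example, not code from Huawei or from PuTTY. It parses the OpenSSH one-line public-key format (which PuTTYgen also displays, in its "Public key for pasting into OpenSSH authorized_keys file" box) by decoding the ssh-rsa wire encoding, and reports whether the device will accept the key. The 2048-bit recommendation is the editor's floor, not a value from the page; the hex key-code format the device expects between public-key-code begin and end is not described here, so the example stops at validation. The function names and the synthetic moduli built under __main__ are constructed for the example.

```python
import base64
import struct

# Limits stated on this page: the device accepts peer RSA public keys of 769 to 2048 bits (Step 8).
DEVICE_MIN_BITS = 769
DEVICE_MAX_BITS = 2048
# Practitioner's floor, an assumption not taken from the page: treat anything below 2048 bits as weak.
RECOMMENDED_BITS = 2048


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """Encode a non-negative integer as an SSH 'mpint' (a 0x00 byte is prepended if the top bit is set)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def _read_string(blob, offset):
    """Decode one SSH wire 'string' at offset; return (bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def make_ssh_rsa_line(e, n, comment="constructed"):
    """Build an OpenSSH public-key line from (e, n). Used here only to construct sample input."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


def parse_ssh_rsa(line):
    """Parse an 'ssh-rsa <base64> [comment]' line into the integers (e, n)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public-key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("blob type %r does not match ssh-rsa" % key_type)
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("unexpected trailing bytes in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def check_for_device(line):
    """Return (modulus_bits, verdict): 'reject' if the device will not accept the size,
    'weak' if the device accepts it but it is below RECOMMENDED_BITS, otherwise 'ok'."""
    _, n = parse_ssh_rsa(line)
    bits = n.bit_length()
    if bits < DEVICE_MIN_BITS or bits > DEVICE_MAX_BITS:
        return bits, "reject"
    if bits < RECOMMENDED_BITS:
        return bits, "weak"
    return bits, "ok"


def synthetic_modulus(bits):
    """Odd integer with exactly `bits` bits. Not a real RSA modulus; for size checks only."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    # Constructed sample keys of several sizes, each with the usual exponent 65537.
    for size in (512, 1024, 2048, 4096):
        print(size, check_for_device(make_ssh_rsa_line(65537, synthetic_modulus(size))))
```

Run it against the line PuTTYgen shows for your client key; a "reject" verdict means the device's 769 to 2048 bit limit will stop the paste in Step 8, and a "weak" verdict means the key should be regenerated at 2048 bits before it is assigned in Step 9.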
Step 10 Log in to the system.
1. Run the client software.
Run the SSH client software putty.exe, choose SSH > Auth in the navigation tree, and specify the file that holds the RSA private key saved in Step 7: click Browse to open the file selection window, select the private key file, and click OK.