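Network requirements
Router A acts as the client and Router B acts as the server. The devices are connected over Gigabit Ethernet.
Figure 1 Network diagram for password authentication
- Generate the key pairs on the server
- Configure SSH as the permitted login method
- Configure a local user
Configuration procedure
1. Configuration steps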
# Generate the RSA and DSA key pairs and enable the SSH server.
<Router> system-view
[Router] public-key local create rsa
[Router] public-key local create dsa
[Router] ssh server enable
# Configure the IP address of interface GigabitEthernet3/1/1. The client connects to the SSH server through this address.
[Router] interface GigabitEthernet 3/1/1
[Router-GigabitEthernet3/1/1] ip address 10.165.87.136 255.255.255.0
[Router-GigabitEthernet3/1/1] quit
# Set the authentication mode of the user interfaces used for SSH client login to AAA authentication.
[Router] user-interface vty 0 4
[Router-ui-vty0-4] authentication-mode scheme
# Set SSH as the login protocol for remote users on Router. (Telnet login on vty 0-4 will no longer be possible.)
[Router-ui-vty0-4] protocol inbound ssh
[Router-ui-vty0-4] quit
# Create the local user client001 and set the user's command access level to 3.
[Router] local-user client001
[Router-luser-client001] password simple aabbcc
[Router-luser-client001] service-type ssh level 3
[Router-luser-client001] quit
# Set the service type of SSH user client001 to Stelnet and the authentication method to password authentication.
[Router] ssh user client001 service-type stelnet authentication-type password
2. Configuration file
#
local-user client001
 service-type ssh level 3
#
interface GigabitEthernet3/1/1
 port link-mode route
 ip address 10.165.87.136 255.255.255.0
#
 ssh server enable
 ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
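An added example, not part of the original page or of the vendor's tooling: a Python check of the server-side configuration file above that confirms the settings this page configures (SSH server enabled, VTY lines using scheme authentication with SSH-only inbound) and lists the items a reviewer would want to look at, namely the password entered with "password simple" and SSH users at command level 3. The sample configuration is constructed from this page's steps, the function names sections and audit are hypothetical, and it is an assumption here that "password simple" leaves the password readable in the saved configuration.

```python
import re

# Constructed sample: the server configuration file from this page, plus the
# "password simple" line from the steps (assumed to be saved exactly as typed).
SAMPLE_CONFIG = """\
#
local-user client001
 password simple aabbcc
 service-type ssh level 3
#
interface GigabitEthernet3/1/1
 port link-mode route
 ip address 10.165.87.136 255.255.255.0
#
 ssh server enable
 ssh user client001 service-type stelnet authentication-type password
#
user-interface vty 0 4
 authentication-mode scheme
 protocol inbound ssh
#
"""

def sections(config):
    """Split a configuration file into '#'-delimited sections of stripped lines."""
    blocks = [[ln.strip() for ln in blk.splitlines() if ln.strip()]
              for blk in re.split(r"(?m)^#[ \t]*$", config)]
    return [b for b in blocks if b]

def audit(config):
    """Return a sorted list of review items for the SSH login settings."""
    findings, ssh_enabled = [], False
    for sec in sections(config):
        head, body = sec[0], sec[1:]
        ssh_enabled = ssh_enabled or "ssh server enable" in sec
        if head.startswith("local-user "):
            user = head.split()[1]
            if any(l.startswith("password simple") for l in body):
                findings.append(f"{user}: password stored in cleartext (password simple)")
            if any(re.fullmatch(r"service-type ssh level 3", l) for l in body):
                findings.append(f"{user}: SSH login at command level 3")
        elif head.startswith("user-interface vty"):
            if "authentication-mode scheme" not in body:
                findings.append(f"{head}: not using AAA (scheme) authentication")
            if "protocol inbound ssh" not in body:
                findings.append(f"{head}: inbound protocol not restricted to SSH")
    if not ssh_enabled:
        findings.append("global: ssh server enable is missing")
    return sorted(findings)
```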
1. Configuration steps
# Configure the IP address of interface GE3/1/1.
<RouterA> system-view
[RouterA] interface GE3/1/1
[RouterA-GE3/1/1] ip address 10.165.87.137 255.255.255.0
[RouterA-GE3/1/1] quit
# Establish an SSH connection to the server 10.165.87.136.
<RouterA> ssh2 10.165.87.136
Username: client002
Trying 10.165.87.136 ...
Press CTRL+K to abort
Connected to 10.165.87.136 ...
The Server is not authenticated. Continue? [Y/N]:y
Do you want to save the server public key? [Y/N]:n
******************************************************************************
* All rights reserved (2004-2006)                                            *
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************
<RouterB>
2. Configuration file
#
interface GigabitEthernet3/1/1
 port link-mode route
 ip address 10.165.87.137 255.255.255.0
#
The configuration above can be verified as follows:
Use display users to confirm that the user has logged in successfully.
The user application information of the user interface(s):
  Idx UI      Delay    Type Userlevel
+ 0   CON 0   00:00:00      3
  2   VTY 0   00:00:13 SSH  3
Following are more details.
VTY 0   :
        User name: client001
        Location: 10.165.87.137
 +    : Current operation user.
 F    : Current operation user work in async mode.