SSH Configuration Examples in Huawei Router
Here are the configuration examples,
where:
192.168.100.100 = Jumphost IP (the only IP allowed to SSH into the device)
1. Enable the SSH (STelnet) service
stelnet server enable
2. Configure the key exchange algorithms
ssh server key-exchange { dh_group_exchange_sha256 | dh_group_exchange_sha1 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep }
3. Configure the encryption algorithms
ssh server cipher { aes256_ctr | aes128_ctr | aes256_cbc | aes128_cbc | 3des_cbc }
4. Configure the HMAC algorithms
ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }
5. Configure additional SSH server parameters (optional)
ssh server port <port-number>
ssh server rekey-interval <hours>
ssh server timeout <seconds>
ssh server authentication-retries <value>
ssh server-source -i <interface name>
6. Configure the VTY virtual user interfaces for SSH access with the appropriate ACLs
user-interface vty 0 4
acl ipv6 <ACLv6> inbound
acl <ACLv4> inbound
authentication-mode aaa
user privilege level 3
protocol inbound ssh
acl number <ACLv4>
rule 10 permit source <Jumphost IP> 0
acl ipv6 number <ACLv6>
rule 10 deny
Additional configuration for security:
ssh authentication-type default password
ssh server acl <ACLv4>
ssh ipv6 server acl <ACLv6>
ssh authorization-type default aaa
7. Configure authentication, e.g. with username freenetwork
aaa
local-user freenetwork service-type terminal ssh
8. Generate the SSH (RSA) key pair, preferably 2048 bits
rsa local-key-pair create
Sample Output:
stelnet server enable
ssh authentication-type default password
ssh server acl 1234
ssh ipv6 server acl 888
ssh authorization-type default aaa
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server hmac sha2_256_96 sha2_256 sha1_96
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 sm2_kep
user-interface vty 0 4
acl ipv6 888 inbound
acl 1234 inbound
authentication-mode aaa
user privilege level 3
protocol inbound ssh
acl number 1234
rule 10 permit source 192.168.100.100 0
acl ipv6 number 888
rule 10 deny
aaa
local-user freenetwork service-type terminal ssh
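To check a device against the steps above, here is an added Python audit script (not Huawei tooling and not part of the original page) that reads a running-config excerpt like the sample output and reports the weak options the commands above still accept (CBC ciphers and 3DES, MD5/SHA-1 and truncated HMACs, SHA-1 group exchange), a VTY that is not SSH-only or AAA-authenticated, and an ACL that does not restrict access to the jumphost. The sample input is constructed from the page's output with the AAA line removed and the ACL rule loosened so that those checks fire.

```python
import re
from itertools import takewhile

# Algorithms the commands above accept that are weak by current standards.
WEAK = {"cipher": {"aes256_cbc", "aes128_cbc", "3des_cbc"},
        "hmac": {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"},
        "key-exchange": {"dh_group_exchange_sha1"}}
VTY_SUB = re.compile(r"acl( ipv6)? \d+ inbound|authentication-mode \S+|"
                     r"user privilege level \d+|protocol inbound \S+")

# Constructed sample: the page's output, minus the AAA line, with a bare "permit" ACL rule.
SAMPLE_CONFIG = """\
stelnet server enable
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server hmac sha2_256_96 sha2_256 sha1_96
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1
user-interface vty 0 4
 acl 1234 inbound
 protocol inbound ssh
acl number 1234
 rule 10 permit
"""

def block(lines, header, is_member):
    # Sub-commands that follow `header`, up to the first non-member line.
    start = lines.index(header) + 1 if header in lines else len(lines)
    return list(takewhile(is_member, lines[start:]))

def audit_ssh_config(config, jumphost="192.168.100.100"):
    # Returns a list of findings; an empty list means every check passed.
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    for name, weak in WEAK.items():
        prefix = f"ssh server {name} "
        enabled = next((l[len(prefix):].split() for l in lines if l.startswith(prefix)), [])
        if bad := sorted(set(enabled) & weak):
            findings.append(f"weak {name} enabled: {' '.join(bad)}")
    vty = block(lines, "user-interface vty 0 4", VTY_SUB.fullmatch)
    for req in ("protocol inbound ssh", "authentication-mode aaa"):
        if req not in vty:
            findings.append(f"VTY missing '{req}'")
    acl = next((l.split()[1] for l in vty if re.fullmatch(r"acl \d+ inbound", l)), None)
    if acl is None:
        return findings + ["no IPv4 ACL bound inbound on the VTY"]
    rules = block(lines, f"acl number {acl}", lambda l: l.startswith("rule "))
    if not any(re.fullmatch(rf"rule \d+ permit source {re.escape(jumphost)} 0", r) for r in rules):
        findings.append(f"ACL {acl} has no rule permitting only the jumphost {jumphost}")
    if any(re.fullmatch(r"rule \d+ permit", r) for r in rules):
        findings.append(f"ACL {acl} contains a permit-any rule")
    return findings
```

Run it against `display current-configuration` output saved to a file; the IPv6 ACL is bound on the VTY but its rules are not checked here.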
[…] More detailed configuration –> SSH Configuration on Huawei Router […]