SSH Configuration on Huawei Router

SSH Configuration Examples in Huawei Router
Here are the configuration examples,
where:
192.168.100.100 = Jumphost IP (the only IP allowed to SSH into the device)

1. Enable the SSH service

stelnet server enable

2. Configure the key exchange algorithm(s)

ssh server key-exchange { dh_group_exchange_sha256 | dh_group_exchange_sha1 | ecdh_sha2_nistp256 | ecdh_sha2_nistp384 | ecdh_sha2_nistp521 | sm2_kep }

3. Configure the encryption algorithm(s)

ssh server cipher { aes256_ctr | aes128_ctr | aes256_cbc | aes128_cbc | 3des_cbc }

4. Configure the HMAC algorithm(s)

ssh server hmac { md5 | md5_96 | sha1 | sha1_96 | sha2_256 | sha2_256_96 }

5. Configure additional SSH server settings (optional)

ssh server port <port-number>
ssh server rekey-interval <hours>
ssh server timeout <seconds>
ssh server authentication-retries <value>
ssh server-source -i <interface name>

6. Configure the VTY user interface for SSH access with the appropriate ACLs

user-interface vty 0 4
acl ipv6 <ACLv6> inbound
acl <ACLv4> inbound
authentication-mode aaa
user privilege level 3
protocol inbound ssh

acl number <ACLv4>
rule 10 permit source <Jumphost IP>

acl ipv6 number <ACLv6>
rule 10 deny

Additional configuration for security (bind the same ACLs to the SSH server itself):

ssh authentication-type default password
ssh server acl <ACLv4>
ssh ipv6 server acl <ACLv6>
ssh authorization-type default aaa

7. Configure authentication (e.g. username = freenetwork)

aaa
local-user freenetwork service-type terminal ssh

8. Generate the RSA key pair (the command prompts for the key modulus length; 2048 is the recommended value)

rsa local-key-pair create

Sample Output:

stelnet server enable
ssh authentication-type default password
ssh server acl 1234
ssh ipv6 server acl 888
ssh authorization-type default aaa

ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server hmac sha2_256_96 sha2_256 sha1_96
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 sm2_kep

user-interface vty 0 4
   acl ipv6 888 inbound
   acl 1234 inbound
   authentication-mode aaa
   user privilege level 3
   protocol inbound ssh

acl number 1234
   rule 10 permit source 192.168.100.100 0

acl ipv6 number 888
   rule 10 deny

aaa
  local-user freenetwork service-type terminal ssh
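Several of the algorithm lists above (3des_cbc, the CBC ciphers, md5, sha1 and the truncated *_96 MACs, dh_group_exchange_sha1) are accepted by the device but are considered weak today, and the sample output enables some of them. The following script is an added example, not part of the original post or of Huawei's tooling: it parses a running-config excerpt in the format of the sample output (embedded inline as a constructed sample) and reports weak SSH algorithms, a VTY that is not SSH-only or AAA-authenticated or has no inbound ACL, and ACL permit rules broader than a single host. The sets of algorithms treated as weak are an audit policy chosen for this example, not something the post states.

```python
"""Audit a Huawei VRP config excerpt for SSH hardening gaps (added example)."""
import re

# Audit policy (assumption made for this example): CBC/3DES ciphers, MD5/SHA-1
# and truncated MACs, and SHA-1 based DH key exchange are reported as weak.
WEAK_CIPHERS = {"aes256_cbc", "aes128_cbc", "3des_cbc"}
WEAK_HMACS = {"md5", "md5_96", "sha1", "sha1_96", "sha2_256_96"}
WEAK_KEX = {"dh_group_exchange_sha1"}

# Constructed sample: the "Sample Output" section of the post, verbatim.
SAMPLE_CONFIG = """\
stelnet server enable
ssh authentication-type default password
ssh server acl 1234
ssh ipv6 server acl 888
ssh authorization-type default aaa
ssh server cipher aes256_ctr aes128_ctr aes256_cbc aes128_cbc 3des_cbc
ssh server hmac sha2_256_96 sha2_256 sha1_96
ssh server key-exchange dh_group_exchange_sha256 dh_group_exchange_sha1 ecdh_sha2_nistp256 ecdh_sha2_nistp384 ecdh_sha2_nistp521 sm2_kep
user-interface vty 0 4
   acl ipv6 888 inbound
   acl 1234 inbound
   authentication-mode aaa
   user privilege level 3
   protocol inbound ssh
acl number 1234
   rule 10 permit source 192.168.100.100 0
acl ipv6 number 888
   rule 10 deny
aaa
  local-user freenetwork service-type terminal ssh
"""

# Constructed hardened variant: only CTR ciphers, full-length SHA-2 MAC,
# SHA-2 key exchange, and the same single-host ACL on the VTY.
HARDENED_CONFIG = """\
stelnet server enable
ssh server acl 1234
ssh server cipher aes256_ctr aes128_ctr
ssh server hmac sha2_256
ssh server key-exchange dh_group_exchange_sha256 ecdh_sha2_nistp256
user-interface vty 0 4
   acl 1234 inbound
   authentication-mode aaa
   protocol inbound ssh
acl number 1234
   rule 10 permit source 192.168.100.100 0
"""


def parse_config(text):
    """Map each top-level command line to the list of indented lines under it."""
    sections, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def algorithm_findings(sections):
    """Flag every enabled algorithm that appears in one of the weak sets."""
    findings = []
    for cmd, weak, label in (("ssh server cipher", WEAK_CIPHERS, "cipher"),
                             ("ssh server hmac", WEAK_HMACS, "hmac"),
                             ("ssh server key-exchange", WEAK_KEX, "key-exchange")):
        for line in sections:
            if line.startswith(cmd + " "):
                findings += [f"weak {label}: {a}" for a in line[len(cmd):].split() if a in weak]
    return findings


def vty_findings(sections):
    """Check the VTY block: SSH-only, AAA authentication, and an inbound ACL."""
    vty = sections.get("user-interface vty 0 4")
    if vty is None:
        return ["no 'user-interface vty 0 4' block found"]
    findings = []
    if "protocol inbound ssh" not in vty:
        findings.append("VTY accepts protocols other than SSH")
    if "authentication-mode aaa" not in vty:
        findings.append("VTY does not use AAA authentication")
    if not any(re.match(r"acl (ipv6 )?\S+ inbound$", l) for l in vty):
        findings.append("VTY has no inbound ACL")
    return findings


def acl_findings(sections):
    """Flag permit rules that are not restricted to a single source host."""
    findings = []
    for header, rules in sections.items():
        if not header.startswith("acl "):
            continue
        for rule in rules:
            m = re.match(r"rule \d+ permit(?: source (\S+) (\S+))?$", rule)
            if m and (m.group(1) in (None, "any") or m.group(2) not in ("0", "0.0.0.0")):
                findings.append(f"{header}: permit rule wider than one host: {rule}")
    return findings


def audit(text):
    """Return all findings for a config excerpt; an empty list means no gaps found."""
    sections = parse_config(text)
    findings = algorithm_findings(sections) + vty_findings(sections) + acl_findings(sections)
    if not any(l.startswith("ssh server acl ") for l in sections):
        findings.append("no 'ssh server acl' bound to the SSH server")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for f in audit(cfg) or ["no findings"]:
            print(" -", f)
```

Run against the post's own sample output the script reports the three CBC ciphers, the two truncated MACs and the SHA-1 key exchange, while the VTY and ACL checks pass because the VTY is SSH-only, AAA-authenticated and restricted to the jumphost with a host wildcard of 0. The hardened variant produces no findings; the same checks can be pointed at a `display current-configuration` capture to verify a device after applying steps 2 to 6.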
