Introduction:
STelnet is short for Secure Telnet. Because Telnet carries its data over TCP in cleartext, it has serious security problems; STelnet uses the SSH network security protocol to encrypt the data, making it much safer.
Topology diagram
Steps
1. Basic configuration:
As shown in the topology diagram, configure R1 and R2 and the relevant interfaces, then test connectivity.
2. Configure the SSH server
Generate an RSA key pair on the server R2.
View the public-key part of the key pair.
Configure the VTY user interfaces on R2 and set the authentication mode to AAA:
[R2]user-interface vty 0 4
[R2-ui-vty0-4]authentication-mode aaa
[R2-ui-vty0-4]protocol inbound ssh
Create a local user and password with the local-user command:
[R2]aaa
[R2-aaa]local-user huawei password cipher huawei
Info: Add a new user.
Set the local user's access type to SSH and create the SSH user:
[R2-aaa]local-user huawei service-type ssh
[R2]ssh user huawei authentication-type password
Info: Succeeded in adding a new SSH user.
Enable the STelnet server:
[R2]stelnet server enable
Info: Succeeded in starting the Stelnet server.
View the SSH server's user configuration and global configuration:
[R2]display ssh user-information huawei
-------------------------------------------------------------------------------
Username Auth-type User-public-key-name
-------------------------------------------------------------------------------
huawei password null
-------------------------------------------------------------------------------
[R2]display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH Authentication retries :3 times
SFTP Server :Disable
Stelnet server :Enable
3. Configure the SSH client:
Enable first-time authentication on the SSH client and connect to the server:
[R1]stelnet 10.1.1.2
Please input the username:huawei
Trying 10.1.1.2 ...
Press CTRL+K to abort
Connected to 10.1.1.2 ...
The server is not authenticated. Continue to access it? (y/n)[n]:y
Jun 8 2020 16:54:11-08:00 R1 %%01SSH/4/CONTINUE_KEYEXCHANGE(l)[0]:The server ha
d not been authenticated in the process of exchanging keys. When deciding whethe
r to continue, the user chose Y.
[R1]
Save the server's public key? (y/n)[n]:y
The server's public key will be saved with the name 10.1.1.2. Please wait...
Jun 8 2020 16:54:12-08:00 R1 %%01SSH/4/SAVE_PUBLICKEY(l)[1]:When deciding wheth
er to save the server's public key 10.1.1.2, the user chose Y.
[R1]
Enter password:
<R2>
View the SSH server sessions:
[R2]display ssh server session
--------------------------------------------------------------------
Conn Ver Encry State Auth-type Username
--------------------------------------------------------------------
VTY 0 2.0 AES run password huawei
--------------------------------------------------------------------
The SSH client is now connected to the SSH server and can configure it.
Finally, a question to think about:
What is the weakness of SSH client first-time authentication?
When first-time authentication is enabled on the SSH client, the validity of the SSH server's RSA public key is not checked. When the client host needs to establish a connection with the server, a third-party attacker can impersonate the real server and exchange data with the client, stealing the client host's security information, then use that information to log in to the real server, obtain server resources or attack the server.
The solution:
If first-time authentication is not enabled, the server's RSA public key can instead be copied and pasted into the client configuration and saved:
rsa peer-public-key 13.1.1.1
public-key-code begin
3047
0240
C31DBF37 400783C1 E2BB3075 8927DFB6 AAB9B2CE F0039875 F6450CDE A42AA5A8
E51AED28 122CF103 69AF53E1 3701183F 0F704B14 8EF19C0F 7A2272D0 01AB9CD7
0203
010001
public-key-code end
peer-public-key end
ssh client 13.1.1.1 assign rsa-key 13.1.1.1
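As an added example (not part of the original article), the following Python checks a pasted `public-key-code` block before it is trusted: it decodes the PKCS#1 RSAPublicKey DER and computes the SHA256 fingerprint in the format `ssh-keygen -lf` prints, so the pasted key can be compared with a fingerprint obtained from the server over a trusted channel. The sample block is the article's key for 13.1.1.1; the parser tolerates the missing leading 0x00 that DER would normally put before a modulus whose high bit is set.

```python
import base64
import hashlib
import re
# Constructed sample: the public-key-code block for server 13.1.1.1 shown in the article.
PUBLIC_KEY_CODE = """public-key-code begin
3047
0240
C31DBF37 400783C1 E2BB3075 8927DFB6 AAB9B2CE F0039875 F6450CDE A42AA5A8
E51AED28 122CF103 69AF53E1 3701183F 0F704B14 8EF19C0F 7A2272D0 01AB9CD7
0203
010001
public-key-code end"""

def extract_der(block: str) -> bytes:
    """Collect the hex words between 'public-key-code begin' and 'public-key-code end'."""
    m = re.search(r"public-key-code begin(.*?)public-key-code end", block, re.S)
    if not m:
        raise ValueError("no public-key-code block found")
    return bytes.fromhex("".join(m.group(1).split()))

def _read_tlv(buf: bytes, pos: int, tag: int):
    """Minimal DER tag-length-value reader; returns (value, offset after the value)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#x} at offset {pos}, got {buf[pos]:#x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form (2048-bit keys need it): low 7 bits = count of length bytes
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return buf[pos:pos + length], pos + length

def parse_rsa_public_key(der: bytes):
    """PKCS#1 RSAPublicKey SEQUENCE { INTEGER n, INTEGER e } -> (n, e)."""
    seq, _ = _read_tlv(der, 0, 0x30)
    n_bytes, pos = _read_tlv(seq, 0, 0x02)  # works with or without DER's leading 0x00
    e_bytes, pos = _read_tlv(seq, pos, 0x02)
    if pos != len(seq):
        raise ValueError("unexpected extra elements in the SEQUENCE")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def _mpint(x: int) -> bytes:
    """SSH mpint: 4-byte length, big-endian magnitude, leading 0x00 if the high bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return len(raw).to_bytes(4, "big") + raw

def openssh_fingerprint(n: int, e: int) -> str:
    """SHA256 fingerprint of the ssh-rsa wire blob, the format 'ssh-keygen -lf' prints."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + _mpint(e) + _mpint(n)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
```

Record the fingerprint from the server's own `display` output first, and only save the pasted key on the client when the two values agree.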