H3C Technologies H3C WX3000 Series Unified Switches User Manual
Figure 47-24 Network diagram of SSH client configuration when using publickey authentication
[Diagram: Switch A (SSH client), VLAN-interface 1, 10.165.87.137/24; Switch B (SSH server), VLAN-interface 1, 10.165.87.136/24]
Configuration procedure
In public key authentication, you can use either an RSA or a DSA public key. This example uses a DSA
public key.
Configure Switch B
# Create a VLAN interface on the device and assign it an IP address, which the SSH client will use as the
destination for the SSH connection.
[device] interface vlan-interface 1
[device-Vlan-interface1] ip address 10.165.87.136 255.255.255.0
[device-Vlan-interface1] quit
# Generate RSA and DSA key pairs.
[device] public-key local create rsa
[device] public-key local create dsa
# Set the authentication mode for the user interfaces to AAA.
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[device-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[device-ui-vty0-4] user privilege level 3
[device-ui-vty0-4] quit
# Specify the authentication type of user client001 as publickey.
[device] ssh user client001 authentication-type publickey
Before performing the following steps, you must first generate a DSA key pair on the client, save
the key pair in a file named Switch001, and then upload the file to the SSH server through FTP or TFTP.
For details, refer to “Configure Switch A”.
# Import the client public key pair named Switch001 from the file Switch001.
[device] public-key peer Switch001 import sshkey Switch001
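
The check below is an added example, not part of the H3C manual: it reads a recorded command session in the prompt format shown above and reports where the Switch B SSH server setup departs from this procedure (AAA scheme authentication on the VTY lines, SSH as the only inbound protocol, publickey users, an imported peer key). The function names and finding texts are hypothetical, and the sample session is constructed from the commands on this page.

```python
import re

# Constructed input: the Switch B commands from this page, as typed at the prompt.
SESSION = """\
[device] user-interface vty 0 4
[device-ui-vty0-4] authentication-mode scheme
[device-ui-vty0-4] protocol inbound ssh
[device-ui-vty0-4] user privilege level 3
[device-ui-vty0-4] quit
[device] ssh user client001 authentication-type publickey
[device] public-key peer Switch001 import sshkey Switch001
"""

PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s+(?P<cmd>.+)$")

def parse_session(text):
    """Return (view, command) pairs; '#' comment lines and blanks are ignored."""
    hits = (PROMPT.match(line.strip()) for line in text.splitlines())
    return [(m["view"], m["cmd"].strip()) for m in hits if m]

def last_arg(cmds, prefix):
    """Argument of the last command starting with prefix (later entries override)."""
    hits = [c[len(prefix):].strip() for c in cmds if c.startswith(prefix)]
    return hits[-1] if hits else None

def audit_ssh_server(text):
    """Return findings for the SSH server setup; an empty list means all checks pass."""
    pairs = parse_session(text)
    vty = [c for v, c in pairs if "-ui-vty" in v]   # commands typed in a VTY view
    every = [c for _, c in pairs]
    findings = []
    if last_arg(vty, "authentication-mode ") != "scheme":
        findings.append("vty: authentication-mode is not scheme")
    if last_arg(vty, "protocol inbound ") != "ssh":
        findings.append("vty: inbound protocol is not restricted to ssh")
    users = dict(m.groups() for c in every
                 if (m := re.fullmatch(r"ssh user (\S+) authentication-type (\S+)", c)))
    for user, kind in users.items():
        if kind != "publickey":
            findings.append(f"ssh user {user}: authentication-type is {kind}")
    has_peer = any(re.fullmatch(r"public-key peer \S+ import sshkey \S+", c) for c in every)
    if "publickey" in users.values() and not has_peer:
        findings.append("publickey user configured but no peer public key imported")
    return findings

if __name__ == "__main__":
    print(audit_ssh_server(SESSION) or "all checks passed")
```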