R3166-R3206-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101
151
When the firewall acts as a client for publickey authentication
Network requirements
• As shown in Figure 71, Firewall A (the SSH client) logs into Firewall B (the SSH server) through the SSH protocol.
• Publickey authentication is used, and the public key algorithm is DSA.
Figure 71 Firewall acts as client for publickey authentication
Configuration procedure
1. Configure the SSH server
# Generate RSA and DSA key pairs and enable SSH server.
<FirewallB> system-view
[FirewallB] public-key local create rsa
[FirewallB] public-key local create dsa
[FirewallB] ssh server enable
# Configure an IP address for interface GigabitEthernet 0/0, which the SSH client will use as the destination for the SSH connection.
[FirewallB] interface gigabitethernet 0/0
[FirewallB-GigabitEthernet0/0] ip address 10.165.87.136 255.255.255.0
[FirewallB-GigabitEthernet0/0] quit
# Set the authentication mode for the user interfaces to AAA.
[FirewallB] user-interface vty 0 4
[FirewallB-ui-vty0-4] authentication-mode scheme
# Enable the user interfaces to support SSH.
[FirewallB-ui-vty0-4] protocol inbound ssh
# Set the user command privilege level to 3.
[FirewallB-ui-vty0-4] user privilege level 3
[FirewallB-ui-vty0-4] quit
NOTE:
Before performing the following tasks, you must use the client software to generate an RSA key pair on the client, save the public key in a file named key.pub, and then upload the file to the SSH server through FTP or TFTP. For more information, see “Configure the SSH client.”
# Import the peer public key from the file key.pub.
[FirewallB] public-key peer Firewall001 import sshkey key.pub
# Specify the authentication type for user client002 as publickey, and assign the public key Firewall001 to the user.
[FirewallB] ssh user client002 service-type stelnet authentication-type publickey assign publickey Firewall001
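The server-side settings above (SSH server enabled, AAA authentication on the VTY lines, inbound protocol limited to SSH, and a publickey-only SSH user) are exactly what a reviewer checks when auditing a saved configuration. The script below is an added example, not HP code: it walks a constructed Comware-style configuration text, tracks the current user-interface view, and reports any line that deviates from the settings this example configures. The '#' view separator and the one-space indentation are assumptions about the saved-config layout.

```python
import re

# Constructed sample mirroring this page's commands, plus a password-only user so the audit has something to flag.
SAMPLE_CONFIG = """\
 ssh server enable
#
user-interface vty 0 4
 authentication-mode scheme
 user privilege level 3
 protocol inbound ssh
#
 ssh user client002 service-type stelnet authentication-type publickey assign publickey Firewall001
 ssh user client003 service-type stelnet authentication-type password
"""
VTY_RE = re.compile(r"^user-interface vty (\d+(?: \d+)?)$")
USER_RE = re.compile(r"^ssh user (\S+) service-type \S+ authentication-type (\S+)")

def audit_ssh_config(config_text):
    """Walk the config once, tracking the user-interface view, and return the
    SSH settings found plus the weaknesses a reviewer would flag."""
    f = {"ssh_server_enabled": False, "vty": {}, "users": {}, "issues": []}
    vty = None  # range of the user-interface view being parsed, e.g. "0 4"
    for raw in config_text.splitlines():
        line = raw.strip()
        m = VTY_RE.match(line)
        if line == "#":  # assumed: a '#' line closes the current view
            vty = None
        elif m:
            vty = m.group(1)
            f["vty"][vty] = {"auth_scheme": False, "inbound": None}
        elif line == "ssh server enable":
            f["ssh_server_enabled"] = True
        elif vty and line == "authentication-mode scheme":
            f["vty"][vty]["auth_scheme"] = True
        elif vty and line.startswith("protocol inbound "):
            f["vty"][vty]["inbound"] = line.split()[-1]
        elif (m := USER_RE.match(line)):
            f["users"][m.group(1)] = m.group(2)
    # Compare what was found against the settings this example configures
    if not f["ssh_server_enabled"]:
        f["issues"].append("ssh server enable is missing")
    for rng, v in f["vty"].items():
        if not v["auth_scheme"]:
            f["issues"].append(f"vty {rng}: authentication-mode is not scheme (AAA)")
        if v["inbound"] != "ssh":
            f["issues"].append(f"vty {rng}: protocol inbound is not restricted to ssh")
    for user, auth in f["users"].items():
        if auth != "publickey":
            f["issues"].append(f"ssh user {user}: authentication-type {auth}, not publickey")
    return f
```

Running audit_ssh_config(SAMPLE_CONFIG) flags only client003, the password-authenticated user that was added to the sample; a VTY block without authentication-mode scheme or with protocol inbound all is reported the same way.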