SSH on Huawei Switch - shawfdong/hyades GitHub Wiki

When one generates a RSA key on a Huawei switch, the default modulus size is 512. And that was the case for all S3700 and S6700 switches in Huawei Universal Distributed Storage. We can use the OpenSSH client to access the S3700 switches without any issue; however, when I tried to ssh to an S6700 switch, using the default SSH-2 protocol, I got the following error:

# ssh [email protected]
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key

SSH-1 works:

# ssh -1 [email protected]

but SSH-1 has inherent design flaws which make it vulnerable.

Let's fix it™!

Log in to the switch using SSH-1.

Enter the system view:

system-view

Generate a new local key pair with a modulus size of 1024:

rsa local-key-pair create

The key name will be: Cabinet01_LSW6700_Host
% RSA keys defined for Cabinet01_LSW6700_Host already exist.
Confirm to replace them? [y/n]:y
The range of public key size is (512 ~ 2048). 
NOTES: If the key modulus is greater than 512, 
       it will take a few minutes.
Input the bits in the modulus[default = 512]:1024
Generating keys...

Voila! We don't even need to restart the SSH server or reboot the switch. From now on, we can log in to the switch using SSH-2. But don't forget to delete the old RSA host key from ~/.ssh/known_hosts.

aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user client001 password cipher xxxxxxxx
 local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
ssh client first-time enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh