SSH on Huawei Switch - shawfdong/hyades GitHub Wiki
When one generates an RSA key on a Huawei switch, the default modulus size is 512 bits. That was the case for all S3700 and S6700 switches in Huawei Universal Distributed Storage. We can use the OpenSSH client to access the S3700 switches without any issue; however, when I tried to ssh to an S6700 switch using the default SSH-2 protocol, I got the following error:

```
# ssh [email protected]
ssh_rsa_verify: RSA modulus too small: 512 < minimum 768 bits
key_verify failed for server_host_key
```
SSH-1 works:

```
# ssh -1 [email protected]
```

but SSH-1 has inherent design flaws which make it vulnerable.
Let's fix it™!
Log in to the switch using SSH-1.

Enter the system view:

```
system-view
```

Generate a new local key pair with a modulus size of 1024:

```
rsa local-key-pair create
The key name will be: Cabinet01_LSW6700_Host
% RSA keys defined for Cabinet01_LSW6700_Host already exist. Confirm to replace them? [y/n]:y
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512, it will take a few minutes.
Input the bits in the modulus[default = 512]:1024
Generating keys...
```
Voilà! We don't even need to restart the SSH server or reboot the switch. From now on, we can log in to the switch using SSH-2. But don't forget to delete the switch's old RSA host key entry from ~/.ssh/known_hosts, since the host key has changed.
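The check the OpenSSH client performed above, as an added example that is not part of the original wiki page: a small Python parser that reads the RSA modulus out of an OpenSSH public-key line and applies the 768-bit floor from the error message and the 1024-bit size chosen here. The sample keys are constructed inside the block (the hostname `switch01` and the moduli are made up), not real switch host keys.

```python
import base64
import struct

OPENSSH_MIN_RSA_BITS = 768   # the client's floor in the page's error message
TARGET_RSA_BITS = 1024       # the size the page regenerates the switch key at

def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def rsa_modulus_bits(line):
    """Modulus bits of an ssh-rsa line (plain, known_hosts or ssh-keyscan form)."""
    fields = line.split()
    if "ssh-rsa" not in fields:
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[fields.index("ssh-rsa") + 1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type mismatch")
    _e, off = _read_string(blob, off)   # public exponent, not needed here
    n, _ = _read_string(blob, off)      # modulus as an mpint
    # mpint pads with a leading 0x00 when the top bit is set; int() ignores it.
    return int.from_bytes(n, "big").bit_length()

def host_key_verdict(line):
    """Classify a host key the way the OpenSSH client on the page did."""
    bits = rsa_modulus_bits(line)
    if bits < OPENSSH_MIN_RSA_BITS:
        return bits, "rejected: RSA modulus too small for SSH-2"
    if bits < TARGET_RSA_BITS:
        return bits, "weak: regenerate with 'rsa local-key-pair create' at 1024+"
    return bits, "ok"

def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:  # keep the mpint positive
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw

def make_rsa_pubkey_line(n, e=65537):
    """Build an ssh-rsa line from (e, n); only for constructed samples."""
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

# Constructed moduli, not real key material; top bit set so the size is exact.
SAMPLE_512 = make_rsa_pubkey_line((1 << 511) | 1)
SAMPLE_1024 = "switch01 " + make_rsa_pubkey_line((1 << 1023) | 1)  # keyscan-style
```

Against a live switch, feed each line of `ssh-keyscan -t rsa <switch>` to `host_key_verdict` to find devices that still carry a 512-bit host key before the client refuses them.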
For reference, the SSH-related part of the switch configuration:

```
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user client001 password cipher xxxxxxxx
 local-user client001 service-type ssh
#
sftp server enable
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type all
ssh client first-time enable
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
 protocol inbound ssh
```