Today I was asked how to configure SSH access to a Huawei device from a Linux server. I was sure that I covered this before and I’ve even got a YouTube video about it – but this client said that they didn’t have time to keep watching my videos and wanted somewhere that they could bookmark it and reference the steps so that they could access it whenever necessary rather than keep having to find and watch the video…. I didn’t even know that was a thing!! Then they said the kicker – if you start doing a few more videos, we will register for your Huawei bootcamp.
‘Weh yuh ah seh?’ (translation: What are you saying?)
“Don’ seh anudder word!!” (translation: You don’t have to tell me twice!!)
“Da blog deh pon di net.” (translation: The blogpost has already been created.)
The topology that we’re going to be using is a simple one – also, for this particular lab we will be using EVE-ng rather than ensp because we want to use an external Linux server (this can be done through ensp, but EVE-ng is my platform of choice) – a linux UBUNTU server, connected to a switch (just L2 functionality), which is connected to our AR1000v Huawei device.
When we first logon to our huawei device it asks for a default username and password which would be “super” annoying if we didn’t know what it was (see what I did there?), but luckily for us we know what it is – both the username and password are super, super (in that order). Then we are asked to change the password to a new one:
Once we have access to the device then we can proceed with our ssh configuration. I categorise these into 4 sections:
1. Add the hostname + ip address
2. do the aaa username and password section
3. enable the ssh/secure telnet section
4. Configure the virtual terminal or vty lines for ssh access
We run the “system-view” command to go from privileged mode to config mode and then a “display ip int brief” to see which interface we are going to configure (and make sure that there’s no configuration already on that interface. Looks all clear from here so time to move onto the hostname and the interface configuration.
NOTE: If you ever want to go back on the cli with a virtualised huawei device, instead of just pressing the <— (backspace) you have to press the back arrow first to the part you want to delete and the press the back arrow.
Another good thing to note on huawei is that you can add the subnet mask (255.255.255.0) or just the slash notation without the / (24 in our case here). That’s step 1 complete.
We move onto the aaa configuration so that we can add a username and password for ssh access. I’ve just typed aaa from the interface configuration section, but you should really type “quit” first and then type “aaa”. Let’s add our username/password combo and I’ve used an irreversible cipher. I’m not really sure about this one, but I think that if we use an irreversible-cipher its more secure because being reversible makes it easier for an attacker to break the encryption and obtain the passwords.
Then I add a privilege level of 15 so that we don’t need an enable password and both “terminal” and “ssh” as the service-type as without terminal I think that we won’t be able to see the terminal session from our Linux jumpbox (I could be wrong on that one though). That’s part 2
This is simple – but it won’t work without this command:
OK, final step – configure the virtual vty lines. When we enter the vty lines we are informed that telnet is insecure and its much better to use SSH – so we oblige. We then use the aaa authentication and a privilege mode of 15 so that we don’t need an enable password…. then we are pretty much done. Oh yeah, let’s not forget to save the configuration.