
Re: configuring 5130 and 5900 for SSH access

 
boulon007
Occasional Contributor

configuring 5130 and 5900 for SSH access

Hello,

A local user is configured and telnet works well, but I have had a lot of trouble getting SSH working.

SSH to the switch works to the point it asks for a login.

If I put a wrong password, I can't access it, but if I put the good password, SSH closes.

PuTTY error message is: server refused to start a shell/command.

Last line is: server refused to allocate pty.

When I start an SSH connection from the switch (to the switch), there is no error message but the connection closes immediately.

There are a lot of guides to configure SSH; what could I have done wrong?

Edit: I did an upgrade and I still have the problem.

This is my config:

#
 version 7.1.045, Release 3111P02
#
 sysname HPE
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 50
#
vlan 71
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface50
 ip address 172.22.46.240 255.255.255.0
#
interface GigabitEthernet1/0/1        -> 1/0/24
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 50 untagged
 port hybrid pvid vlan 50
[...]
#
interface Ten-GigabitEthernet1/0/25    -> 1/0/28
 port link-type trunk
 port trunk permit vlan all
 undo lldp enable
[...]
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 idle-timeout 0 0
#
line vty 16 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
 ip route-static 0.0.0.0 0 172.22.46.1
#
 sftp server enable
 ssh server acl 2000
#
acl number 2000
 description SNMP-SSH
 rule 0 permit source 172.22.0.196 0
 rule 1 permit source 172.22.0.197 0
 rule 2 permit source 172.22.0.253 0
 rule 3 permit source 172.22.46.2 0
 rule 4 permit source 172.22.46.240 0
#
radius scheme system
 user-name-format without-domain
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user manager class manage
 password hash [...]
 service-type ssh telnet terminal https
 authorization-attribute user-role network-admin
#
return

 

3 REPLIES
Shmulik_Miata
Occasional Visitor

Re: configuring 5130 and 5900 for SSH access

You didn't enable SSH.

Run this command:

ssh server enable

marcelkoedijk
Frequent Advisor

Re: configuring 5130 and 5900 for SSH access

Did you also create the RSA key for use with SSH?

[Switch] public-key local create rsa

sdide
Respected Contributor

Re: configuring 5130 and 5900 for SSH access

Hey,

With the configuration you posted, I'm not sure how telnet would work on your vty.

You have:

line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 idle-timeout 0 0

protocol inbound can be: ssh, telnet or both. Since you have ssh - telnet should not work.

Anyways.

You have authentication-mode scheme

so you need to set up your scheme.

domain default enable system

Above, you chose the "system" domain as default.

But,

domain system
#

Your system domain is not configured.

You need to have:

domain system
  authentication login radius-scheme system
  authorization login radius-scheme system 

if your radius scheme is called "system" which it is in your configuration.

If you want a local user - on the switch, you need to have:

domain system
  authentication login local
  authorization login local

Also, you need to generate the keys and enable the ssh server as mentioned in the above posts.

Regards

Søren Dideriksen, Network Administrator
Region Midtjylland
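
The replies above name lines to look for in the posted configuration: `ssh server enable`, and `authentication login` / `authorization login` in the default domain. As an added example (not from the thread or from HPE), this Python sketch checks a Comware configuration dump for those lines; the function names and the trimmed sample are constructed here, and the RSA host key from the second reply is not checked because it does not appear in the posted configuration text.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in the thread.
POSTED = """\
#
 telnet server enable
#
line vty 0 15
 authentication-mode scheme
 protocol inbound ssh
#
 sftp server enable
#
domain system
#
 domain default enable system
#
"""

def parse_sections(text):
    """Map each section header to its indented child lines; "" holds global commands."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            current = ""                      # '#' closes the current section
        elif raw[0] != " ":
            current = line                    # unindented line opens a section
            sections.setdefault(current, [])
        else:
            sections[current].append(line)    # indented: child or global command
    return sections

def audit(text):
    """Return findings for the lines the replies say are missing (hypothetical helper)."""
    sec, findings = parse_sections(text), []
    if "ssh server enable" not in sec[""]:
        findings.append("global: 'ssh server enable' not present")
    scheme = any(h.startswith("line vty") and "authentication-mode scheme" in c
                 for h, c in sec.items())
    default = next((m.group(1) for l in sec[""]
                    if (m := re.fullmatch(r"domain default enable (\S+)", l))), None)
    if scheme and default:
        lines = sec.get(f"domain {default}", [])
        for kind in ("authentication", "authorization"):
            if not any(l.startswith(f"{kind} login ") for l in lines):
                findings.append(f"domain {default}: no '{kind} login' method set")
    return findings

print("\n".join(audit(POSTED)))
```

Run against the sample, it reports the missing `ssh server enable` and the two missing login methods in domain `system`.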