
configuring 5130 and 5900 for SSH access

 
boulon007
Occasional Contributor


Hello,

A local user is configured and telnet works well, but I have had a lot of trouble getting SSH working.

SSH to the switch works to the point where it asks for a login.

If I enter a wrong password, I can't get in, but if I enter the correct password, the SSH session closes.

The PuTTY error message is: server refused to start a shell/command.

The last line is: server refused to allocate pty.

When I start an SSH connection from the switch (to the switch), there is no error message but the connection closes immediately.

There are a lot of guides for configuring SSH; what could I have done wrong?

Edit: I did an upgrade and I still have the problem.

This is my config:

#
 version 7.1.045, Release 3111P02
#
 sysname HPE
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 50
#
vlan 71
#
 stp global enable
#
interface NULL0
#
interface Vlan-interface50
 ip address 172.22.46.240 255.255.255.0
#
interface GigabitEthernet1/0/1        -> 1/0/24
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 50 untagged
 port hybrid pvid vlan 50
[...]
#
interface Ten-GigabitEthernet1/0/25    -> 1/0/28
 port link-type trunk
 port trunk permit vlan all
 undo lldp enable
[...]
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 idle-timeout 0 0
#
line vty 16 63
 authentication-mode scheme
 user-role network-operator
 protocol inbound ssh
#
 ip route-static 0.0.0.0 0 172.22.46.1
#
 sftp server enable
 ssh server acl 2000
#
acl number 2000
 description SNMP-SSH
 rule 0 permit source 172.22.0.196 0
 rule 1 permit source 172.22.0.197 0
 rule 2 permit source 172.22.0.253 0
 rule 3 permit source 172.22.46.2 0
 rule 4 permit source 172.22.46.240 0
#
radius scheme system
 user-name-format without-domain
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user manager class manage
 password hash [...]
 service-type ssh telnet terminal https
 authorization-attribute user-role network-admin
#
return

 

3 REPLIES
Shmulik_Miata
Occasional Visitor

Re: configuring 5130 and 5900 for SSH access

You didn't enable SSH.

Run this command:

ssh server enable

marcelkoedijk
Frequent Advisor

Re: configuring 5130 and 5900 for SSH access

Did you also create the RSA key for use with SSH?

[Switch] public-key local create rsa

sdide
Respected Contributor

Re: configuring 5130 and 5900 for SSH access

Hey,

With the configuration you posted, I'm not sure how telnet would work on your vty.

You have

 

line vty 0 15
 authentication-mode scheme
 user-role network-admin
 protocol inbound ssh
 idle-timeout 0 0

protocol inbound can be: ssh, telnet or both. Since you have ssh - telnet should not work.

Anyways.

You have authentication-mode scheme

so you need to set up your scheme.

domain default enable system

Above, you chose the "system" domain as the default.

but,

domain system
#

Your system domain is not configured.

You need to have:

domain system
  authentication login radius-scheme system
  authorization login radius-scheme system 

if your radius scheme is called "system" which it is in your configuration.

If you want a local user - on the switch, you need to have:

domain system
  authentication login local
  authorization login local

Also, you need to generate the keys and enable the ssh server as mentioned in the above posts.

Regards
 

 

 

 

Søren Dideriksen, Network Administrator
Region Midtjylland
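
An added example, not from any poster in this thread: a small Python check that reads a saved configuration and reports the items the replies point at (`ssh server enable`, login methods in the default domain), plus whether Telnet is still enabled and whether each vty line is restricted to SSH. The function names and the sample text are constructed for illustration; the key pair from the second reply is not checked because the sketch only reads configuration text.

```python
import re

# Constructed sample: the SSH-relevant lines of the configuration posted in the question.
SAMPLE = """\
#
 telnet server enable
 ssh server acl 2000
#
line vty 0 15
 authentication-mode scheme
 protocol inbound ssh
#
domain system
#
 domain default enable system
#
"""

def parse_sections(text):
    """Map each unindented header to its indented lines; global lines go under ''."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#"):          # '#' closes the current section
            current = ""
        elif raw[0].isspace():         # indented: belongs to the current section
            sections[current].append(line)
        else:                          # unindented: a new section header
            current = line
            sections.setdefault(current, [])
    return sections

def audit_ssh(text):
    """Return findings for the items the replies point at, plus Telnet exposure."""
    sec = parse_sections(text)
    glob, findings = sec[""], []
    if "ssh server enable" not in glob:
        findings.append("ssh server enable is missing")
    if "telnet server enable" in glob:
        findings.append("telnet server is enabled")
    # Assumption: with no 'domain default enable' line, the domain is 'system'.
    names = [m.group(1) for g in glob if (m := re.fullmatch(r"domain default enable (\S+)", g))]
    domain = names[0] if names else "system"
    for kind in ("authentication", "authorization"):
        if not any(c.startswith(kind + " login ") for c in sec.get("domain " + domain, [])):
            findings.append(f"domain {domain}: no {kind} login method")
    for header, body in sec.items():
        if header.startswith("line vty") and "protocol inbound ssh" not in body:
            findings.append(f"{header}: not restricted to SSH")
    return findings
```

Running `audit_ssh(SAMPLE)` on the constructed sample returns four findings; a configuration with the changes suggested in the replies and Telnet removed returns an empty list.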