In everyday network O&M, operators log in to devices with an account and password, because network devices are usually treated as black boxes. In fact, network devices can also be set up for key-based, password-free SSH login, just like a Linux host.

The configuration below was done on H3C's official HCL simulator and is provided for reference only.

Device Configuration

  1. Configure a local user on the device

    #
    local-user admin class manage
     password simple admin
     service-type ftp
     service-type ssh
     authorization-attribute user-role network-admin
    #
  2. Configure VTY login authentication

    #
    line vty 0 63
     authentication-mode scheme
    #
  3. Enable the SSH server

    ssh server enable
  4. Enable the FTP server so that the public key can be transferred to the device. Any other transfer method will do as well.

    ftp server enable

Key transmission and configuration

  1. Generate an SSH key pair on Windows

    PS C:\Users\xdai> ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (C:\Users\xdai/.ssh/id_rsa):
    C:\Users\xdai/.ssh/id_rsa already exists.
    Overwrite (y/n)? y
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in C:\Users\xdai/.ssh/id_rsa.
    Your public key has been saved in C:\Users\xdai/.ssh/id_rsa.pub.
    The key fingerprint is:
    SHA256:Dfia7aLwhuSowN7iSsXlqkB0/ZJw2mMoMVi9Y4ez06E xdai@xdai
    The key's randomart image is:
    +---[RSA 2048]----+
    |  ..             |
    |..  o  .         |
    |.+ o *. .        |
    |. = # =. o       |
    | o * # oS .      |
    |o + E ++         |
    |o*.o .o .        |
    |*.=o. ..         |
    |*+.oo. ..        |
    +----[SHA256]-----+
    PS C:\Users\xdai>
  2. Upload the public key to the device over FTP from Windows

    C:\Users\xdai\.ssh> ftp 192.168.56.20
    Connected to 192.168.56.20.
    220 FTP service ready.
    502 Command not implemented.
    User (192.168.56.20:(none)): admin
    331 Password required for admin.
    Password:
    230 User logged in.
    ftp> put id_rsa.pub
    200 PORT command successful
    150 Connecting to port 11865
    226 File successfully transferred
    ftp: 3992 bytes, time 0.00 sec, 392.00 kbytes/sec.
    ftp> quit
    221-Goodbye. You uploaded 1 and downloaded 0 kbytes.
    221 Logout.

On R1 you can see that the public key has been received:

<R1>%Dec 26 15:05:41:190 2020 R1 FTP/6/AUTH: User N/[email protected] for Connection.
%Dec 26 15:05:44:437 2020 R1 FTP/6/AUTH: User [email protected] login.
%Dec 26 15:05:53:983 2020 R1 FTP/5/OPER: User [email protected] matches flash:/id_rsa.pub.
%Dec 26 15:06:17:204 2020 R1 FTP/6/LOGOUT: User [email protected] logout.
<R1>dir
Directory of flash:

   0 drw-           - Dec 26 2020 14:56:17   diagfile
   1 -rw-         735 Dec 26 2020 14:57:27   hostkey
   2 -rw-         391 Dec 26 2020 15:05:53   id_rsa.pub

Import the remote host's public key into R1 under the peer name netdevops:

public-key peer netdevops import sshkey flash:/id_rsa.pub

View the imported public key:

[R1] display public-key peer

=============================================
Key name: netdevops
Key type: RSA
Key modulus: 2048
Key code:
......

The public key of a remote host can be configured in either of the following ways:

  • Import from a public key file: save the remote host's public key file to the local device (for example, transfer it over FTP or TFTP in binary mode), then import the remote host's public key from that file. During import, the system automatically converts the remote host's public key file to PKCS (Public Key Cryptography Standards) encoding.

  • Manual configuration: view the public key on the remote host, record its content, and configure it manually on the local device. When entering the public key by hand, you can type it character by character or paste several characters at a time.

The device version used here does not support entering an RSA public key directly, so the RSA public key file is imported instead.

Configure SSH user admin on R1 for public key authentication and assign the imported public key:

ssh user admin service-type all authentication-type any assign publickey netdevops

The available authentication-type values are any, password, password-publickey, and publickey.

The device configuration is complete.

Code implementation

This section shows the Python code, written on Windows, that runs a command on the network device without a login password.

import paramiko


ssh = paramiko.SSHClient()
# Load the known_hosts file of the current Windows user
ssh.load_system_host_keys()
# Accept an unknown host key on first contact (trust-on-first-use)
ssh.set_missing_host_key_policy(paramiko.client.AutoAddPolicy())
# No password is given: Paramiko looks for ~/.ssh/id_rsa and offers it for public key authentication
ssh.connect(
    hostname='192.168.56.20',
    username='admin',
)
stdin, stdout, stderr = ssh.exec_command('dis ip int brief')
interface = stdout.read().decode(encoding='utf-8')
print(interface)
ssh.close()

The output is:

PS C:\python\netdevops> & "C:/Program Files (x86)/Python38-32/python.exe" c:/python/netdevops/1.py
******************************************************************************
* Copyright (c) 2004-2017 New H3C Technologies Co., Ltd. All rights reserved.*
* Without the owner's prior written consent,                                 *
* no decompiling or reverse-engineering shall be allowed.                    *
******************************************************************************

<R1>dis ip int brief
*down: administratively down
(s): spoofing
(l): Loopback
Interface            Physical Protocol IP Address      Description
GE0/0/0              up       up       192.168.56.20   --
GE0/0/1              down     down     --              --
GE0/0/2              down     down     --              --
GE5/0                down     down     --              --
GE5/1                down     down     --              --
GE6/0                down     down     --              --
GE6/1                down     down     --              --
Ser1/0               down     down     --              --
Ser2/0               down     down     --              --
Ser3/0               down     down     --              --
Ser4/0               down     down     --              --
PS C:\python\netdevops>
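The script above prints the raw text and trusts whatever host key the device presents. As an added example (not the page's own code), the block below parses that "display ip interface brief" text into structured rows and shows a hardened form of the connect call that pins the device host key; the known_hosts path, the private key path and the `run_on_device` helper are assumptions, and paramiko is only needed for that helper.

```python
import re

# One row of H3C "display ip interface brief": Interface Physical Protocol IP Address Description
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<physical>\*?down|up)\s+(?P<protocol>down|up)\s+"
    r"(?P<ip>\S+)\s*(?P<desc>.*?)\s*$"
)

def parse_ip_int_brief(raw):
    """One dict per interface; the banner, echoed prompt/command and the
    *down/(s)/(l) legend that precede the 'Interface' header are skipped."""
    rows, in_table = [], False
    for line in raw.splitlines():
        if not in_table:
            in_table = line.lstrip().startswith("Interface")
            continue
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def interfaces_up(rows):
    """Interfaces that are up at both the physical and the protocol layer."""
    return [r["name"] for r in rows if r["physical"] == "up" == r["protocol"]]

def run_on_device(host, user, key_file, known_hosts, cmd="display ip interface brief"):
    """Hardened form of the page's connect (assumed helper): the device host key is
    pinned in an operator-maintained known_hosts file and the key file is explicit."""
    import paramiko  # imported here so the parser above runs without it
    client = paramiko.SSHClient()
    client.load_host_keys(known_hosts)
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # no trust-on-first-use
    client.connect(hostname=host, username=user, key_filename=key_file,
                   look_for_keys=False, allow_agent=False, timeout=10)
    try:
        _, stdout, _ = client.exec_command(cmd, timeout=30)
        return stdout.read().decode("utf-8", errors="replace")
    finally:
        client.close()

# Constructed sample, abridged from the output shown on this page.
SAMPLE = """<R1>dis ip int brief
*down: administratively down
(l): Loopback
Interface            Physical Protocol IP Address      Description
GE0/0/0              up       up       192.168.56.20   --
GE0/0/1              down     down     --              --
"""
```

With a real device, `parse_ip_int_brief(run_on_device(...))` gives the same rows as `parse_ip_int_brief(SAMPLE)` does offline.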

View the console log on the device:

<R1>
<R1>%Dec 26 16:50:50:033 2020 R1 SHELL/5/SHELL_LOGIN: Console logged in from con0.
%Dec 26 16:50:54:285 2020 R1 SSHS/6/SSHS_LOG: Accepted publickey for admin from 192.168.56.102 port 1313.
%Dec 26 16:50:56:061 2020 R1 SSHS/6/SSHS_LOG: User admin logged out from 192.168.56.102 port 1313.
%Dec 26 16:50:56:061 2020 R1 SSHS/6/SSHS_DISCONNECT: SSH user admin (IP: 192.168.56.102) disconnected from the server.
<R1>
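The SSHS_LOG line records which authentication method was accepted and from where, which is the evidence that the key-based login works; because authentication-type any still accepts passwords, the same lines also show when a login did not use the key. As an added example (not from the page), the block below parses such lines and flags logins that are not publickey or not from the automation host; the "Accepted password" wording of one sample line is an assumption about the device's log format.

```python
import re

# Shape of the SSHS_LOG login line shown on this page:
# %Dec 26 16:50:54:285 2020 R1 SSHS/6/SSHS_LOG: Accepted publickey for admin from 192.168.56.102 port 1313.
LOGIN_RE = re.compile(
    r"^%(?P<ts>\w{3} +\d+ [\d:]+ \d{4}) (?P<device>\S+) SSHS/\d/SSHS_LOG: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_login(line):
    """Fields of an accepted-login line, or None for any other log line."""
    m = LOGIN_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_logins(lines, allowed_sources, expected_method="publickey"):
    """One finding per accepted login that deviates from the state this page
    sets up: key-based authentication, from the host whose key was imported."""
    findings = []
    for line in lines:
        ev = parse_login(line)
        if ev is None:
            continue  # console, logout and disconnect lines are not logins
        reasons = []
        if ev["method"] != expected_method:
            reasons.append("auth method " + ev["method"])
        if ev["src"] not in allowed_sources:
            reasons.append("unexpected source " + ev["src"])
        if reasons:
            findings.append((ev["ts"], ev["user"], ev["src"], "; ".join(reasons)))
    return findings

# Constructed sample: the console lines from this page plus two made-up lines
# (the "Accepted password" wording is an assumption, not verified on H3C).
SAMPLE_LOG = [
    "%Dec 26 16:50:50:033 2020 R1 SHELL/5/SHELL_LOGIN: Console logged in from con0.",
    "%Dec 26 16:50:54:285 2020 R1 SSHS/6/SSHS_LOG: Accepted publickey for admin from 192.168.56.102 port 1313.",
    "%Dec 26 16:50:56:061 2020 R1 SSHS/6/SSHS_LOG: User admin logged out from 192.168.56.102 port 1313.",
    "%Dec 26 17:02:10:500 2020 R1 SSHS/6/SSHS_LOG: Accepted password for admin from 192.168.56.77 port 50122.",
    "%Dec 26 17:03:00:001 2020 R1 SSHS/6/SSHS_LOG: Accepted publickey for admin from 10.0.0.9 port 40001.",
]

if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG, {"192.168.56.102"}):
        print(*finding)
```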