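Enable SSH on BES-53248 cluster switches
If you are using the Ethernet Switch Health Monitor (CSHM) and log collection features, you must generate the SSH keys and then enable SSH on the cluster switches.
Steps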
- Verify that SSH is disabled:
  show ip ssh
  Example:
    (switch)# show ip ssh

    SSH Configuration

    Administrative Mode: .......................... Disabled
    SSH Port: ..................................... 22
    Protocol Level: ............................... Version 2
    SSH Sessions Currently Active: ................ 0
    Max SSH Sessions Allowed: ..................... 5
    SSH Timeout (mins): ........................... 5
    Keys Present: ................................. DSA(1024) RSA(1024) ECDSA(521)
    Key Generation In Progress: ................... None
    SSH Public Key Authentication Mode: ........... Disabled
    SCP server Administrative Mode: ............... Disabled
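- If SSH is not disabled, disable it as follows:
  no ip ssh server enable
  no ip scp server enable
  - For EFOS 3.12 and later, console access is required, because active SSH sessions are lost when SSH is disabled.
  - For EFOS 3.11 and earlier, current SSH sessions remain open after the SSH server is disabled.
  Make sure that you disable SSH before modifying the keys; otherwise, a warning is reported on the switch.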
- In configuration mode, generate the SSH keys:
  crypto key generate
  Example:
    (switch)# config
    (switch) (Config)# crypto key generate rsa
    Do you want to overwrite the existing RSA keys? (y/n): y

    (switch) (Config)# crypto key generate dsa
    Do you want to overwrite the existing DSA keys? (y/n): y

    (switch) (Config)# crypto key generate ecdsa 521
    Do you want to overwrite the existing ECDSA keys? (y/n): y
- In configuration mode, set the AAA authorization for ONTAP log collection:
  aaa authorization commands "noCmdAuthList" none
  Example:
    (switch) (Config)# aaa authorization commands "noCmdAuthList" none
    (switch) (Config)# exit
- Re-enable SSH/SCP.
  Example:
    (switch)# ip ssh server enable
    (switch)# ip scp server enable
    (switch)# ip ssh pubkey-auth
- Save these changes to the startup configuration:
  write memory
  Example:
    (switch)# write memory

    This operation may take a few minutes.
    Management interfaces will not be available during this time.

    Are you sure you want to save? (y/n) y

    Config file 'startup-config' created successfully.

    Configuration Saved!
- Encrypt the SSH keys (FIPS mode only):
  In FIPS mode, the keys must be encrypted with a passphrase for security. Without an encrypted key, the application fails to start. Use the following commands to create and encrypt the keys:
  Example:
    (switch) configure
    (switch) (Config)# crypto key encrypt write rsa passphrase <passphrase>

    The key will be encrypted and saved on NVRAM.
    This will result in saving all existing configuration also.
    Do you want to continue? (y/n): y

    Config file 'startup-config' created successfully.

    (switch) (Config)# crypto key encrypt write dsa passphrase <passphrase>

    The key will be encrypted and saved on NVRAM.
    This will result in saving all existing configuration also.
    Do you want to continue? (y/n): y

    Config file 'startup-config' created successfully.

    (switch)(Config)# crypto key encrypt write ecdsa passphrase <passphrase>

    The key will be encrypted and saved on NVRAM.
    This will result in saving all existing configuration also.
    Do you want to continue? (y/n): y

    Config file 'startup-config' created successfully.

    (switch) (Config)# end
    (switch)# write memory

    This operation may take a few minutes.
    Management interfaces will not be available during this time.

    Are you sure you want to save? (y/n) y

    Config file 'startup-config' created successfully.

    Configuration Saved!
- Reboot the switch:
  reload
- Verify that SSH is enabled:
  show ip ssh
  Example:
    (switch)# show ip ssh

    SSH Configuration

    Administrative Mode: .......................... Enabled
    SSH Port: ..................................... 22
    Protocol Level: ............................... Version 2
    SSH Sessions Currently Active: ................ 0
    Max SSH Sessions Allowed: ..................... 5
    SSH Timeout (mins): ........................... 5
    Keys Present: ................................. DSA(1024) RSA(1024) ECDSA(521)
    Key Generation In Progress: ................... None
    SSH Public Key Authentication Mode: ........... Enabled
    SCP server Administrative Mode: ............... Enabled
What's next?
After you enable SSH, you can "configure switch health monitoring".