Overview & Thematic Scope
This FAQ gives network engineers concise, practical answers on enabling and securing SSH remote management on Huawei enterprise switches and routers. Covering both pre-deployment security planning and post-deployment troubleshooting, it walks through the standard STelnet (SSH) configuration: generating the RSA host key, enabling the SSH service, binding AAA authentication, and configuring the VTY user interfaces. The goal is encrypted, authenticated CLI access across a campus or datacenter network, with Telnet left disabled.

Frequently Asked Questions
- Q1: What is the definitive step-by-step command sequence to enable SSH (STelnet) management on a Huawei switch?
- The process has four core steps: generate a local RSA key pair, enable the STelnet server, configure the VTY user interfaces for SSH, and create an AAA user. First, generate the key pair with `rsa local-key-pair create` in the system view. Then enable the SSH server with `stelnet server enable`. Next, enter the VTY view with `user-interface vty 0 4`, set `authentication-mode aaa`, and restrict the lines to SSH with `protocol inbound ssh` (this also stops Telnet on those lines). Finally, create a local user in the AAA view with `service-type ssh`, and bind the SSH user to password authentication with `ssh user <name> authentication-type password`.
- Q2: Why is it necessary to generate an RSA key pair before enabling SSH on a Huawei device?
- Generating an RSA key pair is mandatory because it provides the host key used during the SSH handshake: the device proves its identity to the client with this key, and the negotiated session keys that encrypt the connection are derived from that exchange. Without a valid local key pair, the device cannot authenticate itself, and the SSH service will not accept connections. Generate a modulus of 2048 bits or more; clients that pin the host key will warn if the key is later regenerated, so regenerate it deliberately and redistribute the fingerprint rather than by accident.
- Q3: What authentication methods does Huawei support for SSH users, and which is recommended?
- Huawei supports several SSH user authentication types, including password, RSA, DSA, ECC, SM2, and combined modes such as password-rsa. For the highest security, ECC (Elliptic Curve Cryptography) authentication is recommended over RSA, particularly RSA keys shorter than 3072 bits; DSA should be avoided on new deployments. The simplest and most common method is password authentication, which relies on an AAA local user account, but it is also the method most exposed to credential guessing, so pair it with a VTY ACL, a limited retry count, and a strong, unique password, or move to public-key authentication where the client tooling allows.
- Q4: After resetting a Huawei switch’s password, how do I ensure SSH remote access is still functional?
- Resetting a local user's password does not disable the SSH service or alter the rest of the SSH configuration; it only replaces the stored credential. Remote access fails after a reset when some other link in the chain was lost at the same time (for example a factory reset or a rollback of the configuration), so verify that the STelnet service is still enabled, the RSA host key still exists, the AAA user still has `service-type ssh`, and the SSH user is still bound to that AAA account with password authentication. Always test the new credentials from a client, over the management path that operators actually use, before closing the session in which you made the change.
- Q5: Why does my SSH session disconnect immediately after opening more than a few connections?
- This is not a limitation of the SSH protocol but of the device's CLI management plane: every SSH session occupies one VTY user interface, and the device supports only a limited number of concurrent VTY sessions (this FAQ cites eight as the ceiling; note that the default `user-interface vty 0 4` configuration exposes only five). Once every VTY is busy, further connections are refused or dropped immediately. The platform maximum exists to protect system resources and cannot be exceeded, so the remedy is to free sessions rather than to open more: list them with `display users`, terminate stale ones with `kill user-interface vty <n>`, and configure an `idle-timeout` on the VTY lines so abandoned sessions release themselves.
- Q6: How do I verify if the SSH service (STelnet) is correctly enabled and running on my Huawei device?
- To verify the SSH server status, run `display ssh server status` (it works from any view). In the output, confirm that the `Stelnet server` field shows `Enable`. If it shows `Disable`, enable it from the system view with `stelnet server enable`. You can also list the configured SSH users and their authentication types with `display ssh user-information`.
- Q7: What are the critical steps to troubleshoot a failed SSH login attempt to a Huawei switch?
- Begin by checking the service status with `display ssh server status` to ensure STelnet is enabled. Then verify the SSH user's authentication settings with `display ssh user-information`, and confirm that the matching AAA local user exists with `service-type ssh`. Next, check that the VTY lines are configured for SSH with `authentication-mode aaa` and `protocol inbound ssh`, using `display current-configuration | include vty` and inspecting the `user-interface vty` section. If the SSH server port has been changed from 22, specify the new port in your client. Finally, confirm that the client's address can reach the management interface and is permitted by any ACL applied to the VTY lines; a client that is simply blocked by an ACL sees a connection failure that looks much like a service that is not running.
- Q8: What are the security implications of using SSH version compatibility (SSH1.x) on a Huawei device?
- Enabling compatibility with SSH 1.x is a significant security risk and is strongly discouraged. SSH 2.0 has a more robust architecture, supports stronger encryption and integrity algorithms, and is not affected by the known weaknesses of SSH 1.x. By default, Huawei devices keep the fallback disabled, which appears in the configuration as `undo ssh server compatible-ssh1x enable`; if a configuration contains `ssh server compatible-ssh1x enable`, remove it and confirm with `display ssh server status` that only version 2.0 is offered.
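Putting Q1 through Q3 and Q8 together, the following is a complete hardened STelnet baseline, written here as an added example; it is not taken from the original page or from Huawei documentation. The username `netadmin`, the password, the management subnet 10.0.0.0/24 and ACL number 2001 are placeholders, privilege level 15 is an assumption (use the lowest level the operator's role needs), and the `irreversible-cipher` keyword and `ecc local-key-pair create` exist only on newer VRP releases (older releases use `password cipher`). Lines starting with `#` are annotations, not commands.

```text
# Added example: hardened STelnet baseline for a Huawei VRP switch.
# Placeholders: netadmin, Str0ng-Passw0rd!, 10.0.0.0/24, ACL 2001.
system-view
# 1. Host key (Q1, Q2). At the prompt "Input the bits in the modulus",
#    accept or enter 2048 or more. On releases that support it, an ECC
#    host key can be created instead with: ecc local-key-pair create
rsa local-key-pair create
# 2. Start the STelnet service and keep the SSH 1.x fallback off (Q8).
#    This is the factory default; stating it makes the intent auditable.
stelnet server enable
undo ssh server compatible-ssh1x enable
# 3. Local AAA account (Q1, Q3). Older releases spell the password
#    keyword "password cipher" rather than "password irreversible-cipher".
aaa
 local-user netadmin password irreversible-cipher Str0ng-Passw0rd!
 local-user netadmin service-type ssh
 local-user netadmin privilege level 15
 quit
# 4. Bind the SSH user to the AAA account and limit it to STelnet.
ssh user netadmin authentication-type password
ssh user netadmin service-type stelnet
# 5. VTY lines: AAA authentication, SSH only, management subnet only,
#    and an idle timeout so abandoned sessions free their VTY (Q5).
acl 2001
 rule 5 permit source 10.0.0.0 0.0.0.255
 rule 10 deny
 quit
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 acl 2001 inbound
 idle-timeout 10 0
 quit
# 6. Verify (Q6, Q7) before closing the session you configured from.
display ssh server status
display ssh user-information
display current-configuration | include vty
```

Apply it from the console or from an existing session and keep that session open until a fresh SSH login from a host inside 10.0.0.0/24 succeeds; the ACL is the step most often mis-scoped, and a wrong wildcard mask locks out the very hosts the configuration was meant to admit.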