Table of Contents
Advertisement
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is
sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the
prefer-ctos-hmac keyword).
dscp dscp-value: Specifies the DSCP value in the IPv4 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
public-key keyname: Specifies the server's host public key that the client uses to authenticate the
server. The keyname argument is a case-insensitive string of 1 to 64 characters.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:),
dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').
source: Specifies a source IPv4 address or source interface for the SFTP packets. By default, the
device uses the primary IPv4 address of the output interface in the routing entry as the source
address of SFTP packets. As a best practice to ensure successful SFTP connections, specify a
loopback interface as the source interface or specify that interface's IPv4 address as the source IPv4
address.
•
interface interface-type interface-number: Specifies a source interface by its type and number.
The primary IPv4 address of this interface is the source IPv4 address of the SFTP packets.
•
ip ip-address: Specifies a source IPv4 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need
to save the server's public key before authentication. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
Examples
# Connect an SFTP client to SFTP server 10.1.1.2 and specify the public key of the server as svkey.
The SFTP client uses publickey authentication. Use the following algorithms:
•
Preferred key exchange algorithm: dh-group14-sha1.
•
Preferred server-to-client encryption algorithm: aes128-cbc.
•
Preferred client-to-server HMAC algorithm: sha1.
•
Preferred server-to-client HMAC algorithm: sha1-96.
•
Preferred compression algorithm: zlib.
<Sysname> sftp 10.1.1.2 prefer-kex dh-group14-sha1 prefer-stoc-cipher aes128-cbc
prefer-ctos-hmac sha1 prefer-stoc-hmac sha1-96 prefer-compress zlib public-key svkey
sftp client ipv6 source
Use sftp client ipv6 source to configure the source IPv6 address for SFTP packets that are sent by
the SFTP client.
Use undo sftp client ipv6 source to restore the default.
Syntax
sftp client ipv6 source { interface interface-type interface-number | ipv6 ipv6-address }
undo sftp client ipv6 source
480
Advertisement
Table of Contents
