HP FlexNetwork 7500 Series Command Reference Manual page 499


md5: Specifies the HMAC algorithm hmac-md5.
md5-96: Specifies the HMAC algorithm hmac-md5-96.
sha1: Specifies the HMAC algorithm hmac-sha1.
sha1-96: Specifies the HMAC algorithm hmac-sha1-96.
sha2-256: Specifies the HMAC algorithm hmac-sha2-256.
sha2-512: Specifies the HMAC algorithm hmac-sha2-512.
prefer-kex: Specifies the preferred key exchange algorithm. The default is ecdh-sha2-nistp256.
Supported algorithms are dh-group-exchange-sha1, dh-group1-sha1, dh-group14-sha1,
ecdh-sha2-nistp256, and ecdh-sha2-nistp384, in ascending order of security strength and
computation time.
dh-group-exchange-sha1: Specifies the key exchange algorithm
diffie-hellman-group-exchange-sha1.
dh-group1-sha1: Specifies the key exchange algorithm diffie-hellman-group1-sha1.
dh-group14-sha1: Specifies the key exchange algorithm diffie-hellman-group14-sha1.
ecdh-sha2-nistp256: Specifies the key exchange algorithm ecdh-sha2-nistp256.
ecdh-sha2-nistp384: Specifies the key exchange algorithm ecdh-sha2-nistp384.
prefer-stoc-cipher: Specifies the preferred server-to-client encryption algorithm. The default is
aes128-ctr. Supported algorithms are the same as the client-to-server encryption algorithms (see
the prefer-ctos-cipher keyword).
prefer-stoc-hmac: Specifies the preferred server-to-client HMAC algorithm. The default is
sha2-256. Supported algorithms are the same as the client-to-server HMAC algorithms (see the
prefer-ctos-hmac keyword).
dscp dscp-value: Specifies the DSCP value in the IPv6 SFTP packets. The value range for the
dscp-value argument is 0 to 63, and the default value is 48. The DSCP value determines the
transmission priority of the packet.
public-key keyname: Specifies the host public key of the server that the client uses to authenticate
the server. The keyname argument is a case-insensitive string of 1 to 64 characters.
server-pki-domain domain-name: Specifies the PKI domain for verifying the server's certificate.
The domain-name argument represents the PKI domain name, a case-insensitive string of 1 to 31
characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:),
dots (.), angle brackets (< >), quotation marks ("), and apostrophes (').
source: Specifies a source IPv6 address or source interface for IPv6 SFTP packets. By default, the
device automatically selects a source address for IPv6 SFTP packets in compliance with RFC 3484.
As a best practice to ensure successful SFTP connections, specify a loopback interface as the
source interface or specify that interface's IPv6 address as the source IPv6 address.
interface interface-type interface-number: Specifies a source interface by its type and number.
The IPv6 address of this interface is the source IPv6 address of the IPv6 SFTP packets.
ipv6 ipv6-address: Specifies a source IPv6 address.
Usage guidelines
If the client and the server have negotiated to use certificate authentication, the client must verify the
server's certificate. For the client to correctly get the server's certificate, you must specify the server's
PKI domain on the client by using the server-pki-domain domain-name option. The client uses the
CA certificate stored in the specified PKI domain to verify the server's certificate and does not need
to save the server's public key before authentication. If you do not specify the server's PKI domain,
the client uses the PKI domain of its own certificate to verify the server's certificate.
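The value constraints in the keyword descriptions above can be checked before a command is entered on the device. The following Python sketch is an added example, not part of the HP manual: the function name audit_sftp_options, the dictionary representation of the options, and the sample values are assumptions made for illustration, and the HMAC list is taken to apply to both prefer-ctos-hmac and prefer-stoc-hmac as the page states.

```python
# Constraints transcribed from the keyword descriptions on this page.
KEX_ASCENDING = ["dh-group-exchange-sha1", "dh-group1-sha1", "dh-group14-sha1",
                 "ecdh-sha2-nistp256", "ecdh-sha2-nistp384"]  # page's strength order
KEX_DEFAULT = "ecdh-sha2-nistp256"
HMACS = {"md5", "md5-96", "sha1", "sha1-96", "sha2-256", "sha2-512"}
PKI_DOMAIN_INVALID = set("~*\\|:.<>\"'")


def audit_sftp_options(opts):
    """Check a dict of option keyword -> value (hypothetical input form); return findings."""
    findings = []
    kex = opts.get("prefer-kex", KEX_DEFAULT)
    if kex not in KEX_ASCENDING:
        findings.append(f"prefer-kex: unsupported value {kex!r}")
    elif KEX_ASCENDING.index(kex) < KEX_ASCENDING.index(KEX_DEFAULT):
        findings.append(f"prefer-kex: {kex} ranks below the default {KEX_DEFAULT}")
    for key in ("prefer-ctos-hmac", "prefer-stoc-hmac"):
        value = opts.get(key)
        if value is None:
            continue
        if value not in HMACS:
            findings.append(f"{key}: unsupported value {value!r}")
        elif not value.startswith("sha2-"):
            findings.append(f"{key}: {value} is not a SHA-2 HMAC (sha2-256, sha2-512)")
    dscp = opts.get("dscp")
    if dscp is not None and not (dscp.isascii() and dscp.isdigit() and int(dscp) <= 63):
        findings.append(f"dscp: {dscp!r} is outside the range 0 to 63")
    dom = opts.get("server-pki-domain")
    if dom is not None:
        if not 1 <= len(dom) <= 31:
            findings.append("server-pki-domain: name must be 1 to 31 characters")
        bad = sorted(set(dom) & PKI_DOMAIN_INVALID)
        if bad:
            findings.append(f"server-pki-domain: invalid characters {bad}")
    keyname = opts.get("public-key")
    if keyname is not None and not 1 <= len(keyname) <= 64:
        findings.append("public-key: keyname must be 1 to 64 characters")
    return findings


# Constructed sample input; only the key name svkey appears on the page.
SAMPLE = {"prefer-kex": "dh-group1-sha1", "prefer-stoc-hmac": "md5",
          "dscp": "70", "server-pki-domain": "corp.ca", "public-key": "svkey"}

if __name__ == "__main__":
    for finding in audit_sftp_options(SAMPLE):
        print(finding)
```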
Examples
# Connect an SFTP client to SFTP server 2000::1 and specify the public key of the server as svkey.
The SFTP client uses publickey authentication. Use the following algorithms: