  ◦ If a client directly sends the user's public key information to the server, you must specify the
    client's public key on the server and the specified public key must already exist. For more
    information about public keys, see "Configuring a client's host public key."
  ◦ If a client sends the user's public key information to the server through a digital certificate, you
    must specify the PKI domain for verifying the client certificate on the server. To make sure the
    authorized SSH users can pass the authentication, the specified PKI domain must have the
    correct CA certificate. For more information about configuring a PKI domain, see "Configuring
    PKI."
• When the device operates in FIPS mode as an SSH server, the device does not support the
authentication method of any or publickey.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Create an SSH user, and specify the service type and authentication method.
    Command:
    • In non-FIPS mode:
      ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }
    • In FIPS mode:
      ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }
    Remarks: The netconf keyword is available in Release 2311P04 and later versions.
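The following checker is an added example, not part of the original guide or the device software. It validates a single ssh user command line against the syntax in step 2 and reports authentication methods that the FIPS-mode syntax excludes; the function name and the sample user, key, and domain names are constructed for illustration.

```python
# Keywords taken from the 'ssh user' syntax in step 2 of the procedure above.
# (netconf is only available in Release 2311P04 and later.)
SERVICE_TYPES = {"all", "netconf", "scp", "sftp", "stelnet"}
KEY_AUTH = {"any", "password-publickey", "publickey"}  # these require an 'assign' clause
FIPS_AUTH = {"password", "password-publickey"}         # the only methods in the FIPS syntax
ASSIGN_SOURCES = {"pki-domain", "publickey"}


def check_ssh_user(command, fips=False):
    """Return a list of problems in one 'ssh user' line (empty list means OK)."""
    tok = command.split()
    if (len(tok) < 7 or tok[:2] != ["ssh", "user"]
            or tok[3] != "service-type" or tok[5] != "authentication-type"):
        return ["expected: ssh user <name> service-type <type> authentication-type <method> ..."]
    service, auth, rest = tok[4], tok[6], tok[7:]
    problems = []
    if service not in SERVICE_TYPES:
        problems.append(f"unknown service type '{service}'")
    if auth == "password":
        if rest:
            problems.append("'password' takes no assign clause")
    elif auth in KEY_AUTH:
        # Key-based methods must name a public key or a PKI domain.
        if len(rest) != 3 or rest[0] != "assign" or rest[1] not in ASSIGN_SOURCES:
            problems.append(f"'{auth}' needs: assign {{ pki-domain <domain> | publickey <keyname> }}")
    else:
        problems.append(f"unknown authentication type '{auth}'")
    if fips and auth in KEY_AUTH and auth not in FIPS_AUTH:
        problems.append(f"'{auth}' is not supported in FIPS mode")
    return problems


if __name__ == "__main__":
    # Constructed sample lines (user, key, and domain names are made up).
    samples = [
        "ssh user client001 service-type stelnet authentication-type password-publickey assign publickey clientkey",
        "ssh user client002 service-type sftp authentication-type publickey assign pki-domain dom1",
        "ssh user client003 service-type scp authentication-type any",
    ]
    for line in samples:
        for mode in (False, True):
            print("FIPS" if mode else "non-FIPS", "|", line, "->", check_ssh_user(line, fips=mode) or "OK")
```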
Setting the SSH management parameters
Setting the SSH management parameters improves the security of SSH connections. The SSH
management parameters include:
To set the SSH management parameters:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A
Step 2. Enable the SSH server to support SSH1 clients.
    Command: ssh server compatible-ssh1x enable
    Remarks: By default, the SSH server supports SSH1 clients.
    This command is not available in FIPS mode.
Step 3. Set the RSA server key pair update interval.
    Command: ssh server rekey-interval hours
    Remarks: By default, the RSA server key pair is not updated.
    This command takes effect only on SSH1 clients.
    This command is not available in FIPS mode.