• scp: Specifies the service type as SCP.
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies an authentication method for an SSH user:
• password: Specifies password authentication. This authentication method features easy and fast
encryption, but it is vulnerable. It can work with AAA to implement user authentication,
authorization, and accounting.
• any: Specifies either password authentication or publickey authentication.
• password-publickey: Specifies both password authentication and publickey authentication for
SSH2 clients. In SSH2, password-publickey authentication provides higher security. If the client runs
SSH1, this keyword specifies either password authentication or publickey authentication.
• publickey: Specifies publickey authentication. This authentication method has complicated and
slow encryption, but it provides strong authentication that can defend against brute-force attacks.
This authentication method is easy to use. If this method is configured, the authentication process
completes automatically without the need to enter a password.
assign: Specifies parameters used for client verification.
• pki-domain domain-name: Specifies the PKI domain that verifies the client certificate. The
domain-name argument is a case-insensitive string of 1 to 31 characters. The server uses the CA
certificate that is saved in the PKI domain to verify the client certificate. In this scenario, the server
does not need to save clients' public keys in advance.
• publickey keyname: Specifies the public key of the SSH client. The keyname argument represents
the SSH client's public key configured on the server. It is a case-insensitive string of 1 to 64
characters. The server uses the client's public key to check the validity of the client. If the public key
file of the client is changed, you must update the client's public key on the server promptly.
Usage guidelines
If the authentication method is publickey, you must create an SSH user and a local user. The two users
must have the same username, so that the SSH user can be assigned the correct working directory and
user role.
If the authentication method is password-publickey or any, you must create an SSH user and perform one
of the following tasks:
• For local authentication, configure a local user by using the local-user command.
• For remote authentication, configure an SSH user on a remote authentication server, for example, a
RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server must have the
same username as the SSH user.
If the authentication method is password, you do not need to create an SSH user or local user. However,
if you want to display all SSH users (including the password-only SSH users) for centralized management,
you can use this command to create them.
If you use this command to specify a host public key or a PKI domain for a user multiple times, the most
recent configuration takes effect.
You can change the authentication method, service type, and host public key (or PKI domain) for a
logged-in SSH user, but your changes take effect for the user at the next login.
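The following added example (not part of the vendor documentation) audits a saved configuration against the rules above: password-capable methods, the SSH1 fallback of password-publickey, the name length limits, repeated configuration of one user, and the local user that publickey authentication requires. The "ssh user ..." line format, the "local-user name class manage" line, and all usernames and key names in the sample are assumptions constructed for illustration.

```python
import re

# Assumed line format; keywords and limits are the ones described above.
SSH_USER = re.compile(
    r"^\s*ssh user (?P<user>\S+) service-type (?P<svc>\S+) "
    r"authentication-type (?P<auth>password-publickey|publickey|password|any)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<name>\S+))?\s*$")
LOCAL_USER = re.compile(r"^\s*local-user (?P<user>\S+)")
MAX_LEN = {"pki-domain": 31, "publickey": 64}  # domain-name / keyname limits


def audit(config):
    """Return {username: [findings]} for every SSH user in a config dump."""
    entries, local_users = {}, set()
    for line in config.splitlines():
        if m := SSH_USER.match(line):
            entries.setdefault(m["user"], []).append(m)
        elif m := LOCAL_USER.match(line):
            local_users.add(m["user"])
    report = {}
    for user, matches in entries.items():
        m = matches[-1]  # the most recent configuration takes effect
        auth, kind, name = m["auth"], m["kind"], m["name"]
        findings = []
        if len(matches) > 1:
            findings.append(f"configured {len(matches)} times; last line wins")
        if auth in ("password", "any"):
            findings.append(f"'{auth}' allows password-only login")
        if auth == "password-publickey":
            findings.append("SSH1 clients pass with only one method")
        if kind and len(name) > MAX_LEN[kind]:
            findings.append(f"{kind} name longer than {MAX_LEN[kind]} characters")
        if auth == "publickey" and user not in local_users:
            findings.append("no local user with the same username")
        report[user] = findings
    return report


# Constructed sample configuration (all names are made up).
SAMPLE = """\
local-user alice class manage
ssh user alice service-type stelnet authentication-type publickey assign publickey oldkey
ssh user alice service-type stelnet authentication-type publickey assign publickey newkey
ssh user bob service-type sftp authentication-type any assign pki-domain corp
ssh user carol service-type scp authentication-type publickey assign publickey carolkey
ssh user dave service-type stelnet authentication-type password-publickey assign publickey davekey
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, findings or "ok")
```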
For an SFTP or SCP user, the working directory depends on the authentication method:
• If the authentication method is password, the working directory is authorized by AAA.