336
ï‚¡ If the authentication method is password, the user role is authorized by the remote AAA
server or the local device.
ï‚¡ If the authentication method is publickey or password-publickey, the user role is specified
by the authorization-attribute command in the associated local user view.
• If you change the authentication method or public key for a logged-in SSH user, the changes
take effect at the next login.
• For all authentication methods except password authentication, you must specify a client's host
public key or digital certificate.
ï‚¡ For a client that directly sends the user's public key information to the server, you must
specify the client's host public key on the server. The specified public key must already
exist. For more information about public keys, see "Configuring a client's host public key."
ï‚¡ For a client that sends the user's public key information to the server through a digital
certificate, you must specify the PKI domain on the server. This PKI domain verifies the
client certificate. To make sure the authorized SSH users can pass the authentication, the
specified PKI domain must have the correct CA certificate. To specify the PKI domain, use
the ssh user or ssh server pki-domain command. For more information about configuring
a PKI domain, see "Configuring PKI."
• When the device operates in FIPS mode as an SSH server, the device does not support the
authentication method of any or publickey.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
1. Enter system view.
system-view
2. Create
specify the service type and
authentication method.
• In Release 1111:
ï‚¡ In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password | { any |
password-publickey | publickey } assign { pki-domain
domain-name | publickey keyname } }
ï‚¡ In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password |
password-publickey assign { pki-domain domain-name |
publickey keyname } }
• In Release 1121 and later:
ï‚¡ In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password | { any |
password-publickey | publickey } [ assign { pki-domain
domain-name | publickey keyname } ] }
ï‚¡ In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password |
password-publickey [ assign { pki-domain domain-name |
keyname } ] }
Configuring the SSH management parameters
1. Enter system view.
system-view
N/A
To Next Page
Loading...
Need help?
General