For all authentication methods except password authentication, you must specify the client's host
•
public key or digital certificate.
For a client that sends the user's public key information directly to the server, you must specify
the client's host public key on the server. The specified public key must already exist. For more
information about public keys, see
For a client that sends the user's public key information to the server through a digital certificate,
you must specify the PKI domain on the server. This PKI domain verifies the client certificate. For
successful verification, the specified PKI domain must have the correct CA certificate. For more
information about configuring a PKI domain, see
When the device operates in FIPS mode as an SSH server, the device does not support the
•
authentication method of any or publickey.
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step
1.
Enter system view.
2.
Create an SSH user, and
specify the service type and
authentication method.
Setting the SSH management parameters
Setting the SSH management parameters can improve the security of SSH connections. The SSH
management parameters include:
Whether the SSH server is compatible with SSH1 clients.
•
•
RSA server key pair update interval, applicable to users using SSH1 clients.
SSH user authentication timeout period. You can set this parameter to reject a connection if the
•
authentication for the connection has not been finished when the timeout period expires.
Maximum number of SSH authentication attempts. You can set this parameter to prevent malicious
•
password cracking. If the authentication method is any, the total number of both publickey and
password authentication attempts cannot exceed the configured upper limit.
ACL for SSH clients. You can configure an ACL to filter SSH clients which initiate connections with
•
the SSH server.
DSCP value in the packets that are sent by the SSH server. This field determines the transmission
•
priority of the packet.
•
SFTP connection idle timeout period. When the idle period of an SFTP connection exceeds the
specified threshold, the system automatically tears the connection down.
Maximum number of concurrent online SSH users. When the number of online SSH users reaches
•
the upper limit, the system refuses new SSH connection requests.
"Configuring a client's host public
Command
system-view
•
In non-FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet }
authentication-type { password | { any | password-publickey |
publickey } assign { pki-domain domain-name | publickey
keyname } }
•
In FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet }
authentication-type { password | password-publickey assign
{ pki-domain domain-name | publickey keyname } }
252
key."
"Configuring
PKI."