HP MSR Series Configuration Manual page 413

•
If the authentication method is password-publickey or any, you must create an SSH user on
the SSH server and perform one of the following tasks:
For local authentication, configure a local user on the SSH server.
For remote authentication, configure an SSH user on a remote authentication server, for
example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server
must have the same username as the SSH user.
For information about configuring local users and remote authentication, see
Configuration restrictions and guidelines
When you configure an SSH user, follow these restrictions and guidelines:
•
An SSH server supports up to 1024 SSH users.
•
For an SFTP or SCP user, the working directory depends on the authentication method.
If the authentication method is password, the working directory is authorized by AAA.
If the authentication method is publickey or password-publickey, the working folder is
specified by the authorization-attribute command in the associated local user view.
•
For an SSH user, the user role also depends on the authentication method.
If the authentication method is password, the user role is authorized by the remote AAA
server or the local device.
If the authentication method is publickey or password-publickey, the user role is specified
by the authorization-attribute command in the associated local user view.
•
If you change the authentication parameters for a logged-in SSH user, the change takes effect
on the user at the next login.
•
For all authentication methods except password authentication, you must specify a client's host
public key or digital certificate.
For a client that sends the user's public key information directly to the server, specify the
client's host public key on the server. The specified public key must already exist. For more
information about public keys, see
For a client that sends the user's public key information to the server through a digital
certificate, specify the PKI domain on the server. This PKI domain verifies the client's digital
certificate. For successful verification, the specified PKI domain must have the correct CA
certificate. For more information about configuring a PKI domain, see
•
When the device operates as an SSH server in FIPS mode, the device does not support the
authentication method of any or publickey.
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step
1. Enter system view.
2. Create an SSH user, and
specify the service type and
authentication method.
"Configuring a client's host public
Command
system-view
•
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password | { any |
password-publickey | publickey } assign { pki-domain
domain-name | publickey keyname } }
•
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password |
password-publickey assign { pki-domain domain-name |
publickey keyname } }
398
"Configuring AAA."
key."
"Configuring PKI."