H3C S5830V2 Security Configuration Manual page 180


If the authentication method is password, you do not need to perform the procedure in this section to
configure SSH users unless you want to use the display ssh user-information command to display all SSH
users, including the password-only SSH users, for centralized management. If such an SSH user has been
created, make sure you have specified the correct service type and authentication method.
Configuration guidelines
When you configure an SSH user, follow these guidelines:
• An SSH server supports up to 1024 SSH users.
• For an SFTP or SCP user, the working directory depends on the authentication method:
  - If the authentication method is password, the working directory is authorized by AAA.
  - If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
• For an SSH user, the user role also depends on the authentication method:
  - If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
  - If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
• If you change the authentication method or public key for an SSH user that has logged in, the change takes effect only at the next login of the user.
• All authentication methods except password require a client's host public key or digital certificate to be specified.
  - If a client directly sends the user's public key information to the server, you must specify the client's public key on the server and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
  - If a client sends the user's public key information to the server through a digital certificate, you must specify the PKI domain for verifying the client certificate on the server. To make sure the authorized SSH users can pass the authentication, the specified PKI domain must have the correct CA certificate. For more information about configuring a PKI domain, see "Configuring PKI."
• When the device acts as an SSH server in FIPS mode, the device does not support the authentication method of any or publickey.
• For information about how to configure local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step 1. Enter system view.
  Command:
    system-view
Step 2. Create an SSH user, and specify the service type and authentication method.
  Command, in non-FIPS mode:
    ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }
  Command, in FIPS mode:
    ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }
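The following audit script is an added example, not part of the H3C manual: it checks ssh user lines against the command syntax and FIPS restriction described above. It assumes the saved configuration stores each SSH user as a single line in the command form shown in the procedure; the function name, user names and key names are hypothetical.

```python
import re

# Keywords taken from the ssh user command syntax on this page.
SERVICE_TYPES = {"all", "scp", "sftp", "stelnet"}
ALLOWED_AUTH = {
    False: {"password", "any", "password-publickey", "publickey"},  # non-FIPS mode
    True: {"password", "password-publickey"},                       # FIPS mode
}
SSH_USER = re.compile(
    r"^\s*ssh user (?P<user>\S+) service-type (?P<svc>\S+) "
    r"authentication-type (?P<auth>\S+)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<name>\S+))?\s*$"
)

def audit_ssh_users(config_text, fips_mode):
    """Return (user, problem) tuples for ssh user lines that break the documented rules."""
    findings = []
    for line in config_text.splitlines():
        if not line.strip().startswith("ssh user "):
            continue  # only ssh user lines are audited
        m = SSH_USER.match(line)
        if m is None:
            findings.append((line.strip(), "does not match the ssh user syntax"))
            continue
        user, svc, auth, kind = m["user"], m["svc"], m["auth"], m["kind"]
        if svc not in SERVICE_TYPES:
            findings.append((user, f"unknown service-type {svc}"))
        if auth not in ALLOWED_AUTH[fips_mode]:
            mode = "FIPS" if fips_mode else "non-FIPS"
            findings.append((user, f"authentication-type {auth} not supported in {mode} mode"))
        elif auth == "password" and kind:
            findings.append((user, "password authentication takes no assign clause"))
        elif auth != "password" and not kind:
            # Every method except password needs a public key or PKI domain.
            findings.append((user, f"{auth} requires assign pki-domain or publickey"))
    return findings

# Constructed sample configuration lines (not from a real device).
SAMPLE = """\
ssh user alice service-type stelnet authentication-type password
ssh user bob service-type sftp authentication-type publickey assign publickey bobkey
ssh user carol service-type all authentication-type password-publickey assign pki-domain corp
ssh user dave service-type scp authentication-type any
"""

if __name__ == "__main__":
    for fips in (False, True):
        print("FIPS" if fips else "non-FIPS", audit_ssh_users(SAMPLE, fips))
```

Running the audit with fips_mode=True before switching a device to FIPS mode lists the users whose authentication method would have to change.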


This manual is also suitable for:

S5820v2
