Configuring An Ssh User - HP 12500 Series Configuration Manual


Configuring an SSH user

To configure an SSH user that uses publickey authentication, you must perform the procedure in this
section.
To configure an SSH user that uses password authentication, whether together with publickey
authentication or not, you must configure a local user account by using the local-user command for local
authentication, or configure an SSH user account on an authentication server, for example, a RADIUS
server, for remote authentication. For more information about the local-user command, see Security
Command Reference.
For password-only SSH users, you do not need to perform the procedure in this section to configure them
unless you want to use the display ssh user-information command to display all SSH users, including the
password-only SSH users, for centralized management.
Configuration guidelines
When you perform the procedure in this section to configure an SSH user, follow these guidelines:
- You can set the service type to Stelnet or SFTP. For more information about Stelnet and SFTP, see
  "Overview."
- You can enable one of the following authentication modes for the SSH user:
  - Password—The user must pass password authentication.
  - Publickey authentication—The user must pass publickey authentication.
  - Password-publickey authentication—As an SSH2 user, the user must pass both password and
    publickey authentication. As an SSH1 user, the user must pass either password or publickey
    authentication.
  - Any—The user can use either password authentication or publickey authentication.
- All authentication methods, except password authentication, require a client's host public key or
  digital certificate to be specified.
  - If a client directly sends the user's public key information to the server, the server must specify the
    client's public key and the specified public key must already exist. For more information about
    public keys, see "Configuring a client's host public key."
  - If a client sends the user's public key information to the server through a digital certificate, the
    server must specify the PKI domain for verifying the client certificate. For more information about
    configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass
    the authentication, the specified PKI domain must have the proper CA certificate.
- If publickey authentication, whether with password authentication or not, is used, the command
  level accessible to the user is set by the user privilege level command on the user interface. If only
  password authentication is used, the command level accessible to the user is authorized by AAA.
- SSH1 does not support SFTP or SCP. An SSH1 client cannot connect to the server through SFTP or
  SCP.
- For an SFTP SSH user, the working folder depends on the authentication method:
  - If only password authentication is used, the working folder is authorized by AAA.
  - If publickey authentication, whether with password authentication or not, is used, the working
    folder is set by using the ssh user command.

If you change the authentication mode or public key for an SSH user that has been logged in, the change
can take effect only at the next login of the user.
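The guidelines above can be checked against a saved configuration. The following is an added example, not part of the manual or HP's tooling: it assumes Comware 5 style `ssh user`, `public-key peer` and `pki domain` command forms, uses constructed user, key and domain names, and takes a hypothetical `ssh1_allowed` argument for whether the server accepts SSH1 clients.

```python
import re

# Constructed sample, not from the manual. Command forms are assumed
# Comware 5 syntax; adjust the patterns to match your software release.
SAMPLE_CONFIG = """\
public-key peer key-alice
pki domain corp-ca
ssh user alice service-type stelnet authentication-type publickey assign publickey key-alice
ssh user bob service-type sftp authentication-type password-publickey assign publickey key-bob
ssh user carol service-type all authentication-type any assign pki-domain corp-ca
ssh user dave service-type stelnet authentication-type password
"""

SSH_USER = re.compile(
    r"^[ \t]*ssh user (?P<name>\S+) service-type \S+ "
    r"authentication-type (?P<mode>\S+)"
    r"(?: assign (?P<kind>publickey|pki-domain) (?P<ref>\S+))?", re.M)

def audit(config, ssh1_allowed):
    """Return (user, finding) pairs for ssh user lines that break the guidelines.

    ssh1_allowed: whether the server accepts SSH1 clients (supplied by the
    caller, because defaults do not appear in the saved configuration).
    """
    keys = set(re.findall(r"^[ \t]*public-key peer (\S+)", config, re.M))
    domains = set(re.findall(r"^[ \t]*pki domain (\S+)", config, re.M))
    findings = []
    for m in SSH_USER.finditer(config):
        name, mode, kind, ref = m.group("name", "mode", "kind", "ref")
        if mode != "password":
            # Every non-password mode needs an existing key or PKI domain.
            if ref is None:
                findings.append((name, "no public key or PKI domain assigned"))
            elif kind == "publickey" and ref not in keys:
                findings.append((name, f"public key {ref} is not configured"))
            elif kind == "pki-domain" and ref not in domains:
                findings.append((name, f"PKI domain {ref} is not configured"))
        if mode == "any":
            findings.append((name, "password alone is accepted"))
        if mode == "password-publickey" and ssh1_allowed:
            # An SSH1 client has to pass only one of the two methods.
            findings.append((name, "SSH1 client passes with one method"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_CONFIG, ssh1_allowed=True):
        print(f"{user}: {finding}")
```

Password-only users such as `dave` produce no finding here because their command level and working folder are authorized by AAA rather than by the `ssh user` line.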
