Table of Contents
Advertisement
•
For all authentication methods except password authentication, you must specify a client's host
public key or digital certificate.
For a client that directly sends the user's public key information to the server, you must
specify the client's host public key on the server. The specified public key must already exist.
For more information about public keys, see
For a client that sends the user's public key information to the server through a digital
certificate, specify a PKI domain on the server to verify the client's digital certificate. For
successful verification, the specified PKI domain must have the correct CA certificate. To
specify the PKI domain, use the ssh user or ssh server pki-domain command. For more
information about configuring a PKI domain, see "Configuring PKI."
•
When the device operates in FIPS mode as an SSH server, the device does not support the
authentication method of any or publickey.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Step
1.
Enter system view.
2.
Create an SSH user, and
specify the service type and
authentication method.
Configuring the SSH management parameters
Step
1.
Enter system view.
2.
Enable the SSH server to
support SSH1 clients.
3.
Set the minimum update
interval for the RSA server
key pair.
4.
Set the SSH user
authentication timeout timer.
5.
Set the maximum number of
SSH authentication
attempts.
"Configuring a client's host public
Command
system-view
•
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password | { any |
password-publickey | publickey } [ assign { pki-domain
domain-name | publickey keyname } ] }
•
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp |
stelnet } authentication-type { password |
password-publickey [ assign { pki-domain domain-name |
publickey keyname } ] }
Command
system-view
ssh server compatible-ssh1x
enable
ssh server rekey-interval hours
ssh server
authentication-timeout
time-out-value
ssh server
authentication-retries times
333
key."
Remarks
N/A
By default, the SSH server
supports SSH1 clients.
This command is not available in
FIPS mode.
By default, the RSA server key
pair is not updated.
This command takes effect only
on SSH1 users.
This command is not available in
FIPS mode.
The default setting is 60 seconds.
If a user does not finish the
authentication when the timeout
timer expires, the connection
cannot be established.
The default setting is 3.
If a user does not finish the
Advertisement
Table of Contents
Troubleshooting
