Configuring an SSH user

To configure an SSH user that uses publickey authentication, you must perform the procedure in this section.

To configure an SSH user that uses password authentication, whether together with publickey authentication or not, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. For more information about the local-user command, see Security Command Reference.

For password-only SSH users, you do not need to perform the procedure in this section to configure them unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management.

Configuration guidelines

When you perform the procedure in this section to configure an SSH user, follow these guidelines:

You can set the service type to Stelnet, SFTP, and SCP (Secure copy). For more information about Stelnet, see "Overview." For more information about SFTP, see "Configuring SFTP." For more information about SCP, see "Configuring SCP."

You can enable one of the following authentication modes for the SSH user:
- Password—The user must pass password authentication.
- Publickey authentication—The user must pass publickey authentication.
- Password-publickey authentication—As an SSH2.0 user, the user must pass both password and publickey authentication. As an SSH1 user, the user must pass either password or publickey authentication.
- Any—The user can use either password authentication or publickey authentication.
If only publickey authentication is used, the command level accessible to the user is set by the user privilege level command on the user interface. If password authentication is used, either with or without publickey authentication, the command level accessible to the user is authorized by AAA.
SSH1 does not support SCP and SFTP. For an SSH1 client, you must set the service type to stelnet or all.
For an SCP or SFTP user, the working folder depends on the authentication method:
- If only password authentication is used, the working folder is authorized by AAA.
- If publickey authentication is used, either with or without password authentication, the working folder is set by using the ssh user command.
If you change the authentication mode or public key for an SSH user that has been logged in, the change can take effect only at the next login of the user.
In FIPS mode, the SSH server does not support any authentication and publickey authentication.

Configuration procedure

To configure an SSH user and specify the service type and authentication method:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create an SSH user, and specify the service type and authentication method.	For Stelnet users: In non-FIPS mode:ssh user username service-type stelnet authentication-type { password \| { any \| password-publickey \| publickey } assign publickey keyname&<1-6> } In FIPS mode:ssh user username service-type stelnet authentication-type { password \| password-publickey assign publickey keyname&<1-6> } For all users, SCP or SFTP users: In non-FIPS mode:ssh user username service-type { all \| scp \| sftp } authentication-type { password \| { any \| password-publickey \| publickey } assign publickey keyname&<1-6> work-directory directory-name } In FIPS mode:ssh user username service-type { all \| scp \| sftp } authentication-type { password \| password-publickey assign publickey keyname&<1-6> work-directory directory-name }	Use one of the commands.

prev	up	next
Configuring a client's host public key	home	Setting the SSH management parameters