Configuring an SSH user
If the authentication method is publickey, you must perform the procedure in this section.
If the authentication method is password or password-publickey, you must perform one of the following tasks:
For local authentication, configure a local user account by using the local-user command.
For remote authentication, configure an SSH user account on an authentication server, for example, a RADIUS server.
If the authentication method is password, you do not need to create an SSH user. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
Configuration guidelines
When you configure an SSH user, follow these guidelines:
You can set the service type to Stelnet, SFTP or SCP.
You can specify one of the following authentication methods for the SSH user:
Password
Publickey authentication
Password-publickey authentication
Keyboard-interactive authentication
Any
For more information about these authentication methods, see "SSH authentication methods."
For all authentication methods except password authentication and keyboard-interactive authentication, you must specify a client's host public key or digital certificate.
For a client that directly sends the user's public key information to the server, you must specify the client's host public key on the server. The specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
For a client that sends the user's public key information to the server through a digital certificate, you must specify the PKI domain on the server. This PKI domain verifies the client certificate. For successful verification, the CA certificate in the specified PKI domain must be correct. For more information about PKI domain configuration, see "Configuring PKI."
The command level accessible to a publickey or password-publickey authenticated user is set by the user privilege level command on the user interface. The command level accessible to a password authenticated user is authorized by AAA.
SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.
For an SFTP SSH user, the working folder depends on the authentication method:
If the authentication method is password, the working folder is authorized by AAA.
If the authentication method is publickey or password-publickey, the working folder is set by using the ssh user command.
If you change the authentication parameters for a logged-in SSH user, the change can take effect on the user only at the next login.
When the device operates in FIPS mode as an SSH server, it does not support the any or publickey authentication method.
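The guidelines above can be checked before a change is pushed to the device. The following is an added example, not vendor code, that lints planned SSH user definitions against them. The SshUser record, its field names, and the sample plan are assumptions made for illustration and are not device syntax.

```python
# Added example: lint planned SSH user definitions against the guidelines above.
# SshUser and its field names are hypothetical, not device command syntax.
from dataclasses import dataclass
from typing import Optional

SERVICE_TYPES = {"stelnet", "sftp", "scp", "all"}
AUTH_METHODS = {"password", "publickey", "password-publickey",
                "keyboard-interactive", "any"}
NO_KEY_NEEDED = {"password", "keyboard-interactive"}

@dataclass
class SshUser:
    name: str
    service_type: str
    auth_method: str
    publickey: Optional[str] = None   # name of a client host public key
    pki_domain: Optional[str] = None  # PKI domain that verifies the client cert
    ssh1_client: bool = False         # True if the user connects with SSH1

def lint(user, known_keys, fips_mode=False):
    """Return the list of guideline violations for one planned SSH user."""
    problems = []
    if user.service_type not in SERVICE_TYPES:
        problems.append(f"unknown service type {user.service_type!r}")
    if user.auth_method not in AUTH_METHODS:
        problems.append(f"unknown authentication method {user.auth_method!r}")
    elif user.auth_method not in NO_KEY_NEEDED:
        if not (user.publickey or user.pki_domain):
            problems.append("needs a client host public key or a PKI domain")
        elif user.publickey and user.publickey not in known_keys:
            problems.append(f"public key {user.publickey!r} does not exist yet")
    if user.ssh1_client and user.service_type not in {"stelnet", "all"}:
        problems.append("SSH1 clients require service type stelnet or all")
    if fips_mode and user.auth_method in {"any", "publickey"}:
        problems.append("FIPS mode does not support any or publickey")
    return problems

# Constructed sample plan, not taken from any device.
PLAN = [
    SshUser("ops1", "stelnet", "publickey", publickey="ops1-key"),
    SshUser("xfer", "sftp", "password-publickey", ssh1_client=True),
    SshUser("audit", "scp", "any", pki_domain="corp-pki"),
]

if __name__ == "__main__":
    for u in PLAN:
        print(u.name, lint(u, known_keys={"ops1-key"}, fips_mode=True))
```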
Configuration procedure
To configure an SSH user and specify the service type and authentication method:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Create an SSH user, and specify the service type and authentication method. | | Use either command. |