Configuring the device as an SSH server

This section provides the SSH server configuration procedure used when the SSH client authentication method is password. For more information about SSH and publickey authentication configuration, see Security Configuration Guide.

To configure the device as an SSH server:

Step | Command | Remarks

1. Enter system view.

system-view

N/A

2. Create local key pairs.

  • In non-FIPS mode: public-key local create { dsa | ecdsa [ secp192r1 | secp256r1 | secp384r1 ] | rsa } [ name key-name ]

  • In FIPS mode: public-key local create { dsa | ecdsa [ secp256r1 | secp384r1 ] | rsa } [ name key-name ]

By default, no local key pairs are created.

3. Enable the Stelnet server.

ssh server enable

By default, the Stelnet server is disabled.

4. (Optional.) Create an SSH user and specify the authentication mode.

  • In non-FIPS mode: ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign { pki-domain domain-name | publickey keyname } }

  • In FIPS mode: ssh user username service-type stelnet authentication-type { password | password-publickey assign { pki-domain domain-name | publickey keyname } }

By default, no SSH user is configured on the device.

5. Enter VTY line view or class view.

  • Enter VTY line view: line vty first-number [ last-number ]

  • Enter VTY line class view: line class vty

A setting in user line view applies only to the user line. A setting in user line class view applies to all user lines of the class.

A non-default setting in either view takes precedence over a default setting in the other view. A non-default setting in user line view takes precedence over a non-default setting in user line class view.

A setting in user line class view does not take effect for current online users. It takes effect only for new login users.

6. Enable scheme authentication.

authentication-mode scheme

In non-FIPS mode, password authentication is enabled for VTY lines by default.

In FIPS mode, scheme authentication is enabled for VTY lines by default.

In VTY line view, this command is associated with the protocol inbound command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

7. (Optional.) Specify the protocols for the user lines to support.

  • In non-FIPS mode: protocol inbound { all | ssh | telnet }

  • In FIPS mode: protocol inbound ssh

In non-FIPS mode, both Telnet and SSH are supported by default.

In FIPS mode, SSH is supported by default.

A protocol change does not take effect for current online users. It takes effect only for new login users.

In VTY line view, this command is associated with the authentication-mode command. If you specify a non-default value for one of the two commands, the other command uses the default setting, regardless of the setting in VTY line class view.

8. Exit to system view.

quit

N/A

9. (Optional.) Configure common settings for VTY lines.

See "Configuring common VTY line settings."

N/A

10. (Optional.) Set the maximum number of concurrent SSH users.

aaa session-limit ssh max-sessions

The default is 32.

Changing this setting does not affect users who are currently online. If the new limit is less than the number of online SSH users, no additional SSH users can log in until the number drops below the new limit.

For more information about this command, see Security Command Reference.
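The precedence rules in steps 5 through 7 are easy to misjudge during a hardening review: setting only authentication-mode scheme in VTY line view sends protocol inbound back to its default for that line, even when the class view restricts it to SSH. The following Python illustration is added here and is not vendor code; it parses a constructed config snippet (SAMPLE_CONFIG, the function names and the rule that a value explicitly set to its default does not count as non-default are assumptions) and computes the effective settings per line using the non-FIPS defaults the page states.

```python
import re

DEFAULTS = {"authentication-mode": "password", "protocol inbound": "all"}  # non-FIPS

# Constructed sample config (not from a real device); vty 0 3 sets only authentication-mode.
SAMPLE_CONFIG = """\
line class vty
 authentication-mode scheme
 protocol inbound ssh
#
line vty 0 3
 authentication-mode scheme
#
line vty 4 63
#
"""

def parse_vty_views(config):
    """Return (class_view, [(first, last, line_view), ...]) for the two commands."""
    class_view, line_views, cur = {}, [], None
    for raw in config.splitlines():
        text = raw.strip()
        if text == "line class vty":
            cur = class_view
        elif m := re.fullmatch(r"line vty (\d+)(?: (\d+))?", text):
            cur = {}
            line_views.append((int(m.group(1)), int(m.group(2) or m.group(1)), cur))
        elif text == "#" or not text:
            cur = None  # '#' closes the current view
        elif cur is not None:
            for cmd in DEFAULTS:
                if text.startswith(cmd + " "):
                    cur[cmd] = text[len(cmd) + 1:]
    return class_view, line_views

def effective_settings(config, vty):
    """Effective authentication-mode and protocol inbound for VTY line `vty`."""
    class_view, line_views = parse_vty_views(config)
    line_view = next((s for f, l, s in line_views if f <= vty <= l), {})
    non_default = {k: v for k, v in line_view.items() if v != DEFAULTS[k]}
    if non_default:
        # Associated commands: a non-default value for one in line view makes
        # the other use its default, regardless of the class view setting.
        return {k: non_default.get(k, DEFAULTS[k]) for k in DEFAULTS}
    # Nothing non-default in line view: class view, then the built-in default.
    return {k: class_view.get(k, DEFAULTS[k]) for k in DEFAULTS}

def telnet_reachable_lines(config, total=64):
    return [n for n in range(total) if effective_settings(config, n)["protocol inbound"] != "ssh"]
```

Running it against SAMPLE_CONFIG shows lines 0 to 3 still accepting Telnet despite the class view, which is the case to look for when auditing a device whose VTY lines were hardened one at a time.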