Configuring an SSH user
About the SSH user
Whether you must configure an SSH user, a local user, or both depends on the authentication method.
If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
If the authentication method is password, you must perform one of the following tasks:
For local authentication, configure a local user on the SSH server.
For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
For password authentication, you do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If you create such an SSH user, make sure you specify the correct service type and authentication method for it.
If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:
For local authentication, configure a local user on the SSH server.
For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.
For information about configuring local users and remote authentication, see "Configuring AAA."
Restrictions and guidelines
If you change the authentication parameters for a logged-in SSH user, the change takes effect on the user at the next login.
When the device operates as an SSH server in FIPS mode, the any and publickey authentication methods are not supported.
For an SFTP or SCP user, the working directory depends on the authentication method.
If the authentication method is password, the working directory is authorized by AAA.
If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
For an SSH user, the user role also depends on the authentication method.
If the authentication method is password, the user role is authorized by AAA.
If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
For all authentication methods except password authentication, you must specify a client's host public key or digital certificate.
For a client that sends the user's public key information directly to the server, specify the client's host public key on the server. The specified public key must already exist on the server. For more information about public keys, see "Configuring a client's host public key." If you specify multiple client public keys, the device verifies the user identity by using the public keys in the order they are specified. The user passes authentication as soon as one of the public keys verifies the user.
For a client that sends the user's public key information to the server through a digital certificate, specify the PKI domain on the server. This PKI domain verifies the client's digital certificate. For successful verification, the specified PKI domain must have the correct CA certificate. To specify the PKI domain, use the ssh user or ssh server pki-domain command. For more information about configuring a PKI domain, see "Configuring PKI."
Procedure
Enter system view.
system-view
Create an SSH user, and specify the service type and authentication method.
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
An SSH server supports up to 1024 SSH users.
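The following CLI session is an added example illustrating the procedure above; it is not part of the original guide. It configures an SFTP user that authenticates by publickey (non-FIPS mode) and a Stelnet user that authenticates by password-publickey with a PKI domain. The device name Sysname, the usernames client001 and client002, the key file client001.pub, the PKI domain sshpki, the working directory flash:/sftp-home, and the user roles are constructed values. The public-key peer, local-user, and display ssh user-information commands are assumed from the general Comware command set and are not described on this page.

```text
# Step 1: enter system view.
<Sysname> system-view

# Publickey authentication (non-FIPS mode only).
# Import the client's host public key so that it exists before it is
# referenced by the ssh user command. (constructed file name)
[Sysname] public-key peer client001 import sshkey client001.pub

# Create the local user with the SAME username as the SSH user. For
# publickey authentication the user role and SFTP working directory are
# taken from authorization-attribute in this local user view, not from AAA.
[Sysname] local-user client001 class manage
[Sysname-luser-manage-client001] service-type ssh
[Sysname-luser-manage-client001] authorization-attribute user-role network-operator work-directory flash:/sftp-home
[Sysname-luser-manage-client001] quit

# Step 2: create the SSH user, binding it to the imported key.
[Sysname] ssh user client001 service-type sftp authentication-type publickey assign publickey client001

# password-publickey authentication with certificate-based key delivery.
# This form is also valid in FIPS mode. The PKI domain must already hold
# the CA certificate that signs the client's certificate. (constructed)
[Sysname] local-user client002 class manage
[Sysname-luser-manage-client002] password simple <PLACEHOLDER-PASSWORD>
[Sysname-luser-manage-client002] service-type ssh
[Sysname-luser-manage-client002] authorization-attribute user-role network-operator
[Sysname-luser-manage-client002] quit
[Sysname] ssh user client002 service-type stelnet authentication-type password-publickey assign pki-domain sshpki

# Verify the service type and authentication method of each SSH user.
[Sysname] display ssh user-information
```

A mismatch between the local username and the SSH username is the most common cause of a publickey login being rejected even though the key verifies, because the server cannot locate the user role and working directory to assign. Changes to these parameters apply to an already logged-in user only at that user's next login.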