R3303-HP HSR6800 Routers Security Command Reference

Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters.
service-type: Specifies the service type of an SSH user:
all: Specifies Stelnet, SFTP, and SCP.
scp: Specifies the service type as SCP.
sftp: Specifies the service type as SFTP.
stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user:
password: Specifies password authentication. This authentication method features easy and fast
encryption, but it is vulnerable. It can work with AAA to implement user authentication,
authorization, and accounting.
keyboard-interactive: Specifies keyboard-interactive authentication. When the client initiates an
authentication request, the remote authentication server sends the SSH server an authentication
response with a question. The question is relayed to the client and displayed on the client. The user
must enter the answer to the question. This question-answer exchange might be repeated multiple
times until the user provides all required information. Then, the remote authentication server returns
an authentication success message. This authentication method is supported only when the router
acts as an SSH server and uses the HWTACACS server as the remote authentication server.
any: Specifies any one of password authentication, publickey authentication, or
keyboard-interactive authentication.
password-publickey: Specifies both password authentication and publickey authentication
(featuring higher security) if the client runs SSH2, and specifies either type of authentication if the
client runs SSH1.
publickey: Specifies publickey authentication. This authentication method uses complicated and
slow encryption, but it provides strong authentication that can defend against brute-force attacks.
This authentication method is easy to use. If this method is configured, the authentication process
completes automatically without the need to enter a password.
assign: Specifies parameters that are used to verify the client.
pki-domain pkiname: Specifies the PKI domain which verifies the client certificate. The pkiname
argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate that is
saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys
in advance.
publickey keyname: Specifies the public key of the SSH user. The keyname argument represents an
existing public key for the SSH user, and is a case-sensitive string of 1 to 64 characters. The server
checks the validity of the user through the user's public key that has been saved locally. If the public
key file on the client changes, the server's local configuration must be updated promptly.
work-directory directory-name: Specifies the working directory for an SFTP user. The directory-name
argument is a string of 1 to 135 characters.
Usage guidelines
If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the
SSH server uses password authentication, you do not need to create the user account on the device, but
you must configure the user account information on the device for local authentication, or on the remote
authentication server (such as a RADIUS server) for remote authentication.
If you specify a public key or PKI domain for a user multiple times, the most recent configuration takes
effect.
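The following Python check is an added example, not part of the HP reference: it reads SSH user configuration lines, treats the most recent line for a case-sensitive username as the effective one, and reports the weaker authentication-type choices and length limits described above. The "ssh user ..." line layout and the sample usernames, key names, PKI domain name, and path are assumptions constructed for illustration.

```python
import re

# Finding texts paraphrase this page's parameter descriptions.
NOTES = {
    "password": "password only: the method the reference calls vulnerable",
    "any": "any: a password alone is accepted",
    "password-publickey": "both methods for SSH2, but either one for SSH1 clients",
    "keyboard-interactive": "supported only with an HWTACACS remote server",
}
NEEDS_ASSIGN = {"any", "password-publickey", "publickey"}
LIMITS = {"pki-domain": 15, "publickey": 64}  # maximum name lengths from the page

# Assumed line layout: ssh user <name> service-type <svc> authentication-type <auth> ...
LINE = re.compile(r"^\s*ssh user (\S+) service-type (\S+) authentication-type (\S+)(.*)$")

def audit(config_text):
    """Return {username: [findings]} for the effective line of each user."""
    effective = {}
    for line in config_text.splitlines():
        m = LINE.match(line)
        if m:
            effective[m.group(1)] = m.groups()  # case-sensitive key, last line wins
    report = {}
    for user, (_, service, auth, rest) in effective.items():
        findings = []
        if len(user) > 80:
            findings.append("username longer than 80 characters")
        if auth in NOTES:
            findings.append(NOTES[auth])
        assign = re.search(r"\bassign (pki-domain|publickey) (\S+)", rest)
        if auth in NEEDS_ASSIGN and not assign:
            findings.append("no assign pki-domain/publickey parameter to verify the client")
        if assign and len(assign.group(2)) > LIMITS[assign.group(1)]:
            findings.append(f"{assign.group(1)} name exceeds {LIMITS[assign.group(1)]} characters")
        if "work-directory" in rest and service not in ("sftp", "all"):
            findings.append("work-directory applies to SFTP users only")
        report[user] = findings
    return report

# Constructed sample configuration (not taken from a real device).
SAMPLE = """\
ssh user admin service-type stelnet authentication-type password
ssh user Admin service-type all authentication-type any assign publickey adminkey
ssh user backup service-type sftp authentication-type password
ssh user backup service-type sftp authentication-type publickey assign pki-domain dom1 work-directory flash:/bk
ssh user ops service-type scp authentication-type password-publickey assign publickey opskey
"""

if __name__ == "__main__":
    for user, findings in audit(SAMPLE).items():
        print(user, "->", findings or ["ok"])
```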