R3303-HP HSR6800 Routers Security Configuration Guide

- Any—The user can use password authentication, publickey authentication, or
  keyboard-interactive authentication.
All authentication methods, except password authentication and keyboard-interactive
authentication, require a client's host public key or digital certificate to be specified.
- If a client directly sends the user's public key information to the server, the server must specify the
  client's public key and the specified public key must already exist. For more information about
  public keys, see "Configuring a client's host public key."
- If a client sends the user's public key information to the server through a digital certificate, the
  server must specify the PKI domain for verifying the client certificate. For more information about
  configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass
  the authentication, the specified PKI domain must have the proper CA certificate.
If the authentication method is publickey or password-publickey, the command level accessible to
the user is set by the user privilege level command on the user interface. If the authentication
method is password, the command level accessible to the user is authorized by AAA.
SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or
all.
For an SFTP SSH user, the working folder depends on the authentication method:
- If the authentication method is password, the working folder is authorized by AAA.
- If the authentication method is publickey or password-publickey, the working folder is
  set by using the ssh user command.
If you change the authentication mode or public key for an SSH user that has logged in, the change
takes effect only at the next login of the user.
To configure an SSH user and specify the service type and authentication method:
Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Create an SSH user, and specify the service type and authentication method.
    Command:
      Create an SSH user, and specify the service type and authentication method for Stelnet users:
        ssh user username service-type stelnet authentication-type { password | keyboard-interactive | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } }
      Create an SSH user, and specify the service type and authentication method for all users, SCP or SFTP users:
        ssh user username service-type { all | scp | sftp } authentication-type { password | keyboard-interactive | { any | password-publickey | publickey } assign { pki-domain pkiname | publickey keyname } work-directory directory-name }
    Remarks: Use either command.
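
The following is an added example, not part of the HP guide: a Python check that reads ssh user lines from a saved configuration and reports where they depart from the two command forms in step 2, and where the any method leaves password login open. The function name, the sample user, key, domain and directory names are all made up, and treating work-directory as required for key-based all/scp/sftp users is a reading of the syntax shown above.

```python
import re

KEY_BASED = {"any", "password-publickey", "publickey"}   # need 'assign'
PASSWORD_ONLY = {"password", "keyboard-interactive"}     # authorized by AAA
SERVICES = {"stelnet", "all", "scp", "sftp"}

# Mirrors the two "ssh user" forms in the step table.
PATTERN = re.compile(
    r"^ssh user (?P<user>\S+) service-type (?P<service>\S+)"
    r" authentication-type (?P<auth>\S+)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<ref>\S+))?"
    r"(?: work-directory (?P<workdir>\S+))?$"
)

def audit_ssh_user(line):
    """Return a list of findings for one 'ssh user' configuration line."""
    m = PATTERN.match(" ".join(line.split()))
    if not m:
        return ["not a recognised 'ssh user' command"]
    f = m.groupdict()
    findings = []
    if f["service"] not in SERVICES:
        findings.append(f"unknown service-type {f['service']}")
    if f["auth"] in KEY_BASED:
        if not f["kind"]:
            findings.append("key-based method without 'assign' (no public key or PKI domain)")
        if f["service"] != "stelnet" and not f["workdir"]:
            findings.append("work-directory missing for all/scp/sftp user")
        if f["auth"] == "any":
            findings.append("'any' also accepts password and keyboard-interactive logins")
    elif f["auth"] in PASSWORD_ONLY:
        if f["kind"] or f["workdir"]:
            findings.append("assign/work-directory are not part of the password forms")
    else:
        findings.append(f"unknown authentication-type {f['auth']}")
    if f["service"] == "stelnet" and f["workdir"]:
        findings.append("work-directory is not part of the stelnet form")
    return findings

# Constructed sample lines (user, key, domain and directory names are made up).
SAMPLE = [
    "ssh user ops1 service-type stelnet authentication-type publickey assign publickey opskey",
    "ssh user xfer1 service-type sftp authentication-type any assign pki-domain dom1 work-directory flash:/",
    "ssh user xfer2 service-type scp authentication-type publickey work-directory flash:/",
    "ssh user adm1 service-type stelnet authentication-type password",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", audit_ssh_user(line) or "ok")
```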
Setting the SSH management parameters
The SSH management parameters can be set to improve the security of SSH connections. The SSH
management parameters include: