F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Command Reference-6PW100
• sftp: Specifies the service type as SFTP.
• stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies the authentication method of an SSH user, which can be one of the
following:
• password: Performs password authentication. This authentication method features easy and fast
encryption, but it is vulnerable. It can work with AAA to implement user authentication,
authorization, and accounting.
• any: Performs either password authentication or publickey authentication.
• password-publickey: Performs both password authentication and publickey authentication
(featuring higher security) if the client runs SSH2, and performs either type of authentication if the
client runs SSH1.
• publickey: Performs publickey authentication. This authentication method has complicated and
slow encryption, but it provides strong authentication that can defend against brute-force attacks.
This authentication method is easy to use. If this method is configured, the authentication process
completes automatically without the need to enter a password.
assign: Specifies parameters that are used to verify the client.
• pki-domain pkiname: Specifies the PKI domain that verifies the client certificate. The pkiname
argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate that is
saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys
in advance.
• publickey keyname: Specifies the public key of the SSH user. The keyname argument represents an
existing public key for an SSH user, and is a case-sensitive string of 1 to 64 characters. The server
checks the validity of the user through the user's public key that has been locally saved. If the public
key file on the client changes, the local configuration on the server must be updated accordingly.
work-directory directory-name: Specifies the working directory for an SFTP user. The directory-name
argument is a string of 1 to 135 characters.
Usage guidelines
If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the
SSH server uses password authentication, you do not need to create the user account on the device, but
you must configure the user account information on the device for local authentication, or on the remote
authentication server (such as a RADIUS server) for remote authentication.
If you use the ssh user command to specify a public key or PKI domain for a user more than one time, the
new parameters overwrite the old ones.
You can change parameters for an SSH user that has logged in, but your changes take effect for the user
at the next login.
If an SFTP or SCP user has been assigned a public key or PKI domain, it is necessary to set a working
folder for the user.
The working folder of an SFTP or SCP user depends on the user authentication method. For a user using
only password authentication, the working folder is the AAA authorized one. For a user using only
publickey authentication or using both publickey authentication and password authentication, the
working folder is the one set by using the ssh user command.
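The following configuration audit is an added example, not part of the HP command reference. It parses ssh user lines and reports the conditions described above: users that can log in with a password alone, password-publickey users that an SSH1 client can reach with a single method, and SFTP or SCP users that have a key or PKI domain assigned but no working directory. The exact line syntax (including the service-type keyword and the all and scp values) is assumed, and all user names, key names and paths are constructed.

```python
import re

# Constructed sample configuration lines (users, key names and paths are made up).
# Assumed syntax: ssh user <name> service-type <type> authentication-type <method>
#                 [assign {pki-domain|publickey} <ref>] [work-directory <dir>]
SAMPLE_CONFIG = """\
ssh user alice service-type stelnet authentication-type password
ssh user bob service-type sftp authentication-type publickey assign publickey bobkey
ssh user carol service-type sftp authentication-type publickey assign publickey carolkey work-directory flash:/carol
ssh user dave service-type stelnet authentication-type any assign publickey davekey
ssh user erin service-type all authentication-type password-publickey assign pki-domain corp work-directory flash:/erin
"""

LINE_RE = re.compile(
    r"^\s*ssh user (?P<user>\S+) service-type (?P<svc>all|scp|sftp|stelnet)"
    r" authentication-type (?P<auth>password-publickey|password|publickey|any)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<ref>\S+))?"
    r"(?: work-directory (?P<dir>\S+))?\s*$"
)

def audit(config: str) -> dict:
    """Return {user: [findings]} for every ssh user line found in config."""
    report = {}
    for line in config.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an ssh user line in the assumed syntax
        findings = []
        if m["auth"] == "password":
            findings.append("password-only authentication")
        elif m["auth"] == "any":
            findings.append("password accepted as alternative to publickey")
        elif m["auth"] == "password-publickey":
            findings.append("SSH1 clients need only one of the two methods")
        # Assumption: service type "all" includes SFTP, so the rule applies to it too.
        if m["kind"] and m["svc"] != "stelnet" and not m["dir"]:
            findings.append("SFTP/SCP user with key or PKI domain but no work-directory")
        # A repeated ssh user command overwrites the old parameters: last line wins.
        report[m["user"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(SAMPLE_CONFIG).items():
        print(user, "->", findings or ["ok"])
```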