Manualshelf

R21xx-HP FlexFabric 11900 Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP FlexFabric 11000 Switch Products
81828384858687888990
83
{ If publickey authentication, whether with password authentication or not, is used, the user role
is specified by the authorization-attribute command in the associated local user view.
If you change the authentication method or public key for an SSH user that has been logged in, the
change can take effect only at the next login of the user.
Except password authentication, the other authentication methods require a client's host public key
to be specified. For more information about host public keys, see "Configuring a client's host public
ke
y."
Any authentication and publickey authentication are not available when the device acts as an SSH
server in FIPS mode.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
Ste
p
Command
1. Enter system view.
system-view
2. Create an SSH user, and
specify the service type and
authentication method.
In non-FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet }
authentication-type { password | { any | password-publickey |
publickey } assign publickey keyname }
In FIPS mode:
ssh user username service-type { all | scp | sftp | stelnet }
authentication-type { password | password-publickey assign
publickey keyname }
Setting the SSH management parameters
Setting the SSH management parameters can improve the security of SSH connections. The SSH
management parameters include:
Whether the SSH server is compatible with SSH1 clients.
RSA server key pair update interval, applicable to users using SSH1 clients.
SSH user authentication timeout period. You can set this parameter to reject a connection if the
authentication for the connection has not been finished when the timeout period expires.
Maximum number of SSH authentication attempts. You can set this parameter to prevent malicious
password cracking. If any authentication is used, the total number of both publickey and password
authentication attempts cannot exceed the configured upper limit.
ACL for SSH clients. You can configure an ACL to filter SSH clients which initiate connections with
the SSH server.
SFTP connection idle timeout period. When the idle period of an SFTP connection exceeds the
specified threshold, the system automatically tears the connection down.
To set the SSH management parameters:
Ste
p
Command
Remarks
1. Enter system view. system-view
N/A