R3102-R3103-HP 6600/HSR6600 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR6602-G Router

331

332

333

334

335

336

337

338

339

340

320

{ If a client directly sends the user's public key information to the server, the server must specify the

client's public key and the specified public key must already exist. For more information about

public keys, see "Configuring a client's host public key."

{ If a client sends the user's public key information to the server through a digital certificate, the

server must specify the PKI domain for verifying the client certificate. For more information about

configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass

the authentication, the specified PKI domain must have the proper CA certificate.

• If publickey authentication, whether with password authentication or not, is used, the command

level accessible to the user is set by the user privilege level command on the user interface. If only

password authentication is used, the command level accessible to the user is authorized by AAA.

• SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or

all.

• For an SFTP SSH user, the working folder depends on the authentication method:

{ If only password authentication is used, the working folder is authorized by AAA.

{ If publickey authentication, whether with password authentication or not, is used, the working

folder is set by using the ssh user command.

• If you change the authentication mode or public key for an SSH user that has logged in, the change

takes effect only at the next login of the user.

To configure an SSH user and specify the service type and authentication method:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create an SSH user, and

specify the service type

and authentication

method.

• Create an SSH user, and specify the service type

and authentication method for Stelnet users:

ssh user username service-type stelnet

authentication-type { password | { any |

password-publickey | publickey } assign

{ pki-domain pkiname | publickey keyname } }

• Create an SSH user, and specify the service type

and authentication method for all users, SCP or

SFTP users:

ssh user username service-type { all | scp | sftp }

authentication-type { password | { any |

password-publickey | publickey } assign

{ pki-domain pkiname | publickey keyname }

work-directory directory-name }

Use either command.

Setting the SSH management parameters

The SSH management parameters can be set to improve the security of SSH connections. The SSH

management parameters include:

• Compatibility between the SSH server and SSH1 clients.

• RSA server key pair update interval, applicable to users using SSH1 client.

• SSH user authentication timeout period. This parameter is used to reject a connection if the

authentication for the connection is not completed before the timeout period expires.

• Maximum number of SSH authentication attempts. This parameter is used to prevent malicious

password cracking.