R2511-HP MSR Router Series Security Command Reference(V5)

completes automatically without the need of entering any password. This method is not supported
in FIPS mode.
assign: Specifies parameters that are used to verify the client.
pki-domain pkiname: Specifies the PKI domain that verifies the client certificate. The pkiname
argument is a case-insensitive string of 1 to 15 characters. The server uses the CA certificate that is
saved in the PKI domain to verify one or multiple client certificates without saving clients' public keys
in advance.
publickey keyname: Specifies the public key of the SSH user. The keyname argument is the name of an
existing public key assigned to an SSH user, and is a case-sensitive string of 1 to 64 characters. The server
verifies the user against the copy of the user's public key that has been saved locally. If the public
key on the client changes, the local configuration on the server must be updated promptly.
work-directory directory-name: Specifies the working directory for an SFTP user. The directory-name
argument is a string of 1 to 135 characters.
Usage guidelines
If the SSH server uses publickey authentication, you must create an SSH user account on the device. If the
SSH server uses password authentication, you do not need to create the user account on the device, but
you must configure the user account information on the device for local authentication, or on the remote
authentication server (such as a RADIUS server) for remote authentication.
If you use the ssh user command to specify a public key or PKI domain for a user multiple times, the most
recent configuration takes effect.
You can change parameters for an SSH user that has already logged in, but your changes take effect on
the user at the next login.
If an SFTP or SCP user has been assigned a public key or PKI domain, you must set a working folder for
the user.
The working folder of an SFTP or SCP user depends on the user authentication method:
If the authentication method is password, the working folder is the AAA authorized one.
If the authentication method is publickey or password-publickey, the working folder is the one set
by using the ssh user command.
Examples
# Create an SSH user named user1, set the service type to sftp and the authentication method to
publickey, assign the public key named key1 to the client, and set the working folder on the SFTP server
to flash:
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
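The parameter limits and usage guidelines above can be checked offline against a saved configuration. The following Python audit script is an added example, not part of this command reference or of the device software; it assumes a constructed set of ssh user lines, models only the sftp and scp service types and the authentication methods named on this page, and reports the findings a reviewer would want (name-length limits, an SFTP or SCP user with an assigned key or PKI domain but no working folder, and the effective working folder per authentication method).

```python
import re
from typing import Dict, List, Optional

# Constructed sample of "ssh user" lines from a running configuration (not from the page).
SAMPLE_CONFIG = """\
ssh user user1 service-type sftp authentication-type publickey assign publickey key1 work-directory flash:
ssh user user2 service-type scp authentication-type publickey assign publickey key2
ssh user user3 service-type sftp authentication-type password
ssh user user4 service-type sftp authentication-type password-publickey assign pki-domain a-domain-name-too-long work-directory flash:
ssh user user2 service-type scp authentication-type publickey assign publickey key2 work-directory flash:
"""

# Hypothetical pattern for the command form shown on this page; other service types are not modelled.
SSH_USER_RE = re.compile(
    r"^ssh user (?P<user>\S+) service-type (?P<svc>\S+) authentication-type (?P<auth>\S+)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<val>\S+))?"
    r"(?: work-directory (?P<workdir>\S+))?$"
)

def effective_work_directory(auth: str, workdir: Optional[str]) -> str:
    """Working folder rule from the usage guidelines: password authentication uses the
    AAA authorized folder; publickey and password-publickey use the ssh user setting."""
    if auth == "password":
        return "<AAA authorized>"
    return workdir or "<not set>"

def audit_ssh_users(config: str) -> Dict[str, List[str]]:
    """Return {username: [findings]} for each ssh user line. A user configured more than
    once keeps only the most recent line, matching the device's own behaviour."""
    findings: Dict[str, List[str]] = {}
    for raw in config.splitlines():
        m = SSH_USER_RE.match(raw.strip())
        if not m:
            continue
        problems: List[str] = []
        kind, val, workdir = m["kind"], m["val"], m["workdir"]
        if kind == "pki-domain" and not 1 <= len(val) <= 15:
            problems.append("pki-domain name must be 1 to 15 characters")
        if kind == "publickey" and not 1 <= len(val) <= 64:
            problems.append("publickey name must be 1 to 64 characters")
        if workdir and not 1 <= len(workdir) <= 135:
            problems.append("work-directory must be 1 to 135 characters")
        if m["svc"] in ("sftp", "scp") and kind and not workdir:
            problems.append("SFTP/SCP user with assigned key or PKI domain lacks a work-directory")
        findings[m["user"]] = problems
    return findings

if __name__ == "__main__":
    for user, problems in audit_ssh_users(SAMPLE_CONFIG).items():
        print(user, problems or "OK")
```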
Related commands
display ssh user-information
pki domain