HP MSR2000/3000/4000 Router Series Security Command Reference

sftp: Specifies the service type as SFTP.
stelnet: Specifies the service type as Stelnet.
authentication-type: Specifies an authentication method for an SSH user:
password: Specifies password authentication. This authentication method features easy and fast
encryption, but it is vulnerable. It can work with AAA to implement user authentication,
authorization, and accounting.
any: Specifies either password authentication or publickey authentication.
password-publickey: Specifies both password authentication and publickey authentication
(featuring higher security) if the client runs SSH2, and specifies either type of authentication if the
client runs SSH1.
publickey: Specifies publickey authentication. This authentication method has complicated and
slow encryption, but it provides strong authentication that can defend against brute-force attacks.
This authentication method is easy to use. If this method is configured, the authentication process
completes automatically without the need to enter a password.
assign publickey keyname: Assigns an existing host public key to an SSH user. The keyname argument
is a string of 1 to 64 characters.
Usage guidelines
If the authentication method is publickey, you must create an SSH user and a local user. To get the correct
working directory and user role, the local user must have the same username as the SSH user.
If the authentication method is password-publickey or any, you must create an SSH user, and configure
a local user account by using the local-user command for local authentication, or configure an SSH user
account on an authentication server, for example, a RADIUS server, for remote authentication.
If the authentication method is password, you do not need to execute this command to configure SSH
users unless you want to use the display ssh user-information command to display all SSH users,
including the password-only SSH users, for centralized management.
If you use the ssh user command to configure a host public key for a user who already has a host
public key, the new one overwrites the old one.
You can change the authentication method, service type, and host public key for an SSH user while the
user is communicating with the SSH server, but your changes take effect for a client only at its next login.
For an SFTP or SCP user, the working directory depends on the authentication method:
If the authentication method is password, the working directory is authorized by AAA.
If the authentication method is publickey or password-publickey, the working directory is specified
by the authorization-attribute command in the associated local user view.
For an SFTP or Stelnet user, the user role also depends on the authentication method:
If the authentication method is password, the user role is authorized by the remote AAA server or
the local device.
If the authentication method is publickey or password-publickey, the user role is specified by the
authorization-attribute command in the associated local user view.
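The following audit script is an added example, not part of the HP reference. It checks ssh user lines against the rules above: password and any accept a password alone, password-publickey falls back to either method for SSH1 clients, and publickey or password-publickey users take their role and working directory from a local user of the same name. The sample configuration is constructed, and the script assumes that local-user views appear as indented lines and that authorization-attribute settings are written out explicitly in the saved configuration.

```python
import re

# Constructed sample configuration (not from the page); the layout is an assumption.
SAMPLE_CONFIG = """\
local-user user1 class manage
 authorization-attribute user-role network-operator
local-user user3 class manage
ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1
ssh user user2 service-type stelnet authentication-type publickey assign publickey key2
ssh user user3 service-type stelnet authentication-type publickey assign publickey key3
ssh user user4 service-type sftp authentication-type any assign publickey key4
"""

SSH_USER = re.compile(r"^ssh user (\S+) service-type (\S+) authentication-type (\S+)")
LOCAL_USER = re.compile(r"^local-user (\S+)")

def audit(config):
    """Return (username, finding) pairs for the ssh user lines in config."""
    local_users = {}   # name -> True once an authorization-attribute line is seen
    ssh_users = []     # (name, authentication-type)
    current = None     # local user whose indented view is being read
    for line in config.splitlines():
        if line.startswith(" "):
            if current and line.strip().startswith("authorization-attribute"):
                local_users[current] = True
            continue
        current = None
        if m := LOCAL_USER.match(line):
            current = m.group(1)
            local_users.setdefault(current, False)
        elif m := SSH_USER.match(line):
            ssh_users.append((m.group(1), m.group(3)))

    findings = []
    for name, auth in ssh_users:
        if auth in ("password", "any"):
            findings.append((name, "password alone is accepted"))
        if auth == "password-publickey":
            findings.append((name, "SSH1 clients need only one method"))
        if auth in ("publickey", "password-publickey"):
            # Role and working directory come from the same-named local user.
            if name not in local_users:
                findings.append((name, "no local user with the same name"))
            elif not local_users[name]:
                findings.append((name, "local user has no authorization-attribute"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```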
Examples
# Create an SSH user named user1, set the service type sftp and the authentication method
password-publickey, and assign a host public key named key1 to the user.
<Sysname> system-view