HP VPN Firewall Appliances System Management and Maintenance Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

181

182

183

184

185

186

187

188

189

190

174

{ If a client sends the user's public key information to the server through a digital certificate, the

server must specify the PKI domain for verifying the client certificate. For more information about

configuring a PKI domain, see VPN Configuration Guide. To make sure the authorized SSH

users pass the authentication, the specified PKI domain must have the proper CA certificate.

• If the authentication method is publickey or password-publickey, the command level accessible to

the user is set by the user privilege level command on the user interface. If the authentication

method is password, the command level accessible to the user is authorized by AAA.

• SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or

all.

• For an SFTP SSH user, the working folder depends on the authentication method:

{ If the authentication method is password, the working folder is authorized by AAA.

{ If the authentication method is publickey or password-publickey, the working folder is set by

using the ssh user command.

• If you change the authentication mode or public key for an SSH user that has logged in, the change

takes effect only at the next login of the user.

Configuration procedure

To configure an SSH user and specify the service type and authentication method:

Ste

Command

Remarks

1. Enter system view.

system-view N/A

2. Create an SSH user, and

specify the service type

and authentication

method.

• Create an SSH user, and specify the service type

and authentication method for Stelnet users:

ssh user username service-type stelnet

authentication-type { password | { any |

password-publickey | publickey } assign

{ pki-domain pkiname | publickey keyname } }

• Create an SSH user, and specify the service type

and authentication method for all users, SCP or

SFTP users:

ssh user username service-type { all | scp | sftp }

authentication-type { password | { any |

password-publickey | publickey } assign

{ pki-domain pkiname | publickey keyname }

work-directory directory-name }

Use either command.

Setting the SSH management parameters

The SSH management parameters can be set to improve the security of SSH connections. The SSH

management parameters include:

• Compatibility between the SSH server and SSH1 clients.

• RSA server key pair update interval, applicable to users using SSH1 client.

• SSH user authentication timeout period. This parameter is used to reject a connection if the

authentication for the connection is not completed before the timeout period expires.

• Maximum number of SSH authentication attempts. This parameter is used to prevent malicious

password cracking.