
Configuring an SSH user, Configuration restrictions and guidelines – H3C Technologies H3C S6300 Series Switches User Manual


Step                                                     Command
2. Import a client's public key from a public key file.  public-key peer keyname import sshkey filename

Configuring an SSH user

To configure an SSH user that uses publickey authentication, perform the procedure in this section.

If the authentication method is publickey, you must create an SSH user and a local user on the server. To get the correct working directory and user role, the local user must have the same username as the SSH user.

If the authentication method is password-publickey or any, you must create an SSH user, and configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication. In either case, the local user or the SSH user configured for remote authentication must have the same username as the SSH user.

If the authentication method is password, you do not need to create an SSH user or local user. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.

Configuration restrictions and guidelines

When you configure an SSH user, follow these restrictions and guidelines:

- An SSH server supports up to 1024 SSH users.

- For an SFTP or SCP user, the working directory depends on the authentication method:
  - If the authentication method is password, the working directory is authorized by AAA.
  - If the authentication method is publickey or password-publickey, the working folder is specified by the authorization-attribute command in the associated local user view.

- For an SSH user, the user role also depends on the authentication method:
  - If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
  - If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.

- If you change the authentication method or public key for an SSH user that is logged in, the change takes effect for that user only at the next login.

- All authentication methods except password authentication require a client's host public key or digital certificate to be specified.
  - If a client directly sends the user's public key information to the server, you must specify the client's public key on the server and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
  - If a client sends the user's public key information to the server through a digital certificate, you must specify the PKI domain for verifying the client certificate on the server. To make sure the authorized SSH users can pass the authentication, the specified PKI domain must have the correct CA certificate. For more information about configuring a PKI domain, see "Configuring PKI."
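
The pairing rules above can be checked against a saved configuration. The following is an added example, not part of the H3C manual: the `ssh user … authentication-type … assign publickey …` and `public-key peer …` line formats are assumed, the excerpt is constructed, and `audit` and `SAMPLE_CONFIG` are hypothetical names. A missing local user is flagged only for publickey, because password-publickey and any users may be defined on a remote authentication server.

```python
import re

# Constructed configuration excerpt; line formats are assumptions, not device output.
SAMPLE_CONFIG = """\
public-key peer key1
local-user client001 class manage
 service-type ssh
 authorization-attribute user-role network-admin
local-user client003 class manage
 service-type ssh
ssh user client001 service-type stelnet authentication-type publickey assign publickey key1
ssh user client002 service-type sftp authentication-type publickey assign publickey key2
ssh user client003 service-type scp authentication-type password-publickey assign publickey key1
ssh user client004 service-type stelnet authentication-type password
"""

SSH_USER = re.compile(r"ssh user (\S+) service-type \S+ authentication-type (\S+)"
                      r"(?: assign (publickey|pki-domain) (\S+))?")

def audit(config):
    """Return (username, problem) findings for the SSH users in a config text."""
    peers, local_users, ssh_users, view = set(), {}, [], None
    for line in config.splitlines():
        if line.startswith("local-user "):
            view = local_users.setdefault(line.split()[1], [])
        elif line.startswith(" ") and view is not None:
            view.append(line.strip())  # command inside the local user view
        else:
            view = None
            if line.startswith("public-key peer "):
                peers.add(line.split()[2])
            elif (m := SSH_USER.match(line)):
                ssh_users.append(m.groups())
    findings = []
    for name, method, kind, target in ssh_users:
        if method == "password":
            continue  # role and working directory are authorized by AAA
        if kind is None:
            findings.append((name, "no public key or PKI domain assigned"))
        elif kind == "publickey" and target not in peers:
            findings.append((name, f"public key {target} is not configured"))
        if method == "publickey" and name not in local_users:
            findings.append((name, "no local user with the same username"))
        attrs = local_users.get(name)
        if attrs is not None and not any(a.startswith("authorization-attribute") for a in attrs):
            findings.append((name, "local user has no authorization-attribute"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```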