Configuring an ssh user, Configuration guidelines – H3C Technologies H3C SecBlade LB Cards User Manual

Importing a client public key from a public key file

Step                                                 Command
1. Enter system view.                                system-view
2. Import the public key from a public key file.     public-key peer keyname import sshkey filename

Configuring an SSH user

If the authentication method is publickey, you must perform the procedure in this section.

If the authentication method is password or password-publickey, you must configure a local user account by using the local-user command for local authentication, or configure an SSH user account on an authentication server, for example, a RADIUS server, for remote authentication.

If the authentication method is password, you do not need to perform the procedure in this section unless you want to use the display ssh user-information command to display all SSH users, including the password-only SSH users, for centralized management.

Configuration guidelines

You can set the service type to Stelnet, SFTP, or SCP.

You can enable one of the following authentication modes for the SSH user:

  - Password—The user must pass password authentication.
  - Publickey authentication—The user must pass publickey authentication.
  - Password-publickey authentication—As an SSH2.0 user, the user must pass both password and publickey authentication. As an SSH1 user, the user must pass either password or publickey authentication.
  - Any—The user can use either password authentication or publickey authentication.

All authentication methods, except password authentication, require a client's host public key or digital certificate to be specified.

  - If a client directly sends the user's public key information to the server, the server must specify the client's public key and the specified public key must already exist. For more information about public keys, see "Configuring a client's host public key."
  - If a client sends the user's public key information to the server through a digital certificate, the server must specify the PKI domain for verifying the client certificate. For more information about configuring a PKI domain, see "Configuring PKI." To make sure the authorized SSH users pass the authentication, the specified PKI domain must have the proper CA certificate.

If the authentication method is publickey or password-publickey, the command level accessible to the user is set by the user privilege level command on the user interface. If the authentication method is password, the command level accessible to the user is authorized by AAA.

SSH1 does not support SFTP or SCP. For an SSH1 client, you must set the service type to stelnet or all.

For an SFTP SSH user, the working folder depends on the authentication method:

  - If the authentication method is password, the working folder is authorized by AAA.
  - If the authentication method is publickey or password-publickey, the working folder is set by using the ssh user command.
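The key import step and the guidelines above, combined into one publickey-only setup. This is an added example, not taken from the manual. The names ClientKey, key.pub, client001 and sftp001, the VTY range, the privilege level and the flash:/ folder are constructed placeholders. The keyword order of the ssh user command and the user-interface commands are assumed to follow the usual Comware form.

```text
# Enter system view and import the client's host public key from a file
# that is already stored on the device (key name and file name are placeholders).
<Sysname> system-view
[Sysname] public-key peer ClientKey import sshkey key.pub

# Create an Stelnet user that must pass publickey authentication and bind it
# to the imported key. The key must exist before it is assigned.
[Sysname] ssh user client001 service-type stelnet authentication-type publickey assign publickey ClientKey

# For publickey users the command level comes from the user interface,
# not from AAA, so set it explicitly on the VTY lines that accept SSH.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] authentication-mode scheme
[Sysname-ui-vty0-4] protocol inbound ssh
[Sysname-ui-vty0-4] user privilege level 1
[Sysname-ui-vty0-4] quit

# SFTP user with publickey authentication: the working folder is set in the
# ssh user command itself (flash:/ is a placeholder path).
[Sysname] ssh user sftp001 service-type sftp authentication-type publickey assign publickey ClientKey work-directory flash:/

# Confirm the service type, authentication type and assigned key of each SSH user.
[Sysname] display ssh user-information
```

Choosing publickey instead of any keeps password authentication from being accepted as an alternative for these accounts.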
