• scp: Specifies the service type SCP.
• sftp: Specifies the service type SFTP.
• stelnet: Specifies the service type Stelnet.
• netconf: Specifies the service type NETCONF.
authentication-type: Specifies an authentication method for the SSH user.
• password: Specifies password authentication. This authentication method provides easy and fast encryption, but it is vulnerable. It can work with AAA to implement user authentication, authorization, and accounting.
• any: Specifies either password authentication or publickey authentication.
• password-publickey: Specifies both password authentication and publickey authentication for SSH2 clients. In SSH2, the password-publickey authentication method provides higher security. If the client runs SSH1, this keyword specifies either password authentication or publickey authentication.
• publickey: Specifies publickey authentication. This authentication method has complicated and slow encryption, but it provides strong authentication that can defend against brute-force attacks. This authentication method is easy to use. If this method is configured, the authentication process completes automatically without entering any password.
assign: Specifies parameters used for client verification.
pki-domain domain-name: Specifies the PKI domain that verifies the client's digital certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). The server uses the CA certificate that is saved in the PKI domain to verify the client's digital certificate. In this scenario, the server does not need to save clients' public keys in advance.
publickey keyname&<1-6>: Specifies a space-separated list of up to six SSH client public keys. The keyname argument represents the SSH client's public key configured on the server. It is a case-sensitive string of 1 to 64 characters. The server uses the client's public key to check the validity of the client. If the public key file of the client is changed, you must update the client's public key on the server promptly. If you specify multiple client public keys, the device verifies the user identity by using the public keys in the order they are specified. The user is valid if the user passes one public key check.
Usage guidelines
Use this command to configure an SSH user depending on the authentication method.
• If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
• If the authentication method is password, you must perform one of the following tasks:
  ◦ For local authentication, configure a local user on the SSH server.
  ◦ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
  You do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
• If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:
  ◦ For local authentication, configure a local user on the SSH server.
  ◦ For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
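The following added example (not part of the original manual) audits `ssh user` lines in a saved configuration against the rules described above: it flags users whose authentication method lets a password alone authenticate, and checks the stated limits on domain-name and keyname. The single-line command layout, including the `service-type` keyword, and the sample users are assumptions constructed for illustration.

```python
import re

# Characters the page lists as invalid in a PKI domain name.
INVALID_DOMAIN_CHARS = set('~*\\|:.<>"\'')
# Methods under which a password alone is enough to authenticate.
PASSWORD_ALONE_OK = {"password", "any"}

# Assumed single-line layout of the command (an assumption, see lead-in).
LINE_RE = re.compile(
    r"^ssh user (?P<user>\S+) service-type \S+ "
    r"authentication-type (?P<auth>\S+)"
    r"(?: assign (?P<kind>pki-domain|publickey) (?P<args>.+))?$"
)

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
ssh user alice service-type stelnet authentication-type publickey assign publickey key1 key2
ssh user bob service-type sftp authentication-type password
ssh user carol service-type scp authentication-type any assign pki-domain corp.ca
ssh user dave service-type netconf authentication-type password-publickey assign publickey k1 k2 k3 k4 k5 k6 k7
"""

def audit_ssh_user(line):
    """Return the findings for one `ssh user` line (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ["unparsed line: " + line.strip()]
    user, auth, kind = m["user"], m["auth"], m["kind"]
    args = (m["args"] or "").split()
    findings = []
    if auth in PASSWORD_ALONE_OK:
        findings.append(f"{user}: '{auth}' lets a password alone authenticate")
    if kind == "pki-domain":
        name_ok = len(args) == 1 and 1 <= len(args[0]) <= 31
        if not name_ok or set(args[0]) & INVALID_DOMAIN_CHARS:
            findings.append(f"{user}: invalid pki-domain name {' '.join(args)!r}")
    elif kind == "publickey":
        if len(args) > 6:
            findings.append(f"{user}: {len(args)} public keys listed, limit is six")
        findings += [f"{user}: key name {k[:8]}... exceeds 64 characters"
                     for k in args if len(k) > 64]
    return findings

def audit_config(text):
    """Map each `ssh user` line in a configuration to its findings."""
    return {ln.strip(): audit_ssh_user(ln)
            for ln in text.splitlines() if ln.strip().startswith("ssh user ")}

if __name__ == "__main__":
    for line, found in audit_config(SAMPLE).items():
        print(line, "->", found or "ok")
```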