
Configuration Guide - Basic Configuration

S1720, S2700, S5700, and S6720 V200R011C10

This document describes how to use the command line interface, log in to the device, perform file operations, and configure system startup.
Configuring an SSH User

Context

SSH users can be authenticated in eight modes: password, Rivest-Shamir-Adleman Algorithm (RSA), Digital Signature Algorithm (DSA), Elliptic Curve Cryptography (ECC), password-RSA, password-DSA, password-ECC, and all.

  • Password authentication: based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
  • RSA authentication: based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key generated by the client to the SSH server. The SSH server then uses the public key to encrypt data.
  • DSA authentication: similar to RSA authentication. DSA uses the digital signature algorithm to encrypt data.
  • ECC authentication: uses an elliptic curve algorithm. Compared with RSA, ECC offers a shorter key length, lower computational cost, faster processing speed, smaller storage space, and lower bandwidth requirement at the same security level.
  • Password-RSA authentication: The SSH server implements both password and RSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-DSA authentication: The SSH server implements both password and DSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-ECC authentication: The SSH server implements both password and ECC authentication on login users. The users must pass both authentication modes to log in.
  • All authentication: The SSH server implements public key or password authentication on login users. Users only need to pass either of them to log in.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ssh user user-name

    An SSH user is created.

  3. Run ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

    An authentication mode is set for the SSH user.

    By default, an SSH user does not support any authentication mode.
    NOTE:
    • If password authentication is selected, the user priority is the same as that specified on the AAA module.
    • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access.
    • If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.
    • You can run the ssh authentication-type default password command to set the default authentication mode of SSH users to password authentication. When multiple SSH users need password authentication, this simplifies the configuration because you do not need to configure password authentication for each SSH user separately.
    • If password authentication is used, create a local user with the same name as the SSH user in the AAA view.
      1. Run aaa

        The AAA view is displayed.

      2. Run local-user user-name password { cipher | irreversible-cipher } password

        A local user with the same name as the SSH user is created and a password is configured.

      3. Run local-user user-name service-type ssh

        A service type is set for the local user.

      4. Run local-user user-name privilege level level

        A user level is set for the local user.

      5. Run quit

        Return to the system view.

    • If RSA, DSA, or ECC authentication is used, you need to configure the public key generated by the SSH client on the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the configured public key.
      1. Run rsa peer-public-key key-name [ encoding-type { der | openssh | pem } ], dsa peer-public-key key-name encoding-type { der | openssh | pem }, or ecc peer-public-key key-name encoding-type { der | openssh | pem }

        The RSA, DSA, or ECC public key view is displayed.

      2. Run public-key-code begin

        The public key editing view is displayed.

      3. Enter the public key of the SSH client.

        The entered public key must be a hexadecimal string complying with the public key format. The string is generated by SSH client software. For detailed operations, see the help document of the SSH client software.

      4. Run public-key-code end

        Exit the public key editing view.

      5. Run peer-public-key end

        Return to the system view from the public key view.

      6. Run ssh user user-name assign { rsa-key | dsa-key | ecc-key } key-name

        An RSA, a DSA, or an ECC public key is allocated to the SSH user. When logging in to the server, the client enters the SSH user name corresponding to its public key as prompted.

    • If Password-RSA, Password-DSA, or Password-ECC authentication is used, configure AAA user information and enter the public key generated on the client. Both operations are mandatory.
    • If all authentication is used, configure AAA user information, enter the public key generated on the client, or do both.

  4. Run ssh user user-name service-type { stelnet | all }

    By default, no service type is configured for an SSH user.
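The following Python check is an added example, not part of the Huawei guide. It reads a saved configuration and reports SSH users for whom the procedure above is incomplete, using only the commands shown on this page. The sample configuration, the user and key names, and the finding codes are constructed for illustration.

```python
import re
# Constructed sample config (not from a real device); user and key names are made up.
SAMPLE_CONFIG = """\
ssh user alice authentication-type password-rsa
ssh user alice assign rsa-key alice-key
ssh user alice service-type stelnet
ssh user bob authentication-type password
ssh user bob service-type stelnet
ssh user carol authentication-type all
ssh user carol assign ecc-key carol-key
ssh user carol service-type all
ssh user dave authentication-type dsa
ssh user erin
aaa
 local-user alice password irreversible-cipher <placeholder>
 local-user alice service-type ssh
"""
SSH_LINE = re.compile(r"ssh user (\S+)(?: (authentication-type|assign|service-type) (\S+))?")
AAA_LINE = re.compile(r"local-user (\S+) service-type (.+)")

def audit(config):
    """Return sorted (user, finding) pairs for SSH users whose setup is incomplete."""
    users, aaa_ssh = {}, set()
    # "ssh authentication-type default password" gives users without a mode password auth
    default = "password" if "ssh authentication-type default password" in config else None
    for line in map(str.strip, config.splitlines()):
        if m := SSH_LINE.match(line):
            user = users.setdefault(m.group(1), {})
            if m.group(2):
                user[m.group(2)] = m.group(3)
        elif (m := AAA_LINE.match(line)) and "ssh" in m.group(2).split():
            aaa_ssh.add(m.group(1))
    findings = []
    for name, u in users.items():
        mode = u.get("authentication-type", default)
        if mode is None:  # by default an SSH user supports no authentication mode
            findings.append((name, "NO_AUTH_TYPE"))
            continue
        parts = mode.split("-")
        key_ok = [f"{p}-key" == u.get("assign") for p in parts if p in ("rsa", "dsa", "ecc")]
        if "password" in parts and name not in aaa_ssh:  # needs a same-name AAA local user
            findings.append((name, "NO_AAA_SSH_USER"))
        if key_ok and not all(key_ok):  # key mode without a matching "assign" line
            findings.append((name, "NO_KEY_ASSIGNED"))
        if mode == "all":  # password OR public key alone is enough to log in
            findings.append((name, "EITHER_FACTOR_ACCEPTED"))
        if "service-type" not in u:  # by default no service type is configured
            findings.append((name, "NO_SERVICE_TYPE"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` returns no finding for alice, whose password-rsa setup has both the AAA user and the assigned key, and one or more findings for each of the other users.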

Updated: 2019-10-21

Document ID: EDOC1000178166