CLI-based Configuration Guide - Basic Configuration

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples for the basic configuration functions supported by the device in different application scenarios.

Configuring an SSH User

To use STelnet to log in to a device, you need to configure an SSH user. In addition to setting AAA authentication for the VTY user interface, you also need to specify an authentication mode for the SSH user.

Context

SSH users can be authenticated in the following modes: password, Rivest-Shamir-Adleman Algorithm (RSA), Elliptic Curve Cryptography (ECC), password-RSA, password-ECC, and all.

  • Password authentication: Authentication is based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
  • Rivest-Shamir-Adleman Algorithm (RSA) authentication: Authentication is based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key generated by the client to the SSH server. The SSH server then uses the public key to encrypt data. A maximum of 20 keys can be stored on a device functioning as an SSH client.
  • Elliptic Curve Cryptography (ECC) authentication: Authentication uses an elliptic curve algorithm. Compared with RSA, ECC offers a shorter key length, lower computational cost, faster processing speed, smaller storage space, and lower bandwidth requirements at the same security level.
  • Password-RSA authentication: The SSH server implements both password and RSA authentication on login users. The users must pass both authentication modes to log in.
  • Password-ECC authentication: The SSH server implements both password and ECC authentication on login users. The users must pass both authentication modes to log in.
  • All authentication: The SSH server implements RSA, ECC, or password authentication on login users. Users need to pass only one of them to log in.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Configure AAA user information.

    1. Run aaa

      The AAA view is displayed.

    2. Run local-user user-name password { cipher | irreversible-cipher } password

      A local user is created and a password is configured.

    3. Run local-user user-name privilege level level

      A user level is set for the local user.

    4. Run local-user user-name service-type ssh

      A service type is set for the local user.

    5. Run quit

      Return to the system view.

  3. (Optional) Run ssh user default-authentication-type { password | rsa }

    The default authentication mode is configured for SSH users.

    By default, the default authentication mode for SSH users is password authentication.

  4. Run ssh user user-name authentication-type { password | rsa | password-rsa | ecc | password-ecc | all }

    An authentication mode is set for the SSH user.

    • If password authentication is used, the SSH user is the user with the same name as the local user configured in the AAA view.
    • If RSA or ECC authentication is used, you need to configure the public key generated by the SSH client on the SSH server. When the SSH client logs in to the SSH server, the SSH client passes the authentication if the private key of the client matches the configured public key.
      NOTE:

      In RSA or ECC authentication mode, the user level configured in the VTY user interface view takes effect.

      1. Run rsa peer-public-key key-name or ecc peer-public-key key-name

        The RSA or ECC public key view is displayed.

      2. Run public-key-code begin

        The public key editing view is displayed.

      3. Enter the public key of the SSH client.

        The entered public key must be a hexadecimal string complying with the public key format. The string is generated by SSH client software. For detailed operations, see the help document of the SSH client software.

      4. Run public-key-code end

        Exit the public key editing view.

      5. Run peer-public-key end

        Return to the system view from the public key view.

      6. Run ssh user user-name assign { rsa-key | ecc-key } key-name

        An RSA or ECC public key is allocated to the SSH user. When logging in to the server, the client enters the SSH user name corresponding to its public key as prompted.

    • If Password-RSA or Password-ECC authentication is used, configure AAA user information and enter the public key generated on the client.
    • If all authentication is used, configure AAA user information, enter the public key generated on the client, or do both.
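
An added example, not part of the Huawei guide: a Python check that reads configuration lines written in the command forms from the procedure above and reports SSH users whose authentication mode lacks the credentials that mode requires. The user names, key names, and sample configuration are constructed, and the script assumes the saved configuration uses the same command syntax as the procedure.

```python
import re

# Credentials each mode demands, per the mode list above ("all" is handled
# separately: any single method is enough, so one configured credential suffices).
NEEDS = {"password": ["aaa"], "rsa": ["key"], "ecc": ["key"],
         "password-rsa": ["aaa", "key"], "password-ecc": ["aaa", "key"]}
MSG = {"aaa": "no AAA local user with service-type ssh",
       "key": "assigned peer public key is not defined"}

# Constructed sample; user names and key names are hypothetical.
SAMPLE = """\
aaa
 local-user alice password irreversible-cipher <redacted>
 local-user alice service-type ssh
 local-user bob password irreversible-cipher <redacted>
rsa peer-public-key key-alice
 public-key-code begin
 <hex public key>
 public-key-code end
 peer-public-key end
ssh user alice authentication-type password-rsa
ssh user alice assign rsa-key key-alice
ssh user bob authentication-type password
ssh user carol authentication-type rsa
ssh user carol assign rsa-key key-carol
"""

def audit(config):
    """Map each SSH user to the credentials its authentication mode lacks."""
    aaa_ssh, modes, assigned, peer_keys = set(), {}, {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"local-user (\S+) service-type\b(.*)", line):
            if "ssh" in m.group(2).split():
                aaa_ssh.add(m.group(1))
        elif m := re.match(r"ssh user (\S+) authentication-type (\S+)", line):
            modes[m.group(1)] = m.group(2)
        elif m := re.match(r"ssh user (\S+) assign (rsa|ecc)-key (\S+)", line):
            assigned[m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"(rsa|ecc) peer-public-key (\S+)", line):
            peer_keys.add((m.group(1), m.group(2)))
    report = {}
    for user, mode in modes.items():
        have = {"aaa": user in aaa_ssh, "key": assigned.get(user) in peer_keys}
        if mode == "all":
            report[user] = [] if any(have.values()) else ["no usable credential"]
        else:
            report[user] = [MSG[n] for n in NEEDS.get(mode, []) if not have[n]]
    return report

if __name__ == "__main__":
    for user, problems in audit(SAMPLE).items():
        print(user, problems or "ok")
```

Only users with an explicit authentication-type line are checked; users that rely on the default authentication type are not covered.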

Updated: 2019-05-20

Document ID: EDOC1100034225
