Publication Date: 2019-07-15 | Views: 6992 | Downloads: 0 | Author: SU1001835942 | Document ID: EKB1000093321
You can log in to a device by using STelnet on networks with high security requirements. STelnet, based on the SSH protocol, provides strong authentication functions to ensure information security and protect devices against attacks such as IP spoofing.
SSH users can be authenticated in six modes: password, RSA, DSA, Password-RSA, Password-DSA, and All. The most commonly used are the following:
SSH password authentication works correctly: after authentication, users receive the privilege level defined in the AAA configuration, so different user levels can be set for SSH users to control access to the device.
The problem appears when RSA authentication is used for the STelnet service. With RSA key authentication the user is authenticated correctly but receives the default privilege level 0, even though a different level is configured for that user in the AAA view. In this situation the user cannot enter the system view and has access only to a limited set of commands.
Config and info:

aaa
 statistic enable
 local-user admin password irreversible-cipher xxxx
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh ftp
 local-user admin user-type netmanager
stelnet server enable
scp server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin assign rsa-key admin
ssh user admin service-type all
ssh user admin sftp-directory flash:/
Result after logging in with SSH and RSA authentication:
The problem occurs because every SSH user that connects with RSA authentication on the VTY interfaces inherits the privilege level configured under the VTY interface, regardless of the level configured in the AAA view. By default this VTY level is 0.
To address this problem, the only solution the system offers in the current releases is to configure the user level under the VTY interfaces. In this way, users that connect by STelnet with RSA authentication receive the privilege level configured under the VTY interface, while users authenticated by AAA still receive their proper privilege level.
Configuration change:
[Huawei]user-interface vty 0 4
[Huawei-ui-vty0-4]user privilege level 15
After the above change, an SSH user that logs in with RSA authentication receives privilege level 15.
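As an added check, not part of the original article or of any Huawei tooling, the following Python script parses a saved VRP-style configuration and reports every SSH user who can log in with an RSA key but whose AAA privilege level differs from the level the VTY lines would grant. The sample configurations, the extra users ops and auditor, the regular expressions and the function names are constructed for this example; the behaviour it models is the one the article describes (key-authenticated logins take the VTY level, which defaults to 0).

```python
import re

DEFAULT_VTY_LEVEL = 0             # level a VTY grants when "user privilege level" is not set
KEY_AUTH_TYPES = {"rsa", "all"}   # authentication types that allow an RSA key login (per the article)

# Regular expressions are constructed for this example; they match the command
# forms shown in the article, one command per line.
LOCAL_USER_LEVEL = re.compile(r"^\s*local-user (\S+) privilege level (\d+)\s*$")
SSH_AUTH_TYPE = re.compile(r"^\s*ssh user (\S+) authentication-type (\S+)\s*$")
VTY_HEADER = re.compile(r"^user-interface vty (\d+) (\d+)\s*$")
VTY_LEVEL = re.compile(r"^\s+user privilege level (\d+)\s*$")


def parse_config(text):
    """Collect AAA privilege levels, SSH authentication types and VTY privilege levels."""
    aaa_levels, ssh_auth, vty_levels = {}, {}, {}
    current_vty = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VTY_HEADER.match(line)
        if m:
            current_vty = (int(m.group(1)), int(m.group(2)))
            vty_levels.setdefault(current_vty, DEFAULT_VTY_LEVEL)
            continue
        if current_vty is not None and line.startswith(" "):
            m = VTY_LEVEL.match(line)          # indented line inside the VTY block
            if m:
                vty_levels[current_vty] = int(m.group(1))
            continue
        current_vty = None                     # any unindented line ends the VTY block
        m = LOCAL_USER_LEVEL.match(line)
        if m:
            aaa_levels[m.group(1)] = int(m.group(2))
            continue
        m = SSH_AUTH_TYPE.match(line)
        if m:
            ssh_auth[m.group(1)] = m.group(2).lower()
    return aaa_levels, ssh_auth, vty_levels


def audit(text, vty_range=(0, 4)):
    """Return (user, aaa_level, effective_level) for each key-capable SSH user whose
    AAA level differs from the level an RSA login on the given VTY range would get."""
    aaa_levels, ssh_auth, vty_levels = parse_config(text)
    effective = vty_levels.get(vty_range, DEFAULT_VTY_LEVEL)
    findings = []
    for user, auth in sorted(ssh_auth.items()):
        if auth not in KEY_AUTH_TYPES:
            continue                           # password-only users keep their AAA level
        aaa = aaa_levels.get(user)
        if aaa is not None and aaa != effective:
            findings.append((user, aaa, effective))
    return findings


# Constructed sample: the article's admin user plus two extra users to show the caveat.
BEFORE = """\
aaa
 local-user admin password irreversible-cipher xxxx
 local-user admin privilege level 15
 local-user admin service-type telnet terminal ssh ftp
 local-user ops password irreversible-cipher xxxx
 local-user ops privilege level 3
 local-user ops service-type ssh
 local-user auditor password irreversible-cipher xxxx
 local-user auditor privilege level 1
 local-user auditor service-type ssh
stelnet server enable
ssh user admin authentication-type all
ssh user admin assign rsa-key admin
ssh user ops authentication-type rsa
ssh user ops assign rsa-key ops
ssh user auditor authentication-type password
user-interface vty 0 4
 authentication-mode aaa
"""

# The same configuration after applying the article's workaround on vty 0 4.
AFTER = BEFORE.replace(" authentication-mode aaa\n",
                       " authentication-mode aaa\n user privilege level 15\n")

if __name__ == "__main__":
    for label, cfg in (("before workaround", BEFORE), ("after workaround", AFTER)):
        print(label)
        for user, aaa, eff in audit(cfg):
            print(f"  {user}: AAA level {aaa}, RSA login would get level {eff}")
```

Run against the first configuration the script flags both admin (AAA 15, effective 0) and ops (AAA 3, effective 0), which is the symptom the article describes. Run against the second configuration it still flags ops: once the VTY level is raised to 15, every key-authenticated user on those lines logs in at 15, including accounts that AAA restricts to a lower level. Before applying the workaround, review which SSH users hold RSA keys and whether all of them should share the VTY level, since the VTY setting cannot distinguish between them.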