Local authentication and authorization for SSH users

As shown in Figure 15, configure the router to meet the following requirements:

• Perform local authentication and authorization for SSH users.

• Assign the network-admin user role to SSH users after they pass authentication.

# Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.

<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet1/0/1] quit

# Create local RSA and DSA key pairs.

[Router] public-key local create rsa
[Router] public-key local create dsa

# Enable the SSH service.

[Router] ssh server enable

# Enable scheme authentication for user lines VTY 0 through VTY 63.

[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit

# Create a device management user.

[Router] local-user ssh class manage

# Assign the SSH service to the local user.

[Router-luser-manage-ssh] service-type ssh

# Set the password to 123456TESTplat&! in plaintext form for the local user. In FIPS mode, you must set the password in interactive mode.

[Router-luser-manage-ssh] password simple 123456TESTplat&!

# Specify the user role for the user as network-admin.

[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit

# Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users.

[Router] domain bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit

# Initiate an SSH connection to the router, and enter username ssh@bbb and the correct password. The user logs in to the router. (Details not shown.)

# Verify that the user can use the commands permitted by the network-admin user role. (Details not shown.)