Local authentication and authorization for SSH users
Network requirements
As shown in Figure 15, configure the router to meet the following requirements:
Perform local authentication and authorization for SSH users.
Assign the network-admin user role to SSH users after they pass authentication.
Figure 14: Network diagram
Configuration procedure
# Configure the IP address of interface GigabitEthernet 1/0/1, through which the SSH user accesses the router.
<Router> system-view
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] ip address 192.168.1.70 255.255.255.0
[Router-GigabitEthernet1/0/1] quit
# Create local RSA and DSA key pairs. The SSH server needs at least one host key pair. The RSA pair is sufficient for current clients; OpenSSH 7.0 and later reject DSA (ssh-dss) host keys by default, so the DSA pair only serves legacy clients.
[Router] public-key local create rsa
[Router] public-key local create dsa
# Enable the SSH service.
[Router] ssh server enable
# Enable scheme authentication for user lines VTY 0 through VTY 63. With scheme authentication, the line hands login requests to AAA (here the local user database) instead of using a line password.
[Router] line vty 0 63
[Router-line-vty0-63] authentication-mode scheme
[Router-line-vty0-63] quit
# Create a device management user.
[Router] local-user ssh class manage
# Assign the SSH service to the local user.
[Router-luser-manage-ssh] service-type ssh
# Set the password for the local user to 123456TESTplat&! by entering it in plaintext on the command line. In FIPS mode, you must set the password in interactive mode. A password entered with the simple keyword is visible on the terminal and in the command history, so replace this example value with a unique, strong password in production.
[Router-luser-manage-ssh] password simple 123456TESTplat&!
# Specify the user role for the user as network-admin.
[Router-luser-manage-ssh] authorization-attribute user-role network-admin
[Router-luser-manage-ssh] quit
# Create an ISP domain named bbb and configure the domain to use local authentication and authorization for login users. Because bbb is not the default domain, the user selects it at login by using the username ssh@bbb.
[Router] domain bbb
[Router-isp-bbb] authentication login local
[Router-isp-bbb] authorization login local
[Router-isp-bbb] quit
Verifying the configuration
# Initiate an SSH connection to the router, and enter username ssh@bbb and the correct password. The user logs in to the router. (Details not shown.)
# Verify that the user can use the commands permitted by the network-admin user role. (Details not shown.)
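As an added check that is not part of the original guide, the following Python script audits a saved running configuration offline for the settings this procedure configures: SSH server enabled, VTY lines on scheme authentication, the management user restricted to SSH with the network-admin role, and the ISP domain doing local authentication and authorization. It assumes the display current-configuration layout of Comware 7 (blocks separated by lines containing only #, view-entering commands at column 0, sub-commands and global commands indented by one space). The two configurations embedded in it are constructed for the example, the password hash is a placeholder, and the function names parse_config and audit_ssh_local_aaa are the author's own.

```python
"""Offline audit of a Comware-style running config for SSH local AAA.
Added example, not from the configuration guide.  Assumes the Comware 7
'display current-configuration' layout: '#' separates blocks, view
commands (e.g. 'line vty 0 63') sit at column 0, and sub-commands and
global commands are indented by one space.  Sample configs are
constructed; the password hash is a placeholder."""
from typing import Dict, List, Tuple


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into (global commands, {view command: sub-commands})."""
    global_cmds: List[str] = []
    views: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None            # '#' or a blank line closes the view
            continue
        if not line.startswith(" "):
            current = line.strip()    # e.g. 'local-user ssh class manage'
            views.setdefault(current, [])
        elif current is None:
            global_cmds.append(line.strip())
        else:
            views[current].append(line.strip())
    return global_cmds, views


def audit_ssh_local_aaa(text: str, user: str = "ssh", domain: str = "bbb",
                        role: str = "network-admin") -> List[str]:
    """Return findings; an empty list means the config matches the procedure."""
    findings: List[str] = []
    global_cmds, views = parse_config(text)

    if "ssh server enable" not in global_cmds:
        findings.append("ssh server enable missing")

    vty_views = [v for v in views if v.startswith("line vty")]
    if not vty_views:
        findings.append("no 'line vty' view found")
    for view in vty_views:
        # Anything but exactly 'authentication-mode scheme' is flagged,
        # including an unset mode that falls back to the platform default.
        modes = [c for c in views[view] if c.startswith("authentication-mode")]
        if modes != ["authentication-mode scheme"]:
            found = ", ".join(modes) or "<unset>"
            findings.append(f"{view}: authentication-mode must be scheme (found {found})")

    luser = views.get(f"local-user {user} class manage")
    if luser is None:
        findings.append(f"local-user {user}: management user missing")
    else:
        if "service-type ssh" not in luser:
            findings.append(f"local-user {user}: service-type ssh not assigned")
        if f"authorization-attribute user-role {role}" not in luser:
            findings.append(f"local-user {user}: user-role {role} not assigned")
        if not any(c.startswith("password ") for c in luser):
            findings.append(f"local-user {user}: no password set")

    dom = views.get(f"domain {domain}")
    if dom is None:
        findings.append(f"domain {domain}: missing")
    else:
        for required in ("authentication login local", "authorization login local"):
            if required not in dom:
                findings.append(f"domain {domain}: missing '{required}'")
    return findings


# Constructed: what the procedure above should produce.
GOOD_CONFIG = """\
#
 ssh server enable
#
line vty 0 63
 authentication-mode scheme
#
domain bbb
 authentication login local
 authorization login local
#
local-user ssh class manage
 password hash $h$6$PLACEHOLDER_NOT_A_REAL_HASH
 service-type ssh
 authorization-attribute user-role network-admin
#
"""

# Constructed: SSH server off, VTY lines open with no authentication,
# wrong role, and the domain authenticates but does not authorize locally.
WEAK_CONFIG = """\
#
line vty 0 63
 authentication-mode none
#
domain bbb
 authentication login local
#
local-user ssh class manage
 password hash $h$6$PLACEHOLDER_NOT_A_REAL_HASH
 service-type ssh
 authorization-attribute user-role network-operator
#
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ssh_local_aaa(cfg) or "OK")
```

Feed the script the output of display current-configuration captured from the router; a non-empty finding list shows exactly which step of the procedure is missing or was overridden, which is faster than re-reading the configuration by hand after a change window.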