ssh user
Use ssh user to create an SSH user and specify the service type and authentication method.
Use undo ssh user to delete an SSH user.
Syntax
In non-FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
undo ssh user username
In FIPS mode:
ssh user username service-type { all | netconf | scp | sftp | stelnet } authentication-type { password | password-publickey [ assign { pki-domain domain-name | publickey keyname&<1-6> } ] }
undo ssh user username
Default
No SSH users exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
username: Specifies an SSH username, a case-sensitive string of 1 to 80 characters. The username cannot be a, al, or all. In addition, the username cannot include vertical bars (|), colons (:), asterisks (*), question marks (?), or angle brackets (< >). The at sign (@), slash (/), and backslash (\) can only be used to append ISP domain names to usernames in the pureusername@domain, pureusername/domain, and domain\pureusername format. Do not include hyphens (-) in the username of an SCP user. Otherwise, SCP logins using that username will fail.
service-type: Specifies a service type for the SSH user.
all: Specifies service types Stelnet, SFTP, SCP, and NETCONF.
scp: Specifies the service type SCP.
sftp: Specifies the service type SFTP.
stelnet: Specifies the service type Stelnet.
netconf: Specifies the service type NETCONF.
authentication-type: Specifies an authentication method for the SSH user.
password: Specifies password authentication. This method is simple and fast, but it is the weakest of the available methods because it relies only on a secret the user types. It can work with AAA to implement user authentication, authorization, and accounting.
any: Specifies either password authentication or publickey authentication.
password-publickey: Specifies both password authentication and publickey authentication for SSH2 clients. In SSH2, the password-publickey authentication method provides higher security. If the client runs SSH1, this keyword specifies either password authentication or publickey authentication.
publickey: Specifies publickey authentication. This method involves more computation than password authentication, but it provides strong authentication that can defend against brute-force attacks. It is also easy to use: once configured, the authentication process completes automatically without the user entering a password.
assign: Specifies parameters used for client verification.
pki-domain domain-name: Specifies the PKI domain that verifies the client's digital certificate. The domain-name argument is a case-insensitive string of 1 to 31 characters. Invalid characters are tildes (~), asterisks (*), backslashes (\), vertical bars (|), colons (:), dots (.), angle brackets (< >), quotation marks ("), and apostrophes ('). The server uses the CA certificate that is saved in the PKI domain to verify the client's digital certificate. In this scenario, the server does not need to save clients' public keys in advance.
publickey keyname&<1-6>: Specifies a space-separated list of up to six SSH client public keys. The keyname argument represents the SSH client's public key configured on the server. It is a case-sensitive string of 1 to 64 characters. The server uses the client's public key to check the validity of the client. If the public key file of the client is changed, you must update the client's public key on the server promptly. If you specify multiple client public keys, the device verifies the user identity by using the public keys in the order they are specified. The user is valid if the user passes one public key check.
Usage guidelines
Use this command to configure an SSH user depending on the authentication method.
If the authentication method is publickey, you must create an SSH user and a local user on the SSH server. The two users must have the same username, so that the SSH user can be assigned the correct working directory and user role.
If the authentication method is password, you must perform one of the following tasks:
For local authentication, configure a local user on the SSH server.
For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
With password authentication, you do not need to create an SSH user by using the ssh user command. However, if you want to display all SSH users, including the password-only SSH users, for centralized management, you can use this command to create them. If such an SSH user has been created, make sure you have specified the correct service type and authentication method.
If the authentication method is password-publickey or any, you must create an SSH user on the SSH server and perform one of the following tasks:
For local authentication, configure a local user on the SSH server.
For remote authentication, configure an SSH user on a remote authentication server, for example, a RADIUS server.
In either case, the local user or the SSH user configured on the remote authentication server must have the same username as the SSH user.
For an SFTP or SCP user, the working directory depends on the authentication method.
If the authentication method is publickey or password-publickey, the working directory is specified by the authorization-attribute command in the associated local user view.
If the authentication method is password, the working directory is authorized by AAA.
For an SSH user, the user role also depends on the authentication method.
If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
If the authentication method is password, the user role is authorized by AAA.
If you use this command to specify a host public key or a PKI domain for a user multiple times, the most recent configuration takes effect. If neither a host public key nor a PKI domain is specified for the user, the user uses certificate authentication for login. The server uses the PKI domain of its own certificate to verify the client's certificate.
The command configuration does not affect logged-in users. It affects only users that attempt to log in after the configuration.
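The parameter rules above (username length and forbidden characters, the ISP-domain separators, the SCP hyphen restriction, the PKI domain-name rules, the six-key limit) and the usage guidelines (which authentication methods require a matching local user and which accept a remote AAA user instead) are exactly the kind of constraints worth checking before a configuration is pushed to a device. The following Python checker is an added example written for this page; it is not part of the H3C/HPE command reference or any device software. The function names, the SshUser class and the sample users are constructed for illustration. Treating service-type all as covered by the SCP hyphen rule is an assumption, made because all includes SCP.

```python
from dataclasses import dataclass
from typing import Optional

# Service types and authentication methods exactly as the ssh user syntax lists them.
SERVICE_TYPES = {"all", "netconf", "scp", "sftp", "stelnet"}
AUTH_TYPES = {"password", "any", "password-publickey", "publickey"}

# Characters a username may never contain (the hyphen is handled separately for SCP users).
USERNAME_FORBIDDEN = set("|:*?<>")
# Characters a PKI domain name may never contain.
DOMAIN_FORBIDDEN = set("~*\\|:.<>\"'")


def validate_username(username, service_type):
    """Return a list of problems with an SSH username; an empty list means it is acceptable."""
    problems = []
    if not 1 <= len(username) <= 80:
        problems.append("username must be 1 to 80 characters")
    if username in ("a", "al", "all"):
        problems.append("username cannot be a, al, or all")
    bad = sorted(USERNAME_FORBIDDEN & set(username))
    if bad:
        problems.append("username contains forbidden characters: " + "".join(bad))
    # @, / and \ may appear only once, as the separator that appends an ISP domain
    # (pureusername@domain, pureusername/domain or domain\pureusername).
    seps = [c for c in username if c in "@/\\"]
    if len(seps) > 1:
        problems.append("only one of @, / or \\ may appear, as the domain separator")
    elif len(seps) == 1:
        left, right = username.split(seps[0], 1)
        if not left or not right:
            problems.append("domain separator must sit between a pure username and a domain")
    # Hyphens break SCP logins; 'all' is checked too because it includes SCP (assumption).
    if service_type in ("scp", "all") and "-" in username:
        problems.append("hyphens are not allowed in the username of an SCP user")
    return problems


def validate_pki_domain(domain_name):
    """Return a list of problems with a PKI domain name used with assign pki-domain."""
    problems = []
    if not 1 <= len(domain_name) <= 31:
        problems.append("domain-name must be 1 to 31 characters")
    bad = sorted(DOMAIN_FORBIDDEN & set(domain_name))
    if bad:
        problems.append("domain-name contains forbidden characters: " + "".join(bad))
    return problems


@dataclass
class SshUser:
    """A planned ssh user entry (constructed data model, not a device structure)."""
    username: str
    service_type: str
    auth_type: str
    publickeys: tuple = ()            # keyname list from 'assign publickey keyname&<1-6>'
    pki_domain: Optional[str] = None  # domain-name from 'assign pki-domain'


def check_ssh_user(user, local_users, remote_auth=False):
    """Apply the parameter rules and the usage guidelines to one planned SSH user.

    local_users is the set of local-user names on the server; remote_auth says whether a
    remote authentication server (for example RADIUS) is configured for this user.
    """
    problems = validate_username(user.username, user.service_type)
    if user.service_type not in SERVICE_TYPES:
        problems.append("unknown service type: " + user.service_type)
    if user.auth_type not in AUTH_TYPES:
        problems.append("unknown authentication type: " + user.auth_type)
    if len(user.publickeys) > 6:
        problems.append("at most six client public keys can be assigned")
    if user.publickeys and user.pki_domain:
        problems.append("assign takes either pki-domain or publickey, not both")
    if user.auth_type == "password" and (user.publickeys or user.pki_domain):
        problems.append("assign is only valid with any, password-publickey or publickey")
    if user.pki_domain:
        problems += validate_pki_domain(user.pki_domain)
    has_local = user.username in local_users
    if user.auth_type == "publickey" and not has_local:
        # Guideline: publickey needs a local user with the same name for directory and role.
        problems.append("publickey authentication requires a local user with the same username")
    elif user.auth_type in ("any", "password-publickey", "password") and not (has_local or remote_auth):
        problems.append("a local user or a remote AAA user with the same username is required")
    return problems


if __name__ == "__main__":
    # Constructed sample: the two users from the Examples section plus some faulty ones.
    planned = [
        SshUser("user1", "sftp", "password-publickey", ("key1",)),
        SshUser("svc-backup", "scp", "publickey", ("key2",)),
        SshUser("all", "stelnet", "password"),
    ]
    for u in planned:
        print(u.username, check_ssh_user(u, {"user1", "svc-backup"}) or "ok")
```

Running the checker over an intended change set before applying it catches the mismatches the guidelines describe (a publickey user without its local user, a hyphenated SCP username, an assign clause on a password-only user) at review time rather than as a failed login on the device.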
Examples
# Create an SSH user named user1. Specify the service type as sftp and the authentication method as password-publickey for the user. Assign the host public key key1 to the user.
<Sysname> system-view
[Sysname] ssh user user1 service-type sftp authentication-type password-publickey assign publickey key1
# Create a local device management user named user1. Specify the password as 123456TESTplat&! in plain text and the service type as ssh for the user. Assign the working directory flash: and the network-admin user role to the user.
[Sysname] local-user user1 class manage
[Sysname-luser-manage-user1] password simple 123456TESTplat&!
[Sysname-luser-manage-user1] service-type ssh
[Sysname-luser-manage-user1] authorization-attribute work-directory flash: user-role network-admin
Related commands
authorization-attribute
display ssh user-information
local-user
pki domain