Configuring the ssh server on the lb product – H3C Technologies H3C SecBlade LB Cards User Manual


To control SSH access to the LB product operating as an SSH server, configure authentication and user privilege level for SSH users.

Configuring the SSH server on the LB product

When scheme authentication is used, you can choose to configure the command authorization and command accounting functions.

If command authorization is enabled, a command is available only if the user has the required user privilege level and is authorized to use the command by the AAA scheme.

Command accounting allows the HWTACACS server to record all commands executed by users, regardless of whether the command executed successfully. This function helps control and monitor user behavior on the LB product. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Follow these guidelines when you configure the SSH server:

• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. The scheme must specify the IP address of the authorization server and the other authorization parameters.

• If the local authentication scheme is used, use the authorization-attribute level level command in local user view to set the user privilege level on the LB product.

• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.

The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see Security Configuration Guide.
To configure the SSH server on the LB product:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A

Step 2. Create local key pairs.
  Command: public-key local create rsa
  Remarks: By default, no local key pairs are created.

Step 3. Enable the SSH server.
  Command: ssh server enable
  Remarks: By default, the SSH server is disabled.

Step 4. Enter one or multiple VTY user interface views.
  Command: user-interface vty first-number [ last-number ]
  Remarks: N/A

Step 5. Enable scheme authentication.
  Command: authentication-mode scheme
  Remarks: By default, scheme authentication is enabled on VTY user interfaces.

Step 6. Enable the user interfaces to support Telnet, SSH, or both.
  Command: protocol inbound { all | ssh }
  Remarks: Optional. By default, both Telnet and SSH are supported.

Step 7. Enable command authorization.
  Command: command authorization
  Remarks: Optional. By default, command authorization is disabled; the commands available to a user then depend only on the user privilege level.
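The following is an added example, not configuration taken from the H3C manual. It carries the seven steps above through on VTY lines 0 to 4 and adds the pieces the guidelines section says command authorization and command accounting depend on: an HWTACACS scheme applied to an ISP domain, and a local fallback user whose privilege level is set with authorization-attribute level. The scheme name tac1, the domain name lbadmin, the server address 192.0.2.10, the shared key S3cret and the user name admin are assumed values. The hwtacacs scheme, domain, authorization command, accounting command, local-user, password, service-type and command accounting commands are not shown on this page; they are written in Comware V5 syntax as commonly documented and may differ by release, so check them against the Security Configuration Guide before use. Lines beginning with # are annotations, not CLI input.

```text
# Added example, not from the H3C manual. Lines starting with # are
# annotations, not commands. Assumed values: VTY 0-4, HWTACACS scheme
# "tac1", ISP domain "lbadmin", server 192.0.2.10, key "S3cret", local
# fallback user "admin". Commands not in the table above (hwtacacs scheme,
# domain, authorization/accounting command, local-user, command accounting)
# are assumed Comware V5 syntax; verify them for the running release.
system-view

# Step 2: host key pair. The SSH server cannot negotiate without it.
public-key local create rsa

# Step 3: the SSH server is disabled by default.
ssh server enable

# Guideline 1: HWTACACS scheme with the authorization (and accounting)
# server address; this is what command authorization and command
# accounting talk to.
hwtacacs scheme tac1
 primary authentication 192.0.2.10
 primary authorization 192.0.2.10
 primary accounting 192.0.2.10
 key authentication simple S3cret
 key authorization simple S3cret
 key accounting simple S3cret
 quit

# Apply the scheme to the ISP domain. The trailing "local" is a fallback
# so that an unreachable HWTACACS server does not lock out administration.
domain lbadmin
 authentication login hwtacacs-scheme tac1 local
 authorization command hwtacacs-scheme tac1 local
 accounting command hwtacacs-scheme tac1
 quit

# Guideline 2: with local authentication the privilege level comes from
# this attribute, so set it explicitly on the fallback account.
local-user admin
 password cipher S3cret
 service-type ssh
 authorization-attribute level 3
 quit

# Steps 4-7 on VTY lines 0 to 4.
user-interface vty 0 4
 authentication-mode scheme
 # "ssh" rather than the default "all": "all" keeps cleartext Telnet open.
 protocol inbound ssh
 command authorization
 # Command accounting: every executed (and, with authorization on,
 # authorized) command is sent to the HWTACACS accounting server.
 command accounting
 quit
```

The domain only applies to users who log in under it, for example as admin@lbadmin; if the LB product should treat a bare user name as belonging to this domain, the default-domain setting (domain default enable in Comware V5, assumed here) must point at lbadmin. Leaving protocol inbound at its default of all is the most common weakening of this procedure, because the scheme authentication and command controls then also protect a Telnet session whose credentials and commands cross the network in cleartext.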
