Configuring ipsec, Overview, Setting the ssh management parameters – H3C Technologies H3C S12500-X Series Switches User Manual
  ◦ If the authentication method is password, the user role is authorized by the remote AAA server or the local device.
  ◦ If the authentication method is publickey or password-publickey, the user role is specified by the authorization-attribute command in the associated local user view.
• If you change the authentication method or public key for an SSH user who is already logged in, the change takes effect for that user only at the next login.
• All authentication methods except password authentication require a client's host public key to be specified. For more information about host public keys, see "Configuring a client's host public key."
• When the device operates in FIPS mode as an SSH server, the device does not support the any or publickey authentication method.
For information about configuring local users and remote authentication, see "Configuring AAA."
Configuration procedure
To configure an SSH user, and specify the service type and authentication method:
1. Enter system view.
   Command: system-view
2. Create an SSH user, and specify the service type and authentication method.
   Command:
   • In non-FIPS mode:
     ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }
   • In FIPS mode:
     ssh user username service-type { all | scp | sftp | stelnet } authentication-type { password | password-publickey assign publickey keyname }
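The following Python check is an added example, not part of the H3C manual: it audits `ssh user` lines from a saved configuration against the command syntax in the procedure above and the FIPS-mode restriction on any and publickey. The sample configuration, user names, key names and the function name `audit_ssh_users` are constructed for illustration, and the script assumes each `ssh user` command appears on one line in the documented form.

```python
import re

# Constructed sample configuration lines (not taken from a real device).
SAMPLE = """\
ssh user alice service-type stelnet authentication-type password
ssh user bob service-type all authentication-type publickey assign publickey bobkey
ssh user carol service-type sftp authentication-type password-publickey
ssh user dave service-type scp authentication-type any assign publickey davekey
"""

SERVICES = {"all", "scp", "sftp", "stelnet"}
METHODS = {"password", "any", "password-publickey", "publickey"}
FIPS_METHODS = {"password", "password-publickey"}  # any/publickey are rejected in FIPS mode

LINE_RE = re.compile(
    r"^ssh user (?P<user>\S+) service-type (?P<svc>\S+)"
    r" authentication-type (?P<auth>\S+)"
    r"(?: assign publickey (?P<key>\S+))?$"
)

def audit_ssh_users(config_text, fips_mode):
    """Return (username, problem) pairs for ssh user lines that break the documented rules."""
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("ssh user "):
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((line, "does not match the documented syntax"))
            continue
        user, svc, auth, key = m["user"], m["svc"], m["auth"], m["key"]
        if svc not in SERVICES:
            findings.append((user, f"unknown service-type {svc}"))
        if auth not in METHODS:
            findings.append((user, f"unknown authentication-type {auth}"))
            continue
        if fips_mode and auth not in FIPS_METHODS:
            findings.append((user, f"{auth} is not supported in FIPS mode"))
        if auth != "password" and key is None:
            findings.append((user, f"{auth} requires 'assign publickey keyname'"))
        if auth == "password" and key is not None:
            findings.append((user, "password does not take 'assign publickey'"))
    return findings

if __name__ == "__main__":
    for fips in (False, True):
        print("FIPS" if fips else "non-FIPS", audit_ssh_users(SAMPLE, fips))
```

Running the audit with `fips_mode=True` before switching a device to FIPS mode lists the SSH users whose authentication method would have to change.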
Setting the SSH management parameters
Setting the SSH management parameters can improve the security of SSH connections. The SSH
management parameters include:
• Whether the SSH server is compatible with SSH1 clients.
• RSA server key pair update interval, applicable to users using SSH1 clients.
• SSH user authentication timeout period. You can set this parameter to reject a connection if the authentication for the connection has not been finished when the timeout period expires.
• Maximum number of SSH authentication attempts. You can set this parameter to prevent malicious password cracking. If any authentication is used, the total number of both publickey and password authentication attempts cannot exceed the configured upper limit.
• ACL for SSH clients. You can configure an ACL to filter SSH clients which initiate connections with the SSH server.
• DSCP value in the packets that are sent by the SSH server. This field determines the transmission priority of the packet.
• SFTP connection idle timeout period. When the idle period of an SFTP connection exceeds the specified threshold, the system automatically tears the connection down.