ssh user authentication-type

Function

The ssh user authentication-type command configures an authentication mode for an SSH user.

The undo ssh user authentication-type command restores the default authentication mode for an SSH user.

By default, no authentication mode is configured for an SSH user.

Format

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | ecc | password-ecc | all }

undo ssh user user-name authentication-type

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| user-name | Specifies an SSH user name. | The value is a string of 1 to 64 case-insensitive characters without spaces. NOTE: The string can contain spaces if it is enclosed with double quotation marks ("). |
| password | Specifies the password authentication mode. | - |
| rsa | Specifies the RSA authentication mode. | - |
| password-rsa | Specifies the password and RSA authentication modes. | - |
| dsa | Specifies the DSA authentication mode. | - |
| password-dsa | Specifies the password and DSA authentication modes. | - |
| ecc | Specifies the ECC authentication mode. | - |
| password-ecc | Specifies the password and ECC authentication modes. | - |
| all | Specifies the password, ECC, DSA, or RSA authentication mode. | - |

NOTE:
In all authentication mode, the user priority depends on the authentication mode that the user selected.
  • If password authentication is selected, the user priority is the same as that specified on the AAA module.
  • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY interface used during user access.

If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA, DSA, or ECC authentication modes. Set relevant parameters as needed.

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

When you configure an authentication mode for an SSH user and the user does not exist, the device automatically creates an SSH user named user-name.

Table 1 describes the usage scenarios for different authentication modes.

Table 1 Usage scenarios for authentication modes

Authentication Mode

Usage Scenario

RSA

It is a public key encryption architecture and an asymmetric encryption algorithm. RSA is mainly used to transmit the keys of the symmetric encryption algorithm, which improves encryption efficiency and simplifies key management. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails, and the user is denied access to the server.

DSA

It is the same as RSA authentication in implementation. The server checks whether the SSH user, public key, and digital user signature are valid. If all of them are valid, the user is permitted to access the server. If any of them is invalid, the authentication fails, and the user is denied access to the server.

Compared with RSA authentication, DSA authentication uses the digital signature algorithm for encryption and has a wider application scope.
  • Many SSH tools only support DSA authentication for servers and clients.
  • Based on the latest RFC recommendation for SSH, DSA authentication takes precedence over RSA authentication.

ECC

Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all of them are consistent with those configured on the server, user authentication succeeds. If any of the three fails authentication, the user is denied access. Compared with the RSA algorithm, ECC authentication has the following advantages:
  • Provides the same security with shorter key length.
  • Features a shorter computing process and higher processing speed.
  • Requires less storage space.
  • Requires lower bandwidth.

password

On the server, the AAA module assigns each authorized user a password for login. The server has the mapping between user names and passwords. When a user requests to access the server, the server authenticates the user name and password. If either of them fails to be authenticated, the access request of the user is denied.

The account information of users who are configured with the password authentication mode can be configured on devices or remote authentication servers (for example, RADIUS servers).

password-rsa, password-dsa, and password-ecc

The SSH server authenticates a client by checking both the public key and password. The client can be authenticated only when both the public key and password meet the requirement.

all

The SSH server authenticates a client by checking the public key or password. The client can be authenticated when either the public key or password meets the requirement.

Precautions

A new SSH user cannot log in to the SSH server unless an authentication mode is configured for the user. A newly configured authentication mode takes effect upon the next login.

To improve security, it is not recommended that you use RSA or DSA as the authentication algorithm.
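
The following Python check is an added example, not Huawei code and not part of the original page. It reads configuration lines in the format above and reports SSH users whose mode relies on RSA or DSA, or is all (which accepts them). The sample configuration is constructed, and the input is assumed to be a plain list of commands without device prompts.

```python
import shlex
# Modes listed in the command format on this page.
MODES = {"password", "rsa", "password-rsa", "dsa", "password-dsa",
         "ecc", "password-ecc", "all"}
# Modes that depend on RSA or DSA, which the Precautions advise against.
RSA_DSA_MODES = {"rsa", "dsa", "password-rsa", "password-dsa"}
# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = '''
ssh user john authentication-type password
ssh user "Ops Admin" authentication-type all
ssh user backup authentication-type password-rsa
ssh user Deploy authentication-type ecc
ssh user deploy authentication-type dsa
ssh user legacy authentication-type rsa
undo ssh user legacy authentication-type
'''

def parse_ssh_users(config_text):
    """Map each SSH user name (lowercased) to its last configured mode."""
    users = {}
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)  # keeps "quoted names" as one token
        except ValueError:
            continue  # unbalanced quotes: not a well-formed command
        undo = tokens[:1] == ["undo"]
        tokens = tokens[1:] if undo else tokens
        if tokens[:2] != ["ssh", "user"] or tokens[3:4] != ["authentication-type"]:
            continue
        name = tokens[2].lower()  # user names are case-insensitive
        if undo:
            users.pop(name, None)  # default again: no mode configured
        elif len(tokens) == 5 and tokens[4] in MODES:
            users[name] = tokens[4]
    return users

def audit(config_text):
    """Return (user, mode, reason) for modes that permit RSA or DSA."""
    findings = []
    for name, mode in sorted(parse_ssh_users(config_text).items()):
        if mode in RSA_DSA_MODES:
            findings.append((name, mode, "relies on RSA or DSA"))
        elif mode == "all":
            findings.append((name, mode, "accepts password, RSA, DSA or ECC"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=" | ")
```

Because user names are case-insensitive, the later `deploy` line replaces the earlier `Deploy` entry, so the audit reports the mode that is actually in effect.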

Example

# Configure password authentication for the SSH user John.

<HUAWEI> system-view
[HUAWEI] ssh user john authentication-type password
Copyright © Huawei Technologies Co., Ltd.