ssh server assign

Function

The ssh server assign command assigns a host key or PKI certificate to an SSH server.

The undo ssh server assign command deletes a host key or PKI certificate assigned to an SSH server.

By default, no key or PKI certificate is assigned to an SSH server.

Format

ssh server assign { rsa-host-key key-name | dsa-host-key key-name | ecc-host-key key-name | sm2-host-key key-name | pki key-name }

undo ssh server assign rsa-host-key

undo ssh server assign dsa-host-key

undo ssh server assign ecc-host-key

undo ssh server assign sm2-host-key

undo ssh server assign pki

Parameters

Parameter: rsa-host-key key-name
Description: Assigns an RSA host key to an SSH server and specifies the name of the RSA host key.
Value: The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

Parameter: dsa-host-key key-name
Description: Assigns a DSA host key to an SSH server and specifies the name of the DSA host key.
Value: The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

Parameter: ecc-host-key key-name
Description: Assigns an ECC host key to an SSH server and specifies the name of the ECC host key.
Value: The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

Parameter: sm2-host-key key-name
Description: Assigns an SM2 host key to an SSH server and specifies the name of the SM2 host key.
Value: The value is a string of 1 to 35 case-insensitive characters and can only contain digits, letters, and underscores (_).

Parameter: pki key-name
Description: Specifies the name of a PKI domain.
Value: The value is a string of 1 to 64 case-sensitive characters. Spaces are not supported.

Views

System view

Default Level

3: Management level

Task Name and Operations

Task Name: ssh-server
Operations: write

Usage Guidelines

Usage Scenario

To provide security for an SSH server, run the ssh server assign command to assign an RSA host key, RSA server key, DSA host key, SM2 host key, or ECC host key that has been created, or to assign a PKI certificate, to the SSH server.

You are advised to use a more secure ECC authentication algorithm for higher security.

Prerequisites

A key pair has been created by performing any of the following operations based on the selected key:

  • The rsa key-pair label command creates an RSA key pair with a specified label name.
  • The dsa key-pair label command creates a DSA key pair with a specified label name.
  • The ecc key-pair label command creates an ECC key pair with a specified label name.
  • The sm2 key-pair label command creates an SM2 key pair with a specified label name.
  • The pki domain <domain-name> command creates a PKI domain with a specified name.

Configuration Impact

The RSA, DSA, or ECC key assigned to an SSH server takes precedence over the RSA, DSA, or ECC key created using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command, respectively. If the ssh server assign command is not run, an SSH server uses the key-pair created using the rsa local-key-pair create, dsa local-key-pair create, or ecc local-key-pair create command.

Precautions

  • The RSA host key and server key in a pair must differ in length by 128 bits. Otherwise, SSHv1 clients cannot log in to the server.
  • If an RSA host key and an RSA server key have been assigned to an SSH server, and the RSA host key or server key is changed, or the key length is changed in a local RSA key pair so that the keys do not differ in length by 128 bits, SSHv1 applications are affected.
  • Deleting an RSA, DSA, or ECC key pair also deletes the key assigned to an SSH server.
  • This command takes effect for both IPv4 and IPv6 SSH servers.

Example

# Assign an ECC host key named ecckey to an SSH server.
<HUAWEI> system-view
[~HUAWEI] ecc key-pair label ecckey
[*HUAWEI] ssh server assign ecc-host-key ecckey

# Assign an SM2 host key named sm2key001 to an SSH server.
<HUAWEI> system-view
[~HUAWEI] sm2 key-pair label sm2key001
[*HUAWEI] ssh server assign sm2-host-key sm2key001

# Assign a PKI certificate to an SSH server.
<HUAWEI> system-view
[*HUAWEI] ssh server assign pki default
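
The following Python check is an added example, not Huawei code: it applies the Format, Parameters and Prerequisites rules above, plus the ECC recommendation, to a command script before the script is pushed to a device. The function name audit, the finding messages and the sample script are constructed for this example, and the script is assumed to list one command per line without prompts.

```python
import re

HOST_KEY_NAME = re.compile(r"[A-Za-z0-9_]{1,35}")  # Parameters: digits, letters, underscores
PKI_NAME = re.compile(r"\S{1,64}")                 # Parameters: case-sensitive, no spaces
ALGO = {f"{a}-host-key": a for a in ("rsa", "dsa", "ecc", "sm2")}

def audit(script):
    """Return (assigned, findings); findings are (line_number, message), 0 = whole script."""
    created, assigned, findings = set(), {}, []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        m = re.fullmatch(r"(rsa|dsa|ecc|sm2) key-pair label (\S+)", line)
        if m:  # prerequisite: remember the label; these names are case-insensitive
            created.add((m.group(1), m.group(2).lower()))
            continue
        m = re.fullmatch(r"undo ssh server assign (\S+)", line)
        if m:  # the undo form removes an earlier assignment of that type
            assigned.pop(m.group(1), None)
            continue
        parts = line.split()
        if parts[:3] != ["ssh", "server", "assign"]:
            continue
        if len(parts) != 5 or parts[3] not in (*ALGO, "pki"):
            findings.append((n, "does not match the documented format"))
            continue
        keyword, name = parts[3], parts[4]
        if keyword == "pki":
            # Domain existence is not checked: the page's example assigns 'default' directly.
            if not PKI_NAME.fullmatch(name):
                findings.append((n, "PKI domain name longer than 64 characters"))
                continue
        elif not HOST_KEY_NAME.fullmatch(name):
            findings.append((n, "key-name must be 1-35 digits, letters or underscores"))
            continue
        elif (ALGO[keyword], name.lower()) not in created:
            findings.append((n, f"no earlier '{ALGO[keyword]} key-pair label {name}'"))
            continue
        assigned[keyword] = name
    if "ecc-host-key" not in assigned:
        findings.append((0, "no ECC host key assigned; the page advises ECC"))
    return assigned, findings

# Constructed sample script, not taken from a real device.
SAMPLE = ("system-view\necc key-pair label ecckey\n"
          "ssh server assign ecc-host-key ECCKEY\n"
          "ssh server assign dsa-host-key old-dsa\n"
          "ssh server assign rsa-host-key rsakey\nssh server assign pki default\n")
if __name__ == "__main__":
    print(audit(SAMPLE))
```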
Copyright © Huawei Technologies Co., Ltd.