Usage Scenario
If the bogus-list mode is enabled, public key authentication is required, which makes the authentication process time-consuming. To reduce the authentication duration, run the ssh server authentication-method bogus-list disable command to disable the bogus-list mode, so that keyboard-interactive or password authentication can be performed without using the other modes. If keyboard-interactive authentication is successful, password authentication is not performed.
In bogus-list mode, if a server receives a login request with a nonexistent username, the server may reject the connection request or send a bogus list carrying authentication modes that are actually unacceptable. The bogus-list mode helps prevent information about existing accounts from being leaked.
If the undo ssh server authentication-type keyboard-interactive enable command is run to disable keyboard-interactive authentication, the bogus list contains only the public key and password authentication modes. For example, if keyboard-interactive authentication is disabled, the bogus-list mode is enabled, and password-rsa authentication is enabled, the SSH server authenticates a user using both RSA authentication and password authentication.
After both keyboard-interactive authentication and the bogus-list mode are enabled on the SSH server, the bogus list contains all public key authentication modes, keyboard-interactive authentication, and password authentication. SSH authentication is performed for configured accounts based on the configured SSH authentication modes:
- If the ssh user user-name authentication-type { password | rsa | dsa | ecc | password-rsa | password-dsa | password-ecc | sm2 | password-sm2 | all } command is not run to configure an SSH user authentication mode, the SSH server attempts to authenticate users using the public key, keyboard-interactive, and password authentication modes in sequence. Once the user is authenticated using one mode, the user can log in to the SSH server without being authenticated through the remaining authentication modes. Once ssh user user-name authentication-type { password | rsa | dsa | ecc | password-rsa | password-dsa | password-ecc | sm2 | password-sm2 | all } without being authenticated through keyboard-interactive or password authentication.
- If the ssh user user-name authentication-type { password | rsa | dsa | ecc | password-rsa | password-dsa | password-ecc | sm2 | password-sm2 | all } command is run to configure an SSH user authentication mode, authentication is performed as follows:
  - If public key authentication is enabled, it is the only authentication mode. Once the user is authenticated using public key authentication, the user can log in to the SSH server. If the authentication fails, the user cannot log in to the SSH server.
  - If password authentication (rsa, sm2, dsa, or ecc) is enabled, the SSH server attempts to authenticate a user using public key authentication first. If the user is authenticated, the SSH server authenticates the user again using keyboard-interactive authentication. If keyboard-interactive authentication is successful, password authentication is not performed. Otherwise, password authentication is performed as well.
  - If both password and public key authentication modes are enabled, the SSH server attempts to authenticate a user using public key authentication. If the user is authenticated, the SSH server authenticates the user again using the keyboard-interactive or password authentication mode.
  - If all authentication modes are enabled, the SSH server attempts to authenticate a user using public key, keyboard-interactive, and password authentication in sequence. Once a user is authenticated using one mode, the user can log in to the SSH server without being authenticated using the remaining modes.
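The following Python model, added here as an illustration and not taken from the device software, encodes the bogus-list contents and the per-account authentication sequencing described above. Method names follow the standard SSH userauth names (`publickey`, `keyboard-interactive`, `password`); the plain `password` authentication-type is not modeled because the text above only describes it in combination with public key authentication.

```python
# Constructed model of the SSH server behaviour described on this page; not device code.
PUBLIC_KEY, KEYBOARD_INTERACTIVE, PASSWORD = "publickey", "keyboard-interactive", "password"
PUBLIC_KEY_TYPES = {"rsa", "dsa", "ecc", "sm2"}
PASSWORD_PK_TYPES = {"password-rsa", "password-dsa", "password-ecc", "password-sm2"}


def bogus_list(keyboard_interactive_enabled=True):
    """Methods the server advertises to any username while bogus-list mode is on.

    Because a nonexistent account receives the same list as a real one, the
    reply cannot be used to tell which usernames exist.
    """
    methods = [PUBLIC_KEY]
    if keyboard_interactive_enabled:  # undo ... keyboard-interactive enable removes this entry
        methods.append(KEYBOARD_INTERACTIVE)
    methods.append(PASSWORD)
    return methods


def authenticate(auth_type, passed, keyboard_interactive_enabled=True):
    """Simulate login for one account.

    auth_type: the 'ssh user ... authentication-type' value, or None if not configured.
    passed:    set of methods the client would succeed at (constructed test input).
    Returns (login_granted, methods_actually_attempted_in_order).
    """
    steps = []

    def attempt(method):
        if method == KEYBOARD_INTERACTIVE and not keyboard_interactive_enabled:
            return False  # keyboard-interactive disabled server-wide: never attempted
        steps.append(method)
        return method in passed

    if auth_type is None or auth_type == "all":
        # Try public key, keyboard-interactive, password in sequence; the first
        # success grants login and the remaining modes are skipped.
        for method in (PUBLIC_KEY, KEYBOARD_INTERACTIVE, PASSWORD):
            if attempt(method):
                return True, steps
        return False, steps
    if auth_type in PUBLIC_KEY_TYPES:
        return attempt(PUBLIC_KEY), steps  # sole method, no fallback
    if auth_type in PASSWORD_PK_TYPES:
        # Public key is mandatory; then keyboard-interactive, and password only
        # if keyboard-interactive was skipped or failed.
        if not attempt(PUBLIC_KEY):
            return False, steps
        return (attempt(KEYBOARD_INTERACTIVE) or attempt(PASSWORD)), steps
    raise ValueError(f"unsupported authentication-type: {auth_type!r}")
```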
This command applies to both IPv4 and IPv6 connections.