ssh user

Function

The ssh user command creates an SSH user.

The ssh user assign command assigns an existing public key to an SSH user.

The ssh user authentication-type command configures the authentication type of an SSH user.

The ssh user service-type command configures the service type for the SSH user.

The ssh user sftp-directory command configures the authorized directory of the SFTP service for SSH users.

The undo ssh user command deletes an SSH user.

The undo ssh user assign command deletes the binding between an SSH user and a public key.

The undo ssh user authentication-type command deletes the configured authentication mode.

The undo ssh user service-type command restores the default service type of an SSH user.

The undo ssh user sftp-directory command cancels the authorized SFTP service directory for an SSH user.

By default, no SSH user is created, no public key is assigned to a user, and the authentication type, service type, and authorized SFTP directory of an SSH user are not configured.

Format

ssh user user-name

ssh user user-name assign { rsa-key | dsa-key | ecc-key | sm2-key } key-name

ssh user user-name authentication-type { password | rsa | password-rsa | dsa | password-dsa | all | ecc | password-ecc | sm2 | password-sm2 | password-x509v3-rsa | x509v3-rsa }

ssh user user-name service-type { sftp | stelnet | snetconf } *

ssh user user-name sftp-directory directoryname

ssh user user-name assign pki pki-name

undo ssh user user-name authentication-type

undo ssh user user-name assign { rsa-key | dsa-key | ecc-key | sm2-key }

undo ssh user user-name assign pki

undo ssh user user-name service-type

undo ssh user user-name sftp-directory

undo ssh user [ user-name ]

Parameters

user-name
  Description: Indicates the name of an SSH user.
  Value: The name is a string of 1 to 253 characters.

rsa-key
  Description: Specifies to assign an RSA public key to a user.
  Value: -

dsa-key
  Description: Specifies to assign a DSA public key to a user.
  Value: -

ecc-key
  Description: Specifies to assign an ECC public key to a user.
  Value: -

sm2-key
  Description: Specifies to assign an SM2 public key to a user.
  Value: -

key-name
  Description: Specifies the name of the public key (RSA, DSA, ECC, or SM2) generated on the client.
  Value: The value is a string of 1 to 40 case-sensitive characters, spaces not supported.

password
  Description: Indicates password authentication.
  Value: -

rsa
  Description: Indicates RSA authentication. To ensure high security, do not use an RSA key shorter than 2048 bits as the authentication type for the SSH user. You are advised to use the more secure ECC authentication algorithm.
  Value: -

password-rsa
  Description: Indicates that both password authentication and RSA authentication must be adopted.
  Value: -

dsa
  Description: Indicates DSA authentication.
  Value: -

password-dsa
  Description: Indicates that both password authentication and DSA authentication must be adopted.
  Value: -

all
  Description: Indicates all authentication modes.
  Value: -

ecc
  Description: Indicates ECC authentication.
  Value: -

password-ecc
  Description: Indicates that both password authentication and ECC authentication must be adopted.
  Value: -

sm2
  Description: Indicates SM2 authentication.
  Value: -

password-sm2
  Description: Indicates that both password authentication and SM2 authentication must be adopted.
  Value: -

password-x509v3-rsa
  Description: Indicates that both password authentication and X509V3-SSH-RSA authentication must be adopted.
  Value: -

x509v3-rsa
  Description: Indicates X509V3-SSH-RSA authentication.
  Value: -

sftp
  Description: Indicates the SFTP service type.
  Value: -

stelnet
  Description: Indicates the STelnet and SCP service type.
  Value: -

snetconf
  Description: Indicates the SNETCONF service type.
  Value: -

sftp-directory directoryname
  Description: Specifies the directory name of the SFTP server.
  Value: The name is a string of 1 to 255 characters.

pki pki-name
  Description: Indicates the PKI domain.
  Value: The value is a string of 1 to 64 case-sensitive characters, spaces not supported.

Views

System view

Default Level

3: Management level

Task Name and Operations

Task Name    Operations
ssh-server   write

Usage Guidelines

You can create a user using either of the following methods:

  • Run the ssh user command.
  • Run the ssh user authentication-type, ssh user service-type, or ssh user <user-name> sftp-directory <sftp-dir-path> command. If the system detects that the user named user-name does not exist, it automatically creates that user.

The privilege level granted to the user depends on the configuration of the ssh authorization-type default command.

When the system assigns a public key to a user:

  • The system considers the public key assigned last as valid.
  • The newly configured public key takes effect during the next login.

When ECC/DSA/RSA authentication is used to authenticate an SSH user, the client sends the ECC/DSA/RSA public key that is generated locally to the server, and the server then assigns that public key to the SSH user.

The public key to be assigned must be valid.

To ensure high security, do not use an RSA key shorter than 2048 bits as the authentication type for the SSH user. You are advised to use the more secure ECC authentication algorithm.

A new SSH user cannot log in until an authentication type is configured for it. The newly configured authentication type takes effect on the next login.

If an authentication type has already been configured, running the ssh user authentication-type command again deletes that configuration and replaces it with the newly specified authentication type.

The ssh user service-type command configures the service type for the SSH user.

The ssh user <user-name> sftp-directory <sftp-dir-path> command configures the sftp directory for the SSH user.

  • If the user does not exist, a new SSH user with the specified user name is created, and the configured directory is used as the authorized SFTP directory. You can also log in with a user name configured using the local-user <user-name> ftp-directory <directory> command.
  • If neither the configured directory nor the directory configured using local-user <user-name> ftp-directory <directory> exists, the SFTP client fails to connect to the SSH server.

When an SFTP user logs in to a device, the directory configured using ssh user username sftp-directory directoryname takes precedence, followed by the directory configured using local-user <user-name> ftp-directory <directory>.

The commands apply to both IPv4 and IPv6.

You can run the display ssh user-information command to view the configuration of all SSH users.
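As an added example that is not part of this Huawei documentation, the following Python script replays the ssh user command forms documented above from a constructed running-config excerpt and audits the result against the rules in these Usage Guidelines: a user is created implicitly on first mention, a re-run authentication-type replaces the earlier one, only the last assigned key is valid, a user with no authentication type cannot log in, RSA/DSA is discouraged in favour of ECC, and an SFTP user without an sftp-directory falls back to the local-user ftp-directory. The user names, key names and directory are constructed.

```python
import re

# Constructed running-config excerpt (not from a real device) using the
# command forms documented on this page.
SAMPLE_CONFIG = """\
ssh user alice
ssh user alice authentication-type ecc
ssh user alice assign ecc-key alice-ecc
ssh user alice service-type sftp
ssh user alice sftp-directory cfcard:/sftp/alice
ssh user bob authentication-type rsa
ssh user bob assign rsa-key bob-old
ssh user bob assign rsa-key bob-new
ssh user carol service-type sftp
"""

LINE_RE = re.compile(r"^ssh user (\S+)(?: (authentication-type|assign|service-type|sftp-directory) (.+))?$")
LEGACY_AUTH = {"rsa", "password-rsa", "dsa", "password-dsa"}  # page advises ECC instead

def parse_ssh_users(config: str) -> dict[str, dict]:
    # Replay commands in order; a user is created implicitly on first mention.
    users: dict[str, dict] = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, sub, args = m.group(1), m.group(2), (m.group(3) or "").split()
        u = users.setdefault(name, {"auth": None, "key": None, "services": [], "sftp_dir": None})
        if sub == "authentication-type":
            u["auth"] = args[0]                # re-running replaces the earlier type
        elif sub == "assign":
            u["key"] = (args[0], args[1])      # only the last assigned key is valid
        elif sub == "service-type":
            u["services"] = args
        elif sub == "sftp-directory":
            u["sftp_dir"] = args[0]
    return users

def audit(users: dict[str, dict]) -> dict[str, list[str]]:
    # Per-user findings derived from the rules in the Usage Guidelines.
    findings: dict[str, list[str]] = {}
    for name, u in users.items():
        notes = []
        if u["auth"] is None:
            notes.append("no authentication-type: user cannot log in")
        elif u["auth"] in LEGACY_AUTH:
            notes.append(f"{u['auth']}: RSA/DSA discouraged, prefer ECC (RSA must be >= 2048 bits)")
        if "sftp" in u["services"] and u["sftp_dir"] is None:
            notes.append("sftp without sftp-directory: falls back to local-user ftp-directory")
        if notes:
            findings[name] = notes
    return findings
```

Running audit(parse_ssh_users(SAMPLE_CONFIG)) reports bob's legacy RSA type and carol's missing authentication type and directory, while alice passes.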

Example

# Create an SSH user named testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser
# Assign an ECC public key named key1 to the user named testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser assign ecc-key key1
# Assign the key named sm2key001 to user testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser assign sm2-key sm2key001
# Configure the service type for SSH user testuser.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser service-type all
# Configure the SFTP service authorized directory of SSH users as cfcard:/ssh.
<HUAWEI> system-view
[~HUAWEI] ssh user testuser sftp-directory cfcard:/ssh
Copyright © Huawei Technologies Co., Ltd.