ssh client publickey

Function

The ssh client publickey command enables the public key algorithm function of the SSH client.

The undo ssh client publickey command restores public key algorithms of the SSH client to default values.

If the default configuration file is used, the RSA_SHA2_256, RSA_SHA2_512, RSA, and ECC public key algorithms are enabled, whereas the DSA and SM2 algorithms are disabled. If the ssh client publickey command configuration does not exist in the configuration file that is in use, only RSA_SHA2_256 and RSA_SHA2_512 public key algorithms are enabled.

Format

ssh client publickey { dsa | ecc | rsa | sm2 | rsa_sha2_256 | rsa_sha2_512 } *

undo ssh client publickey [ dsa | ecc | rsa | sm2 | rsa_sha2_256 | rsa_sha2_512 ] *

Parameters

Parameter       Description                             Value
dsa             Indicates the DSA algorithm.            -
ecc             Indicates the ECC algorithm.            -
rsa             Indicates the RSA algorithm.            -
sm2             Indicates the SM2 algorithm.            -
rsa_sha2_256    Indicates the RSA SHA2-256 algorithm.   -
rsa_sha2_512    Indicates the RSA SHA2-512 algorithm.   -

Views

System view

Default Level

3: Management level

Task Name and Operations

Task Name Operations
ssh-client write

Usage Guidelines

Usage Scenario

  • The command enables you to use a more secure public key algorithm to log in to the device, with other public key algorithms rejected. This improves device security. You are advised to use the RSA_SHA2_256 or RSA_SHA2_512 public key algorithm.
  • To allow one public key algorithm and deny the others, run the ssh client publickey command with the desired algorithm specified. For example, after the ssh client publickey dsa command is run, the DSA algorithm is allowed but the RSA, ECC, and SM2 algorithms are not. If this command is run multiple times, the last configuration takes effect.
  • To ensure high security, do not use an RSA key pair whose length is less than 2048 bits. You are advised to use the more secure RSA_SHA2_256 or RSA_SHA2_512 authentication algorithm.

Precautions

  • A public key algorithm can be used for login only after it is enabled on both the client and server.
  • When you run the undo ssh client publickey command with an algorithm specified, ensure that the specified algorithm is the same as the one configured using the ssh client publickey command; alternatively, run the undo ssh client publickey command with no algorithm specified. Otherwise, the configuration restoration does not take effect.
  • If the ssh client first-time enable command function is enabled, a message is displayed asking you to save the server public key when you use the client to log in to the server. During the saving process, the SSH client automatically selects a successfully negotiated public key algorithm and allocates the algorithm to the SSH server based on the public key algorithm configured using the ssh client publickey command.
  • If the ssh client first-time enable command function is disabled, run the ssh client peer assign command to allocate a public key to the SSH server. Ensure that the allocated public key algorithm can successfully negotiate with the public key algorithm configured using the ssh client publickey command. Otherwise, the SSH server's public key fails to be authenticated by the SSH client.
  • This command takes effect for both IPv4 and IPv6 SSH clients.
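The usage scenario and precautions above describe three rules for working out which client public key algorithms are actually in force: the last ssh client publickey command wins when it is repeated, the command's absence from the configuration file leaves only RSA_SHA2_256 and RSA_SHA2_512 enabled, and an undo only restores defaults when it names no algorithm or exactly the configured ones. The following Python script is an added example (not Huawei's code or a device feature) that replays a saved configuration file under those rules and flags any enabled algorithm other than the advised RSA_SHA2_256/RSA_SHA2_512. The sample configuration is constructed, and the set that undo restores is assumed to be the one the default configuration file enables (the reference only says "default values").

```python
import re

# Algorithms the command reference advises using; the audit flags anything else.
RECOMMENDED = {"rsa_sha2_256", "rsa_sha2_512"}
# Enabled when no "ssh client publickey" line exists in the configuration in use.
ENABLED_WHEN_ABSENT = {"rsa_sha2_256", "rsa_sha2_512"}
# Enabled by the default configuration file; ASSUMED here to be the set that
# "undo ssh client publickey" restores (the reference only says "default values").
DEFAULT_FILE_SET = {"rsa_sha2_256", "rsa_sha2_512", "rsa", "ecc"}
KNOWN = {"dsa", "ecc", "rsa", "sm2", "rsa_sha2_256", "rsa_sha2_512"}

# Matches "ssh client publickey ..." and "undo ssh client publickey ..." lines.
LINE_RE = re.compile(r"^\s*(undo\s+)?ssh\s+client\s+publickey\b(.*)$")


def effective_client_publickey(config_text):
    """Return the set of public key algorithms the SSH client will offer.

    The configuration is replayed top to bottom the way the reference
    describes: the last "ssh client publickey" command wins; "undo" with no
    algorithm, or with exactly the configured algorithms, restores the
    defaults; an "undo" naming a different algorithm has no effect.
    """
    configured = None  # None means the command is absent from the configuration
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        is_undo = m.group(1) is not None
        algos = {a.lower() for a in m.group(2).split()}
        unknown = algos - KNOWN
        if unknown:
            raise ValueError(f"unknown public key algorithm(s): {sorted(unknown)}")
        if not is_undo:
            if not algos:
                raise ValueError("ssh client publickey requires at least one algorithm")
            configured = algos  # repeated runs: the last configuration takes effect
        elif not algos or algos == configured:
            configured = set(DEFAULT_FILE_SET)
        # else: undo names algorithms that were not configured, so restoration does not take effect
    return set(ENABLED_WHEN_ABSENT) if configured is None else set(configured)


def audit_client_publickey(config_text):
    """Return the sorted list of enabled algorithms that the reference does not advise."""
    return sorted(effective_client_publickey(config_text) - RECOMMENDED)


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
sysname HUAWEI
#
ssh client publickey dsa
ssh client publickey rsa rsa_sha2_256 rsa_sha2_512
#
"""

if __name__ == "__main__":
    print("enabled:", sorted(effective_client_publickey(SAMPLE_CONFIG)))
    print("not advised:", audit_client_publickey(SAMPLE_CONFIG))
```

Running the script on the sample shows that the earlier dsa line is superseded by the later command, so the client ends up offering rsa, rsa_sha2_256 and rsa_sha2_512, and rsa is reported as not advised. Feed it the output of display current-configuration from a device of your own to check a fleet for the same condition.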

Example

# Allow use of the ECC algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh client publickey ecc
# Allow use of the SM2 algorithm and deny other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh client publickey sm2
Copyright © Huawei Technologies Co., Ltd.