ssh server publickey

Function

The ssh server publickey command enables the specified public key algorithms on the SSH server.

The undo ssh server publickey command restores the public key algorithms of the SSH server to their default values.

If the default configuration file is used, the RSA_SHA2_256, RSA_SHA2_512, RSA, and ECC public key algorithms are enabled, whereas the DSA, SM2, and x509v3-ssh-rsa algorithms are disabled. If the configuration file in use contains no ssh server publickey command, only the RSA_SHA2_256 and RSA_SHA2_512 public key algorithms are enabled.

Format

ssh server publickey { dsa | ecc | rsa | sm2 | x509v3-ssh-rsa | rsa_sha2_256 | rsa_sha2_512 } *

undo ssh server publickey [ dsa | ecc | rsa | sm2 | x509v3-ssh-rsa | rsa_sha2_256 | rsa_sha2_512 ] *

Parameters

Parameter        Description                               Value
dsa              Indicates the DSA algorithm.              -
ecc              Indicates the ECC algorithm.              -
rsa              Indicates the RSA algorithm.              -
sm2              Indicates the SM2 algorithm.              -
x509v3-ssh-rsa   Indicates the X509-SSH-RSA algorithm.     -
rsa_sha2_256     Indicates the RSA SHA2-256 algorithm.     -
rsa_sha2_512     Indicates the RSA SHA2-512 algorithm.     -

Views

System view

Default Level

3: Management level

Task Name and Operations

Task Name    Operations
ssh-server   write

Usage Guidelines

Usage Scenario

  • This command lets you log in to the device with a more secure public key algorithm while all other public key algorithms are rejected, which improves device security. You are advised to use the RSA_SHA2_256 or RSA_SHA2_512 public key algorithm.
  • To allow one public key algorithm and deny all others, run the ssh server publickey command with that algorithm specified. For example, after the ssh server publickey dsa command is run, the DSA algorithm is allowed and all other algorithms are rejected. If this command is run more than once, the latest configuration overrides the previous one.
  • To ensure high security, do not use an RSA key shorter than 2048 bits as the authentication type for SSH users. Use the more secure RSA_SHA2_256 or RSA_SHA2_512 authentication algorithm instead.

Precautions

  • A public key algorithm can be used for login only after it is enabled on both the client and the server.
  • When you run the undo ssh server publickey command with an algorithm specified, ensure that the algorithm is the same one configured with the ssh server publickey command. Alternatively, run the undo ssh server publickey command with no algorithm specified. Otherwise, the configuration is not restored.
  • If the ssh user authentication-type { password | rsa | dsa | ecc | password-rsa | password-dsa | password-ecc | sm2 | password-sm2 | all } command is run to configure public key authentication as the authentication mode of SSH users, the public key algorithm it uses must be one enabled with the ssh server publickey { dsa | ecc | rsa | sm2 } * command. Otherwise, device login fails. For example, if the ssh server publickey ecc command is run, run the ssh user authentication-type { ecc | password-ecc | all } command to set the authentication mode of SSH users to ECC, Password-ECC, or All.
  • This command takes effect for both IPv4 and IPv6 SSH servers.
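As an added example (not Huawei's code), a small Python audit that applies the rules stated in the usage guidelines and precautions above to a captured configuration: the latest ssh server publickey line overrides earlier ones, the default set depends on the configuration file in use, and each ssh user authentication-type must correspond to an enabled algorithm. The mapping from authentication types to algorithms beyond the ECC case given in the text is an assumption, as is the constructed sample configuration.

```python
import re

# Semantics taken from this command reference: repeated "ssh server publickey" lines
# override each other, and the default set depends on which configuration file is in use.
RECOMMENDED = {"rsa_sha2_256", "rsa_sha2_512"}
DEFAULT_CONFIG_FILE = {"rsa_sha2_256", "rsa_sha2_512", "rsa", "ecc"}
DEFAULT_ABSENT = {"rsa_sha2_256", "rsa_sha2_512"}
ALL_ALGS = {"dsa", "ecc", "rsa", "sm2", "x509v3-ssh-rsa", "rsa_sha2_256", "rsa_sha2_512"}
# Server algorithm each "ssh user <name> authentication-type <type>" value needs.
# Assumed mapping (the page only spells out the ECC case); the rsa types are taken
# to be satisfied by any RSA variant, and "password" / "all" need nothing.
AUTH_TYPE_NEEDS = {
    "dsa": {"dsa"}, "password-dsa": {"dsa"},
    "ecc": {"ecc"}, "password-ecc": {"ecc"},
    "sm2": {"sm2"}, "password-sm2": {"sm2"},
    "rsa": {"rsa", "rsa_sha2_256", "rsa_sha2_512"},
    "password-rsa": {"rsa", "rsa_sha2_256", "rsa_sha2_512"},
}
PUBKEY_RE = re.compile(r"^\s*ssh server publickey\s+(.+?)\s*$", re.M)
USER_RE = re.compile(r"^\s*ssh user (\S+) authentication-type (\S+)\s*$", re.M)

def effective_publickey_algs(config, default_config_file=False):
    """Return the set of public key algorithms the server will accept."""
    lines = PUBKEY_RE.findall(config)
    if not lines:
        return set(DEFAULT_CONFIG_FILE if default_config_file else DEFAULT_ABSENT)
    # The latest configuration overrides the previous one, so only the last line counts.
    return set(lines[-1].split()) & ALL_ALGS

def audit_ssh_publickey(config, default_config_file=False):
    """Return (enabled set, findings) for one running-config text."""
    enabled = effective_publickey_algs(config, default_config_file)
    findings = [f"enabled algorithm not recommended: {a}" for a in sorted(enabled - RECOMMENDED)]
    for user, auth_type in USER_RE.findall(config):
        needed = AUTH_TYPE_NEEDS.get(auth_type, set())
        if needed and not (needed & enabled):
            findings.append(f"user {user}: authentication-type {auth_type} needs one of "
                            f"{sorted(needed)} enabled, login would fail")
    return enabled, findings

# Constructed sample (not from a real device) exercising the override and consistency rules.
SAMPLE_CONFIG = """\
 ssh server publickey dsa
 ssh server publickey ecc rsa_sha2_256
 ssh user admin authentication-type rsa
 ssh user legacy authentication-type sm2
"""

if __name__ == "__main__":
    enabled, findings = audit_ssh_publickey(SAMPLE_CONFIG)
    print("enabled:", sorted(enabled))
    for finding in findings:
        print("-", finding)
```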

Example

# Allow use of the ECC algorithm and deny all other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey ecc
# Allow use of the SM2 algorithm and deny all other algorithms.
<HUAWEI> system-view
[~HUAWEI] ssh server publickey sm2
Copyright © Huawei Technologies Co., Ltd.