
ssh user authentication-type

Function

The ssh user authentication-type command configures the authentication mode for the SSH user.

The undo ssh user authentication-type command cancels the authentication mode of the SSH user and restores the default configuration, that is, no authentication mode is adopted.

By default, the authentication mode of the SSH user is not configured.

Format

ssh user user-name authentication-type { password | rsa | password-rsa | all | dsa | password-dsa | ecc | password-ecc }

undo ssh user user-name authentication-type

Parameters

Parameter Description Value
user-name Specifies the name of an SSH user. The name is a string of 1 to 253 case-insensitive characters without a blank space.
password Indicates the password authentication. -
rsa Indicates the RSA authentication. -
password-rsa Indicates that both the password authentication and the Rivest-Shamir-Adleman (RSA) authentication must be adopted. -
all Indicates that any one of the password authentication, the RSA authentication, the Digital Signature Algorithm (DSA) authentication, or the Elliptic Curve Cryptography (ECC) authentication can be adopted. -
dsa Indicates the DSA authentication. -
password-dsa Indicates that both the password authentication and the DSA authentication must be adopted. -
ecc Indicates the ECC authentication. -
password-ecc Indicates that both the password authentication and the ECC authentication must be adopted. -

Views

System view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

A new SSH user cannot log in until an authentication mode has been configured for that user. A newly configured authentication mode takes effect on the next login.

When an authentication mode is configured for an SSH user but user-name of the user does not exist, an SSH user with the name of user-name is created. The authentication mode of the new SSH user is the configured one.
To improve security, it is recommended that you use ECC as the authentication algorithm to log in to the SSH server.

Table 1 shows the application scenario of each authentication mode.

Table 1 Application scenario of each authentication mode

Authentication Mode

Application Scenario

RSA authentication

RSA is a public key encryption architecture and an asymmetric encryption algorithm. Based on the problem of factoring large numbers, RSA is mainly used to transmit the keys of the symmetric encryption algorithm, which can improve encryption efficiency and simplify key management. The server must first check the validity of the SSH user and whether the public key and the digital signature are valid. If all three are consistent with those configured on the server, user authentication succeeds. If any of the three fails the check, user access is denied.

DSA authentication

Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all three are consistent with those configured on the server, user authentication succeeds. If any of the three fails the check, user access is denied.

Unlike RSA authentication, DSA authentication uses the widely-used digital signature algorithm for encryption.
  • In SSH, many tools support only DSA authentication for the server and client.
  • As defined in the latest SSH RFC, DSA authentication takes precedence over RSA authentication.

ECC authentication

Like RSA authentication, the server first checks the validity of the SSH user and whether the public key and the digital signature are valid. If all three are consistent with those configured on the server, user authentication succeeds. If any of the three fails the check, user access is denied. Compared with the RSA algorithm, ECC authentication has the following advantages:
  • Provides the same security with shorter key length.
  • Features a shorter computing process and higher processing speed.
  • Requires less storage space.
  • Requires lower bandwidth.

Password authentication

On the server, the AAA module assigns each valid user a password for login. That is, the server has the mappings between user names and passwords. When a user wants to log in to the server, the server authenticates the user name and its password respectively. If either of them cannot pass authentication, the user access is denied.

RSA-Password authentication, DSA-Password authentication and ECC-Password authentication

The server can authenticate the client by checking both the public key and the password, and the authentication succeeds only when both the public key and the password are consistent with those configured on the server.

All authentication

The server can authenticate the client by checking either the public key or the password, and the authentication succeeds when either of them is consistent with that configured on the server.

NOTE:
In all authentication mode, the user priority depends on the authentication mode selected.
  • If password authentication is selected, the user priority is the same as that specified on the AAA module.
  • If RSA/DSA/ECC authentication is selected, the user priority depends on the priority of the VTY window used during user access.

If all authentication is selected and an AAA user with the same name as the SSH user exists, user priorities may be different in password authentication and RSA/DSA/ECC authentication modes. Set relevant parameters as needed.

Configuration Impact

If an authentication mode has already been configured for the SSH user, running the ssh user authentication-type command deletes that configuration and the authentication mode specified in the new command is used instead.
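An added example (not Huawei's code): a Python sketch that reads `ssh user ... authentication-type` lines from a saved configuration and resolves each user's effective mode using the rules on this page (case-insensitive user names, a later command replacing an earlier one, undo restoring the unconfigured default). The sample configuration, function names and report fields are assumptions made for illustration.

```python
import re

# Modes taken from the Format line of this command.
MODES = {"password", "rsa", "password-rsa", "all",
         "dsa", "password-dsa", "ecc", "password-ecc"}

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
ssh user admin authentication-type password
ssh user Admin authentication-type password-ecc
ssh user backup authentication-type all
ssh user legacy authentication-type dsa
ssh user temp authentication-type rsa
undo ssh user temp authentication-type
ssh user ops authentication-type ecc
"""

LINE_RE = re.compile(
    r"^\s*(undo\s+)?ssh\s+user\s+(\S{1,253})\s+authentication-type(?:\s+(\S+))?\s*$")

def effective_modes(config_text):
    """Return {lowercased user-name: mode} after applying every line in order."""
    modes = {}
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        undo, name, mode = m.groups()
        name = name.lower()          # user names are case-insensitive
        if undo:
            modes.pop(name, None)    # default again: no mode, user cannot log in
        elif mode in MODES:
            modes[name] = mode       # a later command replaces the earlier mode
    return modes

def audit(config_text):
    """Describe each user's mode using the semantics in the parameter table."""
    report = {}
    for name, mode in sorted(effective_modes(config_text).items()):
        report[name] = {
            "mode": mode,
            "password_alone_suffices": mode in ("password", "all"),
            "requires_password_and_key": mode.startswith("password-"),
            "uses_recommended_ecc": mode in ("ecc", "password-ecc"),
        }
    return report

if __name__ == "__main__":
    for user, facts in audit(SAMPLE_CONFIG).items():
        print(user, facts)
```

Users reported with `password_alone_suffices` set are the ones to review first when the goal is to follow the page's recommendation of ECC.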

Example

# Set the authentication mode to password for the SSH user named user1.

<sysname> system-view
[sysname] ssh user user1 authentication-type password

# Set the authentication mode to DSA for the SSH user.

<sysname> system-view
[sysname] ssh user 10.1.1.1 authentication-type dsa

# Set the authentication mode to ECC for the SSH user.

<sysname> system-view
[sysname] ssh user 10.1.1.1 authentication-type ecc

Copyright © Huawei Technologies Co., Ltd.