Table 7 SSH server and client requirements
Device role | Requirements
SSH server | Assign an IP address to an interface of the device, and make sure the interface and the client can reach each other. By default, only interface GigabitEthernet 0/0 is assigned an IP address (192.168.0.1/24). Configure the authentication mode and other settings.
SSH client | If a host operates as an SSH client, run the SSH client program on the host. Obtain the IP address of the interface on the server.
To control SSH access to the device operating as an SSH server, configure authentication and user privilege level for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured. To allow SSH access to the device after you enable the SSH server, you must configure a password.
Configuring the SSH server on the device
When scheme authentication is used, you can choose to configure the command authorization and command accounting functions.
If command authorization is enabled, a command is available only if the user has the commensurate user privilege level and is authorized to use the command by the AAA scheme.
Command accounting allows the HWTACACS server to record all commands executed by users, regardless of command execution results. This function helps control and monitor user behaviors on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.
Follow these guidelines when you configure the SSH server:
• To make the command authorization or command accounting function take effect, apply an HWTACACS scheme to the intended ISP domain. This scheme must specify the IP address of the authorization server and other authorization parameters.
• If the local authentication scheme is used, use the
• If a RADIUS or HWTACACS authentication scheme is used, set the user privilege level on the RADIUS or HWTACACS server.
The SSH client authentication method is password in this configuration procedure. For more information about SSH and publickey authentication, see System Management and Maintenance Configuration Guide.
To configure the SSH server on the device:
Step | Command | Remarks
1. Enter system view. | | N/A
2. Create local key pairs. | | By default, no local key pairs are created.
3. Enable SSH server. | ssh server enable | By default, SSH server is disabled.
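The following audit script is an added example, not part of the original guide or the vendor's tooling. It checks a saved configuration against the guidelines above: SSH server enabled, and command authorization or command accounting backed by scheme authentication and an HWTACACS scheme in an ISP domain. Apart from `ssh server enable`, the configuration keywords in the constructed sample are assumed Comware-style syntax not shown on this page, `tac1` is a placeholder scheme name, and the check accepts a scheme in any ISP domain rather than resolving the intended one.

```python
import re

# Constructed sample configuration (not from the page). Keyword spellings are
# assumed Comware-style syntax; "tac1" is a placeholder scheme name.
SAMPLE_CONFIG = """\
ssh server enable
domain system
 authentication login hwtacacs-scheme tac1
 accounting command hwtacacs-scheme tac1
user-interface vty 0 4
 authentication-mode scheme
 command authorization
 command accounting
"""

def parse_views(config):
    """Group indented lines under the unindented line that opens the view."""
    top, views, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            views[current].append(raw.strip())
        else:
            current = raw.strip()
            views.setdefault(current, [])
            top.append(current)
    return top, views

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    top, views = parse_views(config)
    findings = []
    if "ssh server enable" not in top:
        findings.append("SSH server is not enabled")
    domain_cmds = [c for v, cmds in views.items() if v.startswith("domain ") for c in cmds]
    for view, cmds in views.items():
        if not view.startswith("user-interface vty"):
            continue
        scheme = "authentication-mode scheme" in cmds
        for feature, verb in (("command authorization", "authorization"),
                              ("command accounting", "accounting")):
            if feature not in cmds:
                continue
            if not scheme:
                findings.append(f"{view}: {feature} set without scheme authentication")
            if not any(re.match(rf"{verb} command hwtacacs-scheme \S+", c) for c in domain_cmds):
                findings.append(f"{view}: {feature} has no HWTACACS scheme in any ISP domain")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports that command authorization is enabled on the VTY lines while no ISP domain applies an HWTACACS scheme for command authorization, which is the case the first guideline covers.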