Got it

SSH user that logins with RSA authentication does not receive authorization priv

Latest reply: Apr 27, 2020 20:52:01 1220 3 0 0

Hello everyone,

Today I will share with you the reason of SSH user that logins with RSA authentication does not receive authorization priv.

You can log in to a device by using STelnet on networks with high security requirements. STelnet, based on the SSH protocol, provides powerful authentication functions to ensure information security and protect devices against attacks, such as IP spoofing attacks.
A SSH users can be authenticated in six modes: password, RSA, DSA, Password-RSA, Password-DSA, and All. The mos used are the below:
Password authentication: is based on the user name and password. You need to configure a password for each SSH user in the AAA view. A user must enter the correct user name and password to log in using SSH.
Revest-Shamir-Adleman Algorithm (RSA) authentication: is based on the private key of the client. RSA is a public-key cryptographic system that uses an asymmetric encryption algorithm. An RSA key pair consists of a public key and a private key. You need to copy the public key generated by the client to the SSH server. The SSH server then uses the public key to encrypt data.
<!--[if !supportLists]-->
The SSH password authentication can  be implemented correctly to provide different privilege levels to users after authentication according to the AAA configuration. In this way we can set different user levels for the SSH users to control the device access permission.
The problem appears in the case where we use RSA authentication for the STelnet services. When we are  using RSA key authentication, the user will be correctly authenticated but the user will receive a  default privilege level of 0 even though the same user has different level configured in the AAA view.In this situation the user will not be able to reach the system view and will have access to a limited number of commands.
Config and info:
  statistic enable
local-user admin password irreversible-cipher xxxx
local-user admin privilege level 15
local-user admin service-type telnet terminal ssh ftp
local-user admin user-type netmanager
stelnet server enable
scp server enable
ssh user admin
ssh user admin authentication-type all
ssh user admin assign rsa-key admin
ssh user admin service-type all
ssh user admin sftp-directory flash:/
Result after loging in with ssh and rsa authentication:

That is all I want to share with you! Thank you!

  • x
  • convention:

Created Mar 26, 2016 19:35:01 Helpful(0) Helpful(0)

The problem appears because all the SSH users that connect with the RSA authentication on the VTY interfaces will inherit  the privilege level configured under the VTY interface, despite the level configured in the AAA view . By default this level is 0
To address this problem the only solution offered by the system in the current releases is to configure the user level under the VTY interfaces. In this way,  the users that connect by stelnet with rsa authentication will receive the privilege level configured under the vty interface while the other users  that are authenticated by the AAA  will still get the proper privilege level.

Configuration change:
[Huawei]user-interface vty 0 4                                                                                                             

[Huawei-ui-vty0-4]user privilege level 15             

After the above change, the ssh user that logs in with rsa authentication will receive privilege level 15.

View more
  • x
  • convention:

Created Apr 27, 2020 20:51:47 Helpful(0) Helpful(0)

thanks for this presentation.
View more
  • x
  • convention:

Created Apr 27, 2020 20:52:01 Helpful(0) Helpful(0)

very clear
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits


Huawei Enterprise Support Community
Huawei Enterprise Support Community
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.