Session request, Interactive session – H3C Technologies H3C WX6000 Series Access Controllers User Manual


• The server authenticates the client. If the authentication fails, the server informs the client by
  sending a message, which includes a list of available methods for re-authentication.

• The client selects a method from the list to initiate another authentication.

• The above process repeats until the authentication succeeds or the authentication times out
  and the session is torn down.

SSH provides two authentication methods: password authentication and publickey authentication.

In password authentication:

• The client encrypts the username and password, encapsulates them into a password
  authentication request, and sends the request to the server.

• Upon receiving the request, the server decrypts the username and password, compares them
  against those it maintains, and then informs the client of the authentication result.

In publickey authentication:

• The server authenticates clients using digital signatures. Currently, the device supports two
  publickey algorithms to implement digital signatures: RSA and DSA. The client sends to the server
  a public authentication request containing its user name, public key and algorithm. The server
  validates the public key. If the public key is invalid, the authentication fails; otherwise, the server
  generates a digital signature to authenticate the client, and then sends back a message to inform
  the client of the success or failure of the authentication.

Besides password authentication and publickey authentication, SSH provides another two
authentication methods:

• password-publickey: Performs both password authentication and publickey authentication of the
  client. A client running SSH1 client only needs to pass either type of the two, while a client running
  SSH2 client must pass both of them to log in.

• any: Performs either password authentication or publickey authentication. The client tries
  publickey authentication first.
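
The retry loop and the four authentication modes described above, modelled as an added example (not code from the manual or from the device). The names `policy` and `run_auth`, the reply labels, and the use of an exhausted attempt list to stand in for the authentication timeout are assumptions made for illustration.

```python
# Added example: models the server-side decision described in this section.
# All names are hypothetical; this is not H3C's implementation.
MODES = ("password", "publickey", "password-publickey", "any")

def policy(mode, ssh_version):
    """Return (offered_methods, need_all) for a configured mode."""
    if mode not in MODES:
        raise ValueError(f"unknown authentication mode: {mode}")
    if ssh_version not in (1, 2):
        raise ValueError("ssh_version must be 1 or 2")
    if mode in ("password", "publickey"):
        return [mode], True
    if mode == "any":
        # Either method is enough; publickey is listed (and tried) first.
        return ["publickey", "password"], False
    # password-publickey: SSH1 needs either method, SSH2 needs both.
    return ["publickey", "password"], ssh_version == 2

def run_auth(mode, ssh_version, attempts):
    """attempts: (method, ok) pairs in the order the client tries them.
    Returns (authenticated, replies); each reply is (kind, remaining_methods).
    Running out of attempts stands in for the timeout (assumption)."""
    offered, need_all = policy(mode, ssh_version)
    passed, replies = set(), []
    for method, ok in attempts:
        accepted = ok and method in offered
        if accepted:
            passed.add(method)
        remaining = [m for m in offered if m not in passed]
        if passed and (not need_all or not remaining):
            replies.append(("success", []))
            return True, replies
        # A failure reply carries the methods the client may try next.
        # "partial" marks a passed method when another is still required.
        replies.append(("partial" if accepted else "failure", remaining))
    replies.append(("session torn down", []))
    return False, replies

if __name__ == "__main__":
    # Constructed attempts: the same client behaviour under SSH1 and SSH2.
    for version in (1, 2):
        print(version, run_auth("password-publickey", version,
                                [("password", True)]))
```

The constructed run shows why `password-publickey` only enforces two factors for SSH2 clients: an SSH1 client that passes password authentication alone is accepted.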

Session request

After passing authentication, the client sends a session request to the server, while the server listens to
and processes the request from the client. If the client passes authentication, the server sends back to
the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the
client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that
the processing fails or it cannot resolve the request.

Interactive session

In this stage, the server and the client exchange data in this way:

• The client encrypts and sends the command to be executed to the server.

• The server decrypts and executes the command, and then encrypts and sends the result to the
  client.

• The client decrypts and displays the result on the terminal.
