Session request, Interaction – H3C Technologies H3C SecPath F1000-E User Manual
Page 163
152
•
Password authentication—The SSH server uses AAA for authentication of the client. During
password authentication, the SSH client encrypts its username and password, encapsulates them
into a password authentication request, and sends the request to the server. After receiving the
request, the SSH server decrypts the username and password, checks the validity of the username
and password locally or by a remote AAA server, and then informs the client of the authentication
result. If the remote AAA server requires the user for a password re-authentication, it carries a
prompt in the authentication response to send to the device. The prompt is transparently transmitted
to the client, and displayed on the client to notify the user to enter a specified password. After the
user enters the correct password and passes validity check by the remote AAA server, the device
returns an authentication success message to the client.
•
Publickey authentication—The server authenticates the client by the digital signature. During
publickey authentication, the client sends the server a publickey authentication request that contains
its username, public key, and publickey algorithm information. The server checks whether the public
key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates
the client by the digital signature. Finally, the server sends a message to the client to inform the
authentication result. The device supports using the publickey algorithms RSA and DSA for digital
signature.
•
Password-publickey authentication—The server requires clients that run SSH2 to pass both
password authentication and publickey authentication. However, if a client runs SSH1, it only needs
to pass either authentication.
•
Any authentication—The server requires the client to pass either of password authentication and
publickey authentication.
The following gives the steps of the authentication stage:
1.
The client sends the server an authentication request, which includes the username, the
authentication method, and the information related to the authentication method (for example, the
password in the case of password authentication).
2.
The server authenticates the client. If the authentication fails, the server informs the client by
sending a message, which includes a list of available methods for re-authentication.
3.
The client selects a method from the list to initiate another authentication.
4.
The preceding process repeats until the authentication succeeds or the number of failed
authentication attempts exceeds the maximum of authentication attempts. In the latter case, the
server tears the session down.
NOTE:
Only clients running SSH2 or a later version support password re-authentication that is initiated by the
device acting as the SSH server.
Session request
After passing authentication, the client sends a session request to the server, and the server listens to and
processes the request from the client. If the server successfully processes the request, the server sends an
SSH_SMSG_SUCCESS packet to the client and goes on to the interaction stage with the client. Otherwise,
the server sends an SSH_SMSG_FAILURE packet to the client to indicate that the processing has failed or
it cannot resolve the request.
Interaction
In this stage, the server and the client exchanges data as follows:
1.
The client encrypts and sends the command to be executed to the server.