Examples of public key management, Example for entering a peer public key, Ssh authentication methods – H3C Technologies H3C S12500-X Series Switches User Manual


Stage           Description

Key exchange    The two parties use the Diffie-Hellman (DH) key exchange
                algorithm to dynamically generate the session key that
                protects data transfer and the session ID that identifies
                the SSH connection. In this stage, the client also
                authenticates the server.

Authentication  The SSH server authenticates the client in response to the
                client's authentication request.

Session request After passing authentication, the client sends a session
                request to the server to establish a session (or to request
                the Stelnet, SFTP, or SCP service).

Interaction     After the server grants the request, the client and the
                server communicate with each other in the session.
                In this stage, you can paste commands in text format and
                execute them at the CLI. The text pasted at one time must
                be no more than 2000 bytes. H3C recommends that you paste
                commands in the same view; otherwise, the server might not
                be able to execute the commands correctly.
                To execute commands of more than 2000 bytes, save the
                commands in a configuration file, upload it to the server
                through SFTP, and use it to restart the server.

SSH authentication methods

When the device acts as an SSH server, it supports the following authentication methods:

Password authentication—The SSH server authenticates a client through the AAA mechanism. In password authentication, the SSH client puts its username and password into an authentication request and sends the request to the server over the encrypted SSH transport. After receiving the request, the SSH server decrypts it to obtain the username and password in plain text, verifies them locally or through a remote AAA server, and then informs the client of the authentication result.
If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The SSH server transparently passes the prompt to the client, which notifies the user to enter the specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.
For more information about AAA, see "Configuring AAA."

NOTE:

SSH1 clients do not support secondary password authentication that is initiated by the AAA server.

Publickey authentication—The server authenticates a client by digital signature. In publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and public key algorithm information. The server first checks whether the public key is valid, that is, whether it is a peer public key that has been configured on the server for that user. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by verifying its digital signature. Finally, the server informs the client of the authentication result.
The device supports the RSA and DSA public key algorithms for digital signature.
For more information about public key configuration, see "Managing public keys."
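To make the two-step check in that description concrete (key acceptability first, then signature verification), here is an added Go example. It is not H3C code and does not use the device CLI or any H3C API. It assumes a hypothetical in-memory per-user authorized-key store on the server, RSA with PKCS#1 v1.5 over SHA-256 as the signature scheme, and a signed message laid out as in the SSH authentication protocol (RFC 4252): session ID, message type, username, service, method, algorithm name, key blob. The session IDs and key pairs are constructed for the demonstration. Including the session ID in the signed data is what ties a signature to one connection; the example shows that a signature captured on another session, or a key that is authorized but for a different user, is rejected.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
)

// PubkeyRequest carries what the manual lists for a publickey request:
// username, algorithm name and public key. Signature is empty on the
// first round, when the client only asks whether the key is acceptable.
type PubkeyRequest struct {
	Username, Algorithm string
	PublicKey           *rsa.PublicKey
	Signature           []byte
}

// Server is hypothetical server state: the session ID produced by the key
// exchange stage and a per-user authorized-key store (assumed design).
type Server struct {
	SessionID  []byte
	Authorized map[string][]*rsa.PublicKey
}

// authData is the signed message, laid out as in RFC 4252. It starts with
// the session ID, so a signature only verifies on the connection it was
// made for and cannot be replayed on another one.
func authData(sessionID []byte, req PubkeyRequest) []byte {
	var buf bytes.Buffer
	put := func(s []byte) { // SSH "string": uint32 length prefix + bytes
		var l [4]byte
		binary.BigEndian.PutUint32(l[:], uint32(len(s)))
		buf.Write(l[:])
		buf.Write(s)
	}
	put(sessionID)
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	put([]byte(req.Username))
	put([]byte("ssh-connection"))
	put([]byte("publickey"))
	buf.WriteByte(1) // signature present
	put([]byte(req.Algorithm))
	put(x509.MarshalPKCS1PublicKey(req.PublicKey))
	return buf.Bytes()
}

// keyIsValid is the manual's "checks whether the public key is valid":
// the key must be on the authorized list of the user named in the request.
func (s *Server) keyIsValid(req PubkeyRequest) bool {
	if req.Algorithm != "ssh-rsa" || req.PublicKey == nil {
		return false
	}
	for _, k := range s.Authorized[req.Username] {
		if k.Equal(req.PublicKey) {
			return true
		}
	}
	return false
}

// Authenticate does the two steps in order: key acceptability first, then
// signature verification over the session-bound data.
func (s *Server) Authenticate(req PubkeyRequest) error {
	if !s.keyIsValid(req) {
		return errors.New("public key not authorized for this user")
	}
	if len(req.Signature) == 0 {
		return errors.New("key acceptable, signature required") // PK_OK in SSH
	}
	d := sha256.Sum256(authData(s.SessionID, req))
	if rsa.VerifyPKCS1v15(req.PublicKey, crypto.SHA256, d[:], req.Signature) != nil {
		return errors.New("signature verification failed")
	}
	return nil
}

// ClientSign is the client side: sign the same data with the private key.
func ClientSign(priv *rsa.PrivateKey, sessionID []byte, req PubkeyRequest) []byte {
	d := sha256.Sum256(authData(sessionID, req))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	if err != nil {
		panic(err) // only fails on a broken random source
	}
	return sig
}

// Demo runs four attempts against a constructed server and reports, per
// case, whether the server behaved as required (true = correct behaviour).
func Demo() map[string]bool {
	alice, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed demo keys
	bob, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := &Server{
		SessionID:  []byte("constructed-session-id-A"),
		Authorized: map[string][]*rsa.PublicKey{"alice": {&alice.PublicKey}, "bob": {&bob.PublicKey}},
	}
	out := map[string]bool{}
	// 1. alice, her own key, signature made for this session: accepted.
	req := PubkeyRequest{Username: "alice", Algorithm: "ssh-rsa", PublicKey: &alice.PublicKey}
	req.Signature = ClientSign(alice, srv.SessionID, req)
	out["alice_accepted"] = srv.Authenticate(req) == nil
	// 2. First-round probe with no signature: acceptable key, no access yet.
	probe := req
	probe.Signature = nil
	out["probe_not_granted"] = srv.Authenticate(probe) != nil
	// 3. Same key, signature captured on another session: rejected.
	replay := req
	replay.Signature = ClientSign(alice, []byte("constructed-session-id-B"), req)
	out["replay_rejected"] = srv.Authenticate(replay) != nil
	// 4. bob's key (authorized for bob) presented as alice: rejected although
	//    the key is in the store and the signature itself is valid.
	cross := PubkeyRequest{Username: "alice", Algorithm: "ssh-rsa", PublicKey: &bob.PublicKey}
	cross.Signature = ClientSign(bob, srv.SessionID, cross)
	out["wrong_user_rejected"] = srv.Authenticate(cross) != nil
	return out
}
```

The order of the checks matters in practice: the server looks the key up before doing any signature arithmetic, so an unknown key is refused without spending an RSA verification on it, and a valid signature from a key that is authorized for some other user is still refused because the lookup is per user.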
