349
Stages Description
Key exchange
The two parties use the Diffie-Hellman (DH) exchange algorithm to
dynamically generate the session key for protecting data transfer and the
session ID for identifying the SSH connection. In this stage, the client
authenticates the server as well.
Authentication
The SSH server authenticates the client in response to the client's
authentication request.
Session request
After passing authentication, the client sends a session request to the server
to request the establishment of a session (Stelnet, SFTP, or SCP).
Interaction
After the server grants the request, the client and the server start to
communicate with each other in the session.
In the interaction stage, you can execute commands from the client by
pasting the commands in text format (the text must be within 2000 bytes). The
commands must be available in the same view. Otherwise, the server might
not be able to execute the commands correctly.
If you want to execute commands of more than 2000 bytes, you can save the
commands in a configuration file, upload it to the server through SFTP, and
use it to restart the server.
SSH authentication methods
When the device acts as an SSH server, it supports the following authentication methods:
• Password authentication—The SSH server uses AAA for authentication of the client. During
password authentication, the SSH client encrypts its username and password, encapsulates
them into an authentication request, and sends the request to the server. After receiving the
request, the SSH server decrypts the request to get the username and password in plain text,
checks the validity of the username and password locally or by a remote AAA server, and then
informs the client of the authentication result.
In a password authentication process, if the remote AAA server requires the user for a
secondary password authentication, it sends the SSH server an authentication response with a
prompt. The prompt is transparently transmitted to the client, and displayed on the client to
notify the user to enter a specific password. After the user enters the correct password and
passes validity check by the remote AAA server, the device returns an authentication success
message to the client.
NOTE:
Only clients that run SSH2 or a later version support secondary password authentication that is
initiated by the AAA server.
• Publickey authentication—The server authenticates the client by the digital signature. During
publickey authentication, the client sends the server a publickey authentication request that
contains the following information:
{ Username.
{ Public key of the client.
{ Publickey algorithm information (or the digital certificate that carries the public key
information).
The server examines whether the public key is valid. If the public key is invalid, the
authentication fails. Otherwise, the server authenticates the client by the digital signature.
Finally, it informs the client of the authentication result. The device supports using the publickey
algorithms RSA and DSA for digital signature.
A client can send public key information to the device that acts as the server for validity check in
either of the following methods:
To Next Page
Loading...
Need help?
General
