
Juniper SYSTEM BASICS - CONFIGURATION GUIDE V 11.1.X User Manual

640 pages
NOTE: Versions earlier than 2.0.12 of the SSH protocol client are not supported. The
SSH server embedded within the router recognizes SSH clients that report an SSH
protocol version of 1.99, with the expectation that such clients are compatible with
SSH protocol version 2.0. Clients that report an SSH protocol version of 1.99
apparently do so to determine the protocol version supported by the server.
SSH provides the following major features:
- Server authentication through a Diffie-Hellman key exchange: Protects against
  attackers impersonating the router to obtain your password. You can be
  confident that you are connected to your own router.
- User authentication: Ensures that the router is allowing connection from a
  permitted host and remote user.
NOTE: Digital Signature Standard (DSS) public key user authentication for SSH is not
supported. Only password type SSH user authentication is supported. RADIUS and
TACACS+ password authentication are the only user authentication protocols
currently supported. RADIUS authentication is enabled by default. If authentication
is disabled, then all SSH clients that pass protocol negotiation are accepted.
- Data encryption and key-protected hashing: Provides a secure, trustworthy
  session to the upper-layer user interface. Encryption provides confidentiality
  by preventing unauthorized persons from listening in on management traffic.
  Encryption and hashing ensure data integrity to obstruct man-in-the-middle
  attacks, in which unauthorized persons access messages and modify them without
  detection.
Transport
The SSH transport layer handles algorithm negotiation between the server and client
over TCP/IP. Negotiation begins when the SSH client and server send each other
textual information that identifies their SSH version. If they both agree that the
versions are compatible, the client and server exchange lists that specify the
algorithms that they support for key exchange, encryption, data integrity through a
message authentication code (MAC), and compression. Each party sends two lists.
One list has the algorithms supported for transmission; the other has the algorithms
supported for receipt. The algorithms are specified in order of preference in each
list. For each process, the client and server use the algorithm that is the client's
highest preference among those the server supports. If no intersection is found, the
negotiation attempt fails and the connection is terminated.
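The version check and selection rule described above, as an added example that is not part of the Juniper manual or the router's code. The banners, the algorithm lists, and the names protocol_version, versions_compatible, negotiate, and proposal are constructed for illustration; the per-direction categories assume the SSH-2 message layout with a single key-exchange list.

```python
# Added example: SSH version check and algorithm selection as the text describes.
# All banners and algorithm lists are constructed samples, not router output.
import re

# Assumed layout: one key-exchange list, plus one list per direction
# (c2s = client to server, s2c = server to client) for the other processes.
CATEGORIES = ("kex", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c")

class NegotiationError(Exception):
    """Raised when the connection would be terminated."""

def protocol_version(banner):
    """Return the protocol version from an 'SSH-<proto>-<software>' banner."""
    m = re.match(r"SSH-(\d+\.\d+)-\S+", banner.strip())
    if m is None:
        raise NegotiationError(f"malformed identification string: {banner!r}")
    return m.group(1)

def versions_compatible(client_banner, server_banner):
    """1.99 is accepted as compatible with 2.0; anything else is refused."""
    accepted = {"2.0", "1.99"}
    return (protocol_version(client_banner) in accepted
            and protocol_version(server_banner) in accepted)

def negotiate(client, server):
    """Pick, per category, the client's first preference the server supports."""
    chosen = {}
    for cat in CATEGORIES:
        match = next((a for a in client[cat] if a in server[cat]), None)
        if match is None:
            raise NegotiationError(f"no common algorithm for {cat}")
        chosen[cat] = match
    return chosen

def proposal(kex, enc, mac, comp):
    """Build a proposal that uses the same lists in both directions."""
    return {"kex": kex, "enc_c2s": enc, "enc_s2c": enc,
            "mac_c2s": mac, "mac_s2c": mac, "comp_c2s": comp, "comp_s2c": comp}

# Constructed proposals: the client lists a weaker cipher and MAC first.
CLIENT = proposal(["diffie-hellman-group14-sha1"], ["3des-cbc", "aes128-ctr"],
                  ["hmac-md5", "hmac-sha1"], ["none"])
SERVER = proposal(["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                  ["aes128-ctr", "3des-cbc"], ["hmac-sha1", "hmac-md5"],
                  ["none", "zlib"])
if __name__ == "__main__":
    print(versions_compatible("SSH-1.99-ExampleClient", "SSH-2.0-ExampleServer"))
    print(negotiate(CLIENT, SERVER))
```

With these sample lists the session uses 3des-cbc and hmac-md5 even though the server lists stronger algorithms first, because the client's order decides; under this rule the server can keep an algorithm out of a session only by not offering it.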
If algorithm negotiation is successful, the server sends its public host key to the client
for authentication so the client can be certain that it is connected to the intended
host rather than to an imposter. The client compares the key to its host key database.
The client authenticates the server if the key is found in the database. If the key is
not present, then the client can accept or reject this new, unknown key depending
on how you have configured the client. For more information, see Host Key
Management on page 437.
436 Secure System Administration with SSH
JUNOSe 11.1.x System Basics Configuration Guide
