Examples of public key management, Example for entering a peer public key, Ssh authentication methods – H3C Technologies H3C S12500-X Series Switches User Manual
| Stages | Description |
| --- | --- |
| Key exchange | The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well. |
| Authentication | The SSH server authenticates the client in response to the client's authentication request. |
| Session request | After passing the authentication, the client sends a session request to the server to request the establishment of a session (or request the Stelnet, SFTP, or SCP service). |
| Interaction | After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server. |
SSH authentication methods
When the device acts as an SSH server, it supports the following authentication methods:
• Password authentication—The SSH server authenticates a client through the AAA mechanism. In password authentication, an SSH client encrypts and encapsulates its username and password into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to get the username and password in plain text, examines the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.
  If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.
  For more information about AAA, see "Configuring AAA."
NOTE:
SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
• Publickey authentication—The server authenticates a client by the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server informs the client of the authentication result. The device supports using the public key algorithms RSA and DSA for digital signature.
  For more information about public key configuration, see "Managing public keys."
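
Added example (not from the H3C manual and not the device's implementation): a standard-library Python model of the two server-side checks in publickey authentication, using the RFC 4252 signed-data layout, in which the signature covers the session ID produced in the key exchange stage. The RSA key (built from two Mersenne primes), the username `client001`, the session IDs and all function names are constructed for illustration, and the signature is passed as a bare integer rather than an SSH signature blob.

```python
import hashlib
import struct

# Constructed demo key from two Mersenne primes: runs offline, NOT a secure key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, known only to the client
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo for SHA-1

def ssh_string(data):
    return struct.pack(">I", len(data)) + data

def key_blob(e, n):
    """Public key in SSH wire form: string "ssh-rsa", mpint e, mpint n."""
    mpint = lambda v: ssh_string(v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)

def encoded_message(session_id, user, blob, n):
    """PKCS#1 v1.5 encoding of the data an RFC 4252 publickey request signs."""
    signed = (ssh_string(session_id) + b"\x32" + ssh_string(user)
              + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
              + b"\x01" + ssh_string(b"ssh-rsa") + ssh_string(blob))
    t = SHA1_PREFIX + hashlib.sha1(signed).digest()
    k = (n.bit_length() + 7) // 8
    return b"\x00\x01" + b"\xff" * (k - 3 - len(t)) + b"\x00" + t

def client_sign(session_id, user):
    em = encoded_message(session_id, user, key_blob(E, N), N)
    return pow(int.from_bytes(em, "big"), D, N)

def server_authenticate(peer_keys, session_id, user, offered_blob, signature):
    # Step 1: the offered key must be the one configured for this username.
    known = peer_keys.get(user)
    if known is None or key_blob(*known) != offered_blob:
        return "failure: public key invalid"
    # Step 2: the signature must verify over this connection's session ID.
    e, n = known
    expected = encoded_message(session_id, user, offered_blob, n)
    recovered = pow(signature, e, n).to_bytes(len(expected), "big")
    return "success" if recovered == expected else "failure: bad signature"

PEER_KEYS = {b"client001": (E, N)}                      # constructed peer-key table
SID_A = hashlib.sha256(b"constructed session A").digest()
SID_B = hashlib.sha256(b"constructed session B").digest()

if __name__ == "__main__":
    sig = client_sign(SID_A, b"client001")
    blob = key_blob(E, N)
    print(server_authenticate(PEER_KEYS, SID_A, b"client001", blob, sig))
    print(server_authenticate(PEER_KEYS, SID_B, b"client001", blob, sig))
    print(server_authenticate(PEER_KEYS, SID_A, b"guest", blob, sig))
```

The second call fails because a signature made for one connection does not verify against another connection's session ID, which is what stops a captured authentication request from being reused.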