Authentication – H3C Technologies H3C S7500E Series Switches User Manual

and the session ID will be used to identify the session established between the server and client and will be used in the authentication stage.

Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only used for generating the session key, but also used by the client to authenticate the identity of the server. For more information about DSA and RSA key pairs, see Public Key Configuration in the Security Configuration Guide.

Authentication

SSH provides two authentication methods: password authentication and publickey authentication.

• Password authentication: The server uses AAA for authentication of the client. During password authentication, the client encrypts its username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, checks the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.

• Publickey authentication: The server authenticates the client by the digital signature. During publickey authentication, the client sends to the server a publickey authentication request that contains its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails; otherwise, the server authenticates the client by the digital signature. Finally, the server sends a message to inform the client of the authentication result. Currently, the device supports two publickey algorithms for digital signature: RSA and DSA.

The following gives the steps of the authentication stage:

1) The client sends to the server an authentication request, which includes the username, the authentication method (password authentication or publickey authentication), and information related to the authentication method (for example, the password in the case of password authentication).

2) The server authenticates the client. If the authentication fails, the server informs the client by sending a message, which includes a list of available methods for re-authentication.

3) The client selects a method from the list to initiate another authentication.

4) The above process repeats until the authentication succeeds or the number of failed authentication attempts exceeds the maximum number of authentication attempts, at which point the session is torn down.
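The two methods and the retry loop above, as an added Python model that is not from the manual or from H3C's code: password requests are checked against a salted PBKDF2 hash, publickey requests against an authorized-key list and then a DSA signature over the session ID, and each failure returns the method list until an assumed maximum number of attempts tears the session down. The DSA group (P, Q, G), MAX_ATTEMPTS, the user database and the session IDs are constructed toy values; real keys use 2048-bit parameters.

```python
import hashlib, hmac, secrets

# Toy DSA group constructed for this example: Q prime, Q | P-1, G of order Q mod P.
P, Q, G = 23, 11, 4
MAX_ATTEMPTS = 3                     # assumed maximum of authentication attempts
METHODS = ["password", "publickey"]  # methods offered for re-authentication

def digest_mod_q(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def dsa_sign(x, data):               # x: client private key; k is fresh and secret
    while True:
        k = secrets.randbelow(Q - 1) + 1
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (digest_mod_q(data) + x * r) % Q
        if r and s:
            return r, s

def dsa_verify(y, data, sig):        # y: client public key, y = G^x mod P
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = pow(G, digest_mod_q(data) * w % Q, P) * pow(y, r * w % Q, P) % P
    return v % Q == r

def signed_fields(session_id, username, y):
    # Signing the negotiation-stage session ID binds the signature to this session.
    return session_id + username.encode() + b"publickey" + str(y).encode()

class SshAuthServer:
    def __init__(self, session_id, users, authorized_keys):  # users: name -> (salt, pbkdf2 hash)
        self.session_id, self.users = session_id, users      # authorized_keys: name -> {y, ...}
        self.authorized_keys, self.failures = authorized_keys, 0
    def _fail(self):
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            return ("DISCONNECT", [])                    # maximum reached: session torn down
        return ("USERAUTH_FAILURE", METHODS)             # client may retry with a listed method
    def handle(self, req):
        user, ok = req["username"], False
        if req["method"] == "password":
            salt, stored = self.users.get(user, (b"", b""))
            cand = hashlib.pbkdf2_hmac("sha256", req["password"].encode(), salt, 10_000)
            ok = hmac.compare_digest(cand, stored)       # False for unknown user (length differs)
        elif req["method"] == "publickey":               # unknown key fails before signature check
            y = req["public_key"]
            ok = y in self.authorized_keys.get(user, set()) and dsa_verify(
                y, signed_fields(self.session_id, user, y), req["signature"])
        return ("USERAUTH_SUCCESS", []) if ok else self._fail()
```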

Besides password authentication and publickey authentication, SSH2.0 provides another two authentication methods: