Publickey authentication, Password-publickey authentication, Any authentication – H3C Technologies H3C S6300 Series Switches User Manual

b. Verifies the username and password locally or through remote AAA authentication.

c. Informs the client of the authentication result.

If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.

For more information about AAA, see "Configuring AAA."

NOTE:

SSH1 clients do not support secondary password authentication that is initiated by the AAA server.

Publickey authentication

The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:

1. The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
   If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request. The digital certificate carries the public key information of the client.

2. The server verifies the client's public key.
   - If the public key is invalid, the server informs the client of the authentication failure.
   - If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature, and informs the client of the authentication result.

When acting as an SSH server, the device supports using the public key algorithms RSA, DSA, and ECDSA to verify digital signatures.

When acting as an SSH client, the device supports using the public key algorithms RSA, DSA, and ECDSA to generate digital signatures.

For more information about public key configuration, see "Managing public keys."
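The two-step publickey exchange described above, sketched as a server-side check in Python (an added example, not taken from the H3C manual or device software). It assumes the RFC 4252 message layout and the RFC 8332 `rsa-sha2-256` algorithm; the key is a constructed, insecure demo key, "valid" is assumed to mean "matches the key stored for that user", and `server_auth` and `client_sign` are hypothetical names.

```python
import hashlib, struct

REQUEST, FAILURE, SUCCESS, PK_OK = 50, 51, 52, 60   # RFC 4252 message numbers
ALG = b"rsa-sha2-256"                                # assumed algorithm (RFC 8332)
# Constructed demo key from two Mersenne primes: insecure, illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def s(b):                       # SSH "string": uint32 length, then the bytes
    return struct.pack(">I", len(b)) + b
def mpint(n):                   # positive SSH mpint (leading zero bit keeps the sign)
    return s(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def strings(buf):               # split a buffer made only of SSH strings
    out = []
    while buf:
        n = struct.unpack(">I", buf[:4])[0]
        out, buf = out + [buf[4:4 + n]], buf[4 + n:]
    return out

def emsa(msg, k):               # EMSA-PKCS1-v1_5 with SHA-256 (RFC 8017)
    t = DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

KEY_BLOB = s(b"ssh-rsa") + mpint(E) + mpint(N)

def signed_data(session_id, user, key_blob):
    # The session identifier binds the signature to this one connection.
    return (s(session_id) + bytes([REQUEST]) + s(user) + s(b"ssh-connection")
            + s(b"publickey") + b"\x01" + s(ALG) + s(key_blob))

def client_sign(session_id, user):
    m = int.from_bytes(emsa(signed_data(session_id, user, KEY_BLOB), K), "big")
    return s(ALG) + s(pow(m, D, N).to_bytes(K, "big"))

def server_auth(authorized, session_id, user, key_blob, signature=None):
    if authorized.get(user) != key_blob:      # key not valid for this user
        return FAILURE
    if signature is None:                     # key valid: request the signature
        return PK_OK
    alg, sig = strings(signature)
    _, e, n = (int.from_bytes(x, "big") for x in strings(key_blob))
    k = (n.bit_length() + 7) // 8
    if alg != ALG or len(sig) != k:
        return FAILURE
    got = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return SUCCESS if got == emsa(signed_data(session_id, user, key_blob), k) else FAILURE
```

Because the signed data starts with the session identifier, a signature captured on one connection fails verification on any other.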

Password-publickey authentication

The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass either authentication, regardless of the requirement of the server.

Any authentication

The server requires clients to pass either password authentication or publickey authentication.

FIPS compliance

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see "Configuring FIPS."