Session request, Data exchange, Ssh server and client – H3C Technologies H3C S3600 Series Switches User Manual
Page 894
1-4
z
The server starts to authenticate the user. If authentication fails, the server sends an authentication
failure message to the client, which contains the list of methods used for a new authentication
process.
z
The client selects an authentication type from the method list to perform authentication again.
z
The above process repeats until the authentication succeeds, or the connection is torn down when
the authentication times reach the upper limit.
SSH provides two authentication methods: password authentication and publickey authentication.
z
In password authentication, the client encrypts the username and password, encapsulates them
into a password authentication request, and sends the request to the server. Upon receiving the
request, the server decrypts the username and password, compares them with those it maintains,
and then informs the client of the authentication result.
z
The publickey authentication method authenticates clients using digital signatures. Currently, the
device supports two publickey algorithms to implement digital signatures: RSA and DSA. The client
sends to the server a publickey authentication request containing its user name, public key and
algorithm. The server verifies the public key. If the public key is invalid, the authentication fails;
otherwise, the server generates a digital signature to authenticate the client, and then sends back a
message to inform the success or failure of the authentication.
Session request
After passing authentication, the client sends a session request to the server, while the server listens to
and processes the request from the client. If the client passes authentication, the server sends back to
the client an SSH_SMSG_SUCCESS packet and goes on to the interactive session stage with the
client. Otherwise, the server sends back to the client an SSH_SMSG_FAILURE packet, indicating that
the processing fails or it cannot resolve the request. The client sends a session request to the server,
which processes the request and establishes a session.
Data exchange
In this stage, the server and the client exchanges data in this way:
z
The client encrypts and sends the command to be executed to the server.
z
The server decrypts and executes the command, and then encrypts and sends the result to the
client.
z
The client decrypts and displays the result on the terminal.
SSH Server and Client
To use SSH for secure login to a switch from a device, the switch must be configured as an SSH server
and the device must be configured as an SSH client. As shown in
, Host A, Host B, and Host
D are configured as SSH clients to securely access the Switch A, which is acting as the SSH server.