beautypg.com

Session request, Interaction – H3C Technologies H3C SecPath F1000-E User Manual

Page 163

background image

152

Password authentication—The SSH server uses AAA for authentication of the client. During

password authentication, the SSH client encrypts its username and password, encapsulates them
into a password authentication request, and sends the request to the server. After receiving the

request, the SSH server decrypts the username and password, checks the validity of the username

and password locally or by a remote AAA server, and then informs the client of the authentication

result. If the remote AAA server requires the user for a password re-authentication, it carries a
prompt in the authentication response to send to the device. The prompt is transparently transmitted

to the client, and displayed on the client to notify the user to enter a specified password. After the

user enters the correct password and passes validity check by the remote AAA server, the device

returns an authentication success message to the client.

Publickey authentication—The server authenticates the client by the digital signature. During

publickey authentication, the client sends the server a publickey authentication request that contains
its username, public key, and publickey algorithm information. The server checks whether the public

key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates

the client by the digital signature. Finally, the server sends a message to the client to inform the

authentication result. The device supports using the publickey algorithms RSA and DSA for digital
signature.

Password-publickey authentication—The server requires clients that run SSH2 to pass both
password authentication and publickey authentication. However, if a client runs SSH1, it only needs

to pass either authentication.

Any authentication—The server requires the client to pass either of password authentication and
publickey authentication.

The following gives the steps of the authentication stage:

1.

The client sends the server an authentication request, which includes the username, the
authentication method, and the information related to the authentication method (for example, the

password in the case of password authentication).

2.

The server authenticates the client. If the authentication fails, the server informs the client by
sending a message, which includes a list of available methods for re-authentication.

3.

The client selects a method from the list to initiate another authentication.

4.

The preceding process repeats until the authentication succeeds or the number of failed
authentication attempts exceeds the maximum of authentication attempts. In the latter case, the

server tears the session down.

NOTE:

Only clients running SSH2 or a later version support password re-authentication that is initiated by the
device acting as the SSH server.

Session request

After passing authentication, the client sends a session request to the server, and the server listens to and
processes the request from the client. If the server successfully processes the request, the server sends an

SSH_SMSG_SUCCESS packet to the client and goes on to the interaction stage with the client. Otherwise,

the server sends an SSH_SMSG_FAILURE packet to the client to indicate that the processing has failed or

it cannot resolve the request.

Interaction

In this stage, the server and the client exchanges data as follows:

1.

The client encrypts and sends the command to be executed to the server.