beautypg.com

Ssh support for vpns, Configuring the device as an ssh server – H3C Technologies H3C SecBlade LB Cards User Manual


signature. Finally, it informs the client of the authentication result. The device supports using the publickey algorithm RSA for digital signature.

A client can send public key information to the device that acts as the server for a validity check by either of the following methods:

- The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
- The client sends the user's public key information to the server through a digital certificate, and the server checks the validity of the digital certificate. When acting as a client, the device does not support this method.

Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if a client runs SSH1, it only needs to pass either authentication.

Any authentication—The server requires the client to pass either password authentication or publickey authentication.
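The two combined modes above differ in what a client must pass, and password-publickey depends on the client's protocol version. The following added example (not from the H3C manual) models that rule and lists accounts that one method alone can unlock; the function names, record fields and the `ssh1_allowed` flag are assumptions, not H3C configuration syntax.

```python
# Added example modelling the authentication rules described above.
# Mode names come from the page; the function names, the record fields and
# the "ssh1_allowed" flag are hypothetical, not H3C configuration syntax.

def accepted_sets(mode, ssh_version):
    """Return the method sets that each satisfy the server on their own."""
    either = [{"password"}, {"publickey"}]
    if mode == "password-publickey":
        # SSH2 clients must pass both; SSH1 clients need only one.
        return [{"password", "publickey"}] if ssh_version == 2 else either
    if mode == "any":
        return either
    if mode in ("password", "publickey"):
        return [{mode}]
    raise ValueError(f"unknown authentication mode: {mode}")

def is_authenticated(mode, ssh_version, passed):
    """True if the methods the client passed meet the mode's requirement."""
    return any(req <= set(passed) for req in accepted_sets(mode, ssh_version))

def audit(users):
    """List accounts that a single method is enough to unlock."""
    findings = []
    for user in users:
        if user["mode"] == "password-publickey" and user["ssh1_allowed"]:
            findings.append((user["name"], "SSH1 client needs only one method"))
        elif user["mode"] == "any":
            findings.append((user["name"], "either method alone is accepted"))
    return findings

# Constructed sample records, not taken from a real device.
USERS = [
    {"name": "ops", "mode": "password-publickey", "ssh1_allowed": False},
    {"name": "legacy", "mode": "password-publickey", "ssh1_allowed": True},
    {"name": "backup", "mode": "any", "ssh1_allowed": False},
]

if __name__ == "__main__":
    for name, reason in audit(USERS):
        print(f"{name}: {reason}")
```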

SSH support for VPNs

With this function, you can configure the device as an SSH client to establish connections with SSH servers in different VPNs.

As shown in Figure 73, the hosts in VPN 1 and VPN 2 access the backbone through PEs, with the services of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log files.

Figure 73 SSH support for VPNs

Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP, or SCP server. Because the configuration procedures are similar, the term SSH server refers to the Stelnet server, SFTP server, and SCP server unless otherwise specified.

[Figure 73 diagram labels: Host, CE, PE, P, Backbone, VPN 1, VPN 2, SSH client, SSH server]
