Ssh Authentication - HP 10500 Series Configuration Manual

Security configuration guide

Table 13 Stages involved in secure session establishment

Stages and their descriptions:

Connection establishment
  The SSH server listens for connection requests on port 22. After a client initiates a connection request, the server and the client establish a TCP connection.

Version negotiation
  The two parties negotiate and determine the protocol version to use.

Algorithm negotiation
  SSH supports multiple algorithms. Based on their locally supported algorithms, the two parties determine the key exchange algorithm for generating session keys, the encryption algorithm for encrypting data, the public key algorithm for digital signature and authentication, and the HMAC algorithm for protecting data integrity.

Key exchange
  The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client also authenticates the server.

Authentication
  The SSH server authenticates the client in response to the client's authentication request.

Session request
  After passing authentication, the client sends a session request to the server to request the establishment of a session (Stelnet or SFTP).

Interaction
  After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can execute commands from the client by pasting the commands in text format. (The text must be within 2000 bytes.) The commands must be available in the same view. Otherwise, the server might not be able to execute the commands correctly.
  If you want to execute commands of more than 2000 bytes, you can save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server.

SSH authentication

When the device acts as an SSH server, it supports the following authentication methods:
Password authentication—The SSH server uses AAA to authenticate the client. During
password authentication, the SSH client encrypts its username and password, encapsulates them
into an authentication request, and sends the request to the server. After receiving the request, the
SSH server decrypts the request to obtain the username and password in plain text, checks the
validity of the username and password locally or through a remote AAA server, and then informs the
client of the authentication result.
If the remote AAA server requires a password secondary authentication from the user, it sends the
SSH server an authentication response with a prompt. The prompt is transparently transmitted to
the client and displayed there to notify the user to enter the specified password. After the user
enters the correct password and passes the validity check by the remote AAA server, the device
returns an authentication success message to the client.
NOTE:
Only clients that run SSH2 or a later version support password secondary authentication that is initiated
by the AAA server.
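The algorithm negotiation stage in Table 13 follows the selection rule defined in RFC 4253 section 7.1: for each algorithm category, the chosen algorithm is the first one on the client's list that the server also supports, so the client's ordering, not the server's, decides the outcome. The following Python example is added here and is not code from the HP manual or the device; it builds two constructed SSH_MSG_KEXINIT payloads, parses them, applies that rule, and flags chosen algorithms that appear in an assumed LEGACY audit set (an example list for review purposes, not a list the device enforces).

```python
import struct

MSG_KEXINIT = 20  # SSH_MSG_KEXINIT message number (RFC 4253)

# The ten name-lists carried by a KEXINIT, in wire order.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Assumed audit set: algorithms a reviewer would flag if negotiated (example only).
LEGACY = {"diffie-hellman-group1-sha1", "3des-cbc", "ssh-rsa"}


def build_kexinit(cookie, name_lists, first_kex_follows=False):
    """Serialize a KEXINIT payload: byte 20, 16-byte cookie, ten name-lists,
    a boolean first_kex_packet_follows, and a reserved uint32 of 0."""
    out = bytes([MSG_KEXINIT]) + cookie
    for names in name_lists:
        s = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    return out + bytes([1 if first_kex_follows else 0]) + struct.pack(">I", 0)


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_kexinit(payload):
    """Return ({field: [algorithm names]}, first_kex_packet_follows)."""
    if payload[0] != MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17  # skip the message number and the 16-byte cookie
    fields = {}
    for name in FIELDS:
        s, off = _read_string(payload, off)
        fields[name] = s.decode("ascii").split(",") if s else []
    return fields, payload[off] == 1


def choose(client_list, server_list):
    """RFC 4253 rule: first algorithm on the client's list that the server also lists."""
    for alg in client_list:
        if alg in server_list:
            return alg
    return None


def negotiate(client_kexinit, server_kexinit):
    """Apply the selection rule to every category that must match; the language
    lists are advisory and are not required to have a common entry."""
    client, _ = parse_kexinit(client_kexinit)
    server, _ = parse_kexinit(server_kexinit)
    chosen = {f: choose(client[f], server[f]) for f in FIELDS[:8]}
    missing = [f for f, alg in chosen.items() if alg is None]
    if missing:
        raise ValueError("no common algorithm for: " + ", ".join(missing))
    return chosen


def weak_choices(chosen):
    """Fields whose negotiated algorithm is in the LEGACY audit set, in wire order."""
    return [f for f in FIELDS[:8] if chosen.get(f) in LEGACY]


# Constructed sample payloads (not captured from a real device).
CLIENT_KEXINIT = build_kexinit(b"\x00" * 16, [
    ["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    ["ssh-ed25519", "rsa-sha2-256", "ssh-rsa"],
    ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    ["hmac-sha2-256", "hmac-sha1"],
    ["hmac-sha2-256", "hmac-sha1"],
    ["none"], ["none"], [], []])

# A server that lists hmac-sha1 first: the client's order still wins.
SERVER_KEXINIT = build_kexinit(b"\x11" * 16, [
    ["diffie-hellman-group14-sha256", "diffie-hellman-group1-sha1"],
    ["ssh-rsa", "rsa-sha2-256"],
    ["aes128-ctr", "3des-cbc"],
    ["aes128-ctr", "3des-cbc"],
    ["hmac-sha1", "hmac-sha2-256"],
    ["hmac-sha1", "hmac-sha2-256"],
    ["none"], ["none"], [], []])

# A server offering only legacy algorithms: negotiation succeeds, but the audit flags it.
LEGACY_SERVER_KEXINIT = build_kexinit(b"\x22" * 16, [
    ["diffie-hellman-group1-sha1"], ["ssh-rsa"], ["3des-cbc"], ["3des-cbc"],
    ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []])

if __name__ == "__main__":
    for label, srv in (("modern", SERVER_KEXINIT), ("legacy", LEGACY_SERVER_KEXINIT)):
        result = negotiate(CLIENT_KEXINIT, srv)
        print(label, result, "flagged:", weak_choices(result))
```

Because the client's preference order decides, a server that keeps a legacy algorithm in its list for compatibility will still negotiate it with any client that prefers it; removing such algorithms from the server's list is what prevents the choice, which is the check the audit function makes visible.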