SSH Authentication - HP 12500 Series Configuration Manual

| Stages | Description |
|---|---|
| Key exchange | The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. |
| Authentication | The SSH server authenticates the client in response to the client's authentication request. |
| Session request | After passing authentication, the client sends a session request to the server to request the establishment of a session (Stelnet or SFTP). |
| Interaction | After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. HP recommends that you paste commands in the same view. Otherwise, the server might not be able to execute the commands correctly. To execute more than 2000 bytes of command text, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server. |

SSH authentication

When the device acts as an SSH server, it supports the following authentication methods:

Password authentication—The SSH server uses AAA to authenticate the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to get the username and password in plain text, checks the validity of the username and password locally or through a remote AAA server, and then informs the client of the authentication result.

If the remote AAA server requires the user to pass a secondary password authentication, it sends the SSH server an authentication response with a prompt. The prompt is transparently transmitted to the client and displayed on the client to notify the user to enter a specified password. After the user enters the correct password and passes the validity check by the remote AAA server, the device returns an authentication success message to the client.

NOTE:
Only clients running SSH2 or a later version support password secondary authentication that is initiated by the AAA server.

Publickey authentication—The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains its username, public key, and public key algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server informs the client of the authentication result. The device supports the public key algorithms RSA and DSA for digital signature.

Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, a client that runs SSH1 needs to pass only one of the two.
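An added example (not from the HP manual) that models the server-side order of checks in the publickey authentication described above: the key must be one registered for the user, and the signature must cover the session ID produced by the key exchange, so a signature captured on one connection fails on another. The user name, key, and session IDs are constructed, the "e:n" key blob is a simplification, and textbook RSA over SHA-256 stands in for the real ssh-rsa signature scheme.

```python
import hashlib
import struct

# Toy textbook-RSA key from two Mersenne primes (constructed; far too small for real use).
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
PUBKEY = b"%d:%d" % (E, N)                      # simplified "e:n" blob, not the real ssh-rsa format
REGISTERED = {b"admin": (b"ssh-rsa", PUBKEY)}   # constructed user-to-key assignment on the server

def ssh_string(b):
    """SSH 'string' encoding: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def signed_blob(session_id, user, alg, pubkey):
    """Data an SSH2 client signs (RFC 4252, section 7): session ID, then the request fields."""
    return (ssh_string(session_id) + bytes([50]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey")
            + b"\x01" + ssh_string(alg) + ssh_string(pubkey))

def digest(data, modulus):
    """SHA-256 of the data, reduced so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % modulus

def client_sign(session_id, user, alg, pubkey):
    """Client side: sign the session-bound blob with the private exponent D."""
    return pow(digest(signed_blob(session_id, user, alg, pubkey), N), D, N)

def server_check(registered, session_id, user, alg, pubkey, signature):
    """Server side: validate the key first, then the signature, as the text describes."""
    if registered.get(user) != (alg, pubkey):
        return "invalid public key"
    e, n = (int(x) for x in pubkey.split(b":"))
    expected = digest(signed_blob(session_id, user, alg, pubkey), n)
    return "success" if pow(signature, e, n) == expected else "bad signature"

def demo():
    sid_a = hashlib.sha256(b"constructed exchange hash, connection A").digest()
    sid_b = hashlib.sha256(b"constructed exchange hash, connection B").digest()
    sig = client_sign(sid_a, b"admin", b"ssh-rsa", PUBKEY)
    return [
        server_check(REGISTERED, sid_a, b"admin", b"ssh-rsa", PUBKEY, sig),       # genuine request
        server_check(REGISTERED, sid_b, b"admin", b"ssh-rsa", PUBKEY, sig),       # same signature, other connection
        server_check(REGISTERED, sid_a, b"admin", b"ssh-rsa", b"65537:15", sig),  # key not assigned to the user
    ]

if __name__ == "__main__":
    print(demo())
```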