R3303-HP HSR6800 Routers Security Configuration Guide

ManualsBrandsHP ManualsNetwork HardwareHP HSR68xx Configure-to-Order Router Solution

311

312

313

314

315

316

317

318

319

320

306

Sta

es Descri

tion

Algorithm negotiation

SSH supports multiple algorithms. Based on the local algorithms, the two parties

determine the key exchange algorithm for generating session keys, the

encryption algorithm for encrypting data, public key algorithm for digital

signature and authentication, and the HMAC algorithm for protecting data

integrity.

Key exchange

The two parties use the Diffie-Hellman (DH) exchange algorithm to dynamically

generate the session key for protecting data transfer and the session ID for

identifying the SSH connection. In this stage, the client authenticates the server

as well.

Authentication

The SSH server authenticates the client in response to the client's authentication

request.

Session request

After passing authentication, the client sends a session request to the server to

request the establishment of a session (Stelnet, SFTP, or SCP).

Interaction

After the server grants the request, the client and the server start to communicate

with each other in the session.

In the interaction stage, you can execute commands from the client by pasting

the commands in text format (the text must be within 2000 bytes). The

commands must be available in the same view. Otherwise, the server might not

be able to execute the commands correctly.

If you want to execute commands of more than 2000 bytes, you can save the

commands in a configuration file, upload it to the server through SFTP, and use

it to restart the server.

SSH authentication

When the device acts as an SSH server, it supports the following authentication methods:

• Password authentication—The SSH server uses AAA for authentication of the client. During

password authentication, the SSH client encrypts its username and password, encapsulates them

into an authentication request, and sends the request to the server. After receiving the request, the

SSH server decrypts the request to get the username and password in plain text, checks the validity

of the username and password locally or by a remote AAA server, and then informs the client of the

authentication result.

In a password authentication process, if the remote AAA server requires the user for a secondary

password authentication, it sends the SSH server an authentication response with a prompt. The

prompt is transparently transmitted to the client, and displayed on the client to notify the user to

enter the specified password. After the user enters the correct password and passes validity check

by the remote AAA server, the device returns an authentication success message to the client.

NOTE:

Only clients that run SSH2 or a later version support secondary password authentication that is

initiated by the AAA server.

• Publickey authentication—The server authenticates the client by the digital signature. During

publickey authentication, the client sends the server a publickey authentication request that contains

its username, public key, and publickey algorithm information (or the digital certificate that carries

the public key information). The server examines whether the public key is valid. If the public key is

invalid, the authentication fails. Otherwise, the server authenticates the client by the digital