R3303-HP HSR6800 Routers Security Configuration Guide

signature. Finally, it informs the client of the authentication result. The device supports using the
publickey algorithms RSA and DSA for digital signature.
A client can send public key information to the device that acts as the server for validity check in
either of the following methods:
  • The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
  • The client sends the user's public key information to the server through a digital certificate, and the server checks the validity of the digital certificate. When acting as a client, the device does not support this method.
Password-publickey authentication—The server requires clients that run SSH2 to pass both
password authentication and publickey authentication. However, if a client runs SSH1, it only needs
to pass either authentication.
Keyboard-interactive—When the client initiates an authentication request, the remote
authentication server sends the SSH server an authentication response with a question. The question
is relayed to the client and displayed on the client. The user must enter the answer to the question.
This question-answer exchange might be repeated multiple times until the user provides all required
information. Then, the remote authentication server returns an authentication success message. This
authentication method is supported only when the router acts as an SSH server and uses the
HWTACACS server as the remote authentication server.
Any authentication—The server requires the client to pass either password authentication or
publickey authentication.
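The following is an added example, not code from the HP guide or the router's own implementation. It models the publickey flow described above for the first method (the client sends its public key directly and the server checks the key's validity before checking the signature), and it also encodes the combination rules for the password-publickey and any methods. The RSA with SHA-256 PKCS#1 v1.5 signature, the names AuthServer, ClientSign, Passes and the SessionData field (standing in for the session identifier and request fields a real SSH client signs) are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Constructed model of SSH publickey authentication: the client sends its
// public key directly, the server checks that the key is registered for the
// user (validity check) and then verifies the signature. SessionData stands
// in for the bytes a real SSH client signs; RSA/SHA-256 PKCS#1 v1.5 is an
// assumption of this example, not something the guide specifies.

var (
	ErrUnknownKey   = errors.New("public key is not registered for this user")
	ErrBadSignature = errors.New("signature does not verify under the presented key")
)

// PublicKeyRequest is the client's authentication message.
type PublicKeyRequest struct {
	User        string
	PubKeyDER   []byte // PKCS#1 DER encoding of the client's RSA public key
	SessionData []byte // data the signature covers
	Signature   []byte
}

// AuthServer holds the public keys an administrator registered per user.
type AuthServer struct {
	authorized map[string][][]byte
}

func NewAuthServer() *AuthServer {
	return &AuthServer{authorized: map[string][][]byte{}}
}

// Register stores a public key as valid for user.
func (s *AuthServer) Register(user string, pub *rsa.PublicKey) {
	s.authorized[user] = append(s.authorized[user], x509.MarshalPKCS1PublicKey(pub))
}

// Authenticate is the server side: validity check first (an unregistered
// key is rejected before any signature math), then the signature check.
func (s *AuthServer) Authenticate(req PublicKeyRequest) error {
	known := false
	for _, k := range s.authorized[req.User] {
		if bytes.Equal(k, req.PubKeyDER) {
			known = true
			break
		}
	}
	if !known {
		return ErrUnknownKey
	}
	pub, err := x509.ParsePKCS1PublicKey(req.PubKeyDER)
	if err != nil {
		return err
	}
	digest := sha256.Sum256(req.SessionData)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], req.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

// ClientSign is the client side: sign the session data with the private key
// and send the matching public key along with the signature.
func ClientSign(user string, priv *rsa.PrivateKey, sessionData []byte) (PublicKeyRequest, error) {
	digest := sha256.Sum256(sessionData)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return PublicKeyRequest{}, err
	}
	return PublicKeyRequest{User: user, PubKeyDER: x509.MarshalPKCS1PublicKey(&priv.PublicKey),
		SessionData: sessionData, Signature: sig}, nil
}

// Passes applies the combination rules from the text: password-publickey
// needs both checks for an SSH2 client but either for an SSH1 client; any
// needs either; the single methods need only their own check.
func Passes(method string, sshVersion int, passwordOK, publickeyOK bool) bool {
	switch method {
	case "password":
		return passwordOK
	case "publickey":
		return publickeyOK
	case "password-publickey":
		if sshVersion == 1 {
			return passwordOK || publickeyOK
		}
		return passwordOK && publickeyOK
	case "any":
		return passwordOK || publickeyOK
	}
	return false
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	srv := NewAuthServer()
	srv.Register("alice", &priv.PublicKey)
	req, _ := ClientSign("alice", priv, []byte("constructed-session-id"))
	fmt.Println("valid request:", srv.Authenticate(req))
	req.SessionData = []byte("some-other-session") // signature no longer matches
	fmt.Println("signature reused in another session:", srv.Authenticate(req))
}
```

Because the signature covers the session data, a captured signature cannot be replayed in a different session, and because the validity check runs first, a key the administrator never registered is rejected regardless of how good its signature is.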
SSH support for MPLS L3VPN
With this function, you can configure the device as an SSH client to establish connections with SSH
servers in different MPLS L3VPNs.
As shown in Figure 99, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the
services of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH
connections with CEs in different VPNs that are enabled with the SSH server function to implement secure
access to the CEs and secure transfer of log files.
Figure 99 SSH support for MPLS L3VPN