Secure Shell (SSH) in HP SIM

SSH authentication mechanisms
Every SSH connection involves two authentications in the following order:
1. Server authentication. The SSH client verifies the identity of the SSH server. This authentication ensures the SSH server is genuine and not an imposter. It also guards against an attacker redirecting the network connection to a different machine. This prevents a man-in-the-middle attack, where an attacker positions itself between the client and server and can view and modify the communication.
2. User authentication. The SSH server verifies the identity of the user name account requesting access.
Server authentication - Verification of the SSH server system
To establish a connection, the SSH client first contacts the remote system. Session keys are exchanged and are used to encrypt all further communication between the client and server. The remote SSH server then sends its identity, known as the host key, to the SSH client for verification. The SSH client must decide if it accepts the server host key. Usually, this is done by comparing the returned key with a known value for that host by looking for the key in the known hosts file. If the key matches, the server is authenticated. If the key is different, an error is reported, and the client terminates the connection.
If the client has never communicated with the server before, there is probably no key for this remote host. A typical interactive SSH client prompts the user to accept or reject the new key and saves the accepted key in the known hosts file. This accept-on-first-use model means that the connection is vulnerable to a man-in-the-middle attack on first use, but subsequent connections use the stored key.
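The known hosts lookup and the accept-on-first-use model described above, as an added worked example (this is illustrative code written for this page, not HP SIM's or OpenSSH's own implementation). It parses the OpenSSH known_hosts layout (plain and comma-separated host fields, |1| hashed host names, and @revoked markers), classifies a presented host key as match, mismatch, revoked or unknown, and shows that first-use acceptance records whatever key is presented. The host names, salt and key blobs are constructed placeholders, not real key material.

```python
import base64
import hashlib
import hmac
from typing import Tuple

# Constructed sample data: hypothetical host names and placeholder key blobs, not real key material.
SALT = b"constructed-salt-20b"  # 20 bytes, the length OpenSSH uses for |1| hashed entries
KEY_ONE = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyOneNotRealMaterial0000"
KEY_TWO = "AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyTwoNotRealMaterial0000"
KEY_REVOKED = "AAAAB3NzaC1yc2EAAAADAQABAAABAQPlaceholderRevokedRsaKey0000"


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Render a host name in OpenSSH's hashed known_hosts form: |1|<salt b64>|<HMAC-SHA1(salt, host) b64>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def build_sample_known_hosts() -> str:
    """Constructed known_hosts text: a plain entry with an alias, a hashed entry and a revoked key."""
    return "\n".join([
        "# constructed sample; key blobs are placeholders",
        "server1.example.com,10.0.0.11 ssh-ed25519 " + KEY_ONE,
        hash_hostname("server2.example.com", SALT) + " ssh-ed25519 " + KEY_TWO,
        "@revoked server1.example.com ssh-rsa " + KEY_REVOKED,
    ]) + "\n"


def _host_matches(host_field: str, hostname: str) -> bool:
    """True if the host field (plain, comma-separated, or |1| hashed) covers hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, hash_b64 = host_field.split("|", 3)
        expected = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(hash_b64))
    return hostname in host_field.split(",")


def verify_host_key(hostname: str, key_type: str, key_blob: str, known_hosts: str) -> str:
    """Classify a presented host key against known_hosts text.

    Returns 'match' (server authenticated), 'mismatch' (host known, but it presented a key we
    have not recorded: report an error and terminate), 'revoked', or 'unknown' (no entry yet).
    """
    host_known = False
    for raw in known_hosts.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = None
        if fields[0].startswith("@"):  # @revoked / @cert-authority markers
            marker, fields = fields[0], fields[1:]
        if len(fields) < 3:
            continue  # malformed entry, ignore
        host_field, entry_type, entry_blob = fields[0], fields[1], fields[2]
        if not _host_matches(host_field, hostname) or marker == "@cert-authority":
            continue  # certificate authorities are out of scope for this example
        same_key = entry_type == key_type and hmac.compare_digest(entry_blob, key_blob)
        if marker == "@revoked":
            if same_key:
                return "revoked"
            continue
        host_known = True
        if same_key:
            return "match"
    # Stricter than OpenSSH: any unrecorded key for a known host is a mismatch, whatever its type.
    return "mismatch" if host_known else "unknown"


def accept_on_first_use(hostname: str, key_type: str, key_blob: str,
                        known_hosts: str, salt: bytes = SALT) -> Tuple[str, str]:
    """Model accept-on-first-use: an unknown host's key is recorded exactly as presented.

    Nothing here can tell a genuine first contact from an interposed machine; that is the
    first-use window the text describes. Returns (status, updated known_hosts text).
    """
    status = verify_host_key(hostname, key_type, key_blob, known_hosts)
    if status == "unknown":
        entry = "%s %s %s\n" % (hash_hostname(hostname, salt), key_type, key_blob)
        return "accepted", known_hosts + entry
    return status, known_hosts


if __name__ == "__main__":
    kh = build_sample_known_hosts()
    print(verify_host_key("server1.example.com", "ssh-ed25519", KEY_ONE, kh))  # match
    print(verify_host_key("server1.example.com", "ssh-ed25519", KEY_TWO, kh))  # mismatch
    status, kh = accept_on_first_use("server3.example.com", "ssh-ed25519", KEY_TWO, kh)
    print(status, verify_host_key("server3.example.com", "ssh-ed25519", KEY_TWO, kh))  # accepted match
```

Design note: the only state that separates a trusted server from an imposter is the recorded key, so the defender's control is to populate the known hosts file out of band (for example from a fingerprint obtained through a trusted channel) before the first connection, rather than letting the first contact decide.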
User authentication - Verification of the client user’s credentials
After the identity of the remote SSH server is verified, the SSH client sends the user name along with any credentials (based on the type of authentication) to the target SSH server. The user is authenticated in one of the following ways:
1. Public key authentication (using key files)
2. Host-based authentication (using key files)
3. Password authentication
Each method is attempted by the SSH client in sequence until a successful user authentication occurs or until the last method results in a failure.
Public key authentication is the most secure way to authenticate a user and is used by HP SIM 5.x and 6.x. Each user has a private key, which is kept secret at the client. A corresponding public key is used by anyone wishing to authenticate this user, and the SSH server has a copy of this public key. The SSH client uses the user’s private key to encrypt a message sent to the SSH server. The SSH server uses the user’s public key to decrypt this message. If this decryption is successful, the user is authenticated because the message must have been sent by a client with access to the private key.
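The private-key/public-key exchange described above, as an added toy example written for this page (not HP SIM's or any SSH implementation's code). It uses textbook RSA with the constructed primes p = 61 and q = 53, far too small for real use, purely so that the roles are visible: the server issues a fresh challenge, the client transforms it with the private exponent, and the server undoes the transform with the public exponent and compares. Real SSH public key authentication uses the signature algorithm of the key type and binds the signature to the session rather than this raw transform; the key pair, challenge and function names here are all assumptions of the example.

```python
import hashlib
import secrets
from typing import Callable, Tuple

# Constructed toy key pair from textbook primes p = 61, q = 53 (n = 3233). These numbers are far
# too small for real use and exist only to make the private-key / public-key roles visible.
TOY_PUBLIC = (3233, 17)     # (n, e): the copy held by the SSH server for this user
TOY_PRIVATE = (3233, 2753)  # (n, d): kept secret at the client; 17 * 2753 = 1 mod (60 * 52)


def challenge_digest(challenge: bytes, n: int) -> int:
    """Reduce a SHA-256 digest of the server's challenge into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def client_sign(challenge: bytes, private_key: Tuple[int, int]) -> int:
    """Client side: transform the challenge digest with the private exponent (the text's 'encrypt')."""
    n, d = private_key
    return pow(challenge_digest(challenge, n), d, n)


def server_verify(challenge: bytes, response: int, public_key: Tuple[int, int]) -> bool:
    """Server side: undo the transform with the public exponent and compare (the text's 'decrypt')."""
    n, e = public_key
    return pow(response, e, n) == challenge_digest(challenge, n)


def authenticate(private_key: Tuple[int, int], public_key: Tuple[int, int],
                 rng: Callable[[int], bytes] = secrets.token_bytes) -> bool:
    """One challenge-response round: server picks a fresh challenge, client answers, server checks."""
    challenge = rng(16)  # fresh per attempt, so a captured answer is useless for a later attempt
    response = client_sign(challenge, private_key)
    return server_verify(challenge, response, public_key)


if __name__ == "__main__":
    print(authenticate(TOY_PRIVATE, TOY_PUBLIC))  # True: the client holds the matching private key
    c = b"constructed challenge"
    r = client_sign(c, TOY_PRIVATE)
    print(server_verify(c, (r + 1) % 3233, TOY_PUBLIC))  # False: a response not made with d fails
```

Usage note: because exponentiation by e is a permutation of the residues modulo a squarefree n, any response other than the one produced with d maps to a different value, which is why the server's comparison rejects it; the security of the real scheme rests on the private exponent being unrecoverable from the public one, which tiny primes obviously do not provide.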