F3215-HP Load Balancing Module Security Configuration Guide-6PW101

117

• Password-publickey authentication—The server requires clients that run SSH2 to pass both

password authentication and publickey authentication. However, if a client runs SSH1, it only needs

to pass either authentication.

• Any authentication—The server requires the client to pass either of password authentication and

publickey authentication.

In a password authentication process, if the remote AAA server requires the user for a password

secondary authentication, it sends the SSH server an authentication response with a prompt. The prompt

is transparently transmitted to the client, and displayed on the client to notify the user to enter a specified

password. After the user enters the correct password and passes validity check by the remote AAA server,

the device returns an authentication success message to the client.

NOTE:

Only clients that run SSH2 or a later version support password secondary authentication that is initiated

by the AAA server.

SSH support for VPNs

With this function, you can configure the device as an SSH client to establish connections with SSH

servers in different VPNs.

As shown in Figure 42, the h

sts in VPN 1 and VPN 2 access the backbone through PEs, with the services

of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH

connections with CEs in different VPNs that are enabled with the SSH server function to implement secure

access to the CEs and secure transfer of log file.

Figure 42 SSH support for VPNs

Configuring the device as an SSH server

You can configure the device as an Stelnet, SFTP or SCP server. Because the configuration procedures

are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless otherwise

specified.

VPN 1

Backbone

VPN 2

SSH server

Host

VPN 1

SSH server

SSH client