F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices System Management and Maintenance Configuration Guide-6PW100

In a password authentication process, if the remote AAA server requires secondary password
authentication from the user, it sends the SSH server an authentication response that carries a prompt.
The device passes the prompt transparently to the client, which displays it to tell the user to enter
the specified password. After the user enters the correct password and the remote AAA server validates it,
the device returns an authentication success message to the client.
NOTE:
Only clients that run SSH2 or a later version support password secondary authentication that is initiated
by the AAA server.
SSH support for VPN
With this function, you can configure the device as an SSH client to establish connections with SSH
servers in different VPNs.
As shown in Figure 72, the hosts in VPN 1 and VPN 2 access the MPLS backbone through an MCE, with
the services of the two VPNs isolated. After the SSH client function is enabled on the MCE, it can
establish SSH connections with CEs in different VPNs that have the SSH server function enabled,
providing secure access to the CEs and secure transfer of log files.
Figure 72 SSH support for MPLS L3VPN
Configuring the device as an SSH server
You can configure the device as an Stelnet server or SFTP server. Because the configuration procedures
are similar, the SSH server represents the Stelnet server and SFTP server unless otherwise specified.
SSH server configuration task list
Task                                              Remarks
Generating local DSA or RSA key pairs             Required.
Enabling the SSH server function                  Required for Stelnet, SFTP and SCP servers.
Enabling the SFTP server function                 Required only for SFTP server.
Configuring the user interfaces for SSH clients   Required.