R3166-R3206-HP High-End Firewalls System Management and Maintenance Configuration Guide-6PW101
133
of “SSH-<primary protocol version number>.<secondary protocol version number>-<software
version number>”. The primary and secondary protocol version numbers constitute the protocol
version number, while the software version number is used for debugging.
3. The client receives and resolves the packet. If the protocol version of the server is lower but
supportable, the client uses the protocol version of the server; otherwise, the client uses its own
protocol version.
4. The client sends to the server a packet that contains the number of the protocol version it decides
to use. The server compares the version carried in the packet with that of its own. If the server
supports the version, the server and client will use the version. Otherwise, the negotiation fails.
5. If the negotiation is successful, the server and the client proceed with key and algorithm
negotiation; otherwise, the server breaks the TCP connection.
NOTE:
A
ll the packets involved in the above steps are transferred in plain text.
Key and algorithm negotiation
• The server and the client send algorithm negotiation packets to each other, which include the
supported public key algorithms list, encryption algorithms list, Message Authentication Code
(MAC) algorithms list, and compression algorithms list.
• Based on the received algorithm negotiation packets, the server and the client figure out the
algorithms to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation
fails and the server tears down the connection with the client.
• The server and the client use the DH key exchange algorithm and parameters such as the host key
pair to generate the session key and session ID, and the client authenticates the identity of the
server.
Through the above steps, the server and client get the same session key and session ID. The session key
will be used to encrypt and decrypt data exchanged between the server and client later, and the session
ID will be used to identify the session established between the server and client and will be used in the
authentication stage.
NOTE:
Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only
used for generating the session key, but also used by the client to authenticate the identity of the server. For
more information about DSA and RSA key pairs, see
VPN Configuration Guide
.
Authentication
SSH provides two authentication methods: password authentication and publickey authentication.
• Password authentication: The server uses AAA for authentication of the client. During password
authentication, the client encrypts its username and password, encapsulates them into a password
authentication request, and sends the request to the server. Upon receiving the request, the server
decrypts the username and password, checks the validity of the username and password locally or
by a remote AAA server, and then informs the client of the authentication result.
• Publickey authentication: The server authenticates the client by the digital signature. During
publickey authentication, the client sends to the server a publickey authentication request that
contains its username, public key, and publickey algorithm information. The server checks whether
the public key is valid. If the public key is invalid, the authentication fails; otherwise, the server
authenticates the client by the digital signature. Finally, the server sends a message to the client to