SSH Reference Manual
•  a small part of the OpenSSL project, see www.openssl.org. 
•  a small part of the OpenSSH project, see www.openssh.com. 
comForte has combined this standard code with its own source code targeted specifically for the NonStop™ platform 
and has added additional functionality. 
See the copyright statements in chapter "Appendix". 
Authentication using User Names and Passwords 
The SSH protocol allows authentication using user names and passwords. This mechanism is less secure than
Public Key Authentication (discussed in the next section), which is why most implementations allow
authentication using user names and passwords to be disabled.
It is up to the SSH server to specify both the allowed and required means of authentication. comForte's SSH 
implementation currently supports the following means of authentication: 
•  When running as SSH client, the SSH2 package allows authentication using either a private key (configured
using the KEY entity in the SSH2 user database, see next section) or a password (to be entered interactively or
configured using the PASSWORD entity in the SSH2 user database).
•  When running as SSH daemon, the SSH2 package currently supports both password (verified against the
Guardian user password) and public key authentication (configured in the PUBLICKEY attribute of the USER
entity of the SSH2 database).
Public Key Authentication 
Introduction to Public Key Authentication, Terminology 
Public Key Authentication makes use of asymmetric cryptography. Without going into too much detail, we explain and
define some terms here:
•  A key pair consists of a public and a private key. While it is possible to derive the public key from the private 
key, the opposite is not possible. 
•  The private key is normally kept secret and can only be accessed by the entity using it for authentication. 
Among other things, a private key can be used for signing bits of information – without the private key nobody 
else can do this for a given key pair. 
•  The public key can be distributed freely as it contains only public information. Using the public key, 
documents signed using the private key can be checked for authenticity. When distributing public keys, it is 
important to make sure nobody has altered the public key during the distribution process. 
•  A fingerprint is a cryptographic "shorthand" for a public key. A public key is basically a set of bytes; however,
it is hard to compare a long stream of bytes. That is why fingerprints are used to verify public keys. Two popular
formats for fingerprints are MD5 (32 bytes of hex characters) and bubble-babble (16 words out of the
"bubble-babble" word set).
The terms "key pair", "public key" and "private key" are all used to specify a key pair or a part of it. 
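The fingerprint check described above, as an added example that is not part of the original manual or of comForte's code: it derives an MD5 hex fingerprint and a Bubble Babble fingerprint from an OpenSSH-format public key line and compares a received key against a fingerprint obtained out of band. The key below is constructed filler data, and feeding the same MD5 digest into the Bubble Babble encoding is an assumption; the function and variable names are hypothetical.

```python
import base64
import hashlib
import hmac

VOWELS = "aeiouy"
CONSONANTS = "bcdfghklmnprstvzx"

def bubble_babble(data: bytes) -> str:
    """Encode bytes as pronounceable five-letter words (Bubble Babble)."""
    out, seed = ["x"], 1
    rounds = len(data) // 2 + 1
    for i in range(rounds):
        if i + 1 < rounds or len(data) % 2:
            b0 = data[2 * i]
            out += [VOWELS[((b0 >> 6) + seed) % 6],
                    CONSONANTS[(b0 >> 2) & 15],
                    VOWELS[((b0 & 3) + seed // 6) % 6]]
            if i + 1 < rounds:
                b1 = data[2 * i + 1]
                out += [CONSONANTS[b1 >> 4], "-", CONSONANTS[b1 & 15]]
                seed = (seed * 5 + b0 * 7 + b1) % 36
        else:  # even-length input: the last word encodes only the running checksum
            out += [VOWELS[seed % 6], "x", VOWELS[seed // 6]]
    return "".join(out) + "x"

def fingerprints(pubkey_line: str):
    """Return (MD5 hex, Bubble Babble) fingerprints of an OpenSSH-format key line."""
    blob = base64.b64decode(pubkey_line.split()[1], validate=True)
    digest = hashlib.md5(blob).digest()
    # Assumption: Bubble Babble is applied to the same MD5 digest.
    return ":".join(f"{b:02x}" for b in digest), bubble_babble(digest)

def key_is_unaltered(pubkey_line: str, trusted_md5: str) -> bool:
    """Compare a received key against a fingerprint obtained out of band."""
    actual, _ = fingerprints(pubkey_line)
    return hmac.compare_digest(actual, trusted_md5.strip().lower())

def _ssh_string(b: bytes) -> bytes:
    return len(b).to_bytes(4, "big") + b

# Constructed sample, not a real key: algorithm name, exponent, filler "modulus".
SAMPLE_BLOB = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(range(1, 65)))
SAMPLE_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " constructed@example"
TAMPERED_KEY = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB[:-1] + b"\x00").decode() + " constructed@example"

if __name__ == "__main__":
    md5_fp, babble_fp = fingerprints(SAMPLE_KEY)
    print(md5_fp, babble_fp, sep="\n")
    print("tampered copy accepted:", key_is_unaltered(TAMPERED_KEY, md5_fp))
```

A single changed byte in the key blob yields a different fingerprint in both formats, which is what makes comparing the short fingerprint a usable check that a distributed public key was not altered.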
Public Key Authentication and SSH 
The SSH protocol uses public key cryptography both for authenticating the server (daemon) to the client and,
optionally, for authenticating the client. This implies that if the client uses a key pair to log on to the server, both the
client and the server will:
242 • SSH Protocol Reference  HP NonStop SSH Reference Manual 










