3Com Switch 8800 Advanced Software V5 Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve 9400sl 4-Port 10-GbE Module

931

932

933

934

935

936

937

938

939

940

938 CHAPTER 72: CONFIGURING SSH VERSION 2.0

■ The server and the client use the DH key exchange algorithm and parameters

such as the host key pair to generate the session key and session ID.

Through the above steps, the server and the client get the same session key, which

is to be used to encrypt and decrypt data exchanged between the server and the

client later. The server and the client use session ID in the authentication stage.

CAUTION: Before the phase of negotiation, the system has generated a server key

pair and host key pair on the server. They are used for generating session keys. The

server key pair is only available for SSH1.

Authentication

■ The client sends to the server an authentication request, which includes the

username, authentication method and information related to the

authentication method.

■ The server authenticates the client. If the authentication fails, the server

informs the client by sending a message, which includes a list of available

methods for re-authentication.

■ The client selects a method from the list to initiate another authentication.

■ The above process repeats until the authentication succeeds or the

authentication times timeout and the session is torn down.

SSH provides two authentication methods: password authentication and public

key authentication.

In password authentication:

■ The client encrypts the username and password, encapsulates them into a

password authentication request, and sends the request to the server.

■ Upon receiving the request, the server decrypts the username and password,

compares them against those it maintains, and then informs the client of the

authentication result.

In RSA authentication:

■ The client sends an RSA authentication request (containing its public key) to

the server. Upon receiving the request, the server checks its validity. If the

request is not valid, the server directly sends a failure message. Otherwise, the

server generates a 32-byte random number, arranges the random number into

a multiple-precision (MP) integer according to the most significant bit (MSB),

encrypts the MP integer using the public key of the client, and initiates an

authentication challenge to the client.

■ Upon receiving the challenge message, the client decrypts the MP integer using

its own private key, generates a message abstract MD5 using the integer and

session ID (an intermediate result generated in the key and algorithm

negotiation phase), encrypts the 16-byte MD5 value, and then sends the

encrypted MD5 value to the server.

■ Upon receiving the MD5 value, the server reverts it to the original value, and

compares the reverted MD5 value with the MD5 value calculated by itself. If

the two MD5 values are the same, the server sends an authentication success

message. Otherwise, the server sends an authentication failure message.