HP VPN Firewall Appliances System Management and Maintenance Configuration Guide
169
The server examines whether the public key is valid. If the public key is invalid, the authentication
fails. Otherwise, the server authenticates the client by the digital signature. Finally, it informs the
client of the authentication result. The device supports using the publickey algorithms RSA and DSA
for digital signature.
A client can send public key information to the device that acts as the server for a validity check in either of the following methods:
◦ The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
◦ The client sends the user's public key information to the server through a digital certificate, and the server checks the validity of the digital certificate. When acting as a client, the device does not support this method.
• Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, if a client runs SSH1, it only needs to pass either authentication.
• Any authentication—The server requires the client to pass either password authentication or publickey authentication.
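The following Go program is an added example, not code from the guide or from HP's firmware. It models the server-side decision logic described above: the server first checks whether the presented public key is valid for the user (here, whether it equals the key imported for that username), fails immediately if it is not, and only then verifies the digital signature; the password-publickey mode then applies the SSH1/SSH2 rule, and the any mode accepts either method. The in-memory user store, the user name "admin", the sample password, the session identifier and the use of RSA PKCS#1 v1.5 over SHA-256 as the signature are all constructed assumptions standing in for the device's own key store and the SSH wire format.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)
// AuthMode is one of the four server-side authentication modes the guide lists.
type AuthMode int
const (
	AuthPassword AuthMode = iota
	AuthPublicKey
	AuthPasswordPublicKey
	AuthAny
)
// Server is a constructed in-memory user database: a password and an imported public key per
// user (a real device stores password hashes, never plaintext).
type Server struct {
	Passwords      map[string]string
	AuthorizedKeys map[string]*rsa.PublicKey
}
// Attempt is what a client presents: its SSH version, a password and/or a public key with a
// digital signature over SessionID made by the matching private key.
type Attempt struct {
	User      string
	Version   int // 1 or 2
	Password  string
	PublicKey *rsa.PublicKey
	SessionID []byte
	Signature []byte
}
func (s *Server) checkPassword(a Attempt) bool {
	pw, ok := s.Passwords[a.User]
	return ok && subtle.ConstantTimeCompare([]byte(pw), []byte(a.Password)) == 1
}
// checkPublicKey keeps the guide's order: first decide whether the presented key is valid for
// this user (here: equal to the imported key), fail at once if not, and only then verify the
// digital signature.
func (s *Server) checkPublicKey(a Attempt) bool {
	known, ok := s.AuthorizedKeys[a.User]
	if !ok || a.PublicKey == nil || !known.Equal(a.PublicKey) {
		return false
	}
	digest := sha256.Sum256(a.SessionID)
	return rsa.VerifyPKCS1v15(known, crypto.SHA256, digest[:], a.Signature) == nil
}
// Authenticate applies the configured mode and returns the result reported to the client.
func (s *Server) Authenticate(mode AuthMode, a Attempt) (bool, error) {
	switch mode {
	case AuthPassword:
		return s.checkPassword(a), nil
	case AuthPublicKey:
		return s.checkPublicKey(a), nil
	case AuthPasswordPublicKey:
		pw, pk := s.checkPassword(a), s.checkPublicKey(a)
		if a.Version == 1 {
			return pw || pk, nil // SSH1 client: either method is enough
		}
		return pw && pk, nil // SSH2 client: both must pass
	case AuthAny:
		return s.checkPassword(a) || s.checkPublicKey(a), nil
	}
	return false, fmt.Errorf("unknown authentication mode %d", mode)
}
// RunScenario exercises the modes with constructed attempts for user "admin", keyed by scenario.
func RunScenario() (map[string]bool, error) {
	userKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	strangerKey, err2 := rsa.GenerateKey(rand.Reader, 2048) // never imported into the server
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	srv := &Server{
		Passwords:      map[string]string{"admin": "constructed-sample-password"},
		AuthorizedKeys: map[string]*rsa.PublicKey{"admin": &userKey.PublicKey},
	}
	sessionID := []byte("constructed-session-id")
	digest := sha256.Sum256(sessionID)
	goodSig, _ := rsa.SignPKCS1v15(rand.Reader, userKey, crypto.SHA256, digest[:])
	foreignSig, _ := rsa.SignPKCS1v15(rand.Reader, strangerKey, crypto.SHA256, digest[:])
	try := func(mode AuthMode, ver int, pw string, pub *rsa.PublicKey, sig []byte) bool {
		ok, _ := srv.Authenticate(mode, Attempt{User: "admin", Version: ver, Password: pw,
			PublicKey: pub, SessionID: sessionID, Signature: sig})
		return ok
	}
	return map[string]bool{
		"publickey: stored key, own signature":      try(AuthPublicKey, 2, "", &userKey.PublicKey, goodSig),
		"publickey: unknown key, its own signature": try(AuthPublicKey, 2, "", &strangerKey.PublicKey, foreignSig),
		"publickey: stored key, foreign signature":  try(AuthPublicKey, 2, "", &userKey.PublicKey, foreignSig),
		"password-publickey: SSH2, password only":   try(AuthPasswordPublicKey, 2, "constructed-sample-password", nil, nil),
		"password-publickey: SSH1, password only":   try(AuthPasswordPublicKey, 1, "constructed-sample-password", nil, nil),
	}, nil
}
func main() { fmt.Println(RunScenario()) }
```

The "unknown key, its own signature" case is the one worth noting: the signature is mathematically valid, but the key was never imported for the user, so the server rejects it before the signature is ever examined, which is exactly why the validity check has to come first.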
SSH support for VPN
With this function, you can configure the device as an SSH client to establish connections with SSH
servers in different VPNs.
As shown in Figure 77, the hosts in VPN 1 and VPN 2 access the MPLS backbone through an MCE, with the services of the two VPNs isolated. After the MCE is enabled with the SSH client function, it can establish SSH connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log files.
Figure 77 SSH support for MPLS L3VPN
[Figure 77 topology: a Host in VPN 1 and a Host in VPN 2 connect to the MCE (SSH client); the MCE reaches the MPLS backbone (PE, P, PE) and, beyond it, a CE in VPN 1 and a CE in VPN 2, each acting as an SSH server.]
Configuring the device as an SSH server
You can configure the device as a Stelnet server or SFTP server. Because the configuration procedures are similar, the SSH server represents the Stelnet server and SFTP server unless otherwise specified.