SSH authentication methods
When the device acts as an SSH server, it supports the following authentication methods:
Password authentication—The SSH server uses AAA to authenticate the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to obtain the username and password in plain text, checks the validity of the username and password locally or through a remote AAA server, and then informs the client of the authentication result.
In a password authentication process, if the remote AAA server requires the user to perform a secondary password authentication, it sends the SSH server an authentication response that carries a prompt. The prompt is transparently transmitted to the client and displayed there to notify the user to enter a specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the device returns an authentication success message to the client.
NOTE: Only clients that run SSH2 or a later version support secondary password authentication that is initiated by the AAA server.
Publickey authentication—The server authenticates the client by verifying its digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains the following information:
Username.
Public key of the client.
Publickey algorithm information (or the digital certificate that carries the public key information).
The server examines whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by verifying the digital signature and then informs the client of the authentication result. The device supports the publickey algorithms RSA and DSA for digital signatures.
A client can send its public key information to the device acting as the server for the validity check in either of the following ways:
The client directly sends the user's public key information to the server, and the server checks the validity of the user's public key.
The client sends the user's public key information to the server through a digital certificate, and the server checks the validity of the digital certificate. When acting as a client, the device does not support this method.
Password-publickey authentication—The server requires clients that run SSH2 to pass both password authentication and publickey authentication. However, a client that runs SSH1 only needs to pass one of the two.
Any authentication—The server requires the client to pass either password authentication or publickey authentication.
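The following added example (not the vendor's code) models the server-side checks described above in Python: the two-step publickey check (is the offered key registered for this user, and does the signature verify) and the decision rules for the password-publickey and any modes. The RSA key pair, the user store and the request format are constructed here for illustration; real SSH signatures use SHA-2 based schemes with keys of 2048 bits or more.

```python
import hashlib

# Constructed textbook RSA key (p=61, q=53): n=3233, e=17, d=2753. Toy size, illustration only.
N, E, D = 3233, 17, 2753

# Hypothetical server-side store: username -> (algorithm, public key) registered for that user.
AUTHORIZED_KEYS = {"alice": ("rsa", (E, N))}

def digest(session_id: bytes, username: str) -> int:
    # The signed data binds the signature to this session and user.
    # Reduced mod N only because the toy key is far smaller than a real hash.
    h = hashlib.sha256(session_id + username.encode()).digest()
    return int.from_bytes(h, "big") % N

def sign(session_id: bytes, username: str, priv) -> int:
    # Client side: signs the session/user digest with the private exponent.
    d, n = priv
    return pow(digest(session_id, username), d, n)

def publickey_auth(request: dict, session_id: bytes) -> bool:
    """Server side. True only if the offered key is the one registered for the
    user (step 1) AND the signature verifies under that key (step 2)."""
    user = request["username"]
    registered = AUTHORIZED_KEYS.get(user)
    if registered is None or registered != (request["algorithm"], request["pubkey"]):
        return False  # step 1 failed: public key is not valid for this user
    e, n = request["pubkey"]
    return pow(request["signature"], e, n) == digest(session_id, user)  # step 2

def authenticate(mode: str, ssh_version: int, password_ok: bool, pubkey_ok: bool) -> bool:
    """Apply the per-mode rules from the text to the outcome of each method."""
    if mode == "password":
        return password_ok
    if mode == "publickey":
        return pubkey_ok
    if mode == "password-publickey":
        # SSH2 clients must pass both; SSH1 clients need only one of the two.
        if ssh_version >= 2:
            return password_ok and pubkey_ok
        return password_ok or pubkey_ok
    if mode == "any":
        return password_ok or pubkey_ok
    raise ValueError(f"unknown authentication mode: {mode}")
```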