SSH authentication methods

This section describes authentication methods that are supported by the device when it acts as an SSH server.

Password authentication

The SSH server authenticates a client through the AAA mechanism. The password authentication process is as follows:

  1. The client sends the server an authentication request that includes the encrypted username and password.

  2. The server performs the following operations:

    1. Decrypts the request to get the username and password in plain text.

    2. Verifies the username and password locally or through remote AAA authentication.

    3. Informs the client of the authentication result.


      NOTE:

      SSH1 clients do not support secondary password authentication that is initiated by the AAA server.


If the AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. When the user enters the password, the AAA server checks its validity. If the password is valid, the SSH server returns an authentication success message to the client.

For more information about AAA, see "Configuring AAA."

Publickey authentication

The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:

  1. The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.

    If the digital certificate of the client is required in authentication, the client also encapsulates the digital certificate in the authentication request. The digital certificate carries the public key information of the client.

  2. The server verifies the client's public key.

    • If the public key is invalid, the server informs the client of the authentication failure.

    • If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature, and informs the client of the authentication result.

When acting as an SSH server, the device supports using the public key algorithms DSA, ECDSA, and RSA to verify digital signatures.

When acting as an SSH client, the device supports using the public key algorithms DSA, ECDSA, and RSA to generate digital signatures.
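The two-step publickey exchange described above, as an added Go example (not code from this document or from the device's own implementation): the client first offers its username, algorithm name, and public key; the server checks whether that key is valid for the user, and only then does the client send a signature over the session-bound request data, which the server verifies. It assumes Ed25519 (ssh-ed25519), available in Go's standard library, rather than the DSA, ECDSA, or RSA algorithms listed above; the session ID, usernames, and key pair are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// sshString encodes the SSH "string" type: 4-byte big-endian length, then the bytes.
func sshString(b []byte) []byte { return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...) }
// signedData is what the client signs (RFC 4252 section 7); the session ID binds it to this connection.
func signedData(sessionID []byte, user, algo string, pub []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50) // SSH_MSG_USERAUTH_REQUEST
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // TRUE: this request carries a signature
	buf.Write(sshString([]byte(algo)))
	buf.Write(sshString(pub))
	return buf.Bytes()
}
type Server struct {
	SessionID  []byte
	Authorized map[string]map[string]bool // username -> set of raw public keys valid for that user
}
// QueryKey is the first check of step 2: is this public key valid for the user at all?
func (s *Server) QueryKey(user string, pub ed25519.PublicKey) bool { return s.Authorized[user][string(pub)] }
// VerifySignature is the second check: a valid key and a valid signature over this session's data.
func (s *Server) VerifySignature(user, algo string, pub ed25519.PublicKey, sig []byte) bool {
	return s.QueryKey(user, pub) && ed25519.Verify(pub, signedData(s.SessionID, user, algo, pub), sig)
}
// Authenticate plays the client: offer the key, and sign only after the server has accepted it.
func Authenticate(s *Server, user string, priv ed25519.PrivateKey) bool {
	pub := priv.Public().(ed25519.PublicKey)
	if !s.QueryKey(user, pub) {
		return false // server replied with an authentication failure
	}
	sig := ed25519.Sign(priv, signedData(s.SessionID, user, "ssh-ed25519", pub))
	return s.VerifySignature(user, "ssh-ed25519", pub, sig)
}
func main() { // constructed key pair and session ID, for the demo only
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s := &Server{SessionID: []byte("constructed-session-id"), Authorized: map[string]map[string]bool{"admin": {string(pub): true}}}
	fmt.Println("admin:", Authenticate(s, "admin", priv), "guest:", Authenticate(s, "guest", priv))
}
```

A key that is valid for one user is still rejected for another, and a signature produced for one session ID does not verify under a different one.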

For more information about public key configuration, see "Managing public keys."

Password-publickey authentication

The server requires SSH2 clients to pass both password authentication and publickey authentication. However, an SSH1 client only needs to pass one of the two, regardless of the server's requirement.

Any authentication

The server requires clients to pass password authentication or publickey authentication.