SSH authentication methods
This section describes authentication methods that are supported by the device when it acts as an SSH server.
Password authentication
The SSH server authenticates a client through the AAA mechanism. The password authentication process is as follows:
The client sends the server an authentication request that includes the encrypted username and password.
The SSH server performs the following operations:
Decrypts the request to get the username and password in plain text.
Verifies the username and password locally or through remote AAA authentication.
Informs the client of the authentication result.
NOTE:
Only clients that run SSH2 or a later version support secondary password authentication that is initiated by the AAA server.
If the AAA server requires the user to perform a secondary password authentication, it sends the SSH server an authentication response with a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. When the user enters the password, the AAA server examines its validity. If the password is valid, an authentication success message is sent to the client.
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey authentication process is as follows:
The client sends the server a publickey authentication request that includes the username, public key, and public key algorithm name.
If the client's digital certificate is required for authentication, the client also encapsulates the digital certificate in the authentication request. The digital certificate carries the client's public key information.
The server verifies the client's public key.
If the public key is invalid, the server informs the client of the authentication failure.
If the public key is valid, the server requests the digital signature of the client. After receiving the signature, the server uses the public key to verify the signature, and informs the client of the authentication result.
When acting as an SSH server, the device supports using the public key algorithms RSA, DSA, and ECDSA to verify digital signatures.
When acting as an SSH client, the device supports using the public key algorithms RSA, DSA, and ECDSA to generate digital signatures.
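The publickey steps above, as an added example that is not code from the device or its documentation: the client signs the session-bound SSH_MSG_USERAUTH_REQUEST data and the server first checks that the offered key is authorized for the user, then verifies the signature with that key. It assumes Go's standard library, the ecdsa-sha2-nistp256 algorithm, and two labelled simplifications (a bare P-256 point in place of the full SSH key blob, and DER-encoded signatures in place of SSH's mpint r||s encoding).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

const msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST (RFC 4252)
const keyAlgo = "ecdsa-sha2-nistp256"

// sshString encodes an SSH "string": big-endian uint32 length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// signedData assembles the bytes the client signs for the "publickey" method (RFC 4252 section 7); the session identifier comes first, so a signature is valid for one connection only.
func signedData(sessionID []byte, user string, pubBlob []byte) []byte {
	d := sshString(sessionID)
	d = append(d, msgUserauthRequest)
	d = append(d, sshString([]byte(user))...)
	d = append(d, sshString([]byte("ssh-connection"))...)
	d = append(d, sshString([]byte("publickey"))...)
	d = append(d, 1) // boolean TRUE: this request carries a signature
	d = append(d, sshString([]byte(keyAlgo))...)
	return append(d, sshString(pubBlob)...)
}

// pubBlob stands in for the SSH public-key blob (assumption: the bare P-256 point, without the algorithm and curve name strings a real blob carries).
func pubBlob(pub *ecdsa.PublicKey) []byte { return elliptic.Marshal(pub.Curve, pub.X, pub.Y) }

// clientSign: once the server has accepted the key, the client signs the session-bound data (assumption: DER signatures instead of SSH's mpint r||s encoding).
func clientSign(priv *ecdsa.PrivateKey, sessionID []byte, user string) ([]byte, error) {
	h := sha256.Sum256(signedData(sessionID, user, pubBlob(&priv.PublicKey)))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// serverVerify performs the server's two checks: the offered key must be authorized for the user, and the signature must verify over THIS session's data with that key.
func serverVerify(authorized map[string]*ecdsa.PublicKey, sessionID []byte, user string, pub *ecdsa.PublicKey, sig []byte) bool {
	auth := authorized[user]
	if auth == nil || !auth.Equal(pub) {
		return false // unknown user or key not authorized: reject before looking at any signature
	}
	h := sha256.Sum256(signedData(sessionID, user, pubBlob(pub)))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

A signature captured from one session fails on another because the session identifier is part of the signed data, which is why the server asks for the signature only after the key itself has been accepted.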
Password-publickey authentication
The server requires SSH2 clients to pass both password authentication and publickey authentication. SSH1 clients need to pass only one of the two.
Keyboard-interactive authentication
When a client initiates an authentication request, the remote authentication server sends the SSH server an authentication response with a question. The question is relayed to the client, and the user must enter the answer. This question-answer exchange might be repeated multiple times until the user has provided all required information. Then, the remote authentication server returns an authentication success message. This authentication method is supported only when the device acts as an SSH server and an HWTACACS server acts as the remote authentication server.
Any authentication
The server requires the client to pass any one of password authentication, keyboard-interactive authentication, or publickey authentication.