HP 3600 v2 Series Security Configuration Manual page 284

secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging.
4. After receiving the packet, the client parses the packet and compares the server's protocol version number with its own. If the server's protocol version is lower and supportable, the client uses the protocol version of the server; otherwise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it has decided to use.
5. The server compares the version number carried in the packet with its own. If the server supports the version, the negotiation succeeds and the server and the client proceed with key and algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection.
NOTE:
All the packets involved in the preceding steps are transferred in plain text.
Key and algorithm negotiation
The server and the client send algorithm negotiation packets to each other, notifying the peer of the supported public key algorithms, encryption algorithms, Message Authentication Code (MAC) algorithms, and compression algorithms.
Based on the received algorithm negotiation packets, the server and the client determine the algorithms to be used. If the negotiation of any type of algorithm fails, the whole algorithm negotiation fails and the server tears down the connection with the client.
The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID, and the client authenticates the identity of the server.
Through these steps, the server and the client obtain the same session key and session ID. The session key is used to encrypt and decrypt the data exchanged between the server and the client later. The session ID identifies the session established between the server and the client and is also used in the authentication stage.
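The following is an added example, not code from the HP manual or from the switch software: it models the version negotiation decisions of steps 4 and 5 and the per-category algorithm selection described above, on constructed identification strings and algorithm lists (the function names and the "first client-preferred algorithm the server supports" selection rule are assumptions).

```python
# Added illustration of SSH version and algorithm negotiation (not HP code).
# Protocol versions are (major, minor) tuples; software version is kept only for debugging.
CATEGORIES = ("public_key", "encryption", "mac", "compression")

def parse_version_line(line: str) -> tuple[tuple[int, int], str]:
    """Split 'SSH-<proto>-<software>[ comments]' into ((major, minor), software)."""
    ident = line.rstrip("\r\n").split(" ", 1)[0]      # comments after a space are ignored
    prefix, proto, software = ident.split("-", 2)     # software may itself contain '-'
    if prefix != "SSH":
        raise ValueError("not an SSH identification string: %r" % line)
    major, minor = (int(x) for x in proto.split(".", 1))
    return (major, minor), software

def client_choose_version(client_ver, server_ver, client_supported) -> tuple[int, int]:
    """Step 4: use the server's version if it is lower and supportable, else the client's own."""
    if server_ver < client_ver and server_ver in client_supported:
        return server_ver
    return client_ver

def server_accept_version(chosen_ver, server_supported) -> bool:
    """Step 5: the server proceeds only if it supports the version the client chose;
    otherwise negotiation fails and the TCP connection is torn down."""
    return chosen_ver in server_supported

def negotiate_algorithms(client_lists: dict, server_lists: dict):
    """Pick one algorithm per category; None means negotiation failed and the
    server tears down the connection (a single failing category fails everything)."""
    chosen = {}
    for cat in CATEGORIES:
        server_set = set(server_lists.get(cat, ()))
        match = next((a for a in client_lists.get(cat, ()) if a in server_set), None)
        if match is None:
            return None
        chosen[cat] = match
    return chosen

def run_demo():
    # Constructed sample: client offers 2.0, server identifies as 1.99 (constructed strings).
    client_ver, _ = parse_version_line("SSH-2.0-ExampleClient\r\n")
    server_ver, _ = parse_version_line("SSH-1.99-ExampleServer comment\r\n")
    chosen = client_choose_version(client_ver, server_ver, {(1, 99), (2, 0)})
    ok = server_accept_version(chosen, {(1, 99), (2, 0)})
    client = {"public_key": ["rsa", "dsa"], "encryption": ["aes128-cbc", "3des-cbc"],
              "mac": ["hmac-sha1", "hmac-md5"], "compression": ["none"]}
    server = {"public_key": ["dsa"], "encryption": ["3des-cbc", "aes128-cbc"],
              "mac": ["hmac-sha1"], "compression": ["none"]}
    return chosen, ok, negotiate_algorithms(client, server)
```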
CAUTION:
Before the key and algorithm negotiation, the server must have already generated a DSA or RSA key pair,
which is used in generating the session key and session ID, and by the client to authenticate the identity of
the server. For more information about DSA and RSA key pairs, see the chapter "Public key
configuration."
Authentication
SSH supports the following authentication methods:
Password authentication—The SSH server uses AAA to authenticate the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into a password authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the username and password, checks their validity locally or through a remote AAA server, and then informs the client of the authentication result. If the remote AAA server requires the user to re-authenticate with a password, it carries a prompt in the authentication response sent to the client. The prompt is transparently transmitted to the client and displayed there to notify the user to enter the specified password. After the user enters the correct password and passes the validity check on the remote AAA server, the server returns an authentication success message to the client.