If the negotiation is successful, the server and the client go on to key and
■
algorithm negotiation; otherwise, the server breaks the TCP connection.
n
All the packets involved in the above steps are transferred in plain text.
Key and algorithm negotiation
The server and the client send key algorithm negotiation packets to each other,
■
which include the supported public key algorithm list, encryption algorithm list,
MAC algorithm list, and compression algorithm list.
Based on the received algorithm negotiation packets, the server and the client
■
figure out the algorithms to be used.
The server and the client use the DH key exchange algorithm and parameters
■
such as the host key pair to generate the session key and session ID.
Through the above steps, the server and the client get the same session key, which
is to be used to encrypt and decrypt data exchanged between the server and the
client later. The server and the client use session ID in the authentication stage.
c
CAUTION: Before the negotiation, the server must have already generated the
RSA and DSA key pairs, which are mainly used for generating the session key.
Authentication
The client sends to the server an authentication request, which includes the
■
username, authentication method, and information related to the
authentication method (the password in the case of password authentication).
The server authenticates the client. If the authentication fails, the server
■
informs the client by sending a message, which includes a list of available
methods for re-authentication.
The client selects a method from the list to initiate another authentication.
■
The above process repeats until the authentication succeeds or the
■
authentication times timeout and the session is torn down.
SSH provides two authentication methods: password authentication and publickey
authentication.
In password authentication:
The client encrypts the username and password, encapsulates them into a
■
password authentication request, and sends the request to the server.
Upon receiving the request, the server decrypts the username and password,
■
compares them against those it maintains, and then informs the client of the
authentication result.
In publickey authentication:
The server authenticates clients using digital signatures. Currently, the device
■
supports two publickey algorithms to implement digital signatures: RSA and
DSA. The client sends to the server a public authentication request containing
its user name, public key and algorithm.
The server validates the public key. If the public key is invalid, the
■
authentication fails; otherwise, the server generates a digital signature to
SSH2.0 Overview
1921