Secure Shell Authentication; Protocol Identification; Algorithm And Key Exchange; Authentication Phase - Alcatel-Lucent OmniSwitch AOS Release 6 Manual


Secure Shell Authentication

Secure Shell authentication is accomplished in several phases using industry standard algorithms and
exchange mechanisms. The authentication phase is identical for Secure Shell and Secure Shell FTP. The
following sections describe the process in detail.

Protocol Identification

When the Secure Shell client in the OmniSwitch connects to a Secure Shell server, the server accepts the connection and responds by sending back an identification string. The client parses the server's identification string and sends an identification string of its own. The purpose of the identification strings is to validate that the attempted connection was made to the correct port number. The strings also declare the protocol and software version numbers. This information is needed on both the client and server sides for debugging purposes.

At this point, the protocol identification strings are in human-readable form. Later in the authentication process, the client and the server switch to a packet-based binary protocol, which is machine-readable only.

Algorithm and Key Exchange

The OmniSwitch Secure Shell server is identified by one or several host-specific DSA keys. Both the
client and server process the key exchange to choose a common algorithm for encryption, signature, and
compression. This key exchange is included in the Secure Shell transport layer protocol. It uses a key
agreement to produce a shared secret that cannot be determined by either the client or the server alone.
The key exchange is combined with a signature and the host key to provide host authentication. Once the
exchange is completed, the client and the server turn encryption on using the selected algorithm and key.
The following elements are supported:

  Host Key Type            DSA
  Cipher Algorithms        AES, Blowfish, Cast, 3DES, Arcfour, Rijndael
  Signature Algorithms     MD5, SHA1
  Compression Algorithms   None Supported
  Key Exchange Algorithms  diffie-hellman-group-exchange-sha1, diffie-hellman-group1-sha1

Note. The OmniSwitch generates a 512 bit DSA host key at initial startup. The DSA key on the switch is made up of two files contained in the /flash/network directory; the public key is called ssh_host_dsa_key.pub, and the private key is called ssh_host_dsa_key. To generate a different DSA key, use the Secure Shell tools available on your Unix or Windows system and copy the files to the /flash/network directory on your switch. The new DSA key will take effect after the OmniSwitch is rebooted.

Authentication Phase

When the client tries to authenticate, the server determines the process by telling the client which authentication methods can be used. The client is free to attempt any of the methods listed by the server. The server disconnects from the client if a certain number of failed authentication attempts are made or if a time-out period expires. Authentication is performed independently of whether the Secure Shell interface or the SFTP file transfer protocol will be used.

OmniSwitch AOS Release 6 Switch Management Guide, July 2010, Using Secure Shell, page 2-13
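As an added example (not code from the manual or from Alcatel-Lucent), the two exchanges described in the Protocol Identification and Algorithm and Key Exchange sections above in Python: a parser for the human-readable identification string, a parser and encoder for the binary-packet SSH_MSG_KEXINIT in which the algorithm name-lists of the table above are negotiated, and a drift check that reports any host key or key exchange algorithm a switch offers beyond what the table lists. The field names, SAMPLE_OFFER and EXPECTED are constructed values of my own, not output captured from a switch.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-list fields of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1); c2s/s2c = direction.
KEXINIT_FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Constructed sample of what a server offering only the manual's host key and kex algorithms would send.
SAMPLE_OFFER = {"kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"],
                "host_key": ["ssh-dss"], "comp_c2s": ["none"], "comp_s2c": ["none"]}
# Wire names for the manual's table (DSA is "ssh-dss" on the wire); a hypothetical local policy.
EXPECTED = {"host_key": {"ssh-dss"},
            "kex": {"diffie-hellman-group-exchange-sha1", "diffie-hellman-group1-sha1"}}

def parse_identification(line: bytes) -> dict:
    """Parse the human-readable line 'SSH-protoversion-softwareversion [SP comments] CR LF'."""
    text = line.rstrip(b"\r\n").decode("ascii")
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % text)
    ident, _, comments = text.partition(" ")
    _, protoversion, softwareversion = ident.split("-", 2)
    return {"protoversion": protoversion, "softwareversion": softwareversion, "comments": comments}

def _name_list(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)  # uint32 length, then comma-separated ASCII names
    names = buf[off + 4:off + 4 + n].decode("ascii")
    return [s for s in names.split(",") if s], off + 4 + n

def parse_kexinit(packet: bytes) -> dict:
    """Parse an unencrypted binary packet (uint32 length, byte padding_length, payload, padding) carrying KEXINIT."""
    (packet_length,) = struct.unpack_from(">I", packet, 0)
    payload = packet[5:4 + packet_length - packet[4]]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("message type %d is not KEXINIT" % payload[0])
    off, lists = 17, {}  # skip the message type byte and the 16-byte random cookie
    for field in KEXINIT_FIELDS:
        lists[field], off = _name_list(payload, off)
    return lists

def build_kexinit(lists: dict) -> bytes:
    """Encode a KEXINIT packet from name-lists; used here only to produce sample input offline."""
    payload = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # real peers send a random cookie here
    for field in KEXINIT_FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        payload += struct.pack(">I", len(names)) + names
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved uint32
    padding = (4 - (5 + len(payload)) % 8) % 8 + 4  # total length a multiple of 8, padding >= 4
    return struct.pack(">IB", 1 + len(payload) + padding, padding) + payload + b"\x00" * padding

def unexpected_algorithms(lists: dict, expected: dict = EXPECTED) -> dict:
    """Offered algorithms outside the expected set, per field: a drift check against the manual's table."""
    return {f: sorted(set(lists[f]) - exp) for f, exp in expected.items() if set(lists[f]) - exp}
```

Feeding a captured, still-unencrypted KEXINIT from a switch into parse_kexinit gives the full negotiated offer, which is the quickest way to confirm that a configured SSH policy actually took effect after the reboot the Note above requires.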
