NOTE:
SSH1 clients do not support secondary password authentication that is initiated by the AAA server.
Publickey authentication
The server authenticates a client by verifying the digital signature of the client. The publickey
authentication process is as follows:
1.
The client sends the server a publickey authentication request that includes the username,
public key, and public key algorithm name.
If the digital certificate of the client is required in authentication, the client also encapsulates the
digital certificate in the authentication request. The digital certificate carries the public key
information of the client.
2.
The server verifies the client's public key.
If the public key is invalid, the server informs the client of the authentication failure.
If the public key is valid, the server requests the digital signature of the client. After receiving
the signature, the server uses the public key to verify the signature and informs the client of
the authentication result.
When acting as an SSH server, the device supports using the public key algorithms RSA and DSA to
verify digital signatures.
When acting as an SSH client, the device supports using the public key algorithms RSA and DSA to
generate digital signatures.
For more information about public key configuration, see
Password-publickey authentication
The server requires SSH2 clients to pass both password authentication and publickey authentication.
However, an SSH1 client only needs to pass either authentication.
Any authentication
The server requires clients to pass password authentication or publickey authentication.
FIPS compliance
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for
features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more
information about FIPS mode, see
Configuring the device as an SSH server
SSH server configuration task list
Tasks at a glance
(Optional.)
Generating local DSA or RSA key pairs
(Required.)
(Required.)
(Required.)
(Required.)
Enabling the Stelnet server
Enabling the SFTP server
Enabling the SCP server
Enabling NETCONF over SSH
"Configuring
FIPS."
Remarks
N/A
Required only for Stelnet servers.
Required only for SFTP servers.
Required only for SCP servers.
Required only for NETCONF-over-SSH servers.
393
"Managing public
keys."