HP 5120 SI Series Security Configuration Manual page 255

Stages
Interaction
Version negotiation
1. The server opens port 22 to listen to connection requests from clients.
2. The client sends a TCP connection request to the server.
3. After the TCP connection is established, the server sends a packet that carries a version information
string to the client. The version information string is in the format SSH-<primary protocol version
number>.<secondary protocol version number>-<software version number>. The primary and
secondary protocol version numbers constitute the protocol version number. The software version
number is used for debugging.
4. Upon receiving the packet, the client resolves the packet and compares the server's protocol
version number with that of its own. If the server's protocol version is lower and supportable, the
client uses the protocol version of the server; otherwise, the client uses its own protocol version. In
either case, the client sends a packet to the server to notify the server of the protocol version that
it decides to use.
5. The server compares the version number carried in the packet with that of its own. If the server
supports the version, the negotiation succeeds and the server and the client proceed with key and
algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection
NOTE:
All the packets involved are transferred in plain text.
Key and algorithm negotiation
1. The server and the client send algorithm negotiation packets to each other, which include the
supported public key algorithms list, encryption algorithms list, Message Authentication Code
(MAC) algorithms list, and compression algorithms list.
2. Based on the received algorithm negotiation packets, the server and the client figure out the
algorithms to be used. If the negotiation of any type of algorithm fails, the algorithm negotiation
fails and the server tears down the connection with the client.
3. The server and the client use the DH key exchange algorithm and parameters such as the host key
pair to generate the session key and session ID, and the client authenticates the identity of the
server.
Through the steps, the server and the client get the same session key and session ID. The session key will
be used to encrypt and decrypt data exchanged between the server and client later. The session ID will
be used to identify the session established between the server and client and will be used in the
authentication stage.
CAUTION:
Before the negotiation, the server must have already generated a DSA or RSA key pair, which is not only
used for generating the session key, but also used by the client to authenticate the identity of the server. For
more information about DSA and RSA key pairs, see the chapter "Public key configuration."
Authentication
SSH provides password authentication and publickey authentication.
Description
After the server grants the request, the client and server start to
communicate with each other.
243