3Com 4210 PWR Configuration Manual page 391

9/18/26 port and pwr 9/18/26 port 4210 series switch

All the packets above are transferred in plain text.

Key negotiation

- The server and the client send algorithm negotiation packets to each other. The packets contain the public key algorithm lists, encryption algorithm list, message authentication code (MAC) algorithm list, and compression algorithm list supported by the server and the client.
- The server and the client calculate the final algorithms according to the supported algorithm lists.
- The server and the client generate the session key and session ID based on the Diffie-Hellman (DH) exchange algorithm and the host key pair.
- The server and the client then hold the same session key and use it for data encryption and decryption to secure data communication.
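
The selection step in key negotiation can be made concrete. The following is an added example, not code from the 3Com manual or the device: it assumes the SSH-2 rule from RFC 4253 section 7.1, simplified so that each category takes the first entry in the client's list that the server also offers, and it flags picks that an assumed policy set (`WEAK`) treats as weak. All algorithm lists in it are constructed sample data.

```python
# Added example (not from the manual): SSH-2 style algorithm selection,
# following the first-match rule of RFC 4253 section 7.1.

# Assumed audit policy: names treated as weak here. Adjust to your own baseline.
WEAK = {"ssh-dss", "3des-cbc", "des-cbc", "hmac-md5", "hmac-md5-96", "hmac-sha1-96"}

def negotiate(client, server):
    """Per category, pick the first name in the client's list that the server
    also lists. Client order decides; None means no common algorithm."""
    chosen = {}
    for category, client_list in client.items():
        offered = set(server.get(category, []))
        chosen[category] = next((a for a in client_list if a in offered), None)
    return chosen

def audit(client, server):
    """Return (chosen, findings) where findings describe failed or weak picks."""
    chosen = negotiate(client, server)
    findings = []
    for category, name in chosen.items():
        if name is None:
            findings.append(f"{category}: no common algorithm, connection fails")
        elif name in WEAK:
            findings.append(f"{category}: weak algorithm selected: {name}")
    return chosen, findings

# Constructed sample lists (not read from a real device or client).
SERVER = {"public_key": ["ssh-rsa", "ssh-dss"],
          "cipher": ["aes128-cbc", "3des-cbc", "des-cbc"],
          "mac": ["hmac-sha1", "hmac-md5", "hmac-sha1-96"],
          "compression": ["none"]}
PERMISSIVE_CLIENT = {"public_key": ["ssh-dss", "ssh-rsa"],
                     "cipher": ["3des-cbc", "aes128-cbc"],
                     "mac": ["hmac-md5", "hmac-sha1"],
                     "compression": ["none", "zlib"]}
STRICT_CLIENT = {"public_key": ["ssh-rsa"],
                 "cipher": ["aes256-ctr", "aes128-ctr"],
                 "mac": ["hmac-sha1"],
                 "compression": ["none"]}

if __name__ == "__main__":
    for label, client in (("permissive", PERMISSIVE_CLIENT), ("strict", STRICT_CLIENT)):
        chosen, findings = audit(client, SERVER)
        print(label, chosen)
        for finding in findings:
            print("  !", finding)
```

With these constructed lists, the permissive client ends up on ssh-dss, 3des-cbc and hmac-md5 because its own preference order decides, while the strict client fails on the cipher category instead of downgrading.
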

Authentication negotiation

The negotiation steps are as follows:

- The client sends an authentication request to the server. The authentication request contains the username, authentication type, and authentication-related information. For example, if the authentication type is password, the content is the password.
- The server starts to authenticate the user. If authentication fails, the server sends an authentication failure message to the client, which contains the list of methods that can be used for a new authentication process.
- The client selects an authentication type from the method list to perform authentication again.
- The above process repeats until the authentication succeeds, or the connection is torn down when the number of authentication attempts reaches the upper limit.

SSH provides two authentication methods: password authentication and publickey authentication.

- In password authentication, the client encrypts the username and password, encapsulates them into a password authentication request, and sends the request to the server. Upon receiving the request, the server decrypts the username and password, compares them with those it maintains, and then informs the client of the authentication result.
- The publickey authentication method authenticates clients using digital signatures. Currently, the device supports two publickey algorithms to implement digital signatures: RSA and DSA. The client sends to the server a publickey authentication request containing its user name, public key and algorithm. The server verifies the public key. If the public key is invalid, the authentication fails; otherwise, the server generates a digital signature to authenticate the client, and then sends back a message informing the client of the success or failure of the authentication.

Session request

After passing authentication, the client sends a session request to the server, while the server listens to and processes the request from the client. If the client passes authentication, the server sends back to the client an SSH_SMSG_SUCCESS packet