H3C S5500-EI series Operation Manual page 1358

Operation Manual – SSH
H3C S5500-EI Series Ethernet Switches
Caution:
Before the negotiation, the server must have already generated the RSA and DSA key
pairs, which are mainly used for generating the session key.
III. Authentication
The client sends to the server an authentication request, which includes the
username, authentication method and information related to the authentication
method (the password in the case of password authentication).
The server authenticates the client. If the authentication fails, the server informs
the client by sending a message, which includes a list of available methods for
re-authentication.
The client selects a method from the list to initiate another authentication.
The above process repeats until the authentication succeeds or the authentication
times timeout and the session is torn down.
SSH provides two authentication methods: password authentication and publickey
authentication.
In password authentication:
The client encrypts the username and password, encapsulates them into a
password authentication request, and sends the request to the server.
Upon receiving the request, the server decrypts the username and password,
compares them against those it maintains, and then informs the client of the
authentication result.
In publickey authentication:
The server authenticates clients using digital signatures. Currently, the device
supports two publickey algorithms to implement digital signatures: RSA and DSA.
The client sends to the server a public authentication request containing its user
name, public key and algorithm. The server validates the public key. If the public
key is invalid, the authentication fails; otherwise, the server generates a digital
signature to authenticate the client, and then sends back a message to inform the
success or failure of the authentication.
1-4
Chapter 1 SSH Configuration