SSH Protocol Support

Chapter 8 User Authentication

SSH Protocol Support

Introduction to SSH

SSH (Secure Shell) protocol is a security protocol that enables establishing a remote session over a secured tunnel, also called a remote shell. SSH accomplishes this by creating a transparent encrypted channel between the local and remote devices. In addition to remote shell, SSH also provides secure file transfer between the local and remote devices.

SSH uses password authentication.

A maximum of two SSH sessions can be active per router module in the stack, with two additional active SSH sessions per stack. For example, if a stack contains three router modules, a maximum of eight SSH sessions can be active on the stack.

The P330 agent reports SSH sessions opened to it. In addition, each router module reports the SSH sessions opened to its router interface. The user can disconnect selected SSH sessions.

The SSH session-establishment process is divided into the following stages, as shown in Figure 8.1:

SSH client connection:

The P330 generates a key of variable length (512-2048 bits) using the DSA encryption method. This is the private key.

The P330 calculates an MD5 Hash of the public key, called a fingerprint. The fingerprint is always 16 bytes long. This fingerprint is displayed.

The P330 sends the public key (i.e., the fingerprint,) to the client computer. This public key is used by the client to encrypt the data it sends to the P330. The P330 decrypts the data using the private key.

Both sides negotiate and must agree on the same chipper type. The P330 only supports 3DES-CBC encryption. The user on the client side accepts the fingerprint. The client keeps an IP vs. fingerprint public key cache and notifies the user if the cache changes.

The client chooses a random number that is used to encrypt and decrypt the information sent.

This random number is sent to the P330, after encryption based on the P330’s public key.

When the P330 receives the encrypted random number, it decrypts it using the private key. This random number is now used with the 3DES-CBC encryption method for all encryption and decryption of data. The public and private keys are no longer used.

User Authentication:

Before any data is transferred, the P330 requires the client to supply a user name and password. This authenticates the user on the client side to the P330.

46

Avaya P334T-ML User’s Guide

Page 62
Image 62
Avaya P3343T-ML manual SSH Protocol Support, Introduction to SSH