DELL N3000 User Manual

Configuring Authentication, Authorization, and Accounting
The methods available for authentication are: host-based authentication, 
public key authentication, challenge-response authentication, and password 
authentication. Authentication methods are tried in the order specified 
above, although SSH-2 has a configuration option to change the default 
order.
Host-based authentication operates as follows:
If the host from which the user logs in is listed in a specific file 
(/etc/hosts.equiv or /etc/ssh/shosts.equiv) on the remote host, and the user 
names are the same on both hosts, or if the files ~/.rhosts or ~/.shosts exist in 
the user's home directory on the remote host and contain a line containing 
the name of the client machine and the name of the user on that machine, 
the user is considered for login. Additionally, the server must be able to verify 
the client's host key for login to be permitted; it is this host-key check, not the 
file lookup alone, that closes security holes due to IP spoofing, DNS spoofing, 
and routing spoofing. This authentication method is not implemented by DNOS.
Public key authentication operates as follows:
The administrator first generates a key pair: a "private" key and a "public" key. 
A signature produced with the private key can be verified by anyone holding the 
public key, but the public key cannot be used to produce signatures. The 
administrator keeps the private key on his/her local machine, and loads only the 
public key on to the switch. When the administrator attempts to log into the 
switch, the SSH client signs a short message with the private key and sends the 
signature to the switch; in SSH-2 the signed message includes the session 
identifier, the user name, and the public key being offered, so a signature 
captured from one session cannot be replayed in another. If the switch can verify 
the signature with the public key it has loaded for that user, the response proves 
that the client possesses the matching private key, and the user is authenticated 
without giving a password.
This method is implemented in DNOS. If the user does not present a public 
key, it is not considered an error, and authentication will continue with 
challenge-response authentication.
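The exchange described above, as an added example that is not part of this manual and not Dell's code: a small Go model of SSH-2 "publickey" user authentication (RFC 4252, section 7) using the standard library's Ed25519 implementation. The `Switch` type, the `admin` user name, and the `Demo` scenario are assumptions for illustration; the session identifier is a random value standing in for the real exchange hash. The client signs data bound to the session with its private key, and the switch verifies with the public key it has loaded. The demo also shows the two failures a practitioner should expect: a captured signature replayed on a new session, and a key the switch never loaded.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const msgUserauthRequest = 50 // SSH_MSG_USERAUTH_REQUEST (RFC 4252)

// sshString encodes b as an SSH "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// pubBlob is the wire form of an ssh-ed25519 public key: string "ssh-ed25519", string key.
func pubBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// signedData is the byte sequence RFC 4252 section 7 requires the client to sign.
// The session identifier binds the signature to this connection, so it cannot be replayed.
func signedData(sessionID []byte, user string, blob []byte) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(msgUserauthRequest)
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte("ssh-connection")))
	buf.Write(sshString([]byte("publickey")))
	buf.WriteByte(1) // boolean TRUE: a signature follows
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(blob))
	return buf.Bytes()
}

// Switch models the server side (assumed name): the per-user public keys the
// administrator loaded. No private key is ever stored here.
type Switch struct {
	authorized map[string]ed25519.PublicKey
}

// Verify is the server's check. It succeeds only if the user has exactly this key
// loaded and the signature verifies over data bound to the current session.
func (s *Switch) Verify(sessionID []byte, user string, blob, sig []byte) bool {
	stored, ok := s.authorized[user]
	if !ok || !bytes.Equal(pubBlob(stored), blob) {
		return false
	}
	return ed25519.Verify(stored, signedData(sessionID, user, blob), sig)
}

// ClientAuth is the client side: it signs with the private key that never leaves the workstation.
func ClientAuth(priv ed25519.PrivateKey, sessionID []byte, user string) (blob, sig []byte) {
	blob = pubBlob(priv.Public().(ed25519.PublicKey))
	sig = ed25519.Sign(priv, signedData(sessionID, user, blob))
	return blob, sig
}

// Demo runs three attempts against a switch that has the assumed user "admin"'s key loaded:
// the legitimate client, a replay of its signature on a new session, and a different key.
func Demo() (genuine, replayed, wrongKey bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sw := &Switch{authorized: map[string]ed25519.PublicKey{"admin": pub}}

	session1 := make([]byte, 32) // stand-in for the exchange hash of the first key exchange
	rand.Read(session1)
	blob, sig := ClientAuth(priv, session1, "admin")
	genuine = sw.Verify(session1, "admin", blob, sig)

	session2 := make([]byte, 32)
	rand.Read(session2)
	replayed = sw.Verify(session2, "admin", blob, sig) // captured signature reused on a new session

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	blob2, sig2 := ClientAuth(otherPriv, session2, "admin")
	wrongKey = sw.Verify(session2, "admin", blob2, sig2) // key never loaded on the switch
	return
}

func main() {
	g, r, w := Demo()
	fmt.Printf("genuine client accepted: %v\nreplayed signature accepted: %v\nunknown key accepted: %v\n", g, r, w)
}
```

The point to carry back to the switch: the switch only ever holds public keys, and a valid signature is only accepted for the session it was produced in, so neither a compromised switch configuration backup nor a captured login exchange yields a usable credential.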
Challenge-response authentication works as follows:
The switch sends an arbitrary "challenge" text and prompts for a response. 
SSH-2 allows multiple challenges and responses (this is the SSH-2 
"keyboard-interactive" method); SSH-1 is restricted to one challenge/response 
only. Examples of challenge-response authentication include BSD Authentication.
Finally, if all other authentication methods fail, SSH prompts the user for a 
password.