Avaya P3343T-ML User Manual

Chapter 8        User Authentication
46
Avaya P334T-ML User’s Guide
SSH Protocol Support
Introduction to SSH
SSH (Secure Shell) protocol is a security protocol that enables establishing a remote session over a secured tunnel, also called a remote shell. SSH accomplishes this by creating a transparent encrypted channel between the local and remote devices. In addition to remote shell, SSH also provides secure file transfer between the local and remote devices.

SSH uses password authentication.
A maximum of two SSH sessions can be active per router module in the stack, with two additional active SSH sessions per stack. For example, if a stack contains three router modules, a maximum of eight SSH sessions can be active on the stack.

The P330 agent reports SSH sessions opened to it. In addition, each router module reports the SSH sessions opened to its router interface. The user can disconnect selected SSH sessions.
The SSH session-establishment process is divided into the following stages, as shown in Figure 8.1:
SSH client connection:
— The P330 generates a key of variable length (512-2048 bits) using the DSA encryption method. This is the private key.
— The P330 calculates an MD5 Hash of the public key, called a fingerprint. The fingerprint is always 16 bytes long. This fingerprint is displayed.
— The P330 sends the public key (i.e., the fingerprint) to the client computer. This public key is used by the client to encrypt the data it sends to the P330. The P330 decrypts the data using the private key.
— Both sides negotiate and must agree on the same cipher type. The P330 only supports 3DES-CBC encryption. The user on the client side accepts the fingerprint. The client keeps an IP vs. fingerprint public key cache and notifies the user if the cache changes.
— The client chooses a random number that is used to encrypt and decrypt the information sent.
— This random number is sent to the P330, after encryption based on the P330’s public key.
— When the P330 receives the encrypted random number, it decrypts it using the private key. This random number is now used with the 3DES-CBC encryption method for all encryption and decryption of data. The public and private keys are no longer used.
User Authentication:
— Before any data is transferred, the P330 requires the client to supply a user name and password. This authenticates the user on the client side to the P330.
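The fingerprint and cache steps above, as an added example that is not part of the Avaya guide: it computes the 16-byte MD5 fingerprint of an ssh-dss public key and checks it against the client's IP-vs-fingerprint cache, reporting a changed key instead of silently accepting it. It assumes the fingerprint is MD5 over the SSH wire-format key blob (the usual OpenSSH MD5 fingerprint), and the DSA parameters are constructed toy values, not a real key.

```python
import hashlib
import struct
from typing import Dict

def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian two's complement, leading 0x00 if the
    high bit is set, empty string for zero. Non-negative values only here."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def dss_public_key_blob(p: int, q: int, g: int, y: int) -> bytes:
    """ssh-dss public key blob (what an OpenSSH key line carries in base64)."""
    return ssh_string(b"ssh-dss") + ssh_mpint(p) + ssh_mpint(q) + ssh_mpint(g) + ssh_mpint(y)

def md5_fingerprint(blob: bytes) -> str:
    """MD5 of the key blob: always 16 bytes, shown as colon-separated hex
    so it can be compared with the value the P330 displays."""
    digest = hashlib.md5(blob).digest()
    return ":".join(f"{b:02x}" for b in digest)

def check_host_key(cache: Dict[str, str], ip: str, fingerprint: str) -> str:
    """Client-side IP-vs-fingerprint cache: 'new' on first contact (verify the
    fingerprint out of band before accepting), 'match' when it equals the cached
    value, 'changed' when the key differs, which must be surfaced to the user."""
    known = cache.get(ip)
    if known is None:
        cache[ip] = fingerprint
        return "new"
    return "match" if known == fingerprint else "changed"

# Constructed toy DSA parameters (far too small for a real key; illustration only).
TOY_BLOB = dss_public_key_blob(p=0xfb, q=0x3d, g=0x05, y=0x89)
TOY_BLOB_OTHER = dss_public_key_blob(p=0xfb, q=0x3d, g=0x05, y=0x2c)

if __name__ == "__main__":
    cache: Dict[str, str] = {}
    fp = md5_fingerprint(TOY_BLOB)
    print("fingerprint:", fp)
    print(check_host_key(cache, "192.0.2.10", fp))                              # new
    print(check_host_key(cache, "192.0.2.10", fp))                              # match
    print(check_host_key(cache, "192.0.2.10", md5_fingerprint(TOY_BLOB_OTHER)))  # changed
```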