Publickey authentication—The server authenticates the client by the digital signature. During
•
publickey authentication, the client sends the server a publickey authentication request that contains
its username, public key, and publickey algorithm information. The server examines whether the
public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server
authenticates the client by the digital signature. Finally, it informs the client of the authentication
result. The device supports using the publickey algorithms RSA and DSA for digital signature.
Password-publickey authentication—The server requires clients that run SSH2 to pass both
•
password authentication and publickey authentication. However, if a client runs SSH1, it only needs
to pass either authentication.
Any authentication—The server requires the client to pass either of password authentication and
•
publickey authentication.
FIPS compliance
In Release 1208 and later versions, the device supports the FIPS mode that complies with NIST FIPS 140-2
requirements. Support for features, commands, and parameters might differ in FIPS mode (see
"Configuring FIPS") and non-FIPS mode.
SSH support for MPLS L3VPN
With this function, you can configure the device as an SSH client to establish connections with SSH
servers in different MPLS L3VPNs.
As shown in
services of the two VPNs isolated. After a PE is enabled with the SSH client function, it can establish SSH
connections with CEs in different VPNs that are enabled with the SSH server function to implement secure
access to the CEs and secure transfer of log file.
Figure 78 Network diagram
Configuring the device as an SSH server
You can configure the device as an Stelnet server, SFTP server, or SCP server. Because the configuration
procedures are similar, the SSH server represents the Stelnet server, SFTP server, and SCP server unless
otherwise specified.
SSH server configuration task list
Figure
78, the hosts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the
202