| Stages | Description |
|---|---|
| Key exchange | The two parties use the DH exchange algorithm to dynamically generate the session key for protecting data transfer and the session ID for identifying the SSH connection. In this stage, the client authenticates the server as well. |
| Authentication | The SSH server authenticates the client in response to the client's authentication request. |
| Session request | After passing the authentication, the client sends a session request to the server to request the establishment of a session (or request the Stelnet, SFTP, or SCP service). |
| Interaction | After the server grants the request, the client and the server start to communicate with each other in the session. In this stage, you can paste commands in text format and execute them at the CLI. The text pasted at one time must be no more than 2000 bytes. H3C recommends that you paste commands in the same view. Otherwise, the server might not be able to correctly execute the commands. To execute commands of more than 2000 bytes, save the commands in a configuration file, upload it to the server through SFTP, and use it to restart the server. |

SSH authentication methods

When the device acts as an SSH server, it supports the following authentication methods:

• Password authentication—The SSH server authenticates a client through the AAA mechanism. In a password authentication, an SSH client encrypts and encapsulates its username and password into an authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the request to get the username and password in plain text, examines the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result.

  If the remote AAA server requires the user to enter a password for secondary authentication, it sends the SSH server an authentication response carrying a prompt. The prompt is transparently transmitted to the client to notify the user to enter a specific password. After the user enters the correct password and passes the validity check by the remote AAA server, the SSH server returns an authentication success message to the client.

  For more information about AAA, see "Configuring AAA."

  NOTE:
  SSH1 clients do not support secondary password authentication that is initiated by the AAA server.

• Publickey authentication—The server authenticates a client by the digital signature. In a publickey authentication, a client sends the server a publickey authentication request that contains its username, public key, and publickey algorithm information (or the digital certificate that carries the public key information). The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server informs the client of the authentication result. The device supports using the public key algorithms RSA and DSA for digital signature.

  For more information about public key configuration, see "Managing public keys."
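The two server-side checks of publickey authentication described above (is the key valid for this user, then does the signature verify), as an added Go example that is not H3C's implementation or code from this guide. It goes one step beyond the text by signing over the session ID from the key exchange stage, so a captured request cannot be reused on another connection. Assumptions: RSA only, PKCS#1 v1.5 with SHA-256, a simplified signed-data layout, and the hypothetical names `AuthRequest`, `digest`, `Sign`, `Authenticate` and `NewKey`.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

type AuthRequest struct { // decoded publickey request (hypothetical type, not the wire format)
	User, Algo string
	PubKey     *rsa.PublicKey
	Sig        []byte
}

// digest hashes length-prefixed fields; the session ID ties the signature to one connection.
func digest(sessionID []byte, user, algo string, pub *rsa.PublicKey) []byte {
	h := sha256.New()
	for _, f := range [][]byte{sessionID, []byte(user), []byte(algo), x509.MarshalPKCS1PublicKey(pub)} {
		fmt.Fprintf(h, "%08x", len(f))
		h.Write(f)
	}
	return h.Sum(nil)
}

// Sign is the client side: build a request and sign it for this session.
func Sign(key *rsa.PrivateKey, sessionID []byte, user string) (AuthRequest, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(sessionID, user, "rsa", &key.PublicKey))
	return AuthRequest{user, "rsa", &key.PublicKey, sig}, err
}

// Authenticate is the server side: key validity check first, then the signature check.
func Authenticate(authorized map[string]*rsa.PublicKey, sessionID []byte, r AuthRequest) error {
	want, ok := authorized[r.User]
	if !ok || r.Algo != "rsa" || r.PubKey == nil || !want.Equal(r.PubKey) {
		return fmt.Errorf("public key is not valid for user %q", r.User)
	}
	return rsa.VerifyPKCS1v15(r.PubKey, crypto.SHA256, digest(sessionID, r.User, r.Algo, r.PubKey), r.Sig)
}

// NewKey generates a throwaway 2048-bit client key for the demonstration.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() { // user name and session ID below are constructed sample values
	key, _ := NewKey()
	req, _ := Sign(key, []byte("session-A"), "admin")
	fmt.Println(Authenticate(map[string]*rsa.PublicKey{"admin": &key.PublicKey}, []byte("session-A"), req))
}
```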