Secure Shell (SSH) in HP Systems Insight Manager 5.1 and 5.2

SSH authentication mechanisms

Every SSH connection involves two authentications in the following order:

1. Server Authentication. The SSH client verifies the identity of the SSH server. This ensures the SSH server is genuine and not an imposter. It also guards against an attacker redirecting the network connection to a different machine. This prevents a man-in-the-middle attack, where an attacker positions itself between the client and server and is able to view and modify the communication.

2. User Authentication. The SSH server verifies the identity of the user name account requesting access.
Server authentication - verification of the SSH server system

To establish a connection, the SSH client first contacts the remote system. Session keys are exchanged, and are used to encrypt all further communication between the client and server. The remote SSH server then sends its identity, known as the host key, to the SSH client for verification. The SSH client must decide if it accepts the server's host key. Usually, this is done by comparing the returned key with a known value for that host by looking for the key in the known hosts file. If the key matches, the server is authenticated, while if the key is different, an error is reported and the client terminates the connection. If the client has never communicated with the server before, there is probably no key for this remote host. A typical interactive SSH client prompts the user to accept or reject the new key, saving the key in the known hosts file if accepted. This accept-on-first-use model means that the connection is vulnerable to a man-in-the-middle attack on first use, but subsequent connections will use the stored key.
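The following is an added example, not part of the HP whitepaper, that reproduces the client-side decision described above over a known hosts file: a stored key that matches authenticates the server, a stored key that differs is a mismatch that must terminate the connection, and a host with no stored key falls into the accept-on-first-use case. It assumes the OpenSSH known_hosts layout (plain comma-separated host names, or hashed "|1|salt|hmac-sha1" host fields as written by HashKnownHosts). The host names, IP address, key blobs and salt are constructed sample data, not real keys or hosts.

```python
import base64
import hashlib
import hmac
from enum import Enum


class HostKeyResult(Enum):
    MATCH = "match"        # stored key equals the presented key: server authenticated
    MISMATCH = "mismatch"  # stored key differs: report an error and terminate
    UNKNOWN = "unknown"    # no stored key: the accept-on-first-use decision applies


def hashed_host_pattern(hostname, salt):
    """Build a hashed known_hosts host field: |1|<salt>|<hmac-sha1(salt, hostname)>."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(pattern, hostname):
    """True if a known_hosts host field (plain or hashed) names this host."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, digest_b64 = pattern.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in pattern.split(",")


def parse_known_hosts(text):
    """Return (host field, key type, base64 key) per entry; blanks and comments skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        entries.append((parts[0], parts[1], parts[2]))
    return entries


def check_host_key(known_hosts_text, hostname, key_type, key_b64):
    """The client's decision for a presented host key: match, mismatch or unknown host."""
    stored = [(t, k) for pat, t, k in parse_known_hosts(known_hosts_text)
              if host_matches(pat, hostname)]
    if not stored:
        return HostKeyResult.UNKNOWN
    for t, k in stored:
        if t == key_type and hmac.compare_digest(k.encode(), key_b64.encode()):
            return HostKeyResult.MATCH
    return HostKeyResult.MISMATCH


def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of the key blob, for out-of-band comparison."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def accept_on_first_use(known_hosts_text, hostname, key_type, key_b64):
    """Record an unknown host's key so that later connections compare against it.
    Refuses to overwrite an existing entry: a changed key is a mismatch, not a new host."""
    if check_host_key(known_hosts_text, hostname, key_type, key_b64) is not HostKeyResult.UNKNOWN:
        raise ValueError("host already has a stored key; refusing to overwrite")
    return known_hosts_text.rstrip("\n") + "\n%s %s %s\n" % (hostname, key_type, key_b64)


# Constructed sample data: the key blobs are arbitrary bytes, not real SSH keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
KNOWN_HOSTS = "\n".join([
    "# plain entry listing a host name and its address",
    "cms.example,10.0.0.5 ssh-rsa " + KEY_A,
    "# hashed entry, as written with HashKnownHosts yes",
    hashed_host_pattern("node01.example", b"constructed-salt") + " ssh-rsa " + KEY_B,
])

if __name__ == "__main__":
    for host, key in (("cms.example", KEY_A), ("10.0.0.5", KEY_B), ("new.example", KEY_A)):
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key).value, fingerprint(key))
```

The fingerprint is what an operator compares against a value obtained from the server's administrator before accepting a new key; pinning keys that way (or distributing a known hosts file centrally) removes the first-use window the text describes.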
User Authentication - verification of the client user's credentials

Once the identity of the remote SSH server has been verified, the SSH client sends the user name of the user who is requesting a login, along with any credentials (based on type of authentication) of the user to the target SSH server.

The user is authenticated in one of three ways:

- Public key authentication using key files
- Host-based authentication using key files
- Password authentication

Each method is attempted by the SSH client in sequence until there is a successful user authentication, or until the last method has been tried and failed.
Public key authentication is the most secure way to authenticate a user and is utilized by HP SIM 4.x and 5.x. Each user has a private key to identify that user, which is kept secret at the client. A corresponding public key is used by anyone wishing to authenticate this user, and the SSH server has
[Figure: SSH client and SSH server (only the diagram labels survive)]
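As an added example (not HP's code, and not how HP SIM itself is implemented), the simulation below covers both the method sequence from the user authentication section and the public key paragraph: a server-side decision that tries publickey, hostbased and password in that order and stops at the first success, with the public key method answered from an OpenSSH-format authorized_keys file (including an options field such as from= and no-pty). It assumes the client has already proved possession of the offered private key, which in the real protocol is a signature over the session that this sketch does not verify. The account name "hpsim", the key blobs, host names, password and salt are all constructed sample data.

```python
import base64
import hashlib
import hmac

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample keys: base64 of arbitrary bytes, not real key blobs.
ALICE_KEY = base64.b64encode(b"constructed-user-key-alice").decode()
BOB_KEY = base64.b64encode(b"constructed-user-key-bob").decode()
MGMT_HOST_KEY = base64.b64encode(b"constructed-host-key-mgmt01").decode()
STRANGER_KEY = base64.b64encode(b"constructed-key-stranger").decode()

# Constructed authorized_keys for the account "hpsim", in OpenSSH's
# "[options] <type> <base64 key> [comment]" line format.
AUTHORIZED_KEYS = {
    "hpsim": "\n".join([
        "# public keys trusted to log in as hpsim",
        "ssh-rsa " + ALICE_KEY + " alice@cms.example",
        'from="10.0.0.0/8",no-pty ssh-rsa ' + BOB_KEY + " bob@cms.example",
    ])
}

# Constructed host-based trust: (client host, client user) -> that host's key.
TRUSTED_HOSTS = {("mgmt01.example", "hpsim"): ("ssh-rsa", MGMT_HOST_KEY)}

# Constructed password store: a PBKDF2-SHA256 digest, never the password itself.
PASSWORD_SALT = b"constructed-salt"
PASSWORDS = {"hpsim": hashlib.pbkdf2_hmac("sha256", b"constructed-password",
                                          PASSWORD_SALT, 100_000)}


def parse_authorized_keys(text):
    """Return one dict (options, type, key, comment) per key line; skips comments."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # malformed: no key type followed by key material
        entries.append({"options": " ".join(tokens[:idx]), "type": tokens[idx],
                        "key": tokens[idx + 1], "comment": " ".join(tokens[idx + 2:])})
    return entries


def publickey_auth(user, cred):
    """cred is (key type, base64 key) the client has proved possession of (assumed)."""
    key_type, key_b64 = cred
    for entry in parse_authorized_keys(AUTHORIZED_KEYS.get(user, "")):
        if entry["type"] == key_type and hmac.compare_digest(entry["key"], key_b64):
            return True
    return False


def hostbased_auth(user, cred):
    """cred is (client host, client user, key type, base64 host key)."""
    client_host, client_user, key_type, key_b64 = cred
    expected = TRUSTED_HOSTS.get((client_host, client_user))
    return (expected is not None and expected[0] == key_type
            and hmac.compare_digest(expected[1], key_b64))


def password_auth(user, cred):
    """cred is the cleartext password; compared only through its salted digest."""
    stored = PASSWORDS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", cred.encode(), PASSWORD_SALT, 100_000)
    return hmac.compare_digest(stored, candidate)


AUTHENTICATORS = {"publickey": publickey_auth, "hostbased": hostbased_auth,
                  "password": password_auth}
METHOD_ORDER = ("publickey", "hostbased", "password")


def authenticate(user, credentials, order=METHOD_ORDER):
    """Try each method the client can offer, in order. Returns the name of the
    first method that succeeds, or None once the last method has been tried and failed."""
    for method in order:
        if method not in credentials:
            continue  # the client has nothing to offer for this method
        if AUTHENTICATORS[method](user, credentials[method]):
            return method
    return None


if __name__ == "__main__":
    print(authenticate("hpsim", {"publickey": ("ssh-rsa", ALICE_KEY)}))
    print(authenticate("hpsim", {"publickey": ("ssh-rsa", STRANGER_KEY),
                                 "password": "constructed-password"}))
```

A client that offers an unrecognised key and then a wrong password exhausts the sequence and is rejected; the same client with a correct password is accepted by the password method only after the public key method has failed, which is the fallback order the text describes.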