Authentication order public key detail

There are two keys for public key authentication: a private key stored on the client and a public key stored on the server (local) or AAA server (LDAP). The client uses the private key to create a signature, which only the public key can authenticate. If the signature is authenticated using the public key, then the user is also authenticated and is granted access. SR OS can locally store, using CLI, as many as 32 RSA keys and 32 ECDSA keys for a single user. In total, the SR OS can load a maximum of 128 public keys in a single authentication attempt.

Note: The client creates a signature using a single private key, but this signature can be authenticated on the SR OS with a maximum of 128 public keys in a single try. If all these public keys fail to authenticate, then a failure message is sent to the client and the number of failed attempts is incremented.

If the client has another private key, it can create a new signature with this new private key and attempt the authentication one more time, or switch to password authentication.

The following steps describe the procedure where the client attempts to authenticate using a public key and the authentication order is configured as ldap, then local.

Note: With each increment of failed attempts, the SR OS also checks the limit for lock-out. If the limit is reached, the user is locked out.

  1. The SSH client opens a session and tries to authenticate the user with private-key-1 (creating signature-1 from private-key-1).

  2. The SR OS checks the authentication order.

  3. The SR OS loads public keys for the user, as follows.

    1. If exit-on-reject is not configured, the SR OS loads all public keys from the LDAP server and all public keys from the locally-saved location.

    2. If exit-on-reject is configured, the SR OS only loads all public keys from the LDAP server and not from the locally-saved location.

  4. The SR OS verifies the received client signature-1 against each of the loaded public keys and attempts to find a match.

    1. If a match is found, the user is authenticated. The procedure ends.

    2. If no match is found, authentication fails and the SSH client is informed. The LDAP server waits for the SSH client’s reaction.

  5. The SSH client reacts in one of several ways.

    1. The connection is closed.

    2. The client continues with the password authentication method. In this case, on the SR OS, the number of failed authentication attempts is not incremented.

    3. The client continues with the next public key, as follows.

      1. If it is not the 21st received public key, return to step 3.

      2. If it is the 21st received public key, the number of failed authentication attempts is incremented and the connection is closed.
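The following Python model is an added illustration of steps 1 to 5 above; it is not SR OS code. It models how exit-on-reject changes which public keys are loaded, the 128-key load limit, the 21st-key cut-off, and when the failed-attempt counter and lock-out are applied. The hash-based signature scheme, the session identifier and the lock-out threshold of 3 are constructed stand-ins for the real RSA/ECDSA verification and the configurable SR OS limit.

```python
import hashlib
from dataclasses import dataclass

MAX_LOADED_KEYS = 128   # public keys loaded per authentication try (from the page)
MAX_CLIENT_KEYS = 21    # the 21st client key ends the session (from the page)
LOCKOUT_LIMIT = 3       # assumed lock-out threshold; the SR OS value is configurable


def sign(private_key: bytes, session_id: bytes) -> bytes:
    """Constructed stand-in for an RSA/ECDSA signature, not a real scheme."""
    return hashlib.sha256(private_key + session_id).digest()


def verify(public_key: bytes, signature: bytes, session_id: bytes) -> bool:
    """Stand-in verification: in this model public and private key are the same bytes."""
    return signature == sign(public_key, session_id)


@dataclass
class SrOs:
    ldap_keys: list             # public keys held on the AAA (LDAP) server
    local_keys: list            # public keys saved locally through the CLI
    exit_on_reject: bool = False
    failed_attempts: int = 0
    locked_out: bool = False

    def load_keys(self) -> list:
        # Step 3: with exit-on-reject only the LDAP keys are loaded, never the local ones.
        keys = list(self.ldap_keys) + ([] if self.exit_on_reject else list(self.local_keys))
        return keys[:MAX_LOADED_KEYS]

    def _fail(self) -> None:
        # Failed-attempt increment, followed by the lock-out check from the note above.
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_LIMIT:
            self.locked_out = True

    def ssh_session(self, client_private_keys: list, password_fallback: bool) -> str:
        """Run one SSH session. Returns 'ok', 'password', 'closed' or 'locked'."""
        if self.locked_out:
            return "locked"
        session_id = b"session-1"   # constructed stand-in for the SSH session identifier
        for n, priv in enumerate(client_private_keys, start=1):
            if n == MAX_CLIENT_KEYS:   # step 5.3.2: count a failure and close
                self._fail()
                return "locked" if self.locked_out else "closed"
            signature = sign(priv, session_id)                      # step 1
            if any(verify(pub, signature, session_id) for pub in self.load_keys()):
                return "ok"                                         # step 4.1
            # step 4.2 / 5.3.1: failure reported, client moves to its next key
        # Client is out of keys: step 5.2 (no increment) or step 5.1 (close)
        return "password" if password_fallback else "closed"
```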