To authenticate the client to the server, the client may use any of the methods in the list of authentication methods received from the server. Three well-known authentication methods are:
Password authentication uses the password of the username account (ServerUser, for example) on the remote host to perform client authentication.
With this method, the user enters the password, and the client encrypts and transmits the password. The server receives and decrypts the password, and the remote host authenticates the password against its password database.
Public-key authentication uses public/private key pairs to perform client authentication, without the need to transmit a password over the network. A user creates a public/private key pair for authentication purposes. The server knows the user’s public key, and only the user has the private key.
With this method, the server generates a random number, uses the user’s public key to encrypt the number, and sends the encrypted number to the client. The client uses the user’s private key to decrypt the number and sends the number back to the server.
Host authentication uses the client’s hostname and the user’s username (NPMUser, for example) on the remote host to perform client authentication.
With this method, the client sends a signature created with the user’s private key, and the server verifies the signature with the user’s public key. When the user’s identity is established, authorization is performed based on (1) the client’s hostname and (2) the user’s username on both the server and the client.
When the user’s identity has been accepted by the server, the server logs in to the remote host and gives the user a normal shell on the remote host. All CLI commands and responses with/from the remote shell will be encrypted.