To run NETCONF over SSHv2, the client establishes a connection using the SSHv2, on port 830, to the NETCONF server. The client and server exchange keys over SSHv2 for message integrity and encryption.
The SSHv2 client invokes the ssh-userauth service to authenticate the user. All currently supported SSH user authentication methods such as public-key, password, and keyboard-interactive authentication are supported for a NETCONF session also. If SSH user authentication is disabled, the user is allowed full access.
On successful user authentication, the client invokes the ssh-connection service, also known as the SSH connection protocol. After the SSH session is established, the NETCONF client invokes NETCONF as an SSH subsystem called netconf.