What is ssh auth
4 September 2024
This post is for myself to remember for later.
Notable server files:
./.ssh/authorized_keys : This file stores the public keys of clients permitted to access the server
./.ssh/known_hosts : Maintains fingerprints of servers you've connected to, ensuring that you connect to trusted hosts
Notable client file:
./.ssh/known_hosts : Tracks trusted server fingerprints, helping avoid man-in-the-middle attacks.
SSH
SSH stands for Secure Shell Protocol. It's purpose is to provide a secure communication line over an unprotected network with a key-based cryptographic authentication. With SSH, you can access remote systems, execute commands, transfer files, and manage configurations without exposing credentials or data.
Public and Private Keys
Public and private keys are part of an asymmetric cryptographic algorithm used for secure authentication. The public key, stored in ~/.ssh/id_rsa.pub
, is shareable and placed on the server. The private key in ~/.ssh/id_rsa
is never shared and remains only on the client.
Generate these files using:
ssh-keygen -t ed25519 -C "random comment"
Connecting to remote servers
To connect to a remote server, the client needs a key pair (public and private). The public key is shareable and must be added to the server's ~/.ssh/authorized_keys
file. By default, Ubuntu servers include the OpenSSH client, so no extra configuration is necessary.
Once the public key is on the server, connecting is as simple as running:
ssh root@your_ip
How does Key-Based Authentication work?
SSH key-based authentication involves a two-step handshake, similar to a TCP handshake. If you need a recap read my previous post.
Step 1: Initial handshake
- The client sends a connection request to the server
- The request contains the public key fingerprint so the server can select the matching public key from the authorized_keys file.
- The server sends the client encrypted text with the public key.
Step 2: Response and verification
- The client decrypts the encrypted text with it's private key and send a response to the server.
- The server compares the decrypted response with the original text. If they match, authorization is successful.
In simple terms, the encrypted text can only be decrypted by the owner of the private key.
Thanks for reading