My 2 paisas

OpenSSH Public Key authentication

Posted on: July 7, 2009

Please refer to man pages of SSH command for latest updates.

This is method is used usually when you are a server administrator and usually work by logging through SSH in to the server. You will not like to enter the password everytime you want to log in. For this you can follow this method.

Host-based authentication works as follows: If the machine the user logs
in from is listed in /etc/hosts.equiv or /etc/shosts.equiv on the remote
machine, and the user names are the same on both sides, or if the files
~/.rhosts or ~/.shosts exist in the user’s home directory on the remote
machine and contain a line containing the name of the client machine and
the name of the user on that machine, the user is considered for login.
Additionally, the server must be able to verify the client’s host key
(see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts,
below) for login to be permitted. This authentication method closes se-
curity holes due to IP spoofing, DNS spoofing, and routing spoofing.
[Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the
rlogin/rsh protocol in general, are inherently insecure and should be
disabled if security is desired.]

Public key authentication works as follows: The scheme is based on pub-
lic-key cryptography, using cryptosystems where encryption and decryption
are done using separate keys, and it is unfeasible to derive the decryp-
tion key from the encryption key. The idea is that each user creates a
public/private key pair for authentication purposes. The server knows
the public key, and only the user knows the private key. ssh implements
public key authentication protocol automatically, using either the RSA or
DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
protocol 2 may use either. The HISTORY section of ssl(8) contains a
brief discussion of the two algorithms.

The file ~/.ssh/authorized_keys lists the public keys that are permitted
for logging in. When the user logs in, the ssh program tells the server
which key pair it would like to use for authentication. The client
proves that it has access to the private key and the server checks that
the corresponding public key is authorized to accept the account.

The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
~/.ssh/ (protocol 1), ~/.ssh/ (protocol 2 DSA), or
~/.ssh/ (protocol 2 RSA) in the user’s home directory. The us-
er should then copy the public key to ~/.ssh/authorized_keys in his/her
home directory on the remote machine. The authorized_keys file corre-
sponds to the conventional ~/.rhosts file, and has one key per line,
though the lines can be very long. After this, the user can log in with-
out giving the password.

The most convenient way to use public key authentication may be with an
authentication agent. See ssh-agent(1) for more information.

Challenge-response authentication works as follows: The server sends an
arbitrary “challenge” text, and prompts for a response. Protocol 2 al-
lows multiple challenges and responses; protocol 1 is restricted to just
one challenge/response. Examples of challenge-response authentication
include BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD

Finally, if other authentication methods fail, ssh prompts the user for a
password. The password is sent to the remote host for checking; however,
since all communications are encrypted, the password cannot be seen by
someone listening on the network.

ssh automatically maintains and checks a database containing identifica-
tion for all hosts it has ever been used with. Host keys are stored in
~/.ssh/known_hosts in the user’s home directory. Additionally, the file
/etc/ssh/ssh_known_hosts is automatically checked for known hosts. Any
new hosts are automatically added to the user’s file. If a host’s iden-
tification ever changes, ssh warns about this and disables password au-
thentication to prevent server spoofing or man-in-the-middle attacks,
which could otherwise be used to circumvent the encryption. The
StrictHostKeyChecking option can be used to control logins to machines
whose host key is not known or has changed.

When the user’s identity has been accepted by the server, the server ei-
ther executes the given command, or logs into the machine and gives the
user a normal shell on the remote machine. All communication with the
remote command or shell will be automatically encrypted.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Links that I liked to save

Blog Stats

  • 44,039 hits
%d bloggers like this: