Home > Software > Security > ssh authentication

Using SSH for authentication

tony - Tue, 22/03/2011 - 10:17 ( wiki )

Logging in using username and password.

Most of us have used ssh to log into a remote computer. You need an ssh client on your local computer and an ssh server running on the remote computer. You can log into the remote computer by typing the following command.

$> ssh user@hostname.domain.whatever

The remote computer will ask you for your password. You type it in and hey presto you are logged in.

The first time you log in you are presented with a message like this.

The authenticity of host '[hostname.domain.whatever] ([78.111.34.78])' can't be established. RSA key fingerprint is 95:b1:c4:0f:27:29:14:20:ef:3f:ee:88:e6:9a:e5:12. Are you sure you want to continue connecting (yes/no)?

The purpose of this is to avoid what is known as a "man-in-the-middle attack". If an attacker can somehow poisen your dns table or router and have you connect to his computer rather than the one you think you are connecting to, he can allow you to log onto his computer and forward the connection to the correct computer. He can then listen in on the unencrypted conversation.

When ssh is installed on your remote computer, it generates a set of key pairs and puts them in /etc/ssh. When you are physically at this computer or are connecting through a trusted "out of band" connection you can run the command

$>ssh-keygen -l -f/etc/ssh/ssh_host_rsa_key.pub

and the computer will print out the RSA key fingerprint of your host. This should match the RSA key fingerprint being queried by SSH. If it does you can be fairly confident you are connected to your computer and not somebody else's.

If you are connecting to somebody else's computer that you have an account on, you can ask them for its RSA key fingerprint and wait for them to look blankly at you.

Sadly it seems that most people, this author included, do not check the RSA key fingerprint, say yes, and blindly trust that they are not being monitored in this way.

If you say yes to ssh, when it asks you if you are sure you want to continue, it will add the remote computers public key to a file called known_hosts in a directory called .ssh in your home directory and will not ask again for subsequent connections to this computer using your current user name.

Logging in using public key authentication

Ssh uses a form of encryption called asymetric encryption or public and private key. It basically works by generating two large numbers or keys. One key is called the private key and is kept secret and stored securely on your computer. The second key is called the public key and it is freely distributed to all users and programs that wish to securely communicate with your computer. If a computer wishes to send an encrypted message to your computer it encrypts it using your public key which is freely available. The message can only be decoded using the private key which only your computer has. In practice for encrypting large amounts of data, using public and private key encryption is very inefficient and its use is usually limited to securely distributing other keys for faster encryption algorithms.

To use public key encryption as an authentication mechanism the following procedure is used. The user that wishes to be authenticated generates a public and private key pair. He keeps the private key safely on his computer and sends the public key to the remote computer that he wants to authenticate himself to. When he wants to log into the remote computer he gives his user name, the remote computer generates a challenge string and encrypts it using the users public key. The remote system sends the encrypted string back to the user. Since this user is the only one with the private key, only he can unencrypt it. The user sends back the unencrypted string to the remote computer. When the remote computer receives the unencrypted string it compares it to the string it sent. If they match the user is authenticated. This is only a rough idea of what is going on when ssh authenticates a user using public keys, there are a lot of subtleties involved but it gives you the basic idea.

Having established the principles here's what you do to set up public key authentication using ssh.

First in the configuration file /etc/ssh/sshd_config on the remote machine check that the line PubkeyAuthentication is set to yes.

Next the user that wants to authenticate to the remote computer has to generate a public/private key pair on his local machine.

In ssh the private key is also encrypted with a passphrase. To use the key ssh has to ask the user to enter the passphrase.

On your local machine type

$ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/id_rsa. Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: 0f:4a:9f:4e:0c:89:c8:b6:18:05:ea:70:a9:37:f0:86 anthony@ingthink The key's randomart image is: 

+--[ RSA 2048]----+
|.                |
|.. .             |
|+ +              |
|oO . . .         |
|E.O . + S        |
| * o . = +       |
|. .   . = .      |
|       o         |
|        .        |
+-----------------+

By default this command creates two files, id_rsa and id_rsa.pub in a subdirectory of your home directory called .ssh.The private key is in id_rsa and the public key is in id_rsa.pub

Enter a passphrase when it is asked for. It does not display on the screen.

Now copy what is in the public key file /home/user/.ssh/id_rsa.pub into the file named authorized_users in the .ssh directory of the user account you want to log into on the remote machine. If this file is not there, create it. Do not add any line breaks.

You can now log into the remote machine by typing

$> ssh user@hostname.domain.whatever

as before. But now ,when asked for a password, type the password you used when creating the public and private keys.

This style of login is more secure than just using a user name and password as someone attempting to log in has to know your password for the key pair and have a copy of the private key file.

When I did this on my debian machine using an xterm, a dialog box came up saying enter password to unlock private key. When I entered the password for the public and private key that I had just created the dialog box disappeared and I was logged into the remote account without having to enter the password again. Subsequent connections to the account were made without having to enter a password. This is because the password was stored in a local ssh agent. I will talk about ssh agents in a future post.

ssh-keygen -t rsa

admin - Sun, 27/03/2011 - 11:58
Having the two machines the client and the remote server it is not at all clear to me at least which of the machines this task "ssh-keygen -t rsa " needs be completed on. Don't get me wrong it is an excellent article and has clarified a some areas I was unsure about, it is also unclear where exactly the file called "id_rsa.pub" should be copied from or for that matter to.

ssh-keygen -t rsa

tony - Thu, 31/03/2011 - 12:50
Thanks for your comment. You are right I did not make it sufficiently clear that this command is run on the local machine from the account of the person that wants to use ssh to log into the remote computer. The place where id_rsa_pub is, is shown in the output of the command and where it should be copied to was, I thought, clear. However I have amended the article to make it clearer as to where these files are.

Really like this Tony.

paul - Thu, 31/03/2011 - 18:09
You should write more often. Great article.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.