Authentication into a server are done in two ways mostly: username and password, and SSH keys. SSH keys are widely known to be more secure than a username and password due to advanced security techniques. So for fun, in my first post I want to discuss some of the details about the SSH protocol, ssh keys, and how to ssh into any server.
There are two computers involved in ssh. One is the client, who issues the ssh command, and the other is the host, which is running the ssh server. There are two requirements to ssh into a host machine. First, the client must have a ssh key pair. An ssh key pair can be generated using a command 'ssh-keygen' which comes pre-installed on Linux and Windows. This will create two separate files, a public key and a private key. This is known as an ssh key pair. The other requirement to gain access to the host machine is that the host must store the client's public key. The client's public key is stored in a file called 'authorized_keys' on the host
A public key is able to encrypt messages, and a private key is able to encrypt and decrypt messages. A message encrypted by a public key can only be decrypted by its corresponding private key. A public key and its corresponding private key forms a key pair. It is ok to distribute a public key, but not a private key. The reason for this is that if any third party has access to your private key, they can pretend to be you and authenticate themselves into any server which recognizes your public key. A private key should be kept very secure for this reason.
When the client lets the server know it wants to authenticate, the following steps are carried out. Keep in mind this is simplified but captures the main points of a ssh authentication session.
This is an example of a successful authentication:
- The client informs the server that it wants to start a ssh session
- A session id is created
- The client sends its public key to the host.
- If the client's public key is in the file 'authorized_keys', a random string called a 'seed' is created, and the host encrypts the seed using the client's public key.
- The host sends the encrypted seed to the client.
- The client decrypts the server's message to reveal the seed using its corresponding private key.
- The client combines the seed with the session id, and sends it back to the host.
- The client generates a hash of the combined seed and session id for itself.
- The host generates a hash of the combined seed and session id for itself.
- The host compares its hash with the client's hash. If they are the same, the client must have the corresponding private key, so the client is authenticated.
An unsuccessful authentication would go wrong at step 5. If the wrong private key is used to try to decrypt the server's message, the result will not be the seed, it will just be a random string. At step 10 the hashes will not be the same so authentication fails.
To ssh into any server, follow these steps:
into the terminal of the ssh client. When asked for a passphrase just press enter.
Create a folder called '.ssh' on the host in the home directory of a user of your choice. If the '.ssh' folder is already present ignore this step.
Create a blank file called 'authorized_keys' in the '.ssh' folder on the host. If the file 'authorized keys' is present ignore this step.
There should be a file called 'id_rsa.pub' in the '.ssh' folder in the home directory of the client. Open this file.
Open 'authorized_keys' on the host.
Make sure you are on a blank new line in 'authorized_keys'. Paste the contents of 'id_rsa.pub' into 'authorized_keys'.
Type in ssh . You should now be successfully authenticated and running a terminal on the host!
Note: A passphrase in step 1 could be added for extra security but this is just a super quick way to get ssh working.
That is all. This is my first blog post so thanks for viewing :)