How does SSH key authentication work?

-

From the user's point of view, an SSH connection is established like a telnet session (connection request, login request, password request), the principle is actually much more complex.

SSH guarantees:

  • Confidentiality: packet encryption guarantees this. The old services such as telnet, rlogin... sent the data in the clear;

  • Integrity: SSH ensures that packets flowing from one host to another are not corrupted;

  • Authentication: each SSH connection verifies the identity of the server (by its host key ~ / .ssh / known_hosts ) then that of the client (by password or public key ~ / .ssh / authorized_keys );

  • Authorization: it is possible with SSH to limit the actions authorized to the user ( ~ / ssh / .authorization );

  • Tunneling: SSH is used to secure a service whose information usually circulates in clear (POP, IMAP, VNC...). Other aspects of tunneling are the securing of the X11 protocol (X11forwarding), and the use of private SSH Keys located on a remote host (Agent forwarding).

SSH is therefore secure but does not protect everything. Password authentication remains relatively vulnerable (password too easy to discover ... all the difficulty of a good password: easy to remember, difficult for others to discover).

Key authentication

Faced with the weakness of password authentication, key authentication is proving to be very effective.

The key makes it possible to guarantee to a system that a user is indeed who he claims to be ... in two words: "I swear and I prove that it is indeed me".

Key authentication works thanks to 3 components:

  • A public key: it will be exported to each host to which you want to be able to connect;

  • A private key: it allows you to prove your identity to the servers;

  • A passphrase: Used to secure the private key (note the subtlety, passphrase and not password ... therefore “passphrase” and not “password”).

Security is really increased because the passphrase alone is useless without the private key, and vice versa.

Creation of the key pair

The creation of the key pair is done with ssh-keygen.

There are 2 types of SSH Keys: RSA and DSA. Each can be of different length: 1024, 2048, 4096 bits (keys less than 2048 bits are to be avoided ... especially RSA). To create a 2048-bit DSA key: ssh-keygen -t dsa -b 2048 -C username@domain.tld. Without parameters, the default options are RSA type in 2048 bits.

The comment makes it possible to distinguish the keys, useful when you have several keys (in particular a personal one and one for the job). Here the distinction is made on the e-mail address. If the comment is omitted, it will be of the form user @ host.

$ ssh-keygen

Generating public / private RSA key pair.

Enter file in which to save the key (/home/drpixel/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter the same passphrase again:

  • Your identification has been saved in /home/drpixel/.ssh/id_rsa.

  • Your public key has been saved in /home/drpixel/.ssh/id_rsa.pub.

The key fingerprint is:

cb: 61: 48: 6b: b4: 53: 00: 9b: d1: 2a: cf: 44: 88: 79: c2: 19 username@domain.tld

Two files have been created (in the ~ / .ssh / folder ):

id_rsa (or id_dsa in the case of a DSA key): contains the private key and must not be disclosed or made available;

id_rsa.pub (or id_dsa.pub in the case of a DSA key): contains the public key, it is this which will be placed on the servers whose access is desired.





Setting up SSH Keys


The configuration file is / etc / ssh / sshd_config .

Key authentication is enabled by default. In fact, in the original configuration file, all commented values ​​(preceded by a #) are set to their default value. Indeed, the line

#PubkeyAuthentication yes 

This means that the default key-value PubkeyAuthenticationis Yes; key authentication is allowed. If you want to change the value of a key, just uncomment it. The rest of this tutorial will give you some examples.

This is of course not sufficient because no public key has been sent to the server.

Password authentication will be used

First method of copying a key:

[drpixel @ sidewinder ~] $ cat ~ / .ssh / id_rsa.pub | ssh user @ ip_machine "cat - >> ~ / .ssh / authorized_keys"

user @ ip_machine's password:

This command will read the file $ HOME / .ssh / id_rsa.pub (public key), connect to the server with the ip address "ip_machine" with the username "user" and add authorized keys ( $ HOME / .ssh / authorized_keys ) the content of the key read.

A second method of copying a key:

This is the same principle as the first method except that everything is broken down (useful for understanding):

[drpixel @ sidewinder ~] $ scp ~ / .ssh / id_rsa.pub user @ ip_machine: / tmp

user @ ip_machine's password:

id_rsa.pub 100% 609 0.6KB / s 00:00

[drpixel @ sidewinder ~] $ ssh user @ ip_machine

[user @ machine_name ~] $ cat /tmp/id_rsa.pub >> /root/.ssh/authorized_keys

[user @ machine_name ~] $ rm /tmp/id_rsa.pub

Third method:

This is the most automated and easiest method. This is also the officially recommended method.

[drpixel @ sidewinder ~] $ ssh-copy-id -i ~ / .ssh / id_rsa.pub user @ ip_machine

root @ durandal's password:

Now try logging into the machine, with "ssh 'user @ ip_machine'", and check-in:

  • .ssh / authorized_keys

  • to make sure we haven't added extra SSH Keys that you weren't expecting.

  • ssh-copy-id will copy the public key to the remote host. For security, the script appends the extension .pubto the identity file if it has been omitted.

Note that if you have more than one key, this command may copy more than one. Be sure to check the ~ / .ssh / authorized_keys file on ip_machine to possibly remove any SSH Keys you don't want to post to that server.

The target situation will then be:

PubkeyAuthentication yes

AuthorizedKeysFile .ssh / authorized_keys

ChallengeResponseAuthentication yes


In the case where an authorized_keys file is present, it must be ensured that it ends with a new line. Otherwise, the addition will be done on the fly and 2 keys (the last one and the one added) will be unusable.


Comments

Post a Comment

Popular posts from this blog

Secure Your Data From Hacker With RBAC System

-
The role based access control system is a secure security approach that helps to protect your business sensitive data from cyber hackers. It is an authorized and restricted cyber security system that gives access data to users that is based on their roles within an organization. It is based on the concept of roles and privileges. The data using the access system is dependent upon authority, competency, and responsibilities.
Read more

Security of Zero Trust Model in Business Infrastructure

-
The Zero Trust Mode l is a cybersecurity approach that assumes no trust by default, both inside and outside a corporate network. This means that every user, device, and application trying to access resources on a private network must be verified and authenticated, regardless of their location or network environment. The model challenges the traditional notion of "trust but verify" by implementing strict access controls and continuous verification processes. 
Read more

Zero Trust vs. Traditional Security: The Power of Automation and AI in Modern Cybersecurity

-
Image
The Zero Trust Model has emerged as a powerful alternative to traditional security models in the ever-evolving cybersecurity landscape. It challenges the long-standing notion of Trust within a network and offers a more proactive, comprehensive approach to safeguarding sensitive data.  This article conducts a comparative analysis of Zero Trust and traditional security models, shedding light on what sets Zero Trust apart and why it is gaining momentum. Traditional Security: The Perimeter Defense Paradigm The idea of a network perimeter has long been a cornerstone of conventional security approaches. Trust is often assumed inside the network, while external entities are treated as potential threats. Critical characteristics of traditional security include: Firewalls and Intrusion Detection Systems (IDS) - They serve as a perimeter defense and stop unlawful entry. To identify insider risks, though, they might have trouble. VPN and Network Segmentation -   These technologies crea...
Read more