Sunday, April 24, 2011

SSH Authentication in Linux

SSH is considered to be a secure way of login into a remote machine.

In this case there are three ways of authenticating through ssh before logging into a remote machine.


1)Host key authentication
2)Public Key Authentication
3)Public Key Authentication without authentication


1)Host Key Authentication:

In this case,username and password is used to authenticate to login to a remote shell.
Here SSH keys(Host keys)  are used to encrypt the session.
In this type of authentication, host keys are alone used ,which is used to assure the system you are logging is what it claims to be.
These host keys are directly added to your known_hosts in your local home(~/.ssh/known_hosts)
the first time you login to a remote system,though it will ask for confirmation whether the remote shell host key can be added to the known_hosts and it will display RSA finger print of the remote shell.

In case of security concerns,this host key can also added manually by using ssshkeygen to generate the keys.These keys generated can also be added  to the ~/.ssh/known_hosts of each of the remote system which you think need to login to your local system.

2)Public Key authentication:

In this case,SSH identity keys are used to authenticate the users instead of system Login.
Here the identity keys authenticate the users  instead of host key used in previous case.

But in this case,you need to do a little more work ,

you have to create public/private pair using the ssh key-gen using the following step: 

ssh-keygen -t rsa

this will generate the rsa key pair
private key will be stored in your  ~/.ssh/id_rsa
public key will be stored in the ~/.ssh/id_rsa.pub
Please provide the paraphrase to secure your private key

Keep your private key securely and the public key can be sent to other remote systems which you think has to login to your local system.

The public key should  be sent into ~/.ssh/authorized_keys2 files in the remote login
.This copying can also be done using ssh-copy-id utility like

This authorized_keys2 file is the default if you want to change the name you need to change it in the /etc/ssh/sshd.conf

ssh-copy-id  -i   id_rsa.pub karthik@10.10.10.10
(this command also creates the file authorized_keys2 in the remote system)

or just copy.


So in this case the data is encrypted by the public key in the  remote system and it is decrypted by the private key saved in your local system..Though the data can be encrypted by anyone having the public-key it can be decrypted only by a person possessing the private key.
Chances of data spoofing is completely reduced as long as private key is secure.As we have also used paraphrase along with the private key ,the spoofer cannot acheive his target only with the private key.


3)Public Key Authentication without using paraphrase:

In this case it is same as Public Key Authentication.But in this case we don't provide paraphrase to protect the private key.