A Guide to Public Key Authentication Using SSH

Application Security | Justin | 17 February 2024

Background

The SSH (Secure Shell) protocol provides secure remote access to hosts.

SSH offers several options for authenticating to a host, including password authentication, public-key authentication, and host-based authentication.

Before we get into all of that, let’s generate an SSH keypair.

Generating an SSH Keypair

Most Linux distributions ship with the ssh-keygen command, which creates a public and private key pair for SSH authentication.

The command is simple enough that you can run it without any options and it will create a basic SSH keypair using an RSA key.

ssh-keygen

The same SSH keypair can be generated explicitly by passing the key type with the -t option.

ssh-keygen -t rsa

You’ll be prompted for a save location and for an optional passphrase that protects the private key on disk. Once generated, two files will be created and saved to the location provided. The default naming is id_rsa.

  • id_rsa – This file contains the private key. Don’t ever share this!
  • id_rsa.pub – This file contains the public key.

Now that we’ve created our SSH keypair we need to get the local public key to the remote host, so let’s discuss authorization methods.

authorized_keys

Public key authentication is managed by the ~/.ssh/authorized_keys file. It contains the public keys that are authorized for logging into a user account via SSH.

When a user attempts to log in using public key authentication, the host checks the public key presented against the public keys listed in this file in order to verify authorization.

Each line represents a single public key, written on one line, and the format of the authorized_keys file is as follows:

[type] [public key] [comment]
  • [type]: the type of key, for example ssh-rsa or ssh-ed25519
  • [public key]: the actual public key, base64 encoded
  • [comment]: an optional comment, typically user@host

Adding public keys to authorized_keys can be done by manually copying the local public key into the remote authorized_keys file. However, it’s recommended to use the ssh-copy-id command, which is only available on Linux.

Here is an example of how to use the ssh-copy-id command to copy a public key from your local host to a remote host.

$ ssh-copy-id username@remote_host

Alternatively, you can copy the local public key to the remote host by piping the output of cat through ssh.

$ cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

known_hosts

Host-based authentication is managed by the ~/.ssh/known_hosts (per-user) and /etc/ssh/known_hosts (system-wide) files.

When a client connects via SSH for the first time, the server’s public key is sent to the client and saved in the known_hosts file on the client’s system.

On each subsequent connection, the client verifies the server’s identity by checking that the key the server presents matches the one recorded in the known_hosts file. If the public key is different, the SSH connection will fail.

Each line in the known_hosts file represents one public key or certificate. Each line contains a hostname, or a hash of the hostname, followed by the public key details.
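To make the two file formats above concrete, here is an added example (my own code, not from the original post or from OpenSSH) that audits authorized_keys lines by checking that the declared key type matches the type embedded in the base64 blob, and checks a hostname against a hashed known_hosts host field. It assumes lines without a leading options field, and all sample keys and hosts are constructed, not real.

```python
import base64
import hashlib
import hmac

def blob_key_type(blob):
    # The blob's first SSH wire-format string (4-byte big-endian length + bytes) names the key type.
    length = int.from_bytes(blob[:4], "big")
    if len(blob) < 4 or len(blob) < 4 + length:
        raise ValueError("truncated key blob")
    return blob[4:4 + length]

def parse_authorized_key(line):
    # Parse '[type] [base64 key] [comment]' (a leading options field is assumed absent);
    # the declared type must equal the type embedded in the blob, as sshd requires.
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected a key type followed by a base64 key")
    key_type, b64, comment = (fields + [""])[:3]
    try:
        blob = base64.b64decode(b64, validate=True)  # binascii.Error subclasses ValueError
    except ValueError as exc:
        raise ValueError(f"key is not valid base64 ({exc})") from None
    if blob_key_type(blob) != key_type.encode("ascii", "replace"):
        raise ValueError(f"declared type {key_type} does not match the key blob")
    return {"type": key_type, "blob": blob, "comment": comment}

def audit_authorized_keys(text):
    # One 'line N: problem' string per malformed line; blank and '#' lines are skipped.
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            try:
                parse_authorized_key(line)
            except ValueError as exc:
                problems.append(f"line {number}: {exc}")
    return problems

def hashed_host_matches(entry, hostname):
    # Hashed known_hosts host field: '|1|<base64 salt>|<base64 HMAC-SHA1(salt, hostname)>|'.
    parts = entry.split("|")
    if len(parts) != 5 or parts[1] != "1":
        raise ValueError("not a hashed known_hosts host field")
    salt, expected = base64.b64decode(parts[2]), base64.b64decode(parts[3])
    return hmac.compare_digest(hmac.new(salt, hostname.encode(), hashlib.sha1).digest(), expected)

# Constructed sample data, not real keys or hosts: an ed25519-shaped blob and a hashed host field.
SAMPLE_BLOB = (11).to_bytes(4, "big") + b"ssh-ed25519" + (32).to_bytes(4, "big") + bytes(range(32))
SAMPLE_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " alice@laptop"
SAMPLE_SALT = b"\x01" * 20
SAMPLE_HOST = "|1|%s|%s|" % (base64.b64encode(SAMPLE_SALT).decode(),
    base64.b64encode(hmac.new(SAMPLE_SALT, b"server.example", hashlib.sha1).digest()).decode())
```

Running audit_authorized_keys over a real ~/.ssh/authorized_keys flags lines sshd would silently ignore, and hashed_host_matches is the check ssh performs when HashKnownHosts is enabled.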

Written by: Justin
