SSH: Difference between revisions

Latest revision as of 22:51, 7 January 2020

General[edit]

Secure Shell (SSH) uses (see here or here) different cryptograhic methods. Assymetric methods for authentication, symmetric methods (AES, ...) for communiction for a session and hashing.

Asymmetric Method[edit]

Asymmetric methods are only used at the beginning when client and server negotiate the authentication and session communication.

A public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key-pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a host (server) key, the other as a user (client) key. Any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.

One important issue is confidence/proof that a particular public key is authentic, i.e. that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. There are several possible approaches, including:

A public key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs. TLS relies upon this.
A "web of trust" which decentralizes authentication by using individual endorsements of the link between user and public key. PGP uses this approach, as well as lookup in the domain name system (DNS). The DKIM system for digitally signing emails also uses this approach.

Authentication to Server[edit]

The SSH protocol supports many authentication methods.

Key-based Authentication[edit]

private key of the user who wants to log on to a server is stored on client computer.
public key of the user is stored on every server the user wants to log on to. These keys are called authorized keys.

@@ Line 1: / Line 1: @@
 ==General==
-Secure Shell (SSH) employs a public key cryptography. A public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key-pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a '''host (server) key''', the other as a '''user (client) key'''. Any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
+Secure Shell (SSH) uses (see [https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process here] or [https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work here]) different cryptograhic methods. Assymetric methods for authentication, symmetric methods (AES, ...) for communiction for a session and hashing.
+==Asymmetric Method==
+Asymmetric methods are only used at the beginning when client and server negotiate the authentication and session communication.
+A public-key cryptography, also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public. Together they are known as a key-pair. In SSH, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a '''host (server) key''', the other as a '''user (client) key'''. Any person can encrypt a message using the receiver's public key, but that encrypted message can only be decrypted with the receiver's private key.
 One important issue is confidence/proof that a particular public key is authentic, i.e. that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. There are several possible approaches, including:
@@ Line 6: / Line 11: @@
 *A "web of trust" which decentralizes authentication by using individual endorsements of the link between user and public key. PGP uses this approach, as well as lookup in the domain name system (DNS). The DKIM system for digitally signing emails also uses this approach.
-===Host Keys===
+==Authentication to Server==
-A host private key is generated when the SSH server is set up. It is safely stored in a location that should be accessible by a server administrator only. The user connecting to the SSH server does not need to care about host private key in general. A host public key is a counterpart to host private key. They are generated at the same time. The host public key can be safely revealed to anyone, without compromising host identity.
+The SSH protocol supports many authentication methods.
-To allow authorizing the host to the user, the user should be provided with host public key in advance, before connecting. The client application typically prompts the user with host public key on the first connection to allow the user to verify/authorize the key. The host public key is then saved and verified automatically on further connections. The client application warns the user, if the host key changes.
-==Authentication to Server==
+===Key-based Authentication===
-* private key stored on client computer
+* private key of the user who wants to log on to a server is stored on client computer.
-* public key stored on server
+* public key of the user is stored on every server the user wants to log on to. These keys are called authorized keys.