Step 4.1 Authentication with Public Keys

Problem: Normally when you start an SSH session you will authenticate to the remote server using a password. This may pose a security problem in that if anyone were able to discover your password, they would be able to log in and impersonate you. To alleviate this problem, public key authentication can be used.

Public key authentication uses a key-pair, consisting of a public key and a private key, to authenticate to the remote server. The two keys are mathematically related such that anything encrypted with the public key can be decrypted only with the private key.

When public key authentication takes place, a number of steps occur. After the client contacts the server to log in, the server will encrypt a random message using the public key of the client and will send this encrypted message to the client. Using its private key, the client will decrypt the message, combine it with an identifier for the session, create an MD5 hash of the decrypted message and identifier, and send the MD5 hash back to the server. The server will create an MD5 hash of the random message and session identifier and compare it to the one it received from the client. If the hashes match, authentication is successful. This greatly reduces the likelihood that a man-in-the-middle attack can be used to intercept the login credentials. This is covered in more detail in section 5.2.7.

Of course, this method is not foolproof. If someone were to obtain the private key for a user, they could still log in and impersonate that user . Because of this, the private key is encrypted and protected with a passphrase. To unlock the private key and log in, the correct passphrase must be known. This adds a level of complexity to the authentication process, but makes the process more secure. Setting up this authentication requires a little bit of work.

Категории