Authentication by cryptographic key needs a public key on the server and a private key on the client. How are those keys generated, and where should they be copied?

1) Introduction to SSH
2) SSH: start a session
3) SSH keys architecture
4) Verify the host key when connecting for the first time
5) Authentication by cryptographic key
1) Introduction to SSH (part 1/3)

What is SSH?
SSH is a network protocol that allows data to be exchanged over a secure channel between two peers. The security features are:
● Privacy
● Integrity
● Mutual authentication (proof of identity of senders and receivers)
● Authorization (access control to accounts)

What is SSH not?
Although SSH stands for Secure Shell, it is not a shell.

1) Introduction to SSH (part 2/3)

SSH versions:
● SSHv1: this protocol went through several revisions. The best known are 1.3 and 1.5.
● SSHv2: newer version, incompatible with SSHv1.x. Defined in RFCs 4250 to 4256, 4335, 4344 and 4345.
1) TCP handshake
2) Algorithm negotiation (*), key negotiation, server authentication
==== from here on the communication is encrypted ====
3) User authentication
(*): open .pcap
3) SSH keys architecture

Keys:
● Host key files: /etc/ssh/ssh_host_rsa_key.pub, /etc/ssh/ssh_host_rsa_key
  purpose: authenticate the server to the user
● User key files: ~/.ssh/id_rsa.pub, ~/.ssh/id_rsa
  purpose: authenticate the user to the server
● Session key
  purpose: encrypt data
4) Verify the host key when connecting for the first time

The first time an SSH client encounters a new remote machine, it prints the following message:

The SSH client tells you that the public key presented by the remote server is not yet trusted (i.e. this public key is not in your ~/.ssh/known_hosts file). How do you get this fingerprint? Run, on the server:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
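As an added example, not part of the original slides, the following Python script reproduces what ssh-keygen -lf computes for the SHA256 fingerprint (SHA-256 over the decoded key blob, base64-encoded without padding) and checks a presented host key against known_hosts, telling first contact ("unknown") apart from a key that differs from the one recorded for that host ("CHANGED"). The sample Ed25519 key, host names and known_hosts content are constructed for the demo; hashed (|1|...) known_hosts entries and @cert-authority / @revoked markers are not handled.

```python
"""Compute an OpenSSH-style SHA256 fingerprint and check a host key against known_hosts."""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, fields: list, comment: str = "") -> str:
    """Build a one-line OpenSSH public key: 'type base64(blob) [comment]'."""
    blob = ssh_string(key_type.encode()) + b"".join(ssh_string(f) for f in fields)
    line = f"{key_type} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_pubkey_line(line: str) -> tuple:
    """Return (key type, raw blob); the blob's own leading type string must match the line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode() != key_type:
        raise ValueError("key type inside the blob does not match the line")
    return key_type, blob


def sha256_fingerprint(line: str) -> str:
    """Same value 'ssh-keygen -lf' prints: SHA-256 of the blob, base64 without '=' padding."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_status(known_hosts: str, host: str, pubkey_line: str) -> str:
    """Return 'known', 'unknown' (first contact) or 'CHANGED' (host seen before with a different key)."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    seen_host = False
    for raw in known_hosts.splitlines():
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        hosts, k_type, k_b64 = fields[:3]
        if host not in hosts.split(",") or k_type != key_type:
            continue  # different host, or an entry for another key algorithm
        seen_host = True
        if base64.b64decode(k_b64) == blob:
            return "known"
    return "CHANGED" if seen_host else "unknown"


# Constructed sample: an Ed25519 host key whose 32-byte public part is arbitrary test bytes.
SAMPLE_KEY = build_pubkey_line("ssh-ed25519", [bytes(range(32))], "root@example-host")
OTHER_KEY = build_pubkey_line("ssh-ed25519", [bytes(32)], "some-other-key")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts file",
    "server.example,192.0.2.10 " + SAMPLE_KEY,
])

if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_KEY))
    print(known_hosts_status(KNOWN_HOSTS, "server.example", SAMPLE_KEY))  # known
    print(known_hosts_status(KNOWN_HOSTS, "other.example", SAMPLE_KEY))   # unknown
    print(known_hosts_status(KNOWN_HOSTS, "server.example", OTHER_KEY))   # CHANGED
```

The comparison is made on the decoded blob rather than the base64 text so that a differing comment or re-encoding does not produce a false "CHANGED"; the fingerprint you compare by eye on first contact is the same digest over that blob, which is why the value printed by ssh-keygen -lf on the server must be obtained through a channel you already trust.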
5) Authentication by cryptographic key (part 1/4)

Password drawbacks:
● Less entropy than a cryptographic key
● A password can be captured on a compromised host
5) Authentication by cryptographic key (part 2/4)

Message sequence:
5) Authentication by cryptographic key (part 3/4)

=> Authentication by cryptographic key needs a public key on the server and a private key on the client. How are those keys generated? Where are they copied?

/!\ OpenSSH implementation only /!\
1) Create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with "ssh-keygen"
2) Choose a passphrase
3) Append the content of ~/.ssh/id_rsa.pub (client side) to ~/.ssh/authorized_keys (server side) with "ssh-copy-id -i ~/.ssh/id_rsa.pub user@server"
4) Try to connect...
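As an added example, not part of the original slides and not OpenSSH's own ssh-copy-id script, the following Python function performs the server-side half of step 3: it appends a public key line to ~/.ssh/authorized_keys only if that key (type and blob, comment ignored) is not already there, and sets the permissions sshd expects under its default StrictModes setting (0700 on ~/.ssh, 0600 on authorized_keys). The home directory is a temporary directory and the key blob is constructed test bytes, not a real key.

```python
"""Append a public key to authorized_keys without duplicates, with sshd-compatible permissions."""
import base64
import os
import stat
import tempfile


def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Add pubkey_line to home/.ssh/authorized_keys; return True if added, False if already present."""
    pubkey_line = pubkey_line.strip()
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours umask; sshd rejects group/world-writable ~/.ssh
    path = os.path.join(ssh_dir, "authorized_keys")
    content = ""
    if os.path.exists(path):
        with open(path) as f:
            content = f.read()
    for line in content.splitlines():
        if line.split()[:2] == parts[:2]:  # same type and blob: already authorized
            return False
    if content and not content.endswith("\n"):
        content += "\n"  # keep a previous unterminated last line on its own line
    with open(path, "w") as f:
        f.write(content + pubkey_line + "\n")
    os.chmod(path, 0o600)  # authorized_keys must not be writable by others
    return True


def list_authorized_keys(home: str) -> list:
    """Return the non-comment, non-empty lines of home/.ssh/authorized_keys."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return []
    with open(path) as f:
        return [l.strip() for l in f if l.strip() and not l.startswith("#")]


def file_mode(path: str) -> int:
    """Permission bits of a path, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample: a syntactically valid ssh-ed25519 line whose key bytes are test data.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " user@client"


def demo() -> dict:
    """Install the same key twice (second time with another comment) into a temp home."""
    home = tempfile.mkdtemp()
    first = install_authorized_key(home, SAMPLE_KEY)
    second = install_authorized_key(home, SAMPLE_KEY.replace("user@client", "same-key@other-comment"))
    return {
        "first": first,
        "second": second,
        "keys": list_authorized_keys(home),
        "dir_mode": file_mode(os.path.join(home, ".ssh")),
        "file_mode": file_mode(os.path.join(home, ".ssh", "authorized_keys")),
    }


if __name__ == "__main__":
    print(demo())
```

Only the public key travels to the server; the private key (~/.ssh/id_rsa) stays on the client, which is the point of the procedure. ssh-copy-id applies the same de-duplication and permission fixes, so running it twice does not produce duplicate entries.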
5) Authentication by cryptographic key (part 4/4)

An agent is a program that keeps private keys in memory. It never hands a private key to clients, but answers their requests for computations involving a private key.
1) Start a shell that has access to an agent: ssh-agent bash
2) Load a private key into the agent: ssh-add ~/.ssh/id_rsa
3) Type your passphrase
4) Try to connect...