The following are the steps of the authentication process:
a. The user starts the SSH process by specifying the key pair to be used. The client machine then sends the SSH connection request to the server together with the Key ID.
b. The server checks its ~/.ssh/authorized_keys and tries to find the public key with that Key ID. Once the key is found, the server generates a random number and encrypts it with the found public key.
c. The client machine decrypts the message sent by the server with its private key and obtains the random number.
d. The client machine calculates an MD5 hash of "obtained random number + the session key" and sends this MD5 value back to the server.
(Note: this "obtained random number + the session key" value is also used later to encrypt the communication messages between client and server.)
e. The server calculates the MD5 value of "obtained random number + the session key" and compares it with the one received from the client. If they match, the SSH request is granted.
The following describes the steps for configuring SSH key based authentication:
Step 1: Create SSH keys on the client machine
# mkdir -p $HOME/.ssh
# chmod 0700 $HOME/.ssh
# cd ~/.ssh
# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b3:7b:be:1a:7f:66:c9:01:ea:28:f4:36:09:ec:6e:3e root@localhost.localdomain
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|        .        |
|   . S. .        |
|  + .o .         |
| o o +o . o      |
|  E * .+. *      |
|   +o+ .o++=     |
+-----------------+
After this step, we will have the private key and public key:
$HOME/.ssh/id_rsa - private key
$HOME/.ssh/id_rsa.pub - public key
Step 2: Copy the public key to your remote SSH server
[root@localhost ~]# ssh-copy-id root@192.168.1.216
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.1.216's password: (here is the remote SSH server login password)
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'root@192.168.1.216'"
and check to make sure that only the key(s) you wanted were added.
Step 3: Initiate the SSH session from the client machine by specifying the key to be used
Specify the private key (~/.ssh/id_rsa) to be used:
ssh -i ~/.ssh/id_rsa root@192.168.1.216
SSH key based authentication is widely used. In my previous post "Network Automation 02 - Ansible Play book for FTP server file synchronisation", we use key based authentication for "rsync".