DEV Community

dhanush 

SSH Protocol Working - Authentication & Encryption

Intro

SSH is the most important network cryptographic protocol after SSL. It lets you securely connect to the shell of a remote machine and execute commands on it. SSH is based on a client-server model, where an ssh client on one machine connects to the ssh server on another machine. It creates a secure tunnel between the two hosts (client and server) by encrypting all the data that flows through the channel. This encryption-based connection ensures that you get the utmost privacy during communication. SSH also gives you the option of using public key authentication for authorizing users. This way of authenticating is far better than password authentication, as you will see.

Let's stop this intro right here and get into the intricate details about how SSH authorizes users and encrypts the data flow between them. The devil is in the details.

SSH AUTHORIZATION

Authorizing the right user is important when it comes to remote access. It is easier to exploit a user's identity in remote access than in in-person access. By default, users can authenticate in ssh with the password of their user account on the remote machine. Password authentication is easy and simple, but it is not secure, as a malicious user can easily brute-force the remote machine if the password is weak.

Public key authentication is optional in ssh for authorization, but you should opt for it as it provides vastly improved security over password-based authentication. This method is used for authorizing a client to the server and vice versa. Let's see how it works.

note - Public key authentication is based on asymmetric encryption algorithms such as RSA. An asymmetric encryption algorithm uses two keys, a public key and a private key, for encryption and decryption. The two keys are created in such a way that any file encrypted with the public key can only be decrypted with its corresponding private key.

CLIENT AUTHENTICATION

  • Step 1 - The ssh client should create its asymmetric encryption keys (public and private). This can be easily done with the ssh-keygen command in the OpenSSH client software.

  • Step 2 - The public key of the client should be transported to the ssh server's authorized keys file. The authorized keys file of the server contains the public keys of the different ssh clients that wish to communicate with the server. This transport of the keys can be done manually or with the ssh-copy-id command. The private key of the client should be kept private with the client and can be further protected using a passphrase.
    note - The authorized keys file on the ssh server is important. If a malicious user somehow transports his public key to this file, then the malicious user can log in to the server without any other credentials.

  • Step 3 - After finishing the initial communication with the server, the client selects the public key method for authorization. For client authentication, the server encrypts a random 256-bit string using the client's public key from the authorized keys file. It then sends this encrypted text to the client. Since only the corresponding private key can decrypt content encrypted with the public key, a client that has the private key can decrypt the content sent by the server. Only the authorized client can decrypt it, as only they have the private key.

  • Step 4 - The client then combines the common session key (explained later) with the decrypted content and generates a hash of this combination. This hash is sent to the server.

  • Step 5 - The server, in turn, generates its own hash from the session key and the 256-bit random string. The hash sent by the client is compared with the hash the server generated. If the hashes match, the client is authenticated.
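
The challenge-response flow of steps 3 to 5, as an added example that is not part of the original post and not OpenSSH's code. The toy RSA key pair, the use of SHA-256 as the hash, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy textbook-RSA key pair built from two Mersenne primes (assumption for this
# example only: no padding, not an SSH key format, never use for real crypto).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                  # public key, as stored on the server
D = pow(E, -1, (P - 1) * (Q - 1))    # private key, never leaves the client


def server_make_challenge(n, e):
    """Step 3: encrypt a random 256-bit string with the client's public key."""
    challenge = secrets.token_bytes(32)
    return challenge, pow(int.from_bytes(challenge, "big"), e, n)


def client_respond(ciphertext, n, d, session_key):
    """Steps 3-4: decrypt with the private key, hash with the session key."""
    challenge = pow(ciphertext, d, n).to_bytes(32, "big")
    return hashlib.sha256(session_key + challenge).digest()


def server_verify(challenge, session_key, response):
    """Step 5: recompute the hash and compare it in constant time."""
    expected = hashlib.sha256(session_key + challenge).digest()
    return hmac.compare_digest(expected, response)


def run_exchange(client_d, client_session_key, server_session_key):
    """One full authentication attempt; returns True if the client is accepted."""
    challenge, ciphertext = server_make_challenge(N, E)
    try:
        response = client_respond(ciphertext, N, client_d, client_session_key)
    except OverflowError:
        return False  # wrong private key: decryption does not fit in 256 bits
    return server_verify(challenge, server_session_key, response)


if __name__ == "__main__":
    key = secrets.token_bytes(32)    # stands in for the shared session key
    print("right key:    ", run_exchange(D, key, key))
    print("wrong key:    ", run_exchange(D + 2, key, key))
    print("other session:", run_exchange(D, secrets.token_bytes(32), key))
```

Because the session key is mixed into the hash, a response computed in one session is rejected in any other session.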

SERVER AUTHENTICATION

  • Step 1 - Server authentication by the client happens before the client authentication. The server has its own public and private key pair for authentication.
  • Step 2 - For server authentication to happen, the client must initially have a copy of the server's public key in its known hosts file. The public key is sent by the admin of the server to the client and is saved to the known hosts file of the client. During the initial communication, the server sends its public key fingerprint to the client, and the client compares it with its own copy of the server's public key in the known hosts file. This check authenticates the server.
    note - A public key fingerprint is nothing but a hash of the public key. The hash uniquely identifies the key, so it is called a fingerprint.
  • Step 3 - Normally, you won't have the server's public key when you connect to the server for the first time if there are no administrators or other people to send it. So, the client cannot validate the fingerprint sent by the server. In this case, the client warns the user when connecting for the first time. On future connections, you won't get any warnings, as the server key is added to the known hosts file during the first connection with the warning.
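
The known hosts check from steps 2 and 3, as an added example that is not part of the original post and not OpenSSH's code. The host names, the two keys and the function names are constructed for illustration; only plain (unhashed) known hosts entries are handled.

```python
import base64
import hashlib
import struct


def ssh_string(data):
    """Length-prefixed byte string, the building block of an SSH key blob."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob):
    """Hash of the public key, formatted the way OpenSSH prints it."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Map each hostname to the set of key fingerprints stored for it."""
    hosts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue  # comments, marker lines, hashed hostnames: not handled here
        for name in fields[0].split(","):
            hosts.setdefault(name, set()).add(fingerprint(base64.b64decode(fields[2])))
    return hosts


def check_host(hosts, name, offered_blob):
    """Compare the key the server presents with the stored copy."""
    offered = fingerprint(offered_blob)
    if name not in hosts:
        return "unknown", offered    # first connection: warn, show fingerprint
    if offered in hosts[name]:
        return "match", offered      # server authenticated
    return "MISMATCH", offered       # stored key differs: refuse to connect


# Constructed sample data: two made-up ed25519 host keys and one known hosts entry.
KEY_A = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
KEY_B = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(1, 33)))
KNOWN_HOSTS = ("# constructed sample\n"
               "server.example.com,192.0.2.10 ssh-ed25519 "
               + base64.b64encode(KEY_A).decode() + "\n")

if __name__ == "__main__":
    hosts = parse_known_hosts(KNOWN_HOSTS)
    for host, blob in [("server.example.com", KEY_A), ("server.example.com", KEY_B),
                       ("new.example.com", KEY_A)]:
        print(host, *check_host(hosts, host, blob))
```

The "unknown" result is the first-connection case from step 3: the fingerprint returned alongside it is what the user should verify out of band before accepting the key.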

As you can see, the authentication relies heavily on asymmetric encryption algorithms, mainly RSA & DSA. It authenticates more securely than just using a password.

Some cool things to know about SSH

I've said that SSH is used for executing commands on a remote shell. That is true, but it can also do a lot more than that through scp (secure copy), SFTP (Secure File Transfer Protocol), and SSHFS (SSH File System). scp is a command that lets you copy files between two hosts. SFTP is a protocol like FTP that transfers files between hosts. SSHFS lets you mount the file system of a remote machine on a host machine. All of these work on top of SSH, so you get all the privacy and other benefits from it.

SSH ENCRYPTION

After authenticating both the client and server, you need to create an encrypted channel to pass data securely between the hosts. This is done using a symmetric encryption algorithm. A symmetric algorithm uses a single key to encrypt and decrypt the data. This single key is called a session key (mentioned earlier). There needs to be a way to create the same session key on the client and the server without any compromise. Here, the key exchange algorithm comes into play. SSH uses the Diffie-Hellman key exchange algorithm to share the common session key without leaking it to any third party. How this key exchange algorithm works is beyond the scope of this article, as it needs a separate post to explain. The session key is generated after the server authentication and before the client authentication. After the session key is generated, all the data that is passed between the client and server is encrypted using it to provide the utmost privacy.

Conclusion:

SSH, with its beautiful implementation of symmetric encryption, asymmetric encryption, and hashing techniques, maintains privacy and integrity and establishes proper authentication. With this implementation, it becomes next to impossible for a malicious user to eavesdrop, perform a man-in-the-middle attack, or carry out other attacks. Hopefully, you got some knowledge about the working of SSH from this post. I'll try to make a similar post for SSL if time permits. Thanks for reading!
