Passwordless Login: SSH Public Key Authentication

To encrypt and decrypt data, there are two types of cryptography algorithms

• Symmetric key algorithm which uses a single key
• Asymmetric key algorithm which uses two keys

Symmetric Key Algorithms

Symmetric key algorithms use a single key for encryption as well as decryption of data. The sender if he encrypts the data with a key, the recipient should also have that key to decrypt that data. If there are just two users, then a single key can be shared between them and can be used for encryption and decryption of data. However, if there are more than two users, then each user has to generate a key for each other user and share with that user, so that data encrypted by this user can be decrypted by the other user using the shared key. This is the biggest bottleneck of single key algorithm.

The most common symmetric key algorithms are DES, 3DES, Blowfish and IDEA.

Asymmetric Key Algorithms

Asymmetric key algorithms, uses two keys - one for encryption and the other for decryption of data. Data encrypted by one key can be decrypted only by the other key. So a user who wants to share encrypted data with others, generates a key pair - Private/Public. The user uses the private key for encryption of data and keeps this key with himself(does not share with others). He then distributes the public key to other users to whom he wants to send encrypted data. The other user upon receiving the encrypted data, decrypts using the public key sent to this user. Hence, asymmetric key algorithm is also known as public/private key algorithm.

SSH Passwordless login, uses this asymmetric key algorithm to achieve it's objective.

Public-key authentication allows us to prove our identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords  because keys are never transmitted over network while passwords are sent over network.

By generating a key pair, consisting of a public key (shared with everyone) and a private key (which is kept secret with you and not shared with anybody) public key authentication can be achieved. The private key is able to generate signatures. A signature created using your private key cannot be forged by anybody who does not have that key; the public key, which is shared with everyone, can verify that particular signature is genuine.The private key is stored on your local machine, also called as client.The public key is copied to the remote (server) machine.

However, there is a problem here: if your private key is stored unprotected on your own computer, then anybody who is able to gain access to that shall be able to generate signatures as if they were you. So they will be able to log in to your server under your account. For this reason, your private key is usually encrypted when it is stored on your local machine(client), using a passphrase of your choice.

How to setup a public-key authetication between an OpenSSH client and an OpenSSH server?

• Generate public-private key pair as follows

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ cd ~/.ssh
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in id_dsa
Your public key has been saved in id_dsa.pub.

• Copy the public key to the remote host

$ scp -p id_dsa.pub remoteuser@remotehost
Password: ******

• Installing public key in remote host(ssh server)

#Login to remote host
$ ssh remoteuser@remotehost
  Password: *****
remotehost$ mkdir -p ~/.ssh
remotehost$ chmod 700 ~/.ssh
remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys
remotehost$ chmod 600 ~/.ssh/authorized_keys

• In the remote host, the ssh server must be configured to permit public-key authentication

/etc/ssh/sshd_config:
PublickeyAuthentication yes