Wednesday, February 15, 2012

SSH: A Brief Idea


SSH (Secure Shell) uses a client-server model. SSH ensures that everything sent across the network between client and server is encrypted, including the password. Basically, SSH uses public-key cryptography. The SSH daemon (server), listening on port 22, offers its public key to clients and keeps the private key to itself. This public-private key pair is called the host key. The client communicating with the SSH server sends a chunk of data encrypted with the public key received from the server; the server then decrypts the data with the private key. Since both the public and private keys are necessary to complete the transaction, the data remains secure; even if someone captures the SSH traffic between client and server, all they see is garbage.

The private and public host keys needed for an SSH connection are stored under /etc/ssh/ as follows:

SSH Version 2 Host keys

DSA keys
  • ssh_host_dsa_key (Private host key)
  • ssh_host_dsa_key.pub (Public host key, shared with the client when it tries to establish a connection)

RSA keys
  • ssh_host_rsa_key (Private host key)
  • ssh_host_rsa_key.pub (Public host key, shared with the client when it tries to establish a connection)

SSH Version 1 Host keys
  • ssh_host_key (Private host key)
  • ssh_host_key.pub (Public host key, shared with the client when it tries to establish a connection)

How does the client get the public host key of the remote machine running the SSH daemon (server)?

Say the client is trying to establish an SSH connection to remotehost:

$ ssh remotehost
The authenticity of host 'remotehost' can't be established.
RSA key fingerprint is 98:2e:d7:e0:de:9f:ac:67:28:c2:42:2d:37:16:58:4d.
Are you sure you want to continue connecting (yes/no)?

The client does two things:
  1. It retrieves the public host key from the remote host.
  2. It checks whether the retrieved public host key is already in its list of host keys (stored in ~/.ssh/known_hosts).

If the retrieved public host key is already in ~/.ssh/known_hosts, the client assumes that it is talking to the correct host.
If the public host key of remotehost is not yet known to the client, it presents the fingerprint for approval. Once you validate the host key the first time around, you are not prompted for confirmation again on subsequent logins.

When logging in to a host whose host key has already been validated, why do we sometimes see the message WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!?

This can happen for two reasons:
  1. OpenSSH was reinstalled on the remote host and the original host key was not restored, OR
  2. The remote host was replaced by another host
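
The known_hosts check and the fingerprint from the prompt, as an added example (a simplified model, not OpenSSH's code and not part of the original post): it computes the colon-separated MD5 fingerprint of a public host key and classifies an offered key as known, unknown or changed. The keys, the address 192.0.2.10 and the file contents are constructed samples; hashed host names and marker lines are skipped.

```python
import base64
import hashlib
import struct


def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded key blob (the format in the prompt)."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def sha256_fingerprint(key_b64):
    """Form printed by newer OpenSSH releases: unpadded base64 of SHA-256."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host(host, key_type, key_b64, known_hosts_text):
    """Return 'known', 'changed' or 'unknown' for the key a server offered."""
    same_type_seen = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, marker lines and hashed names: not handled
        if host not in fields[0].split(","):
            continue  # entry belongs to a different host
        if fields[1] == key_type:
            if fields[2] == key_b64:
                return "known"      # same key as stored: no prompt
            same_type_seen = True   # stored key of this type differs
    return "changed" if same_type_seen else "unknown"


def make_key(seed):
    """Constructed sample: a well-formed ssh-rsa blob of filler bytes."""
    parts = (b"ssh-rsa", b"\x01\x00\x01", b"\x00" + bytes([seed]) * 256)
    blob = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(blob).decode()


ORIGINAL_KEY = make_key(0xA1)  # key accepted on the first login
REPLACED_KEY = make_key(0xB2)  # key offered after the host key changed
KNOWN_HOSTS = ("# constructed sample file\n"
               "remotehost,192.0.2.10 ssh-rsa " + ORIGINAL_KEY + "\n")

if __name__ == "__main__":
    for host, key in (("remotehost", ORIGINAL_KEY),
                      ("remotehost", REPLACED_KEY),
                      ("otherhost", ORIGINAL_KEY)):
        state = check_host(host, "ssh-rsa", key, KNOWN_HOSTS)
        print(host, state, md5_fingerprint(key))
```

A "changed" result is the case behind the warning: confirm the new fingerprint with the host's administrator before replacing the stored entry in ~/.ssh/known_hosts.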

