Sat, 14 Jul 2007

Asymmetric keys instead of passwords for SSH authentication to increase security and convenience

I've been using OpenSSH for a while already, and although I've seen mentions of "public key authentication" and "RSA encryption" several times in its config files, I never got around to figuring out what they did exactly, and stuck to password authentication. But now the guys at work explained how it works, and after reading more about it I'm totally hooked on it!

It's a feature of SSH protocol version 2 (so it has been around for a while, and we can all use it without upgrading anything), and it essentially comes down to this: you generate an asymmetric key pair and distribute the public key to every remote host you want to log in to. When you log in, the client proves it holds the private key by signing a challenge that is bound to the current session, and the host verifies that signature against the public key it has on file. (Protocol version 1 did it the other way round: the server encrypted a random number that only the private key could decrypt. Version 2 uses a signature, so the private key never leaves your machine and nothing the server sends can be replayed.) To secure your private key you store it on disk encrypted with a passphrase. ssh-agent (bundled with OpenSSH) is the tool that holds decrypted keys in memory and does the signing on ssh's behalf: you load a key into it with ssh-add, which prompts for the passphrase once. Without an agent, ssh has to decrypt the key itself and asks for the passphrase on every connection. The catch is that the loading (entering the passphrase and decrypting the key) has to be repeated in every new login session.

This is where keychain comes in, or, if you're a Mac user who likes GUIs, SSH Agent (not to be confused with the ssh-agent that comes with OpenSSH). These tools keep one ssh-agent alive across logins and load your keys into it: they ask you once for the passphrases of all private keys you wish to use in a session (by session I mean the whole time you're using your computer), decrypt the encrypted keys from your hard disk, and the agent caches the decrypted keys in RAM so they can be used from every terminal you open.

For more information:
OpenSSH key management, Part 1: Understanding RSA/DSA authentication
OpenSSH key management, Part 2: Introducing ssh-agent and keychain
OpenSSH key management, Part 3: Agent forwarding and keychain improvements (freaks only ;-))

Have fun


I just discovered that ssh-agent & ssh-add do the job just fine, and in my case (and for most other users) there is no need for keychain.

The arguments for using keychain instead of plain ssh-add are that
1) a new ssh-agent is started for each login session. If you use virtual consoles without X you have to log in to each of them, and hence run ssh-add in each of them. I just log in once, run X in that session, and inside X I can open as many terminals as I want :-) (this is what 99.9% of users do, I think ;-)
2) ssh-add doesn't help cron jobs, because they are started by the cron daemon and don't inherit the SSH_AUTH_SOCK variable that tells ssh where your session's agent is. Well, I'm not running cron jobs that use ssh, so no problem here either.

So, for me, and probably most other users, ssh-agent & ssh-add (tools that come with OpenSSH by default!) do the job just fine. If I ever need passwordless ssh sessions in crontabs I'll take a look at this again ...
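As an added example (not the author's own script, and not code from OpenSSH or keychain): the procedure from the opening paragraphs (generate a key pair, distribute the public key, protect the private key with a passphrase) and the ssh-agent & ssh-add workflow from the update above, written as POSIX shell functions. The key path, the ed25519 key type (rather than the RSA/DSA keys of 2007) and the sample key line are assumptions; ssh-keygen, ssh-agent and ssh-add are only invoked in the steps that need them.

```shell
#!/bin/sh
# Added example, not the blog's own script: the key-based login setup the post
# describes, as POSIX sh functions. Key path, key type (ed25519) and the sample
# public key used in the walkthrough are assumptions for illustration.

# 1. Generate an encrypted key pair if none exists. ssh-keygen prompts for the
#    passphrase that protects the private key on disk.
gen_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    [ -f "$key" ] && return 0
    mkdir -p "$(dirname "$key")" && chmod 700 "$(dirname "$key")"
    ssh-keygen -t ed25519 -f "$key"
}

# Octal mode of a file (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# 2. Install a one-line public key into the target account's authorized_keys.
#    Idempotent, and sets the permissions sshd's StrictModes insists on
#    (directory 700, file 600): a group- or world-writable file is ignored by
#    sshd and the login silently falls back to a password prompt.
#    Run this on the remote host (ssh-copy-id automates the same thing).
install_pubkey() {
    pub="$1"       # contents of id_ed25519.pub, one line
    sshdir="$2"    # the target ~/.ssh directory
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys"
    grep -qxF -e "$pub" "$sshdir/authorized_keys" ||
        printf '%s\n' "$pub" >> "$sshdir/authorized_keys"
}

# Number of key lines in an authorized_keys file.
count_keys() {
    grep -c '^ssh-' "$1"
}

# 3. Exit 0 if this shell can reach an ssh-agent: SSH_AUTH_SOCK is set and
#    names a socket. A cron job normally fails this check because cron does
#    not inherit the variable from your login session.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# 4. Start an agent for this session if none is reachable, then load the key.
#    ssh-add asks for the passphrase once; afterwards ssh gets its signatures
#    from the agent and never touches the encrypted file again.
load_key() {
    key="${1:-$HOME/.ssh/id_ed25519}"
    agent_reachable || eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$key"
}

# Walk through all four steps on this machine when DEMO=1 is set, e.g.
#   DEMO=1 sh ssh-keys.sh   (installs the key into this account's own ~/.ssh,
#   which is what you'd do on the remote host, then lists the loaded keys)
if [ "${DEMO:-0}" = 1 ]; then
    gen_key &&
        install_pubkey "$(cat "$HOME/.ssh/id_ed25519.pub")" "$HOME/.ssh" &&
        load_key && ssh-add -l
fi
```

install_pubkey is the part you run on the remote host; agent_reachable is the check that fails inside a cron job, which is exactly the second argument for keychain above, and the reason a crontab entry that calls ssh will fall back to asking for a passphrase nobody is there to type.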
