What are different SSH Authentication Methods?

 Have you ever tried to set up an ssh connection to Linux machines? Have you ever wondered how many ssh authentication methods you can use to get remote access to a Linux machine? 

By the end of this blog post, you will have a good understanding of some of the ssh authentication methods that you can use to get remote access to a Linux machine.

For the purpose of demonstration, I will use the following topology.





I have three Linux machines.
Ubuntu-Workstation having IP address = 10.0.0.249
Ubuntu-Server having IP address = 10.0.2.15
CentOS-Workstation having an IP address = 10.0.2.16

Our main objective will be to get ssh remote access to Ubuntu-Server and CentOS-Workstation from Ubuntu-Workstation.

I will discuss three SSH authentication methods.

  1. Password-Based Authentication
  2. Key-Based Authentication  with Passphrase
  3. Key-Based Authentication  without Passphrase

Before starting, make sure that the OpenSSH server is installed on all of these machines.

Ubuntu-Workstation


The user name is tabby and the home directory is /home/tabby

Now install OpenSSH server on Ubuntu-Workstation

tabby@Ubuntu-Workstation:~$ sudo apt install openssh-server -y




Ubuntu-Server

Let us go to Ubuntu-Server



Similarly, install the OpenSSH server on Ubuntu-Server as well.


CentOS-Workstation

Install OpenSSH Server
sudo yum install openssh-server


Start SSH service
Once the installation is completed, start the sshd service using the systemctl command.

systemctl start sshd.service
systemctl enable sshd.service

View SSH Server status
Using the systemctl status command, you can view the status of the CentOS sshd service.

systemctl status sshd.service

Allow SSH Connection

sudo firewall-cmd --permanent --add-service=ssh

sudo firewall-cmd --reload


Note: Do not get confused. On Ubuntu-Workstation, Ubuntu-Server, and CentOS-Workstation, I have used the same user, tabby, so you can tell from the machine name in the prompt which machine you are on. For instance, tabby@Ubuntu-Server means we are logged in as the tabby user of Ubuntu-Server, tabby@Ubuntu-Workstation means we are logged in as the tabby user of Ubuntu-Workstation, and tabby@CentOS-Workstation means we are logged in as the tabby user of CentOS-Workstation.

Password-Based Authentication

We want to set up an ssh connection to Ubuntu-Server (10.0.2.15) from Ubuntu-Workstation (10.0.0.249). In this type of authentication, you need to provide the IP address of Ubuntu-Server, a username, and the password of that user.

tabby@Ubuntu-Workstation:~$ ssh tabby@10.0.2.15

Here, 10.0.2.15 is the IP address of Ubuntu-Server and tabby is the user on Ubuntu-Server that we want to log in as.



Notice that we have successfully logged in to Ubuntu-Server as the user tabby. This was password-based authentication.

In the same way, set up an ssh connection to CentOS-Workstation (10.0.2.16).

Key-Based Authentication  with Passphrase

Before explaining this, we need to generate ssh keys on Ubuntu-Workstation and then copy the public key to Ubuntu-Server and CentOS-Workstation. For the time being, keep in mind that in this kind of authentication, while setting up an ssh connection you just need to provide the passphrase that you set while generating the keys. Do not worry, you will understand it in a while.

Generating SSH Keys

On Ubuntu-Workstation, in the /home/tabby directory, there is a hidden folder called .ssh. It contains two files, authorized_keys and known_hosts. That is what we are interested in.



Let us generate ssh keys.

tabby@Workstation:~$ ssh-keygen -t ed25519 -C "My-Key"


Notice that in the third line, we specified the name of the key as my-key and also its location, which is /home/tabby/.ssh.
We provided a passphrase as well. Pay attention, here is the magic: a pair of keys will be generated.



Notice that two files are generated:
ssh-key, containing the private key, and ssh-key.pub, containing the public key.
The .pub extension indicates that the file contains the public key.


The next thing we will do is copy ssh-key.pub (the public key) to Ubuntu-Server and CentOS-Workstation. Before doing so, let us understand something.

As I mentioned before, in /home/tabby there is a hidden folder called .ssh, and inside the .ssh directory we have the authorized_keys and known_hosts files. We have to copy the public key into the authorized_keys files on Ubuntu-Server and CentOS-Workstation.

Now let us copy the keys to Ubuntu-Server and CentOS-workstation.

Copying Public key to Ubuntu-Server

tabby@Ubuntu-Workstation:~$ ssh-copy-id -i ~/.ssh/ssh-key.pub tabby@10.0.2.15


Let us check whether the key has been copied.


Notice that the Public key has been copied to Ubuntu-Server.

Copying Public Key to CentOS-Workstation

On CentOS, you will not find a .ssh folder inside the /home/tabby directory, so here is how to deal with it.


Inside /home/tabby, create a .ssh folder, then inside the .ssh folder create an authorized_keys file as shown.


It is good practice to change the permissions and make the user (tabby in our case) the owner of authorized_keys.
tabby@Centos-Workstation:~/.ssh$ chown tabby:tabby authorized_keys

The first tabby is the user that we are logged in as, and the second tabby is the group that will own authorized_keys.
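
The permission side of this step, as an added example that is not from the original post: with StrictModes enabled (the sshd default), sshd will not use an authorized_keys file if it, or the .ssh directory, is writable by group or others. The function name audit_ssh_dir and the temporary demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a Linux `stat -c`.
# Flags what makes sshd (StrictModes yes) skip authorized_keys: an unexpected
# owner, or write permission for group/others on .ssh or the file itself.
# Note: sshd also accepts root as owner; this audit expects the user's uid.

audit_ssh_dir() {
    # $1 = home directory to audit, $2 = numeric uid expected to own the files
    home_dir=$1; want_uid=$2; problems=0
    for target in "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
        if [ ! -e "$target" ]; then
            echo "MISSING   $target"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$target")
        uid=$(stat -c '%u' "$target")
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER     $target is owned by uid $uid, expected $want_uid"
            problems=$((problems + 1))
        fi
        # 022 masks the group-write and other-write permission bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE  $target has mode $mode (group/others can write)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Demo on a constructed directory tree, so no real account is touched.
demo=$(mktemp -d)
mkdir "$demo/.ssh"
: > "$demo/.ssh/authorized_keys"
chmod 775 "$demo/.ssh"; chmod 664 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo" "$(id -u)" || echo "-> $? problem(s) found"
# The conventional fix: only the owner may read or write.
chmod 700 "$demo/.ssh"; chmod 600 "$demo/.ssh/authorized_keys"
audit_ssh_dir "$demo" "$(id -u)" && echo "-> clean"
rm -rf "$demo"
```

On the CentOS machine from this post, the call would be audit_ssh_dir /home/tabby "$(id -u tabby)".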



We are good to go. Now copy Public Key to CentOS-Workstation in the same way we did to Ubuntu-Server.

Now let us set up an ssh connection to Ubuntu-Server (10.0.2.15).




Notice that while setting up the connection, you have to provide the Passphrase. Just to remind you, the Passphrase was something that you provided while generating keys.

Note: In the same way, you can set up an ssh connection to CentOS-Workstation (10.0.2.16) as well.

Key-Based Authentication  without Passphrase

 Unlike Key-Based Authentication with Passphrase, in this kind of authentication, while setting up an ssh connection you do not need to provide a passphrase.

Notice that everything remains the same, but the difference is only when you generate keys.


Notice that in the fourth line, we specified the name of the key as my-key and also its location, which is /home/tabby/.ssh.
The difference is that this time we did not provide a passphrase. Pay attention, here is the magic: a pair of keys will be generated here as well.


Great, two files are created. SSH-Key contains the private key and SSH-Key.pub contains the public key.

Copying Public key to Ubuntu-Server (10.0.2.15) and CentOS-Workstation (10.0.2.16).

To keep things short, there is nothing new here. Copy the public key to Ubuntu-Server and CentOS-Workstation in the same way as we did before.

Now let us set up an ssh connection to Ubuntu-Server (10.0.2.15).



Isn't it cool? We are not asked for the passphrase or any other password, and the ssh connection is set up directly to Ubuntu-Server. This is what happens in key-based authentication without a passphrase.

In the same way, you can set up an ssh connection to CentOS-Workstation as well.
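
A private key without a passphrase works for anyone who obtains the file, so it helps to know which keys on a workstation are unprotected. The following added example (not from the original post) reads the cipher name from the key file header; it goes beyond the ed25519 keys used here by also recognising legacy PEM and PKCS#8 headers, and the function names and sample files are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Reports whether a private key
# file is passphrase-protected, without needing the passphrase itself.

key_protection() {
    # $1 = key file; prints "encrypted", "unencrypted" or "unknown".
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        blob=$(mktemp)
        grep -v '^-----' "$1" | tr -d ' \r\n' | base64 -d > "$blob" 2>/dev/null
        # Layout: 15-byte magic "openssh-key-v1\0", 4-byte length, cipher name.
        magic=$(dd if="$blob" bs=1 count=14 2>/dev/null)
        len=$(dd if="$blob" bs=1 skip=18 count=1 2>/dev/null | od -An -tu1 | tr -d ' \n')
        cipher=$(dd if="$blob" bs=1 skip=19 count="${len:-0}" 2>/dev/null)
        rm -f "$blob"
        [ "$magic" = openssh-key-v1 ] || cipher=''
        case $cipher in
            none) echo unencrypted ;;
            '')   echo unknown ;;
            *)    echo encrypted ;;
        esac
    elif grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"; then
        echo encrypted      # legacy PEM or PKCS#8 that declares encryption
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo unencrypted    # legacy PEM or PKCS#8 with no encryption header
    else
        echo unknown
    fi
}

unprotected_keys() {
    # $1 = directory; prints each key file in it that has no passphrase.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(key_protection "$f")" = unencrypted ] && echo "$f"
    done
    return 0
}

# Constructed samples: only the header fields of the format, not usable keys.
make_sample() {  # $1 = output file, $2 = header bytes as a printf format
    { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
      printf "$2" | base64
      echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1"
}
demo=$(mktemp -d)
make_sample "$demo/with-passphrase" 'openssh-key-v1\0\0\0\0\012aes256-ctr\0\0\0\006bcrypt'
make_sample "$demo/no-passphrase"   'openssh-key-v1\0\0\0\0\004none\0\0\0\004none'
unprotected_keys "$demo"    # lists only the no-passphrase file
rm -rf "$demo"
```

Run against a real directory, for instance unprotected_keys /home/tabby/.ssh, it lists the private keys that would work without any prompt.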

Maybe you have this question in mind: what will happen if you have multiple private and public keys? Let me show you what I mean.


Notice that in the Ubuntu-Workstation .ssh directory we have two private and two public keys.

After copying both public keys to Ubuntu-Server.



Here is the fun part. When setting up the connection, you need to explicitly specify the key.
For example:

tabby@Ubuntu-Workstation:~$ ssh -i ~/.ssh/SSH-Key tabby@10.0.2.15



We are telling the ssh client to use SSH-Key (private key) for the connection.

tabby@Ubuntu-Workstation:~$ ssh -i ~/.ssh/SSH-Key-1 tabby@10.0.2.15


Whereas in this case, we are telling the ssh client to use SSH-Key-1 (private key) for the connection.

Conclusion

So we discussed three ssh authentication methods. In password-based authentication, you need to provide a password. In key-based authentication with a passphrase, you just need to provide the passphrase. In key-based authentication without a passphrase, you do not need to provide a password or a passphrase. Which method you choose depends on you, but be careful about security.