  1. #1

    [SOLVED] How does ssh encrypt connections?

    I'm a bit confused about how ssh encrypts connections. I've read a few articles on ssh and they talk about 'key pairs' (that is, public and private keys) on the server and client computers. However, ssh doesn't seem to use these keys for encryption. What are the keys it uses?
    This question occurred to me when I was trying to make a remote login to an Ubuntu machine.
    From a remote login perspective, I haven't generated keys on my client machine and haven't enabled key based logins in ssh. (I use the default password based login). If there aren't any keys on my client, then how does encryption work?

  2. #2
    Irithori (Trusted Penguin), Join Date: May 2009
    If you connect to a remote ssh server for the first time,
    you will be asked if you accept its public key.
    If yes, this public key is stored in your machine's ~/.ssh/known_hosts

    Now an asymmetric encrypted connection can be established.
    However, this would not be suitable for real work, as it takes much more resources than a symmetric connection.

    Symmetric encrypted connections are fine, but you need to make sure the session key is a) reasonably good and b) exchanged between the two hosts in a secure way.

    So, coming back to our existing asymmetric connection between your host and the remote ssh server:
    A random symmetric key is generated on the ssh server,
    encrypted with its private key,
    and sent to your host.
    With the help of the public key this symmetric key can be decrypted again
    and finally the two computers establish a secure symmetric connection.

    You must always face the curtain with a bow.

  3. #3
    Irithori (Trusted Penguin), Join Date: May 2009
    and before I forget it:
    That procedure will "only" encrypt the connection.

    You still need to be authenticated to the server to get a shell (or whatever the ssh server admin wants you to have)

    You can be authenticated by a user/password or if *your* public key (i.e. the one that was generated with ssh-keygen) is known to the ssh server in your homedir on the server in .ssh/authorized_keys2
    You must always face the curtain with a bow.

  5. #4
    But then what are the keys one has to generate in order to use 'key based' logins?

  6. #5
    GNU-Fan (Linux Engineer), Join Date: Mar 2008
    You use a program like GNU gpg or OpenSSL to create a new pair.
    It asks for your name, mail, and an optional password.
    Then you get two files. A private key which you must keep secret and store in a certain home directory. And a public key which you can distribute publicly.

    The public key you put in the home dir of the server.
    Debian GNU/Linux -- You know you want it.

  7. #6
    Just Joined!, Join Date: Aug 2009, Evil Empire
    There's no need to use SSL. Just use ssh-keygen to generate a pair based on the authentication type that you want (RSA1, RSA2, DSA). I would recommend RSA2. So you should type ssh-keygen with no parameters

  8. #7
    Irithori (Trusted Penguin), Join Date: May 2009
    A short step by step:

    On your client machine, as user mahela007:
    $  ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/mahela007/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/mahela007/.ssh/id_rsa.
    Your public key has been saved in /home/mahela007/.ssh/
    The key fingerprint is:
    <somefingerprint> mahela007@client
    The passphrase protects your private key.
    It can only be used if decrypted with the passphrase.
    You *want* your private key protected, so please choose a reasonable passphrase.

    Now there are two files in the .ssh directory of your home
    $ ls -la .ssh/
    -rw------- 1 mahela007 users 1743 Feb 27 15:47 id_rsa
    -rw-r--r-- 1 mahela007 users 398 Feb 27 15:47
    Look at the permissions.
    The private key belongs only to you, the public one is world readable.

    In order to enable key based authentication, the content of must be added to ~/.ssh/authorized_keys2 on the server
    It is just one line and looks like this:
    cat .ssh/
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6LYac50XpCuA1qkMgWY1QhXZs40a92yNFKWbWH73Uu4zyStjQUQKpReupUklDKo59a1H3b7X7F/oRxe2BgCpHJCpNp2uvyIHYfEGqbKeg23acpig63usQPLWiaXROT10kmohT7cbb5kEJQaE1aOeegtOd/v1XsJExFbOScocuf/O6cT4Z5ODwWTiLWKh7zvgooPx1XxNMZYB4QZB0VSWzIV19pNfl+g+tl+wh9oa29WBqbvrtbewRl9a+YDXdtDN5Yjn/SotBVEAUgwsAv4KzUc5iaekTc36MJxz/wwTBZ2Np66FRjDYODtxRoyr+Vnnadf9S/S6pBFow3+g/N0v7w== mahela007@client
    Not an actual key from me

    So, on the ssh server machine:
    Log in with user/password
    and add your public key in this file ~/.ssh/authorized_keys2

    That's it.

    Usually ssh servers are preconfigured to do key based auth, so no need to change the sshd config.

    Try to login again. It will not ask you for a password anymore.
    Well, maybe it asks for the passphrase to your private key.

    To avoid typing that every time, start ssh-agent.

    Note that the user on the ssh server must not necessarily be mahela007.
    You could even put your public key in the ssh server's /root/.ssh/authorized_keys2
    and therefore connect as root without password.
    This is not recommended.
    Connect as normal user, then sudo to root, if you have to.
    You must always face the curtain with a bow.
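    The "look at the permissions" step above can be checked mechanically. The script below is an added example, not code from the thread: it audits a .ssh directory for the bits that matter (private key readable only by its owner, public key and authorized_keys not writable by anyone else) and runs itself against a constructed throwaway directory with placeholder contents rather than real keys. It assumes only POSIX sh, ls, cut and mktemp.

```shell
#!/bin/sh
# Audit the permission bits of the files the step-by-step above creates.
# Added example, not code from the thread; assumes only POSIX sh, ls and cut.
# Group/other permission chars (ls -ld column 1, chars 5-10), e.g. "r--r--" for 644.
go_bits() {
    ls -ld "$1" | cut -c5-10
}
# Private key: no group/other bits at all (OpenSSH refuses keys that others can read).
is_owner_only() {
    case "$(go_bits "$1")" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}
# Public key / authorized_keys: others may read, but must not be able to write.
not_writable_by_others() {
    case "$(go_bits "$1")" in
        ?-??-?) return 0 ;;
        *)      return 1 ;;
    esac
}
# Audit one .ssh directory: print a WARN line per finding, return the number found.
audit_ssh_dir() {
    dir=$1; bad=0
    not_writable_by_others "$dir" || { echo "WARN: $dir is writable by group/other"; bad=$((bad + 1)); }
    for f in id_rsa id_dsa; do
        [ -f "$dir/$f" ] || continue
        is_owner_only "$dir/$f" || { echo "WARN: $dir/$f is readable by group/other"; bad=$((bad + 1)); }
    done
    for f in id_rsa.pub id_dsa.pub authorized_keys authorized_keys2; do
        [ -f "$dir/$f" ] || continue
        not_writable_by_others "$dir/$f" || { echo "WARN: $dir/$f is writable by group/other"; bad=$((bad + 1)); }
    done
    return "$bad"
}
# Constructed demo directory (placeholder contents, not real keys): the private key is
# left group-readable and authorized_keys2 world-writable on purpose, so two WARNs appear.
make_demo_dir() {
    d=$(mktemp -d); chmod 700 "$d"
    echo 'PLACEHOLDER PRIVATE KEY' > "$d/id_rsa"
    echo 'ssh-rsa AAAA...placeholder mahela007@client' > "$d/id_rsa.pub"
    cp "$d/id_rsa.pub" "$d/authorized_keys2"
    chmod 640 "$d/id_rsa"; chmod 644 "$d/id_rsa.pub"; chmod 666 "$d/authorized_keys2"
    echo "$d"
}

demo=$(make_demo_dir)
audit_ssh_dir "$demo"; echo "problems found: $?"; rm -rf "$demo"
```

Run it as `sh audit.sh`; to audit a real directory, replace the demo lines with `audit_ssh_dir "$HOME/.ssh"`.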

  9. #8
    hm.. thanks for your help. By the way, on a stock-standard installation of SSH on Ubuntu, does ssh use symmetric encryption or asymmetric encryption (i.e. public-key based)?

  10. #9
    Irithori (Trusted Penguin), Join Date: May 2009
    ssh uses both symmetric and asymmetric encryption, but at different stages and for different purposes.
    Here is a graphical presentation of what I explained above,
    along with more details:
    The Architecture of an SSH System (SSH, The Secure Shell: The Definitive Guide)
    You must always face the curtain with a bow.

  11. #10
    So.. the authentication and sharing of the symmetric key is done over an asymmetrically encrypted connection. But the actual data of the session is encrypted symmetrically?
