[SOLVED] How does ssh encrypt connections?

[mahela007]

I'm a bit confused about how ssh encrypts connections. I've read a few articles on ssh and they talk about 'keys pairs' (that is public and private keys) on the server and client computers. However, ssh doesn't seem to use these keys for encryption. What are the keys it uses?
This question occurred to me when I was trying to make a remote login to an Ubuntu machine.
From a remote login perspective, I haven't generated keys on my client machine and haven't enabled key based logins in ssh. (I use the default password based login). If there aren't any keys on my client, then how does encryption work?

[Irithori]

If you connect to a remote ssh server for the first time,
you will be asked, if you accept its public key.
If yes, this public key is stored in your machines ~/.ssh/known_hosts

Now a asymetric encrypted connection can be established.
However, this would not be suitable for real work, as it takes much more ressources than a symetric connection.

Symetric encrypted connections are fine, but you need to make sure, the session key is a) reasonable good and b) exchanged between the two hosts in a secure way.

So, coming back to our existing asymetric connection between your host and the remote ssh server:
A random symetric key is generated on the ssh server,
encrypted with its private key,
and sent to your host.
With the help of the public key this symetric key can be decrypted again
and finally the two computers establish a secure symetric connection.

Easy

[Irithori]

and before I forget it:
That procedure will "only" encrypt the connection.

You still need to be authenticated to the server to get a shell (or whatever the ssh server admin wants you to have)

You can be authenticated by a user/password or if *your* public key (ie the one that was generated with ssh_keygen) is known to the ssh server in your homedir on the server in .ssh/authorized_keys2

[mahela007]

But then what are the keys one has to generate in order to use 'key based' logins?

[GNU-Fan]

You use a program like GNU gpg or OpenSSL to create a new pair.
It asks for your name, mail, and and optional password.
Then you get two files. A private key which you must keep secret and store in a certain home directory. And a public key which you can distribute publicly.

The public key you put in the home dir of the server.

[mzv]

There's no need to use SSL. Just use ssh-keygen to generate a pair based on authentication that you want (RSA1,RSA2,DSA). I would recommend RSA2. So you should type ssh-keygen with no parameters

[Irithori]

A short step by step:

On your client machine, as user mahela007:

Code:

$  ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mahela007/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mahela007/.ssh/id_rsa.
Your public key has been saved in /home/mahela007/.ssh/id_rsa.pub.
The key fingerprint is:
<somefingerprint> mahela007@client

The passphrase protects your private key.
It can only be used if decrypted with the passphrase.
You *want* your private key protected, so please choose a reasonable passphrase.

Now there are two files in the .ssh directory of your home

Code:

$ ls -la .ssh/
-rw------- 1 mahela007 users 1743 Feb 27 15:47 id_rsa
-rw-r--r-- 1 mahela007 users 398 Feb 27 15:47 id_rsa.pub

Look at the permissions.
The private key belongs only to you, the public one is world readable.

In order to enable key based authentication, the content of id_rsa.pub must be added to ~/.ssh/authorized_keys2 on the server
It is just one line and looks like this:

Code:

cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6LYac50XpCuA1qkMgWY1QhXZs40a92yNFKWbWH73Uu4zyStjQUQKpReupUklDKo59a1H3b7X7F/oRxe2BgCpHJCpNp2uvyIHYfEGqbKeg23acpig63usQPLWiaXROT10kmohT7cbb5kEJQaE1aOeegtOd/v1XsJExFbOScocuf/O6cT4Z5ODwWTiLWKh7zvgooPx1XxNMZYB4QZB0VSWzIV19pNfl+g+tl+wh9oa29WBqbvrtbewRl9a+YDXdtDN5Yjn/SotBVEAUgwsAv4KzUc5iaekTc36MJxz/wwTBZ2Np66FRjDYODtxRoyr+Vnnadf9S/S6pBFow3+g/N0v7w== mahela007@client

<DISCLAIMER>
Not an actual key from me
</DISCLAIMER>

So, on the ssh server machine:
Log in with user/password
and add your public key in this file ~/.ssh/authorized_keys2

That´s it.

Usually ssh server are preconfigured to do key based auth, so no need to change the sshd config.

Try to login again. It will not ask you for a password anymore.
Well, maybe it asks for the passphrase to your private key.

To avoid typing that everytime, start ssh-agent.


Note, that the user on the ssh server must not neccessarily be mahela007.
You could even put your public key in ssh server´s /root/.ssh/authorized_keys2
and therefore connect as root without password.
This is not recomended.
Connect as normal user, then sudo to root, if you have to.

[mahela007]

hm.. thanks for your help. By the way, on a stock-standard installation of SSH on Ubuntu, does ssh use symmetric encryption or asymmetric encryption (i.e public key based)?

[Irithori]

ssh uses both symmetric and asymmetric encryption, but at different stages and for different purposes.
Here is a graphical presentation of what I explained above,
along with more details:
The Architecture of an SSH System (SSH, The Secure Shell: The Definitive Guide)

[mahela007]

So.. the authentication and sharing of the symmetric key is done over an asymmetrically encrypted connection. But the actuall data of the session is encrypted symmetrically?