  1. #1
    Just Joined!
    Join Date
    Apr 2008
    Posts
    36

    [SOLVED] How does ssh encrypt connections?


    I'm a bit confused about how ssh encrypts connections. I've read a few articles on ssh and they talk about 'keys pairs' (that is public and private keys) on the server and client computers. However, ssh doesn't seem to use these keys for encryption. What are the keys it uses?
    This question occurred to me when I was trying to make a remote login to an Ubuntu machine.
    From a remote login perspective, I haven't generated keys on my client machine and haven't enabled key based logins in ssh. (I use the default password based login). If there aren't any keys on my client, then how does encryption work?

  2. #2
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    If you connect to a remote ssh server for the first time,
    you will be asked whether you accept its public key.
    If yes, this public key is stored in your machine's ~/.ssh/known_hosts

    Now an asymmetric encrypted connection can be established.
    However, this would not be suitable for real work, as it takes much more resources than a symmetric connection.

    Symmetric encrypted connections are fine, but you need to make sure the session key is a) reasonably good and b) exchanged between the two hosts in a secure way.

    So, coming back to our existing asymmetric connection between your host and the remote ssh server:
    A random symmetric key is generated on the ssh server,
    encrypted with its private key,
    and sent to your host.
    With the help of the public key this symmetric key can be decrypted again
    and finally the two computers establish a secure symmetric connection.

    Easy
    You must always face the curtain with a bow.

  3. #3
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    and before I forget it:
    That procedure will "only" encrypt the connection.

    You still need to be authenticated to the server to get a shell (or whatever the ssh server admin wants you to have)

    You can be authenticated by a user/password or if *your* public key (i.e. the one that was generated with ssh-keygen) is known to the ssh server in your homedir on the server in .ssh/authorized_keys2
    You must always face the curtain with a bow.

  4. #4
    Just Joined!
    Join Date
    Apr 2008
    Posts
    36
    But then what are the keys one has to generate in order to use 'key based' logins?

  5. #5
    Linux Engineer GNU-Fan's Avatar
    Join Date
    Mar 2008
    Posts
    935
    You use a program like GNU gpg or OpenSSL to create a new pair.
    It asks for your name, mail, and an optional password.
    Then you get two files. A private key which you must keep secret and store in a certain home directory. And a public key which you can distribute publicly.

    The public key you put in the home dir of the server.
    Debian GNU/Linux -- You know you want it.

  6. #6
    mzv
    mzv is offline
    Just Joined!
    Join Date
    Aug 2009
    Location
    Evil Empire
    Posts
    33
    There's no need to use SSL. Just use ssh-keygen to generate a pair based on authentication that you want (RSA1, RSA2, DSA). I would recommend RSA2. So you should type ssh-keygen with no parameters.

  7. #7
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    A short step by step:

    On your client machine, as user mahela007:
    Code:
    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/mahela007/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/mahela007/.ssh/id_rsa.
    Your public key has been saved in /home/mahela007/.ssh/id_rsa.pub.
    The key fingerprint is:
    <somefingerprint> mahela007@client

    The passphrase protects your private key.
    It can only be used if decrypted with the passphrase.
    You *want* your private key protected, so please choose a reasonable passphrase.

    Now there are two files in the .ssh directory of your home
    Code:
    $ ls -la .ssh/
    -rw------- 1 mahela007 users 1743 Feb 27 15:47 id_rsa
    -rw-r--r-- 1 mahela007 users 398 Feb 27 15:47 id_rsa.pub

    Look at the permissions.
    The private key belongs only to you, the public one is world readable.

    In order to enable key based authentication, the content of id_rsa.pub must be added to ~/.ssh/authorized_keys2 on the server
    It is just one line and looks like this:
    Code:
    $ cat .ssh/id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA6LYac50XpCuA1qkMgWY1QhXZs40a92yNFKWbWH73Uu4zyStjQUQKpReupUklDKo59a1H3b7X7F/oRxe2BgCpHJCpNp2uvyIHYfEGqbKeg23acpig63usQPLWiaXROT10kmohT7cbb5kEJQaE1aOeegtOd/v1XsJExFbOScocuf/O6cT4Z5ODwWTiLWKh7zvgooPx1XxNMZYB4QZB0VSWzIV19pNfl+g+tl+wh9oa29WBqbvrtbewRl9a+YDXdtDN5Yjn/SotBVEAUgwsAv4KzUc5iaekTc36MJxz/wwTBZ2Np66FRjDYODtxRoyr+Vnnadf9S/S6pBFow3+g/N0v7w== mahela007@client
    <DISCLAIMER>
    Not an actual key from me
    </DISCLAIMER>

    So, on the ssh server machine:
    Log in with user/password
    and add your public key in this file ~/.ssh/authorized_keys2

    That's it.

    Usually ssh servers are preconfigured to do key based auth, so no need to change the sshd config.

    Try to login again. It will not ask you for a password anymore.
    Well, maybe it asks for the passphrase to your private key.

    To avoid typing that every time, start ssh-agent.


    Note that the user on the ssh server does not necessarily have to be mahela007.
    You could even put your public key in the ssh server's /root/.ssh/authorized_keys2
    and therefore connect as root without password.
    This is not recommended.
    Connect as normal user, then sudo to root, if you have to.
    You must always face the curtain with a bow.
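
The public key line and the file permissions shown in the step-by-step above can be checked programmatically. The following is an added example, not code from the thread or from OpenSSH: it parses a plain `<type> <base64> [comment]` line (no authorized_keys options prefix), confirms that the algorithm name embedded in the key blob matches the declared type, and computes the fingerprint in the SHA256 form current OpenSSH prints. The function names and the sample key are constructed for this example.

```python
import base64, hashlib, os, stat, struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_pubkey_line(line: str):
    """Parse '<type> <base64> [comment]'; return (type, SHA256 fingerprint, comment)."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected: <type> <base64> [comment]")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)   # malformed base64 raises ValueError
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # The blob begins with its own copy of the algorithm name; it must match the prefix.
    if blob[4:4 + name_len] != key_type.encode():
        raise ValueError("declared key type does not match key blob")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return key_type, fingerprint, comment

def private_key_mode_ok(path: str) -> bool:
    """True when group and others have no access at all (0600, as in the ls output)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def make_sample_line() -> str:
    """Constructed sample line (not a real key): RSA blob with e = 35 and a filler modulus."""
    modulus = b"\x00" + bytes(range(200, 256)) * 4   # leading zero keeps the mpint positive
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x23") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " mahela007@client"

if __name__ == "__main__":
    print(parse_pubkey_line(make_sample_line()))
```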

  8. #8
    Just Joined!
    Join Date
    Apr 2008
    Posts
    36
    hm.. thanks for your help. By the way, on a stock-standard installation of SSH on Ubuntu, does ssh use symmetric encryption or asymmetric encryption (i.e. public key based)?

  9. #9
    Trusted Penguin Irithori's Avatar
    Join Date
    May 2009
    Location
    Munich
    Posts
    3,356
    ssh uses both symmetric and asymmetric encryption, but at different stages and for different purposes.
    Here is a graphical presentation of what I explained above,
    along with more details:
    The Architecture of an SSH System (SSH, The Secure Shell: The Definitive Guide)
    You must always face the curtain with a bow.

  10. #10
    Just Joined!
    Join Date
    Apr 2008
    Posts
    36
    So.. the authentication and sharing of the symmetric key is done over an asymmetrically encrypted connection. But the actual data of the session is encrypted symmetrically?
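
A simplified model of the SSH-2 key exchange (RFC 4253), added here as an example and not code from any poster or from OpenSSH: both sides derive the symmetric session keys from a Diffie-Hellman exchange, and the server's host key only signs that exchange so the client can check it against the key in known_hosts. The toy group, the textbook RSA host key, the string-based hashing and all function names are assumptions; real SSH uses negotiated algorithms and binary encodings.

```python
import hashlib, secrets

# Toy parameters, assumptions for this example only (far too small for real use).
P, G = 2**127 - 1, 3                         # Diffie-Hellman group (Mersenne prime)
HOST_P, HOST_Q, HOST_E = 2**61 - 1, 2**89 - 1, 65537
HOST_N = HOST_P * HOST_Q                     # host PUBLIC key, as kept in known_hosts
HOST_D = pow(HOST_E, -1, (HOST_P - 1) * (HOST_Q - 1))  # host PRIVATE key

def exchange_hash(host_n, e, f, K):
    """H binds the host key and both DH values to the shared secret K."""
    return hashlib.sha256(f"{host_n}|{e}|{f}|{K}".encode()).digest()

def server_reply(e):
    """Server: choose y, compute f and K, sign H with the host private key."""
    y = secrets.randbelow(P - 3) + 2
    f, K = pow(G, y, P), pow(e, y, P)
    H = exchange_hash(HOST_N, e, f, K)
    sig = pow(int.from_bytes(H, "big") % HOST_N, HOST_D, HOST_N)
    return f, sig, K, H                      # only f and sig go on the wire

def client_finish(x, e, f, sig, known_host_n):
    """Client: compute K, rebuild H, verify the signature with the known host key."""
    K = pow(f, x, P)
    H = exchange_hash(known_host_n, e, f, K)
    if pow(sig, HOST_E, known_host_n) != int.from_bytes(H, "big") % known_host_n:
        raise ValueError("host key signature check failed")
    return K, H

def session_keys(K, H):
    """Per-direction symmetric keys, HASH(K || H || letter || session_id) pattern."""
    derive = lambda letter: hashlib.sha256(str(K).encode() + H + letter + H).digest()
    return {"client_to_server": derive(b"C"), "server_to_client": derive(b"D")}

def run_exchange(tamper=False):
    """Run both sides; return (client keys, server keys)."""
    x = secrets.randbelow(P - 3) + 2
    e = pow(G, x, P)                         # client -> server
    f, sig, K_srv, H_srv = server_reply(e)   # server -> client: f and sig
    if tamper:
        f = (f + 1) % P                      # models a value altered in transit
    K_cli, H_cli = client_finish(x, e, f, sig, HOST_N)
    return session_keys(K_cli, H_cli), session_keys(K_srv, H_srv)

if __name__ == "__main__":
    client, server = run_exchange()
    print("same session keys on both sides:", client == server)
```

The shared secret K is never transmitted in any form; with `tamper=True` the client's signature check raises, which is the step that the stored known_hosts entry makes possible.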
