What is SSH ?
SSH is a network protocol that allows secure connection between different computers. SSH protocol also referred to as Secure Shell, provides many functionalities like,
- Strong connection and security
- Strong authentication
- Maintains connection integrity
- Strong encryption.
In general, there are different ways for logging in to a remote machine,
- Know the password of that machine.
- SSH public and private keys.
- Host-based authentication
Well, in case of a password, when one would want to gain access to the remote machine, the user will have to enter the password each time. This led to the introduction of SSH keys, the public key and the private key.
The scenario, before SSH came into the picture –
Telnet, was the application protocol that provided bidirectional interactive but textual-based communication between two remote systems connected on an insecure network. This was a problem because any type of data that was sent over such a network, could easily be leaked – whether that be normal data or some private data like user credentials. Thus, SSH gained much popularity as it was a cryptographic-based secured network protocol.
GETTING STARTED WITH SSH KEYS :
Various algorithms can be used to create an SSH key pair. Some of them include,
- RSA – RSA is an algorithm based upon the difficulty of factoring large numbers. RSA is getting old and significant advances have been made in factoring. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better.
- DSA – DSA is an old US government Digital Signature Algorithm. It is based on the difficulty of computing discrete logarithms. A key size of 1024 is in use with dsa.
- ECDSA – It is a new Digital Signature Algorithm based upon elliptic curves. This is probably a good algorithm for current applications. Only three key sizes are supported: 256, 384, and 521 bits.
- ED25519 – This is a new algorithm that has been added in OpenSSH. Support for it in clients is not yet universal. Thus, its use is not much advisable.
Let’s create a SSH-key-pair
There are many ways to create a ssh-key-pair :
- Run the ssh-keygen command without any arguments.
- To select an algorithm and a key size – Use the -t tag to select the algorithm and key size using the -b tag. The following commands illustrate:
– RSA – based key, Command: ssh-keygen -t rsa -b 4096
– DSA – based key, Command: ssh-keygen -t dsa
– ECDSA – based key, Command: ssh-keygen -t ecdsa -b 521
– ED255 based key, Command: ssh-keygen -t ed25519
- In order to specify file name while creating the keys, use
ssh-keygen -f ~/demo-key-ecdsa -t ecdsa -b 521
Encryption techniques used by SSH :
- Symmetrical encryption: Symmetrical encryption includes the generation of a single key for the purpose of encryption as well as decryption. The steps to follow are – 1) generate a secret key and then, 2) distribute the key among the clients and servers for establishing a secure connection. This method is generally not useful, since the leakage of a key can result in an insecure network, where the host that has access to the key can harm the network participant’s information. Symmetrical encryption is useful when encryption and decryption occurs on a single machine.
- Asymmetrical encryption: Asymmetrical encryption is way more secure than the symmetrical because it generates two different keys: Public and Private key. As a rule, we distribute a
public keyto different host machines, while the
private keyis kept secret and secure on the client machine. A secure connection is established using this
public-private key pair.
- Hashing: Hashing is a more secured connection technique since it ensures that the data is unaltered and comes from a genuine sender. We apply a hash function over the data to generate a hash value. Now, it will be impossible to regenerate the data from the hash value. The hash value is calculated at both the sender as well as the receiver’s end, and if the hash values match, the data is considered authentic.
Concept of Authorized_keys and known_hosts
I understand they can be confusing sometimes.
In simple terms, the known_hosts file lets the clients authenticate the server, to check that it isn’t connecting to an impersonator. And the authorized_keys file lets the server authenticate the user.
- ~/.ssh/authorized_keys: Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
- ~/.ssh/known_hosts: Contains DSA host keys of SSH servers accessed by the user. This file ensures that the SSH client is connecting the correct SSH server.
Risks associated with SSH keys :
Large organizations have been using SSH keys for many years now. SSH keys turn out to be extremely common among such large-enterprise organizations. Many of such user companies have used the keys without proper management. And in such a large period of time, their number of keys put to use have increased exponentially. These keys are in millions of numbers. And with such a large amount of keys present (probably thousands or millions) , mismanagement of a few can result in huge risks for the entire organization.
Hope this blog gives you a better understanding of SSH.