When using the default value for the PreferredAuthentication option in the client configuration file ssh_config (see „InterNet Services User Guide“), the OpenSSH client executes the following authentication methods one after the other:
host based authentication
Public key authentication
Password authentication
The methods are applied one after the other until a method has successfully provided authentication or until all methods have failed.
Alternatively or additionally, authentication can also be performed using OpenPAM, see section Authentication and configuration of OpenPAM.
Public key authentication permits the use of RSA, DSA, ECDSA and Ed25519 algorithms. The OpenSSH client signs the session ID (together with other data) with its private key ($HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa, $HOME/.ssh/id_ecdsa or $HOME/.ssh/id_ed25519) and sends the result to the OpenSSH server. The server checks whether the corresponding public key is contained in the <user home>/.ssh/authorized_keys file. <user home> is the home directory of the user with whose user ID the ssh caller wishes to log in. If yes, the server accepts the connection.
The OpenSSH client ssh authenticates the server by checking whether a public key is stored for the respective system in the user's file $HOME/.ssh/known_hosts or in the file provided centrally by the system administrator /etc/ssh/ssh_known_hosts and, if this is the case, whether it matches the host key type sent from sshd (RSA/DSA/ECDSA/Ed25519).
The StrictHostKeyChecking option in the configuration file ssh_config controls the behavior of the client if no suitable entry is found in the known_hosts files:
If no is returned, the previously unknown host key is entered in $HOME/.ssh/known_hosts without requesting confirmation.
If ask is returned, the user is asked whether the host key is to be entered.
If yes is returned, the host key is never entered by the client, but must be entered in the respective known_hosts file by the user or system administrator instead.
A detailed description of the StrictHostKeyChecking options is provided in the OpenSSH man pages.