Client authentication
When using the default value for the PreferredAuthentications option in the client configuration file ssh_config (see section “Configuring the OpenSSH client ssh”), the OpenSSH client tries the following authentication methods one after the other:
- Host-based authentication
- Public key authentication
- Password authentication
The methods are tried in this order until one of them has authenticated the user successfully or until all of them have failed.
Public key authentication permits the use of the RSA, DSA, ECDSA and Ed25519 algorithms. The OpenSSH client signs the session ID together with other data with its private key ($HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa, $HOME/.ssh/id_ecdsa or $HOME/.ssh/id_ed25519) and sends the result to the OpenSSH server. The server checks whether the corresponding public key is contained in the file <user home>/.ssh/authorized_keys and whether the signature verifies against it. If so, the server accepts the connection. <user home> is the home directory of the user with whose user ID the ssh caller wishes to log in.
The SSH protocol uses (amongst others) the following mechanisms to ensure the confidentiality and integrity of the connection:
- Confidentiality is guaranteed by encrypting the data traffic using AES, ChaCha20 or 3DES.
- Integrity is guaranteed by protecting the data traffic with a message authentication code using hmac-sha2, hmac-sha1 or umac.
Server authentication
The OpenSSH client authenticates the server by checking whether a public key is stored for the respective system in the user's file $HOME/.ssh/known_hosts or in the file /etc/ssh/ssh_known_hosts provided centrally by the system administrator and, if so, whether it matches the host key sent by sshd (of type RSA, DSA, ECDSA or Ed25519).
The StrictHostKeyChecking option in the configuration file ssh_config controls the behavior of the client when no suitable entry is found in the known_hosts files:
- no: the previously unknown host key is entered in $HOME/.ssh/known_hosts without requesting confirmation.
- ask: the user is asked whether the host key is to be entered.
- yes: the host key is never entered by the client; it must be entered in the respective known_hosts file by the user or system administrator instead.
A detailed description of the StrictHostKeyChecking option and its values is provided in the OpenSSH man pages.
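As an added illustration (not code from the OpenSSH documentation or project), the Python below mimics the client-side server authentication just described: it searches constructed stand-ins for $HOME/.ssh/known_hosts and /etc/ssh/ssh_known_hosts for a host/key-type pair, handling both plain and HashKnownHosts entry forms, and maps the three StrictHostKeyChecking values onto the client's action. Host names, salt and key blobs are placeholders, not real keys.

```python
import base64
import hashlib
import hmac

# Constructed sample files standing in for $HOME/.ssh/known_hosts and
# /etc/ssh/ssh_known_hosts; the key blobs are placeholders, not real keys.
SALT = bytes(range(20))  # constructed; OpenSSH uses a random 20-byte salt

def hashed_host(host, salt):
    """HashKnownHosts form of a host field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

USER_KNOWN_HOSTS = "\n".join([
    "# user file: an alias list entry and a hashed entry",
    "host1.example.com,10.0.0.1 ssh-ed25519 AAAAC3Nz...HOST1KEY",
    hashed_host("host2.example.com", SALT) + " ssh-rsa AAAAB3Nz...HOST2KEY",
])
SYSTEM_KNOWN_HOSTS = "[host3.example.com]:2222 ecdsa-sha2-nistp256 AAAAE2Vj...HOST3KEY"

def host_matches(field, host):
    """Match a host field (plain name, comma list or hashed) against host.
    Wildcards, '!' negations and @cert-authority/@revoked markers are not handled."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|", 3)[2])
        return hmac.compare_digest(hashed_host(host, salt), field)
    return host in field.split(",")

def find_host_key(text, host, key_type):
    """Return the base64 key stored for (host, key_type) in one file, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith(("#", "@")):
            if host_matches(parts[0], host) and parts[1] == key_type:
                return parts[2]
    return None

def lookup(host, key_type):
    """Search the user file first, then the central file, as the client does.
    For a non-default port pass the host as '[name]:port'."""
    return (find_host_key(USER_KNOWN_HOSTS, host, key_type)
            or find_host_key(SYSTEM_KNOWN_HOSTS, host, key_type))

def decide(strict_host_key_checking, known_key, offered_key):
    """Client action given the stored key (or None) and the key sshd offered."""
    if known_key is not None:
        return "connect" if known_key == offered_key else "refuse-mismatch"
    return {"yes": "refuse-unknown", "ask": "prompt",
            "no": "add-and-connect"}[strict_host_key_checking]
```

With StrictHostKeyChecking no, the first contact with an unknown host accepts whatever key it presents, so a substituted key is only caught on later connections; yes forces the key to be provisioned beforehand.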