6 SSH Authentication Methods and How to Use Them

SSH Authentication Methods and How to Use Them

As more companies migrate their services to the cloud and more people continue to work remotely, a secure connection is needed to connect to a remote computer over a network.

One of the most utilized encryption protocols to mitigate cyber threats such as password sniffing is SSH (Secure Shell).

SSH was designed and developed to replace unsecured protocols such as rlogin, rsh, and telnet to connect two remote hosts.

Other than just establishing a secure connection between two computers, SSH is also helpful in creating a secure tunnel (port forwarding), X-Forwarding, securing local mounts for directories, and can act as a SOCKS proxy.

This tutorial will give you the various methods to create a secure connection with OpenSSH.

In this example, our local machine is Debian 10, and the remote PC (server) that we will be connecting to is Debian-Server.

Let’s get started by looking at the various OpenSSH authentication methods available.

OpenSSH Authentication Methods

This post will look at six OpenSSH authentication methods.

1. Password Authentication

With this type of authentication, the Client machine will request a password from the user, then use this password to authenticate itself to the remote device (server).

2. Public Key Authentication

In public key authentication, the Client machine uses a key pair to authenticate itself to the server. The server will verify the keys by checking the allowed keys in the .ssh folder in the /home directory.

3. Host-based Authentication

This type of authentication is not very different from public-key authentication, and the client uses a key pair to authenticate itself to the server. However, the connection needs to come from a device in the allowed host list on the server.

4. Keyboard Based Authentication

That is a more advanced form of password authentication method. The server sends prompts to the Client who should provide the correct response.

5. Challenge-Response Authentication

This type of authentication is responsible for setting up the Keyboard-based authentication method. A specific backend system sends the challenges to the client’s PC and verifies the response.

6. GSSAPI Authentication

OpenSSH can also use Kerberos authentication to authenticate client machines to the server using the GSSAPI.

Steps of OpenSSH Authentication

To establish a secure connection between the client and the server, OpenSSH follows the steps below.

  • Create a secure TCP connection between the client and the remote machine (server)
  • Check the OpenSSH versions in both devices to ensure compatibility
  • The two machines exchange encryption keys using the Diffie-Hellman algorithm
  • The two systems agree on which mode of authentication will be used to establish a connection.
  • The client system authenticates itself to the server, establishing a secure connection.

Up to this point, we know the different OpenSSH authentication methods we can use to establish a secure connection. Let’s now look at each of them in detail and how to set it up.

1. Password Authentication

Password auth is the default set authentication method upon installing OpenSSH. It might be a little different with cloud providers who will always prompt you to choose the mode of authentication you wish to use before setting up your Cloud service (usually between Password authentication and public key authentication).

The user needs to enter a password to connect to the remote server with this type of authentication, as shown below.

word image 1

Note: Please make sure the PasswordAuthentication parameter is set to YES on the server. You can confirm that by running the command below.

sudo egrep ^PasswordAuthentication /etc/ssh/sshd_config

If you get an output of PasswordAuthentication Yes, as shown below, you are good.

word image 2

However, if you get an empty result, you need to edit the /etc/ssh/sshd_config file. Run the command below and uncomment (remove the # sign) in front of the PasswordAuthentication line as shown below.

sudo nano /etc/ssh/sshd_config

When done, execute the command below to restart the sshd service.

sudo systemctl restart sshd

word image 3

2. Public Key Authentication

Public-key auth is one of the most used and recommended authentication methods. One of the main reasons is that it’s not vulnerable to Bruteforce attacks like the password authentication method.

With this type of authentication, two long strings of characters are generated – the public key and the private key. The public key is placed on the server, and the client uses the private key to connect to the server. The server will verify the client’s private key with the public key before allowing a connection.

You can enhance the security further by providing a passphrase for the private key. To generate a key pair, run the command below on your client machine.

ssh-keygen -t ed25519

You will see a prompt to enter a location to save the generated key pairs. If you don’t provide one, they will be saved in the default .ssh directory. Next, you will see a prompt to set up a passphrase. If you don’t wish to set up one, just leave it empty.

word image 4

Now, run the command below to upload the public key to the server.

ssh-copy-id <server-username>@<server-IP>

e.g

ssh-copy-id [email protected]

word image 5

Now, we can log in to our remote server by executing the command, and we won’t be prompted to enter an authentication password.

ssh [email protected]

3. Host-based Authentication

To enable Host-based authentication, you will need to perform unique configurations on both the Client machine and the server. On the client-side, edit the /etc/ssh/sshd_config and uncomment/add the lines below.

/etc/ssh/sshd_config
EnableSSHKeySign yes
HostbasedAuthentication yes

You will need to modify at least three files on the server to enable host-based authentication.

  • /etc/ssh/shosts.equiv
  • /etc/ssh/ssh_known_hosts
  • /etc/ssh/sshd_config

Open the /etc/ssh/sshd_config and uncomment/add the two lines below.

/etc/ssh/sshd_config
HostbasedAuthentication yes
IgnoreRhosts no

Once done, you will need to add your Client PC hostname in the /etc/ssh/shosts.equiv file on the server. In our case, the hostname of our client machine is ‘debian.’

word image 6

4/5. Keyboard Based and Challenge-Response Authentication

In OpenSSH, we use the ChallengeResponseAuthentication variable in the /etc/ssh/sshd_config file to enable/disable Keyboard-based Interactive authentication. By default, this value is always set to Yes. However, this authentication mode can be quite confusing to the end-user since it uses a single challenge-response cycle that requires the client to enter a password.

Therefore, it won’t look very much different from the PasswordAuthentication method. To configure Keyboard-based Authentication, uncomment/add the lines below in the /etc/ssh/sshd_config file on the remote machine (server).

/etc/ssh/sshd_config
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes

Remember to reload the sshd service by executing the command below.

sudo systemctl restart sshd

word image 7

To connect to our Linux machine, we will include the -vvv parameter to see what is happening in the background. Below is a sample of the Terminal output.

ssh [email protected]

word image 8

From the image above, even though we are using Keyboard authentication, you can see we are prompted to enter a password since we have not enabled any other module for keyboard-interactive authentication.

6. GSSAPI Authentication

GSSAPI Authentication enables you to log in to the remote server and use SSH to log in to another remote server without using Password authentication or public-key authentication. With this type of authentication, you will need to set up an IPA server or an Active Directory with Windows. There are two main parameters used with GSSAPI authentication:

  • GssapiAuthentication
  • GssapiKeyExchange

Conclusion

That’s it! Those are six Authentication methods we can use with OpenSSH. Do you have any questions or comments? Please, feel free to leave a comment below.

12 Shares:
Subscribe
Notify of
guest
Receive notifications when your comment receives a reply. (Optional)
Your username will link to your website. (Optional)

0 Comments
Inline Feedbacks
View all comments
You May Also Like