How SSH certificate-based authentication works?

Reading time: 5 minutes.

SSH stands for Secure Shell or Secure Socket Shell. It is a cryptographic network protocol that allows users and sysadmins to access computers over an unsecured network such as the Internet. It is used to log in to a remote server, execute commands, and transfer data from one machine to another.

Where do we use SSH?

SSH is used to replace unprotected remote login protocols like Telnet, rlogin, rsh, and others, as well as insecure file transfer protocols like FTP. Network administrators extensively utilize its protection capabilities. We can use SSH protocol in various scenarios, such as:

• Enabling secure access for users and automated processes
• Performing interactive and automated file transfers
• Issuing remote commands
• Managing network infrastructure and other mission-critical system components

How does SSH work?

The SSH protocol works on a client-server architecture, so an SSH client establishes a secure connection to an SSH server. The SSH client drives the connection establishment process and uses public key infrastructure (PKI) to verify the authenticity of the SSH server. Once configured, the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the confidentiality and integrity of data exchanged.

What are the different types of authentication?

Key-based authentication

The most commonly used form of SSH deployment is public key authentication. It is preferred over simple passwords because of enhanced security. Key-based authentication provides unmatched cryptographic strength, which is even more than that offered by very long passwords. SSH greatly increases security through public key authentication, eliminating users’ need to remember complex passwords.

In addition to security, public key authentication improves usability. This allows the user to implement single sign-on across the SSH servers he connects to. Key-based authentication also enables automated passwordless logins, a key feature of the myriad of secure automated processes running in corporate networks worldwide.

This type of authentication generates a key pair (public and private key).

• The public key is copied to the SSH server and, by default, added to the ~/.ssh/authorized_keys file. Anyone who has a copy of the public key can encrypt data that can only be read by those who have the corresponding private key.
• The private key remains (only) with the user. Only a user whose private key corresponds to the server’s public key can authenticate successfully. Private keys should be stored and handled carefully, and copies of private keys should not be distributed.

Disadvantages of key-based authentication

• Poor SSH key management can pose a great risk to organizations.
• Misuse of SSH keys can lead to confidential or privileged information access.
• Since keys are trusted permanently, it increases the chances of an attack.

Certificate-based authentication

This type of authentication does not need key approval and distribution. Instead of distributing public keys across static files, we can use certificates to bind public keys to names. A certificate contains data such as a public key, a name, and additional data such as expiration dates and permissions. This data is signed by a certification authority (CA).

To enable certificate authentication, configure clients and hosts to verify certificates using your CA’s public key (i.e., trust certificates issued by your CA).

On each host, edit /etc/ssh/sshd_config, specifying the CA public key for verifying user certificates, the host’s private key, and the host’s certificate.

On each client, add a line to ~/.ssh/known_hosts specifying the CA public key for verifying host certificates.

Advantages of certificate-based authentications

• It is simple to use as a trust on first use (TOFU) warnings are not displayed because certificate authentication uses certificates to communicate public key bindings, allowing clients to authenticate at all times.
• It streamlines operations by eliminating the key approval and distribution process. It also reduces the operational cost of monitoring and maintaining current infrastructure for adding, removing, synchronizing, and auditing static public key files.
• It promotes good security hygiene as compared to key-based authentication. The chances of a compromised private key going unnoticed for a long time is quite likely; however, certificates, on the other hand, expire, which means in case of theft, misuse, etc., it will automatically expire, thereby making it fail-secure.

Conclusion

Certificate-based authentication has many benefits, such as improving usability, enhancing security, streamlining operations, etc. If implemented, it will help organizations reduce complexities of key approval and distribution, improper key management-related risks, and much more.