LinuxQuestions.org


RobInRockCity 07-12-2016 06:38 PM

Understanding how Password Authentication works
 
I learned how to set up passwordless SSH authentication last year, and while I got it to work, I honestly am not sure that I understand exactly how it works. (And after reading a lot of stuff online, I'm not sure a lot of other people understand how it works either!) :)

I would appreciate it if I can walk through the steps and have you guys fill in the gaps in my knowledge so I can truly understand how all of this works.

Here is what my notes said that I did...

1.) In Terminal, I navigated here...
Code:

cd ~/.ssh

2.) Then I ran this code...
Code:

ssh-keygen -t rsa -b 2048
My understanding is that ssh-keygen creates a public-private key pair. The -t switch is for the type of key to use, "rsa" is the key type I chose. The -b switch is the number of bits to use, and I chose 2048.


3.) When I run this command I get the message...
Code:

Generating public/private rsa key pair.

Enter file in which to save the key (/Users/rob/.ssh/id_rsa):

I hit <enter>, and then get...
Code:

Enter passphrase (empty for no passphrase):
I chose a passphrase and hit <enter>

Terminal then says...
Code:

Your identification has been saved in /Users/rob/.ssh/id_rsa.
Your public key has been saved in /Users/rob/.ssh/id_rsa.pub.
The key fingerprint is:

So apparently I now have a Public and a Private Key, right?


4.) Next, on my server in cPanel, under "Security", I chose "SSH Shell Access". Then "Manage SSH Keys". And then "Import Key".

On this page I see 4 input fields:
Code:

Enter a name for this key. This value defaults to id_dsa:
I entered "id_rsa".

Q-1: What, if anything, should go in the field above?

Code:

Paste the private key into this text box:
I left this blank.

Code:

Passphrase:
I left this blank.

Code:

Paste the public key into this text box:
On my MacBook, using TextWrangler, I opened ~/.ssh/id_rsa.pub and copied the entire Public Key and then pasted it into the last field above. Then I chose "Import".

cPanel said...
Code:

The system successfully imported the “id_rsa” key.
Next I chose the "Back to Manage Keys" button. Under the "Public Keys" section, I chose "Manage Authorization". From there I chose the "Authorize" button. Then I chose "Go Back".

Q-2: What exactly is going on here?

Q-3: What is the purpose of installing my Public-Key onto my server?


5.) The next thing I did was to call my web host and ask them to provide me with the Fingerprint for my Server.

In order for them to provide this, my understanding is that my web host would have to run this command against my server...
Code:

ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Q-4: Is this correct?

Q-5: Is it correct that the (Server) Fingerprint is an "abbreviated" version of the (Server's) Public Key?

Q-6: Is it correct that the (Server) Fingerprint would be created when the server is built/started and remain until it is reset?

I have lots more questions, but this is a good stopping place for now!

Thanks,


Rob

AwesomeMachine 07-13-2016 01:44 AM

OK, when you generate a key pair it isn't very usable until you put them on keyrings, or import them. Q. 1, A: just some descriptive name. Q. 2 A: The key was added to the keyring, so the application can use it. Q. 3 A: Others use your public key to encrypt a key that is only then available by your private key. Public key encryption allows you to give one key to the public to encrypt to you. But the public key cannot decrypt the messages it encrypts. The private key is required for that.

Q. 4 A: I can't quite figure out how your web host gets involved here. There must be some added security they're providing. Q. 5 A: a fingerprint, or signature is a one-way hash of a private key. Q. 6 A: I'm not completely familiar with what you're asking exactly. But typically a digital fingerprint remains the same until it's changed.

chrism01 07-13-2016 02:58 AM

Re QN 3:
There are (basically) 2 kinds of encryption:
1. symmetric : both ends know/use the same(!) key,
2. asymmetric (aka public key) where there are 2 different keys that form a pair, one private, one public.
(NB: this is not the same as hashes eg *nix stores passwd hashes, it does NOT encrypt your passwd)

Think of asymmetric encryption as 2 halves of one conjoined key if it helps. (it's really more of a set/matched pair actually)
Basically a given private key will only match/work with the public key it was created with.
So, you put the public key on the server (which may or may not be under your control), and keep the private key on your client (ie under your control).
You then tell ssh to use keys instead of passwords and it matches the 2 keys (ie 2 halves of the pair) to let you in.

To install the public key, you are using CPanel GUI, but on the cmd line, you'd use the ssh-copy-id cmd if your distro supports it, otherwise you'd probably use scp (with passwd).

There is lots about this on the net, but that's the basics.

You could try wikipedia or https://gnupg.org/documentation/index.html if you want to read up.
I can also highly recommend http://simonsingh.net/books/the-code-book/the-book/ - very readable.

HTH

PS: re your title " Password Authentication "; that's where *nix hashes the plaintext passwd you give it and matches it to the recorded hash in the /etc/shadow file.
This is separate from ssh-keys above.

michaelk 07-13-2016 06:35 AM

The ssh fingerprint is a way to identify a server and help prevent man in the middle attacks. With strict host checking enabled when you login to a ssh server for the first time you should see an unknown host with the fingerprint displayed. If the fingerprint displayed matches the one that you got when you called your host then you are assured you are connecting to your server. Once you enter or click yes to continue that fingerprint is stored in your known_hosts file. If you ever login and the fingerprints do not match then something could be amiss. Yes the command you posted will display the server's fingerprint and yes it is generated when ssh was installed and should not change.

RobInRockCity 07-13-2016 11:39 AM

Quote:

Originally Posted by AwesomeMachine (Post 5575138)
Q. 3 A: Others use your public key to encrypt a key that is only then available by your private key. Public key encryption allows you to give one key to the public to encrypt to you. But the public key cannot decrypt the messages it encrypts. The private key is required for that.

I asked about passwordless SSH authentication. You are talking about a completely different topic.


Quote:

Originally Posted by AwesomeMachine (Post 5575138)
Q. 4 A: I can't quite figure out how your web host gets involved here. There must be some added security they're providing.

Then you don't understand how to set up passwordless SSH authentication.

RobInRockCity 07-13-2016 11:57 AM

Quote:

Originally Posted by chrism01 (Post 5575150)
Re QN 3:
There are (basically) 2 kinds of encryption:
1. symmetric : both ends know/use the same(!) key,
2. asymmetric (aka public key) where there are 2 different keys that form a pair, one private, one public.
(NB: this is not the same as hashes eg *nix stores passwd hashes, it does NOT encrypt your passwd)

Think of asymmetric encryption as 2 halves of one conjoined key if it helps. (it's really more of a set/matched pair actually)
Basically a given private key will only match/work with the public key it was created with.
So, you put the public key on the server (which may or may not be under your control), and keep the private key on your client (ie under your control).
You then tell ssh to use keys instead of passwords and it matches the 2 keys (ie 2 halves of the pair) to let you in.

Okay, that makes sense.

Following that logic, I could technically put my Private Key on the Server and leave my Public Key on my laptop, right?


Quote:

Originally Posted by chrism01 (Post 5575150)
To install the public key, you are using CPanel GUI, but on the cmd line, you'd use the ssh-copy-id cmd if your distro supports it, otherwise you'd probably use scp (with passwd).

As per Q-1, does it matter what I put in that field? Based on the form, I assume cPanel is asking me what I want to call the Public Key?

And per Q-2, what happens when I "authorize" the Public Key that I just put into the form?


Quote:

Originally Posted by chrism01 (Post 5575150)
PS: re your title " Password Authentication "; that's where *nix hashes the plaintext passwd you give it and matches it to the recorded hash in the /etc/shadow file.
This is separate from ssh-keys above.

That is a typo. The title of this thread should say "Understanding how Password-less Authentication works"

**Could an admin please fix this to avoid any confusion?

Thanks.

RobInRockCity 07-13-2016 12:02 PM

Quote:

Originally Posted by michaelk (Post 5575246)
The ssh fingerprint is a way to identify a server and help prevent man in the middle attacks.

With strict host checking enabled when you login to a ssh server for the first time you should see an unknown host with the fingerprint displayed. If the fingerprint displayed matches the one that you got when you called your host then you are assured you are connecting to your server.

Thanks, but I know what the purpose of the Server's Fingerprint is. That isn't what I asked about in Q-5 and Q-6.


Quote:

Originally Posted by michaelk (Post 5575246)
Once you enter or click yes to continue that fingerprint is stored in your known_hosts file.

As far as I know that is wrong. The fingerprint is not stored in "known_hosts" - the Public Key should be stored there.


Quote:

Originally Posted by michaelk (Post 5575246)
If you ever login and the fingerprints do not match then something could be amiss. Yes the command you posted will display the server's fingerprint and yes it is generated when ssh was installed and should not change.

Okay.

michaelk 07-13-2016 12:30 PM

My mistake

RobInRockCity 07-13-2016 01:24 PM

Quote:

Originally Posted by michaelk (Post 5575405)
My mistake

No problem.

Could you please change the title of this thread to: "Understanding how Password-less Authentication Works"

(I left out an important word when I created the thread title!)

Thanks.

AwesomeMachine 07-14-2016 01:46 AM

Quote:

Originally Posted by RobInRockCity (Post 5575375)
I asked about passwordless SSH authentication. You are talking about a completely different topic.

Then you don't understand how to set up passwordless SSH authentication.

My mistake. I momentarily confused ssh and ssl.

chrism01 07-14-2016 02:25 AM

@RobInRockCity: actually changing the title would invalidate my comment(s) & possibly confuse new readers.
Qns often take on new twists anyway.
However, it's up to the Mods to make that decision.
(Maybe you could add a note to your 1st post ?)

Re cPanel: never used it I'm afraid; I'm a cli guy. Hopefully a cPanel guy will chip in.

Re key locations: it's entirely up to you, but in practical terms you'd normally put the pub key on the "server" and the pvt key on the "client".
You'll notice that the actual ssh programs etc installed are different for server and client.
Given that you can scp/sftp in either direction, this is not a problem, but you'd ssh from the client to the server.

sgosnell 07-14-2016 10:03 AM

I don't think you want to put your private key on a server. Anyone who gets your private key gets everything. That key needs to be guarded, and if it's ever compromised you need to revoke it immediately and generate a new one. If it's on a server, it's compromised.

RobInRockCity 07-14-2016 10:44 AM

Quote:

Originally Posted by sgosnell (Post 5575896)
I don't think you want to put your private key on a server. Anyone who gets your private key gets everything. That key needs to be guarded, and if it's ever compromised you need to revoke it immediately and generate a new one. If it's on a server, it's compromised.

Who said anything about putting the Private Key on the server?

And could we get back to answering the questions in my OP...

michaelk 07-14-2016 11:33 AM

On my cPanel page at the bottom is the note:
You don’t have to import both keys. It is perfectly acceptable to just import a public OR private key if that is all you need on the server.

Q-1: What, if anything, should go in the field above?
The name you want to assign to your private key file if you need to use it on the server. Private keys are stored in separate files while public keys go in a single file, i.e. authorized_keys

Q-2: What exactly is going on here?
Q-3: What is the purpose of installing my Public-Key onto my server?
How keys work was explained in previous posts.

Q-4: Is this correct?
Yes

Q-5: Is it correct that the (Server) Fingerprint is an "abbreviated" version of the (Server's) Public Key?
Yes

Q-6: Is it correct that the (Server) Fingerprint would be created when the server is built/started and remain until it is reset?
Yes

Do you have additional questions?
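As an added illustration (not code posted in this thread, and not cPanel's or OpenSSH's own code), the Python below builds an id_rsa.pub-style line, reads it back out of both the authorized_keys and the known_hosts layouts, and computes the fingerprint the way ssh-keygen -l does, so Q-5 and the known_hosts point above can be checked directly: the fingerprint is a hash of the public key blob only, not of the comment, the host name, or the private key. The modulus, comment and host name are constructed sample values.

```python
import base64
import hashlib
import struct

def _sshstr(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    """SSH wire 'mpint': minimal big-endian bytes, 0x00-prefixed when the top bit is set."""
    return _sshstr(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an 'ssh-rsa <base64> <comment>' line, the id_rsa.pub / authorized_keys format."""
    blob = _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_pubkey_line(line: str):
    """Return (key type, raw key blob, comment). A known_hosts line carries the
    host name (or its |1| hash) first, so that field is dropped when present."""
    fields = line.split()
    if not fields[0].startswith(("ssh-", "ecdsa-")):
        fields = fields[1:]
    ktype, blob = fields[0], base64.b64decode(fields[1])
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != ktype.encode():   # the blob names its own type; it must agree
        raise ValueError("key type inside blob does not match text field")
    return ktype, blob, " ".join(fields[2:])

def rsa_params(blob: bytes):
    """Decode (e, n) back out of an ssh-rsa blob; the fingerprint hashes exactly these bytes."""
    vals, pos = [], 0
    while pos < len(blob):
        ln = struct.unpack(">I", blob[pos:pos + 4])[0]
        vals.append(blob[pos + 4:pos + 4 + ln]); pos += 4 + ln
    return int.from_bytes(vals[1], "big"), int.from_bytes(vals[2], "big")

def fingerprint_sha256(line: str) -> str:
    """Modern ssh-keygen -l form: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    blob = parse_pubkey_line(line)[1]
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(line: str) -> str:
    """Legacy ssh-keygen -l -E md5 form: 'MD5:' + colon-separated hex."""
    h = hashlib.md5(parse_pubkey_line(line)[1]).hexdigest()
    return "MD5:" + ":".join(h[i:i + 2] for i in range(0, 32, 2))

# Constructed sample: a made-up 256-bit modulus (far too small for real use, not a key from
# the thread) so the example runs offline; the host name is likewise a placeholder.
SAMPLE_E, SAMPLE_N = 65537, int("c0ffee1f" * 8, 16)
SAMPLE_PUB_LINE = make_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "rob@macbook")
SAMPLE_KNOWN_HOSTS_LINE = "server.example.com " + SAMPLE_PUB_LINE  # client-side record
```

Running `fingerprint_sha256` over the authorized_keys-style line and over the known_hosts-style line gives the same value, which is the check a client performs against the fingerprint the host reads out with `ssh-keygen -lf`.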

RobInRockCity 07-14-2016 12:12 PM

Quote:

Originally Posted by michaelk (Post 5575934)
Q-1: What, if anything, should go in the field above?
The name you want to assign to your private key file if you need to use it on the server. Private keys are stored in separate files while public keys go in a single file, i.e. authorized_keys

Actually that field also applies to the Public-Key in my case.



Quote:

Originally Posted by michaelk (Post 5575934)
Do you have additional questions?

Sure do! ;)

So I copy the contents of my User Public-Key into cPanel and use Field-1 to give it a name. Then cPanel creates a Public-Key on my Server.

Q-7: This new Public-Key on my Server would still be called the User (client) Public-Key, right? (After all, all I did was "share" it with the Server.)


Q-8: It appears that this new Public-Key on the Server is located here: ~/.ssh/id_rsa.pub Correct?


So, now I have the User (client) Private-Key on my local machine, and the User (client) Public-Key on the server located at: ~/.ssh/id_rsa.pub

The User (client) Private-Key and the User (client) Public-Key form a User (client) Key-pair...

Q-9: What does the User (client) Key-pair allow to happen? Does it allow the Client to speak with the Server? Or does it allow the Server to speak with the Client?

