6

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays its part.

Google found many explanations at detailed level, with either a narrow scope, or whose broad scope was cluttered with those details. Not to mention many incorrect or confused explanations and forum posts.

I ended up creating a couple of diagrams to clarify two things:

  • What files and actions are involved in preparing for SSH communication using keys
  • What those files do during the process of establishing a connection.

I will post these in an answer below.

gwideman
  • 281
  • 2
  • 8

1 Answers1

12

The following answer explains the files needed to prepare for ssh authentication using public-private key pairs ("Public Key Infrastructure" or "PKI"), and how those files are used during an actual ssh session. Some specifics here use names and directories that apply to linux, but the principles apply across all platforms, which use programs and files parallel to these. The main features of interest are:

  • User machine
    • User key pair: Public and private, which the client-side user has to create using ssh-keygen, creating files with names such as:
      • ~/.ssh/id_rsa (private) and
      • ~/.ssh/id_rsa.pub (public)
      • In preparation, must be given to host's authorized_keys file
    • ~/.ssh/known_hosts
      • which receives the public key from the server, if user accepts it on first log in.
  • Host (server) machine
    • Host key pair: Public and Private
      • are automatically created at some point like installation of openssh on the server. Typical names:
      • /etc/ssh/ssh_host_rsa_key (private)
      • /etc/ssh/ssh_host_rsa_key.pub (public)
      • host offers the public key to the client-side user the first time the client-side user tries to connect with ssh. Client will store host's key in known_hosts
    • ~/.ssh/authorized_keys
      • In preparation, must be given the public key of each user who will log in.
  • Sequence of events in an actual SSH (or rsync) session, showing how the files are involved.

(Note that there are two different common signature algorithms, RSA and DSA, so where this discussion uses 'rsa', the string 'dsa' could appear instead.)

Configuration/preparation enter image description here

SSH connection and use enter image description here

I hope these diagrams will be helpful.

gwideman
  • 281
  • 2
  • 8
  • 3
    Thank you. After much searching, this is the clearest explanation I've found that takes into consideration all the files involved. – PatrickReagan Feb 21 '20 at 23:57
  • 1
    This is the definitive crash course for OpenSSH/PKI configuration. You should copy/paste this to a hashnode or medium article – Nick Mitchell May 09 '22 at 07:48
  • 1
    @NickMitchell your comment is encouraging :-) – gwideman May 10 '22 at 11:25
  • Thank you. Just missing the supporting docs. However, after checking some documentation, yours seems a fair summary. – rellampec Jun 27 '23 at 11:50
  • Returning to this after several years, I think there may be a mistake in the "SSH connection and use" diagram. Where I wrote "Message encrypted with client's (joe's) public key", I _think_ it should say "Message encrypted with client's (fred's) public key". Ie: local fred's public key as previously OK'ed and stored in remote joe's authorized_keys. – gwideman Jun 28 '23 at 06:39