Ssh – What are the steps that occur during a ssh connection establishment on a machine that does use password based authentication

authenticationssh

I want to know what happens behind the scenes in establishing a ssh connection, i mean till we land on the shell in a Linux from a Linux machine. I know that password is not sent in plain text in a ssh connection. So what do they do to encrypt the connection. Here i am assuming that i have not generated my public/private keys. I use password for authentication. So i think there cant be a exchange of keys before securing the connection. I searched on google and in serverfault but no hits. The closest i got to in serverfault was this post What exactly does ssh send when performing key negotiation? .
The above post assumes the user is connecting via pubic key exchange. But i am looking for a case of securing the connection without the public/private keys. How does it encrypt the connection even before i enter the password. What does it use to secure the connection so that password is not send plain text ?

Best Answer

When you install SSH and start it for the first time, it will generate public and private keys for the machine, which are the same for every user. Upon connection, both machines will exchange their public key parts (in plain text) and use them to encrypt the communication between the hosts. After the key exchange, the communication will switch to encrypted mode.

In every users ~/.ssh/known_hosts file the keys will then be stored and compared against the one send upon the next connection. This is the reason you will get an error if you try to connect to a machine you have recently reinstalled: While doing so you have generated a new machine key pair, and this doesn't match the cached version, which also could mean an attempted attack.

Related Solutions

Windows – Is the password compromised because I forgot to hit Enter after ssh username

In short: yes.

# ssh 192.168.1.1 -l "myuser mypassword"
^C
# egrep "mypassword" /var/log/auth.log
Oct 19 14:33:58 host sshd[19787]: Invalid user myuser mypassword from 192.168.111.78
Oct 19 14:33:58 host sshd[19787]: Failed none for invalid user myuser mypassword from 192.168.111.78 port 53030 ssh2

Ssh – Encrypt temporary password using public ssh key

I finally found how to convert an OpenSSH public key to PEM format on a blog and was able to successfully encrypt and decrypt a string using my private/public key.

I've outlined the steps I used to perform the encryption and decryption.

To encrypt a string:

# convert public key to PEM format
ssh-keygen -f ~/.ssh/id_rsa.pub -e -m PKCS8  > ~/.ssh/id_rsa.pub.pem

# encrypt string using public key
echo "String to Encrypt" \
   | openssl rsautl -pubin -inkey ~/.ssh/id_rsa.pub.pem -encrypt -pkcs \
   | openssl enc -base64 \
   > string.txt

To decrypt a string (from file):

openssl enc -base64 -d -in string.txt \
    | openssl rsautl -inkey ~/.ssh/id_rsa -decrypt

Since my goal is to e-mail the password, I've written an extremely basic script to automate things a bit:

#!/bin/sh
if test "x${1}" == "x";then
   echo "Usage: ${0} <username>"
   exit 1
fi
SSHUSER=${1}
printf "Enter Password: "
read PASS1
echo ""
echo ""
ssh-keygen -f /home/${SSHUSER}/.ssh/id_rsa.pub -e -m PKCS8 \
    > /tmp/ssh-pubkey-${SSHUSER}.pem
echo 'cat << EOF |openssl enc -base64 -d |openssl rsautl -inkey ~/.ssh/id_rsa -decrypt'
echo "New Password: ${PASS1}" \
   | openssl rsautl -pubin -inkey /tmp/ssh-pubkey-${SSHUSER}.pem -encrypt -pkcs \
   | openssl enc -base64
echo "EOF"
echo ""
rm -f /tmp/ssh-pubkey-${SSHUSER}.pem

I can then send the output of the script in an e-mail for the user to decrypt.

The complete script is available on Github: https://gist.github.com/3078682

Best Answer

Related Solutions

Windows – Is the password compromised because I forgot to hit Enter after ssh username

Ssh – Encrypt temporary password using public ssh key

Related Topic