What is SSH and its Authentication Methods: Usage and Troubleshooting

Overview:

The Secure shell, also called the SSH protocol, is used to make reliable and secure communication between two servers connected to a local or public network. The SSH protocol supports various authentication methods and uses strong encryption to protect exchanged data on the network. It is highly recommended to use SSH-based communication instead of clear-text communication protocols (rlogin, rsh, telnet) and unencrypted file transfer protocol (FTP). SSH protocol can also be used for X forwarding, tunneling a port, forwarding a port, as SOCKS proxy, VPN, and secure remote mounts.

Steps of SSH authentication:

Following steps are taken by server and client to establish a secure connection.

  • Create a TCP-based connection between server and client.
  • Check the compatibility of server and client SSH versions.
  • Use the Diffie-Hellman algorithm to exchange encryption keys.
  • Client systems inform the server system of the username and password it will use to authenticate itself.
  • The client system verifies the server’s public key to protect itself from MITM attacks.
  • Server and client systems agree on common methods of client authentication.
  • The client system authenticates, and a secure communication line is established between the server and the client system.

SSH authentication methods:

There are different authentication methods in SSH protocol.

Password authentication:

The client requests a password from the user, and encrypts this password, and uses this to authenticate itself to the server.

Public Key authentication:

The client system uses a key pair to authenticate itself to the server. The server looks for the key in file authorized_keys in ~/.ssh folder.

Host-based authentication:

In this authentication method, the client uses a key and should be in the list of allowed hosts on the server to authenticate.

Keyboard-based authentication:

In this method, on the client system, the server presents certain text and requires an answer from the user.

OpenSSH authentication methods:

PasswordAuthentication:

This OpenSSH parameter is used to configure password authentication.

PubkeyAuthentication:

This OpenSSH configuration parameter is used to configure public key authentication.

GSSAPIAuthentication:

GSSAPI configuration parameter is an IETF standard for strongly encrypted authentication. OpenSSH uses GSSAPI and Kerberos 5 code to authenticate clients.

HostbasedAuthentication:

This configuration parameter is used to configure host-based authentication.

ChallengeResponseAuthentication:

This is used to configure keyboard-based authentication. A specific backend is used to send the challenges and check the responses.

You may use a sequence of authentication methods or change priorities of preferred authentication methods with preferredAuthentications configuration parameter.

Troubleshooting:

How to confirm SSH service on the Server:

To troubleshoot SSH connections, make sure there is no firewall on both server and client systems. Also, confirm that SSH is up and running and waiting for incoming connections on the correct port (default is 22). Ping server from the client and make sure there are no routing issues between source and destination servers. You can install telnet on the client and use it to test if SSH daemon is running on the server end,

telnet compute.seimaxim.com 22
Trying 18.108.18.2...
Connected to 18.108.18.2.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.4
^]

If you are connected to an SSH server and the above information is displayed on your console then use ctrl+] and quit the ssh connection.

How to troubleshoot password authentication error:

Perform the following troubleshooting steps if you get the error “Permission denied, please try again” after entering the password.

Make sure the password is correct.

If you are trying to log in as root, make sure PermitRootLogin value is set to yes in /etc/ssh/sshd_config file.

Check if your server configuration if the server allows passwords to authenticate incoming connections.

Check if your password is correct. You must have an account on the server end.

How to troubleshoot pubkey authentication error:

Check file and directory permissions of SSH configuration on server and client end.

Client system:
~/.ssh/id_* permissions should be 600
~/.ssh/config permissions should be 600

Server system:
~/.ssh/authorized_keys permissions should be 600
~/.ssh permissions should be 700
~/.ssh/authorized_keys should be owned by your account
~/.ssh should be owned by your account

Secondly, make sure PubkeyAuthentication the configuration parameter is enabled on the server and it supports Public Key authentication.

Webconn Shared Hosting with SSH Secure Shell:

We offer SSH-enabled cPanel accounts on our fast and secure shared hosting server. You can use our shared hosting infrastructure to host your websites, use SSH for development, communication, or learning purpose.

Leave a Reply