Detailed Explanation of SSH Public Key Authentication and Private Key Protection Mechanisms
1. Description
SSH public key authentication is an asymmetric encryption-based identity verification method used to replace password login, improving security and convenience. Its core principle is that the client generates a key pair (public and private keys), uploads the public key to the server, and verifies the client's identity through digital signatures during login. The secure protection of the private key is crucial to this mechanism, involving file encryption, cryptographic hardware (e.g., HSM), and other measures.
2. Complete Public Key Authentication Process
Step 1: Key Pair Generation
- The client uses a tool (e.g., ssh-keygen) to generate an asymmetric key pair:
  - Private Key (e.g., id_rsa) remains on the client and must be kept strictly confidential.
  - Public Key (e.g., id_rsa.pub) can be publicly distributed and needs to be uploaded to the server's ~/.ssh/authorized_keys file.
- Example generation command:
  ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
  - -t rsa: Specifies the RSA algorithm;
  - -b 4096: Key length is 4096 bits.
Step 2: Deploy Public Key to Server
- Append the public key content to the server user's authorized_keys file:
  ssh-copy-id -i ~/.ssh/id_rsa.pub user@server_ip
- Note file permissions for manual deployment:
  - ~/.ssh directory permissions should be 700 (drwx------).
  - authorized_keys file permissions should be 600 (-rw-------).
Step 3: Authentication Process
- The client initiates an SSH connection request.
- The server generates a random challenge, encrypts it with the client's public key, and sends it to the client.
- The client uses the private key to decrypt the challenge and generates a signature, which is returned to the server.
- The server verifies the signature using the public key. If it matches, authentication succeeds.
3. Private Key Protection Mechanisms
(1) Private Key File Encryption (Passphrase Protection)
- A passphrase can be set when generating the key to symmetrically encrypt the private key (e.g., AES-128-CBC).
- The passphrase must be entered to decrypt the private key for use, preventing immediate exploitation if the private key is leaked.
- Example:
ssh-keygen -p -f ~/.ssh/id_rsa # Add/modify passphrase for an existing private key
(2) ssh-agent Key Agent
- Temporarily stores the decrypted private key in memory to avoid repeatedly entering the passphrase:
  eval "$(ssh-agent -s)"   # Start the agent
  ssh-add ~/.ssh/id_rsa    # Add private key (requires entering the passphrase once)
- Security risk: If an attacker gains server access, they might steal the private key from memory via the SSH_AUTH_SOCK environment variable.
(3) Hardware Security Module (HSM) or Smart Card
- The private key is stored in hardware devices, and signing operations are performed within the device; the private key never leaves the device.
- Supports standards such as PKCS#11 or FIDO2 (e.g., YubiKey).
4. Common Attacks and Defenses
- Private Key Leakage:
  - Risk: An attacker can impersonate the user after obtaining the private key file.
  - Defense: Encrypt the private key with a passphrase and restrict private key file permissions (600).
- Man-in-the-Middle Attack:
  - Risk: Accepting a malicious server's public key fingerprint during the first connection.
  - Defense: Verify the server fingerprint (obtained through a trusted channel) or use SSH certificate authentication instead of public key authentication.
- authorized_keys Tampering:
  - Risk: An attacker adds a malicious public key to the file.
  - Defense: Set authorized_keys to read-only and enable log monitoring.
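The permission rules from Step 2 and the authorized_keys tampering defense above can be checked together. The following is an added example, not part of the original article: it flags group/other permission bits on ~/.ssh and authorized_keys and reports any key whose SHA256 fingerprint is missing from an approved baseline. The baseline set, the sample keys and the name alice@laptop are constructed for illustration.

```python
import base64, hashlib, os, re, stat, tempfile

# Common key types; anything else is reported as UNPARSEABLE rather than ignored.
KEY_TYPE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")
TOKEN = re.compile(r'(?:[^\s"]|"(?:\\.|[^"])*")+')  # keeps quoted option values whole

def fingerprint(blob_b64):
    """SHA256 fingerprint as `ssh-keygen -lf` prints it; "" if the blob is not base64."""
    try:
        raw = base64.b64decode(blob_b64, validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return ""
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return [(line_no, options, key_type, fingerprint)]; options may precede the type."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        tokens = TOKEN.findall(line)
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens[:2]) if KEY_TYPE.match(t)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append((no, "", "UNPARSEABLE", ""))
        else:
            entries.append((no, tokens[0] if idx else "", tokens[idx], fingerprint(tokens[idx + 1])))
    return entries

def audit(ssh_dir, approved):
    """Return findings: group/other permission bits, and keys missing from the baseline."""
    findings, ak = [], os.path.join(ssh_dir, "authorized_keys")
    for path in (ssh_dir, ak):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:  # anything beyond 700 (directory) / 600 (file)
            findings.append(f"PERM {path} mode {mode:o}")
    with open(ak) as fh:
        for no, opts, ktype, fp in parse_authorized_keys(fh.read()):
            if fp not in approved:
                findings.append(f"KEY line {no}: {ktype} {fp} options={opts!r}")
    return findings

def demo():
    """Constructed sample: one approved key, one appended key, file left at mode 644."""
    blob = lambda c: base64.b64encode(b"\0\0\0\x0bssh-ed25519\0\0\0\x20" + c * 32).decode()
    good, rogue = blob(b"A"), blob(b"B")
    ssh_dir = tempfile.mkdtemp()  # created with mode 700
    with open(os.path.join(ssh_dir, "authorized_keys"), "w") as fh:
        fh.write(f"# constructed sample\nssh-ed25519 {good} alice@laptop\n"
                 f'command="/usr/bin/true",no-pty ssh-ed25519 {rogue} unknown\n')
    os.chmod(fh.name, 0o644)
    return audit(ssh_dir, {fingerprint(good)})
```

Calling demo() returns two findings: the 644 mode on authorized_keys and the unapproved key on line 3, including its options field. Against a real account, pass the user's ~/.ssh path and the fingerprints recorded when each key was approved.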
5. Advanced Practice: Certificate Authentication
- Similar to HTTPS certificates, client certificates are issued by a CA, and the server only needs to trust the CA's public key to verify all clients.
- Advantage: No need to deploy public keys on each server, suitable for large-scale environments.
Through the above steps, public key authentication strikes a balance between convenience and security, and private key protection is the core to ensuring the mechanism remains uncompromised.