6 ssh authentication methods to secure connection (sshd_config)

The SSH protocol (aka Secure Shell) is used to establish secure and reliable communication between two hosts. It supports several authentication methods and uses strong encryption to protect the exchanged data. SSH-based communication can replace clear-text remote CLI protocols (telnet, rlogin) and unencrypted file transfer methods (such as FTP). SSH can also be used for port forwarding and tunneling, X11 forwarding, building a VPN, acting as a SOCKS proxy, and even securely mounting remote directories locally.


In this article we will walk through the different OpenSSH authentication methods available, with examples on RHEL/CentOS 7 and 8 servers.

Throughout this article, rhel-7.example.com is the client and rhel-8.example.com is the server.

For the sake of this article I have disabled SELinux on both of my Linux servers.


OpenSSH Authentication Methods

Here is a list of the configuration parameters that control the different OpenSSH authentication methods:

  • Password authentication: The client asks you to enter a password and sends it over the encrypted connection to authenticate itself to the server.
  • Public key authentication: Each client uses a key pair to authenticate itself to the server. The server must find the matching public key in its list of allowed keys.
  • Host based authentication: Similar to public key authentication, but the client must not only present the correct key, it must also connect from the correct host.
  • Keyboard authentication: The server uses the client to present zero or more prompts to the person at the client machine and collects their answers.
  • Challenge Response Authentication: Used to configure keyboard authentication. A specific backend is needed to send the challenges and check the responses.
  • GSSAPI Authentication: GSSAPI is an IETF standard for strong encrypted authentication. OpenSSH uses GSSAPI and Kerberos 5 code to authenticate clients.

These parameters can be used to configure both the OpenSSH server (sshd_config) and the OpenSSH client (ssh_config). Refer to the respective man pages for additional information.

Let us cover all the available SSH authentication methods in detail with examples. I have used RHEL/CentOS 7 and 8 to verify these examples.


Password Authentication

This is the default SSH authentication method when OpenSSH is installed. Here you must provide the user's password to connect to the server. Make sure the parameter below is enabled in /etc/ssh/sshd_config on your server:

[root@rhel-8 ~]# egrep ^PasswordAuthentication /etc/ssh/sshd_config
PasswordAuthentication yes
NOTE: If you get blank output, the parameter is probably not defined at all. It is enabled by default, but it is still recommended to add this entry explicitly if you wish to use password based SSH authentication, followed by a restart of the sshd service.


Public key authentication

To improve system security further, generate an SSH key pair and then enforce key-based authentication by disabling password authentication. Change the PasswordAuthentication option in /etc/ssh/sshd_config on the server side as follows, so that only PubkeyAuthentication is allowed:

[root@rhel-8 ~]# egrep ^'PasswordAuthentication|PubkeyAuthentication' /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Restart the sshd service to activate the changes. Now I execute SSH from my client in verbose mode:

[root@rhel-7 ~]# ssh -v rhel-8
..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
..

Since we disabled password authentication without having configured any public key for this client, SSH authentication failed. Next I will configure public key authentication using an RSA key and re-attempt:

[root@rhel-7 ~]# ssh -v rhel-8
..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
..
debug1: Authentication succeeded (publickey).
Authenticated to rhel-8 ([10.10.10.7]:22).
..

So public key based SSH authentication was successful.

If you wish to further secure your environment, you can completely disable password based SSH authentication:

[root@rhel-8 ~]# egrep ^'PasswordAuthentication|PubkeyAuthentication' /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Restart the sshd service to activate the changes.


Host Based Authentication

This allows or denies authentication based on .rhosts or /etc/ssh/shosts.equiv together with a successful public key authentication of the client host. Host based authentication is rarely used in most environments, because it enables passwordless authentication for every user on the trusted host, which may not be safe and secure. It can be narrowed down, however, by enabling host based authentication only inside a Match directive.

I have already enabled host based authentication in my environment:

[root@rhel-7 ~]# ssh -v  rhel-8.example.com
..
debug1: Next authentication method: hostbased
debug1: userauth_hostbased: trying hostkey ecdsa-sha2-nistp256 SHA256:/r/FWD0IwFpOcuqEnFrkcNQZKI23vOzb94ZWjevwpMc
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
debug1: Remote: Accepted for rhel-7.example.com [10.10.10.10] by /etc/ssh/shosts.equiv.
..
Last login: Thu Nov 21 21:23:52 2019 from rhel-7.example.com
[root@rhel-8 ~]#


Keyboard Authentication and ChallengeResponseAuthentication

This allows or denies keyboard-interactive authentication. The default value of KbdInteractiveAuthentication is taken from ChallengeResponseAuthentication, which is usually set to yes.

You can enable keyboard-interactive authentication using the values below in /etc/ssh/sshd_config:

KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes

People get confused by this because, by default, "keyboard-interactive" authentication usually just implements password authentication in a single challenge-response cycle: it prompts for a password and therefore looks exactly like "password authentication". If you are not deliberately using both for different purposes, you may want to disable one or the other to avoid end-user confusion.

So to configure basic keyboard-interactive authentication, disable all other authentication methods in /etc/ssh/sshd_config on the server node and only enable keyboard authentication.

After doing the required configuration on the server side (rhel-8), I execute SSH from the client (rhel-7):

[root@rhel-7 ~]# ssh -vvv rhel-8.example.com
..
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:   <-- Here since we have not enabled any other module for keyboard-interactive auth, it prompts for password
..
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..

Similarly, observe the logs on the server node (rhel-8). Depending on your rsyslog configuration the logs may be under /var/log/sshd, /var/log/secure or /var/log/messages; alternatively you can use journalctl to view them.

Nov 22 08:49:30 rhel-8.example.com sshd[8434]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 42180 ssh2
Nov 22 08:49:30 rhel-8.example.com systemd-logind[1057]: New session 38 of user root.
Nov 22 08:49:30 rhel-8.example.com systemd[1]: Started Session 38 of user root.

As you can see, we authenticated using the keyboard-interactive method. If you use password authentication for the SSH connection instead, the logs would look like this:

Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
Nov 22 08:53:15 rhel-8.example.com systemd-logind[1057]: New session 39 of user root.
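The method name in the "Accepted ... for ... from ..." line is what lets you verify from the server side which of these methods clients are really using, and whether a "PasswordAuthentication no" policy has actually taken effect. The script below is an added example, not part of the original article: it parses sshd log lines in that format and summarises accepted logins by method, password-based logins by user and source, and failed attempts by source address. The log lines are constructed for the demo (the publickey line's fingerprint is a placeholder) and are written to a temporary file; on RHEL the real input would be /var/log/secure or journalctl -u sshd.

```shell
#!/bin/sh
# Added example (not from the original article): summarise how clients are
# actually authenticating by parsing the "Accepted <method> for <user> from
# <ip> port <port> ssh2" lines that sshd writes. The log lines below are
# constructed for the demo; on RHEL the real input is /var/log/secure or
# "journalctl -u sshd".

SAMPLE_LOG="${TMPDIR:-/tmp}/secure.demo"

cat > "$SAMPLE_LOG" <<'EOF'
Nov 22 08:49:30 rhel-8.example.com sshd[8434]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 42180 ssh2
Nov 22 08:49:30 rhel-8.example.com systemd-logind[1057]: New session 38 of user root.
Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
Nov 22 09:01:02 rhel-8.example.com sshd[8510]: Accepted publickey for deploy from 10.10.10.10 port 42190 ssh2: ED25519 SHA256:constructedFingerprintForDemo
Nov 22 09:03:44 rhel-8.example.com sshd[8520]: Accepted hostbased for root from 10.10.10.10 port 42194 ssh2
Nov 22 09:05:10 rhel-8.example.com sshd[8531]: Failed password for invalid user admin from 192.0.2.55 port 51022 ssh2
Nov 22 09:05:12 rhel-8.example.com sshd[8531]: Failed password for invalid user admin from 192.0.2.55 port 51022 ssh2
EOF

# Field layout of a syslog line: $5 is "sshd[PID]:", $6 is Accepted/Failed,
# $7 is the method; the user sits just before "from" and the IP just after it.

# accepted_by_method FILE -> "method count" lines, sorted by method.
# "keyboard-interactive/pam" is reported as plain keyboard-interactive.
accepted_by_method() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" {
        m = $7; sub(/\/.*/, "", m)
        n[m]++
    }
    END { for (m in n) print m, n[m] }' "$1" | sort
}

# password_family_logins FILE -> "user ip count" for accepted logins that
# relied on a password (password or keyboard-interactive), i.e. exactly the
# logins a "PasswordAuthentication no" policy is meant to eliminate.
password_family_logins() {
    awk '$5 ~ /^sshd\[/ && $6 == "Accepted" {
        m = $7; sub(/\/.*/, "", m)
        if (m != "password" && m != "keyboard-interactive") next
        for (i = 8; i <= NF; i++) if ($i == "from") { print $(i-1), $(i+1); break }
    }' "$1" | sort | uniq -c | awk '{ print $2, $3, $1 }'
}

# failed_by_source FILE -> "ip count" of failed attempts per source address.
failed_by_source() {
    awk '$5 ~ /^sshd\[/ && $6 == "Failed" {
        for (i = 8; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) print ip, n[ip] }' "$1" | sort
}

echo "accepted logins by method:";  accepted_by_method "$SAMPLE_LOG"
echo "password-based logins:";      password_family_logins "$SAMPLE_LOG"
echo "failed attempts by source:";  failed_by_source "$SAMPLE_LOG"
```

If password-based logins still appear after you have set PasswordAuthentication no, check whether keyboard-interactive authentication is still enabled, since as described above it prompts for a password through PAM and is logged as keyboard-interactive/pam rather than as password.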

Keyboard-interactive authentication is intended primarily to accommodate PAM authentication on the server side. It provides a multi-step challenge-response dialog with the user, in which the server sends a text query, the user types a response, and the process can repeat any number of times. For example, you might configure PAM for SSH with a module that performs authentication using an RSA security token or a one-time password scheme.

Below are some more options which can be used for Keyboard Authentication with SSH


GSSAPI Authentication

We can configure single sign-on using GSSAPI authentication, so that we log in on one RHEL host and use ssh to connect to another RHEL host without typing a password or using ssh keys. This requires that your Linux hosts are joined to Windows Active Directory or an IPA server. SSH can then be set up to use Kerberos authentication.

The following two parameters are used for GSSAPI authentication:

  • GSSAPIAuthentication: Specifies whether to enable GSSAPI authentication, through a successful key exchange (in this case a Kerberos ticket exchange) or through password authentication. The default is yes.
  • GSSAPIKeyExchange: Specifies whether to enable GSSAPI authentication through key exchange.

Additionally, to enable GSSAPI authentication with Kerberos you will also need

KerberosAuthentication yes

in your /etc/ssh/sshd_config file on your server node.


Lastly, I hope this article on the different SSH authentication methods in Linux was helpful. Let me know your suggestions and feedback in the comment section.
