The SSH protocol (aka Secure Shell) is used to establish secure and reliable communications between two hosts. It supports different SSH authentication methods and uses strong encryption to protect the exchanged data. SSH-based communication can replace clear-text remote CLI protocols (telnet, rlogin) and unencrypted file transfer methods (such as FTP). SSH can also be used for port forwarding or tunneling, X forwarding, building VPNs, acting as a SOCKS proxy and even securely mounting remote directories locally.
In this article we will go through the different OpenSSH authentication methods available, with examples on RHEL/CentOS 7 and 8 Linux servers.
In this article, client refers to the local host from which we initiate the SSH connection, while server refers to the target host you wish to connect to. For example, if I initiate an SSH connection from node1 towards node2, then node1 is the client and node2 is the server. Here rhel-7.example.com will be our client and rhel-8.example.com will be our server.
For the sake of this article I have disabled SELinux on both my Linux servers.
OpenSSH Authentication Methods
Here is a list of the OpenSSH authentication methods that can be set up with the supported configuration parameters:
- Password authentication: The client asks you to enter a password and sends it over the encrypted SSH transport; the server uses it to authenticate you.
- Public key authentication: Each client uses a key pair to authenticate itself to the server. The server must find the public key in its list of allowed keys.
- Host based authentication: This method is similar to public key authentication, but the client must not only present the correct key, it must also connect from the correct host.
- Keyboard-interactive authentication: The server sends zero or more prompts to the client, which presents them to the user and returns the answers.
- Challenge Response Authentication: Used to enable keyboard-interactive authentication; a specific backend sends the challenges and checks the responses.
- GSSAPI Authentication: GSSAPI is an IETF standard for strong, encrypted authentication. OpenSSH uses GSSAPI with Kerberos 5 code to authenticate clients.
These parameters can be used to configure both the OpenSSH server and the OpenSSH client. Please refer to the appropriate man pages for additional information.
Let us cover all the available SSH authentication methods in detail with examples. I have used RHEL/CentOS 7 and 8 to verify these examples.
Password Authentication
This is the default SSH authentication method when OpenSSH is installed. Here you must provide the user's password to connect to the server. Make sure the parameter below is enabled in /etc/ssh/sshd_config on your server.
[root@rhel-8 ~]# egrep ^PasswordAuthentication /etc/ssh/sshd_config
PasswordAuthentication yes
Public key authentication
To improve system security even further, generate SSH key pairs and then enforce key-based authentication by disabling password authentication. Change the PasswordAuthentication option in /etc/ssh/sshd_config on the server side as follows, so that only PubkeyAuthentication is allowed:
[root@rhel-8 ~]# egrep ^'PasswordAuthentication|PubkeyAuthentication' /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
Restart the sshd service to activate the changes. Now I run SSH from my client in verbose mode:
[root@rhel-7 ~]# ssh -v rhel-8
..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Trying private key: /root/.ssh/id_ed25519
debug1: No more authentication methods to try.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
..
Since we disabled password authentication without having configured any public key based authentication, SSH has failed. Next I will configure public key authentication using an RSA key and try again:
[root@rhel-7 ~]# ssh -v rhel-8
..
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic
..
debug1: Authentication succeeded (publickey).
Authenticated to rhel-8 ([10.10.10.7]:22).
..
So public key based SSH authentication was successful.
If you wish to further secure your environment, you can completely disable password based SSH authentication.
[root@rhel-8 ~]# egrep ^'PasswordAuthentication|PubkeyAuthentication' /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes
Restart the sshd service to activate the changes.
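Grepping for a keyword, as above, only shows the lines present, not the value sshd actually uses: sshd takes the first value it reads for each keyword, and keywords inside a Match block apply only to matching connections. The following added script (not from the original article) resolves a keyword the way sshd does and checks whether a config really leaves key-based login as the only interactive method; it assumes plain whitespace-separated "Keyword value" lines and uses constructed sample configs.

```shell
#!/bin/sh
# Added example, not from the original article. sshd resolves each sshd_config
# keyword to the FIRST value it reads, and keywords inside a Match block apply only
# to matching connections, so "grep ^PasswordAuthentication" can show a reassuring
# "no" that sshd never uses. On a real server, "sshd -T" prints the resolved config.
# sshd_effective <keyword> <file>: print the effective global value, or "unset".
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { k = tolower($1) }
        k == "match" { inmatch = 1; next }       # rest of the file is Match-scoped
        inmatch || k == "" || k ~ /^#/ { next }  # skip Match bodies, blanks, comments
        k == key && !found { found = 1; print $2 }
        END { if (!found) print "unset" }
    ' "$2"
}
# check_key_only <file>: return 0 only when password-style prompts are all
# explicitly off and public key login is not disabled.
check_key_only() {
    rc=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication KbdInteractiveAuthentication; do
        v=$(sshd_effective "$kw" "$1")
        # require an explicit "no": an unset keyword falls back to a default
        # (yes, or the ChallengeResponseAuthentication value) that allows prompts
        [ "$v" = no ] || { echo "$kw effective value is '$v': password prompts still possible"; rc=1; }
    done
    [ "$(sshd_effective PubkeyAuthentication "$1")" != no ] ||
        { echo "PubkeyAuthentication is 'no': key-based login disabled"; rc=1; }
    return $rc
}
# Constructed sample configs: in the first, the later "PasswordAuthentication no"
# loses to the earlier "yes", and the Match-scoped keyword is not global.
SAMPLE_CFG=$(mktemp); FIXED_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$FIXED_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    KbdInteractiveAuthentication yes
EOF
cat > "$FIXED_CFG" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
EOF
check_key_only "$SAMPLE_CFG" || echo "sample config: NOT key-only"
check_key_only "$FIXED_CFG" && echo "fixed config: key-only"
```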
Host Based Authentication
This allows or denies authentication based on rhosts or shosts.equiv, together with a successful public key client host authentication. This host based authentication method is not used in most environments, because it enables password-less authentication for all users on the client host, which may not be safe and secure. There are other ways around this, such as using the Match directive together with host based authentication.
I have already enabled host based authentication in my environment:
[root@rhel-7 ~]# ssh -v rhel-8.example.com
..
debug1: Next authentication method: hostbased
debug1: userauth_hostbased: trying hostkey ecdsa-sha2-nistp256 SHA256:/r/FWD0IwFpOcuqEnFrkcNQZKI23vOzb94ZWjevwpMc
debug1: Authentication succeeded (hostbased).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
debug1: Remote: Accepted for rhel-7.example.com [10.10.10.10] by /etc/ssh/shosts.equiv.
..
Last login: Thu Nov 21 21:23:52 2019 from rhel-7.example.com
[root@rhel-8 ~]#
Keyboard Authentication and ChallengeResponseAuthentication
This allows or denies keyboard-interactive authentication. The default value of KbdInteractiveAuthentication is taken from ChallengeResponseAuthentication, which is usually set to yes.
You can enable keyboard-interactive authentication using the values below in /etc/ssh/sshd_config:
KbdInteractiveAuthentication yes
ChallengeResponseAuthentication yes
People become confused by this because by default, "keyboard-interactive" authentication usually just implements password authentication in a single challenge-response cycle, which just prompts for a password, thus looking exactly the same as "password authentication". If you're not deliberately using both for different purposes, you may want to disable one or the other to avoid end-user confusion.
So to configure basic keyboard-interactive authentication, disable all other authentication methods in /etc/ssh/sshd_config on the server node and enable only keyboard-interactive authentication.
After doing the required configuration on the server side (rhel-8), I run SSH from the client (rhel-7):
[root@rhel-7 ~]# ssh -vvv rhel-8.example.com
..
debug1: Authentications that can continue: keyboard-interactive
debug3: start over, passed a different list keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:    <-- Here, since we have not enabled any other module for keyboard-interactive auth, it prompts for a password
..
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to rhel-8.example.com ([10.10.10.7]:22).
..
Similarly, observe the logs on the server node (rhel-8). Depending on your rsyslog configuration the logs can be in /var/log/sshd, /var/log/secure or /var/log/messages; alternatively you can use journalctl to view them.
Nov 22 08:49:30 rhel-8.example.com sshd[8434]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 42180 ssh2
Nov 22 08:49:30 rhel-8.example.com systemd-logind[1057]: New session 38 of user root.
Nov 22 08:49:30 rhel-8.example.com systemd[1]: Started Session 38 of user root.
As you can see, we authenticated using the keyboard-interactive method. If instead you use password authentication for the SSH connection, the logs would look like the following:
Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
Nov 22 08:53:15 rhel-8.example.com systemd-logind[1057]: New session 39 of user root.
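The "Accepted <method> for <user> from <address>" lines above are the most reliable record of which method a login actually used, whatever the config file says. The following added script (not from the original article) summarises those lines and flags password-style logins that should no longer occur once PasswordAuthentication is off; it assumes the classic syslog line format shown above and uses a constructed sample log built around the article's own lines.

```shell
#!/bin/sh
# Added example, not from the original article: triage sshd "Accepted ..." lines
# (classic syslog format as in /var/log/secure) to see which authentication
# method each login really used. After PasswordAuthentication is turned off, an
# accepted "password" or "keyboard-interactive/pam" login means the setting is not
# in effect or keyboard-interactive was left enabled, so those lines are flagged.

# accepted_summary <logfile>: "count method user source", busiest first.
accepted_summary() {
    awk '$6 == "Accepted" { n[$7 " " $9 " " $11]++ }   # $7 method, $9 user, $11 source
         END { for (k in n) print n[k], k }' "$1" | sort -k1,1nr -k2
}

# password_style_logins <logfile>: print accepted logins that used neither a key,
# a host key nor GSSAPI; exit 1 when any were found, 0 when the log is clean.
password_style_logins() {
    awk '$6 == "Accepted" && $7 !~ /^(publickey|hostbased|gssapi)/ {
             print $1, $2, $3, $7, "login for", $9, "from", $11; found = 1
         }
         END { exit found }' "$1"
}

# Constructed sample log: the first three lines are the article's own log lines,
# the rest are made up to show key-based and host-based logins being left alone.
SAMPLE_LOG=$(mktemp); trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 22 08:49:30 rhel-8.example.com sshd[8434]: Accepted keyboard-interactive/pam for root from 10.10.10.10 port 42180 ssh2
Nov 22 08:49:30 rhel-8.example.com systemd-logind[1057]: New session 38 of user root.
Nov 22 08:53:15 rhel-8.example.com sshd[8482]: Accepted password for root from 10.10.10.10 port 42182 ssh2
Nov 22 09:01:02 rhel-8.example.com sshd[8510]: Accepted publickey for deploy from 10.10.10.20 port 42190 ssh2: ED25519 SHA256:constructed
Nov 22 09:05:44 rhel-8.example.com sshd[8533]: Accepted publickey for deploy from 10.10.10.20 port 42195 ssh2: ED25519 SHA256:constructed
Nov 22 09:10:11 rhel-8.example.com sshd[8560]: Accepted hostbased for root from 10.10.10.10 port 42201 ssh2
EOF
accepted_summary "$SAMPLE_LOG"
password_style_logins "$SAMPLE_LOG" || echo "WARNING: password-style logins found; check sshd -T"
```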
Keyboard-interactive authentication is intended primarily to accommodate PAM authentication on the server side. It provides for a multiple challenge-response dialogue with the user, in which the server sends a text query, the user types a response, and this can repeat any number of times. So, for example, you might configure PAM for SSH with a module that performs authentication using an RSA security token or a one-time password scheme.
Below are some more options that can be used with keyboard-interactive authentication in SSH:
- PAM → You can use the Google Authenticator PAM module to configure two-factor authentication
- Kerberos
- RSA SecurID
- RADIUS
GSSAPI Authentication
We can configure single sign-on using GSSAPI authentication, so that we log in to one RHEL host and use ssh to connect to another RHEL host without typing a password or using SSH keys. This requires that your Linux host is joined to Windows Active Directory or an IPA server. You can then set up SSH to use Kerberos authentication.
The following two parameters are used for GSSAPI authentication:
- GSSAPIAuthentication: Specifies whether to enable GSSAPI authentication, either through a successful key exchange (in this case a Kerberos ticket exchange) or through password authentication. The default is yes.
- GSSAPIKeyExchange: Specifies whether to enable GSSAPI authentication through key exchange.
Additionally, to enable GSSAPI authentication with Kerberos you will also need KerberosAuthentication yes in the /etc/ssh/sshd_config file on your server node.
Lastly, I hope this article on the different SSH authentication methods in Linux was helpful. Let me know your suggestions and feedback in the comment section.
Great article. Very helpful.
Please create article for ssh keyboard authentication using multiple question & answers.
Thanks for your suggestion, I will add it to my TODO list