6

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays its part.

Google found many explanations at detailed level, with either a narrow scope, or whose broad scope was cluttered with those details. Not to mention many incorrect or confused explanations and forum posts.

I ended up creating a couple of diagrams to clarify two things:

  • What files and actions are involved in preparing for SSH communication using keys
  • What those files do during the process of establishing a connection.

I will post these in an answer below.

Improve this question
1
  • 2
    Using ssh -vvv can be a good starting point to understanding what happens. Commented Oct 16, 2018 at 7:43

1 Answer 1

Reset to default
13

The following answer explains the files needed to prepare for ssh authentication using public-private key pairs ("Public Key Infrastructure" or "PKI"), and how those files are used during an actual ssh session. Some specifics here use names and directories that apply to linux, but the principles apply across all platforms, which use programs and files parallel to these. The main features of interest are:

  • User machine
    • User key pair: Public and private, which the client-side user has to create using ssh-keygen, creating files with names such as:
      • ~/.ssh/id_rsa (private) and
      • ~/.ssh/id_rsa.pub (public)
      • In preparation, must be given to host's authorized_keys file
    • ~/.ssh/known_hosts
      • which receives the public key from the server, if user accepts it on first log in.
  • Host (server) machine
    • Host key pair: Public and Private
      • are automatically created at some point like installation of openssh on the server. Typical names:
      • /etc/ssh/ssh_host_rsa_key (private)
      • /etc/ssh/ssh_host_rsa_key.pub (public)
      • host offers the public key to the client-side user the first time the client-side user tries to connect with ssh. Client will store host's key in known_hosts
    • ~/.ssh/authorized_keys
      • In preparation, must be given the public key of each user who will log in.
  • Sequence of events in an actual SSH (or rsync) session, showing how the files are involved.

(Note that there are two different common signature algorithms, RSA and DSA, so where this discussion uses 'rsa', the string 'dsa' could appear instead.)

Configuration/preparation enter image description here

SSH connection and use enter image description here

I hope these diagrams will be helpful.

Improve this answer
5
  • 3
    Thank you. After much searching, this is the clearest explanation I've found that takes into consideration all the files involved. Commented Feb 21, 2020 at 23:57
  • 1
    This is the definitive crash course for OpenSSH/PKI configuration. You should copy/paste this to a hashnode or medium article Commented May 9, 2022 at 7:48
  • 1
    @NickMitchell your comment is encouraging :-) Commented May 10, 2022 at 11:25
  • Thank you. Just missing the supporting docs. However, after checking some documentation, yours seems a fair summary. Commented Jun 27, 2023 at 11:50
  • Returning to this after several years, I think there may be a mistake in the "SSH connection and use" diagram. Where I wrote "Message encrypted with client's (joe's) public key", I think it should say "Message encrypted with client's (fred's) public key". Ie: local fred's public key as previously OK'ed and stored in remote joe's authorized_keys. Commented Jun 28, 2023 at 6:39

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.