Written by: David Supuran
Contact me: email@example.com
Verification in SSHD with RSA vs. passwords
RSA is an encryption scheme using a public/private key system. A public key is used to encrypt data, and a private key is used to decrypt data. Each key can only be
used for the one specified crypt which makes it a worthy encryption scheme compared to single key algorithms which enable you to encrypt/decrypt data with one key in certain circumstances. I will explain this
As passwords are a widely used verification system. You may enter a password and send it over the internet. When it travels over the internet it passes through multiple routers/computers
at any given time which is why any important data should be well encrypted that travels over the internet. If SSHD is allowing plain text passwords to be sent (and it is set so on generally every box I've
seen in production) over the internet there is a risk your password might be viewed by a 3rd party. This is where the public/private key encryption scheme of RSA comes into play. A user will generate their
RSA key pair by running ssh-keygen(1) storing the private key in ~/.ssh/identity and the public key in ~/.ssh/identity.pub where ~ is the user's home directory. The private key (~/.ssh/identity) will be
needed on the user's account he wishes to login from, then the public key (~/.ssh/identity.pub) is placed on the remote account in ~/.ssh/authorized_keys. Only one public key can be placed per line in
~/.ssh/authorized_keys, so please make sure you do not wrap the lines. At this time a user will be able to login from the account with the private key to the account with the public key without being
prompted for a password.
This all sounds nice, but I still don't understand how RSA is more secure
than passwords. With RSA your private key is never transmitted over the
internet, or used in an
insecure manner. SSHD will check to see if a authorized_key belongs to you by using the public key to encrypt a random string, then asking the client to decrypt this encrypted string with it's private key and
send back the plain text. With this way of verification no password is sent over the internet making it more secure.
If you wish to read more on the subjects I suggest ssh(1), ssh-agent(1), sshd(8),
and the readme files included with the SSHD.