Tutorial on configuring the SSH client


Topic 1 - Information required for public key authentication

Public key authentication of the SSH client requires a user id and a public-private key pair.

The user id must correspond to an actual user id on the host on which the SSH server resides.

The public-private key pair is a symmetrical pair of encryption keys. "Symmetrical" means that a message encrypted using the public key can be decrypted using the private key, and vice versa.

The image below illustrates how the public and private keys are used to configure the SSH server and SSH client. This image shows the general process for any system (not the exact process for Host On-Demand).

Public-private key pair

Not used for encrypting message traffic after the SSH session has started

In the SSH protocol, the public-private key pair that is used for client authentication is not also used for encrypting data after the SSH session has started. Instead, the SSH server separately generates keys for encrypting data.

Client authentication when a session is started

When the end user starts a session using SSH, client authentication occurs as follows:

  1. The SSH client notifies the host that it intends to use public key authentication, and sends to the SSH server its public key together with a signature (a known value encrypted with the client's private key).

  2. The SSH server checks its configuration and determines that it has been configured with a public key matching the one just received.

  3. The SSH server verifies the signature using the public key. (For example, the SSH server could encrypt the known value and compare it to the encrypted value just received from the SSH client, or could decrypt the encrypted value just received from the SSH client and compare it to the known value.)
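The three steps above, as an added example that is not part of this tutorial or of Host On-Demand: the client signs a known value with its private key, and the server first checks that the offered public key is one it has been configured with for that user id, then verifies the signature. It uses Ed25519 signatures from the Go standard library in place of the encrypt/decrypt description above; the session identifier standing in for the "known value", the user id, and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// AuthorizedKeys models the server-side configuration of step 2: for each
// user id, the public keys the server has been configured to accept.
type AuthorizedKeys map[string][]ed25519.PublicKey

// authRequest is what the client sends in step 1: the user id it wants to
// log in as, the public key it offers, and a signature over the known value.
type authRequest struct {
	User      string
	PublicKey ed25519.PublicKey
	Signature []byte
}

// clientRequest builds the step 1 message. knownValue is data both sides
// already share (in SSH, data derived from the session); it is never the
// session encryption key, which the server generates separately.
func clientRequest(user string, priv ed25519.PrivateKey, knownValue []byte) authRequest {
	return authRequest{
		User:      user,
		PublicKey: priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, knownValue),
	}
}

// serverVerify performs steps 2 and 3. It rejects a key that is not
// configured for the user id before it spends any time on the signature.
func serverVerify(keys AuthorizedKeys, req authRequest, knownValue []byte) (bool, string) {
	known := false
	for _, k := range keys[req.User] {
		if bytes.Equal(k, req.PublicKey) {
			known = true
			break
		}
	}
	if !known {
		return false, "public key is not configured for user " + req.User
	}
	if !ed25519.Verify(req.PublicKey, knownValue, req.Signature) {
		return false, "signature does not verify against the offered public key"
	}
	return true, "authenticated"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // the end user's key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the server was never given
	knownValue := []byte("constructed-session-id-0001")
	keys := AuthorizedKeys{"hoduser": {pub}}
	fmt.Println(serverVerify(keys, clientRequest("hoduser", priv, knownValue), knownValue))
	fmt.Println(serverVerify(keys, clientRequest("hoduser", otherPriv, knownValue), knownValue))
}
```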
