SSH Password v Public/Private Key Authentication

SSH allows communicate to be achieved between two computers (usually used to control a remote computer), there are two parts to a SSH connect and that is a SSH server located on the machine we wish to connect to and a SSH client which allows us to connect to the SSH server. We need authentication methods on a SSH server to stop unwanted users remotely logging in, SSH is normally used to connect to a remote computer through the internet and so we need to apply restrictions to stop anyone from just connecting and performing changes. To stop unauthorised access we create user accounts on the remote computer, when we first start a connection we are asked to provide the username we want to login with and then the password or a private key (depending on the authentication method used by the SSH server) corresponding to the selected user.

In this post I am going to explain the differences between password and private key authentication and why you should use private key authentication. I have written a previous post about SSH which can be found here.

Password Authentication
Password authentication is the process of logging in using a password which is associated with the selected user account, this is the easiest login method mainly due to passwords being used throughout the internet (online banking, shopping, eBay …..), this is also the default setting for a SSH server when first installed. It may seem secure but it does have its risks, to have a secure password it needs to consist of numbers, letters, capitals and symbols all in a random sequence making it incredibly hard to guess, but a password like this most probably isn’t easy to remember so will be written down somewhere (sticky note, notebook …) this is a security risk, even if the password isn’t written down there’s always the risk of a bruit force attack which will effectually if left long enough guess your password and once someone knows your password they can gain access immediately. Public key and private key authentication remove this issue and should always be used for that added security.

Good

  • Passwords can be easy to remember
  • Any user can login easily using a password

Bad

  • Subject to bruit force attacks
  • Passwords are easy to steal if written down
  • If password is known instant access can be achieved
  • Easy passwords can be guessed easy
  • A compromised account could compromise the whole system
  • Any computer can login with just the password

Public and Private Key Authentication
Key authentication works slightly different to password authentication you provide the username you wish to login with, then instead of a password the SSH server presents you with a public key, your SSH client then replies with the private key which corresponds with the public key and the server allows or disallows the login depending if the key was correct. No one can pass this stage without the correct private key which should be kept save and only issued to people who need to login using SSH, no login can be achieved without a matching key set stopping all bruit force password attempts. That is the 1st hurdle and a second one can be setup making it even harder to login, during the public and private key creation a password can be provided, this password encrypts the private key making it impossible to decrypt without the password. This type of private key is used in the exact same manner as a none pass worded key except when your SSH client goes to send the private key response it will ask for the password, without this password the key will not be decrypted and the SSH server will reject the login. This creates two hurdles which need to be passed to successfully login being the correct private key needs to be provided and if a password was setup then the password also needs to be provided. The whole world can know the password but without the private key no login can be achieved.

Good

  • The matching private key must be provided during login.
  • Only 1 private key is valid (can’t be faked).
  • Private key can be encrypted adding password authentication as a second defence
  • Each user account has a separate public and private key set.
  • The correct keys must be provided for the different users (can’t use 1 private key to login into all users).
  • Stops bruit force password attempts.
  • If password is known no login can be achieved without the private key if key was encrypted.

Bad

  • Can be harder for some users to setup the private key with their SSH client.
  • Lose your key you can’t gain access

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.