SSH authentication sequence and key files : explain

ssh pki ssh-keys

As a background to troubleshooting various problems using SSH and rsync with key pairs, I wanted a straightforward overview of the sequence of events that takes place during SSH authentication, and how each of the several client and host files plays its part.

Google found many explanations at detailed level, with either a narrow scope, or whose broad scope was cluttered with those details. Not to mention many incorrect or confused explanations and forum posts.

I ended up creating a couple of diagrams to clarify two things:

  • What files and actions are involved in preparing for SSH communication using keys
  • What those files do during the process of establishing a connection.

I will post these in an answer below.


The following answer explains the files needed to prepare for ssh authentication using public-private key pairs ("Public Key Infrastructure" or "PKI"), and how those files are used during an actual ssh session. Some specifics here use names and directories that apply to linux, but the principles apply across all platforms, which use programs and files parallel to these. The main features of interest are:

  • User machine
    • User key pair: Public and private, which the client-side user has to create using ssh-keygen, creating files with names such as:
      • ~/.ssh/id_rsa (private) and
      • ~/.ssh/id_rsa.pub (public)
      • In preparation, must be given to host's authorized_keys file
    • ~/.ssh/known_hosts
      • which receives the public key from the server, if user accepts it on first log in.
  • Host (server) machine
    • Host key pair: Public and Private
      • are automatically created at some point like installation of openssh on the server. Typical names:
      • /etc/ssh/ssh_host_rsa_key (private)
      • /etc/ssh/ssh_host_rsa_key.pub (public)
      • host offers the public key to the client-side user the first time the client-side user tries to connect with ssh. Client will store host's key in known_hosts
    • ~/.ssh/authorized_keys
      • In preparation, must be given the public key of each user who will log in.
  • Sequence of events in an actual SSH (or rsync) session, showing how the files are involved.

(Note that there are two different common signature algorithms, RSA and DSA, so where this discussion uses 'rsa', the string 'dsa' could appear instead.)

Configuration/preparation enter image description here

SSH connection and use enter image description here

I hope these diagrams will be helpful.

Related

Connecting two buildings, 250 meters, heavy snow country, high lighting risk
systemctl stops Tomcat service immediately after start
How can IPv6 clients find servers such as NTP, SIP
Shrinking a preallocated VMDK
What is Edge to Edge Routing?
Journalctl and syslog: How does it actually work? [closed]
ReFS with or without hardware RAID? With or without storage spaces?
Is there any possibility to migrate vm from Redhat Virtualization to Hyper-V?
How to choose between Elastic Container Service (ECS) or Elastic Container Registry (ECR), Elastic Beanstalk, and Lambda?
ISCSI and Windows Server 2019
How does DKIM work when sending emails from multiple sources/servers?
Hardening a file-serving Windows Server 2019 instance