With the rise of remote work in the age of the epidemic, exposure to remote desktop (RDP) and secure shell (SSH) has increased; Edgescan Reported a 40% increase in 2020 only. Password-free SSH promises to make SSH more secure by eliminating the use of weak or cumbersome passwords. Let’s learn a little more about SSH authentication without a password
Secure socket casing, often called secure casing or SSH, was written by Tattoo will lament In 1995 and has since evolved into OpenSSH and other products. SSH is a network protocol that helps create a secure communication channel between two open network devices (i.e., the Internet).
SSH is almost inevitable whether you are a network administrator, DevOps engineer or Chief Information Security Officer (CISO). It is available on Unix, Linux and Mac systems. However, traditionally this involves manually entering a username and password of an admin to authenticate to gain access to the server. Using a weak password that is easy to guess leaves your organization and its data at risk for rough power attacks and closing credentials. This is where SSH authentication without a password can help.
But what is SSH without a password? And what are the five SSH password-free authentication methods to keep in mind for your organization? Here is our look at the topic …
What is SSH without a password?
As the name implies, SSH without a password refers to the process of proving your identity to your server (authentication) using a secure shell without the use of a password. This approach circumvents the need to create complex passwords that are difficult to remember and avoids the issue of relying on the weak ones that may be harmed.
You see, SSH authentication can be achieved using several different methods, the two main ones being passwords or cryptographic key pairs:
- The traditional method involves manually entering your username and password (i.e., a secret) to prove your identity. It validates you and allows you to have authorized access to secure resources.
- Password-free SSH allows you to authenticate by displaying a cryptographic key on your device through your SSH client instead of entering your username and password. Of course, this private key may require you to enter a password for the first activation connection, but you will not have to do it again for subsequent activations.
We’ll talk more about how everything works a little later in the area. But the main finding from this section is that SSH password-free authentication gives you access to your account (and all that it entails) using cryptographic keys, so you do not have to type a password every time.
Why is SSH used without a password?
SSH is the primary method for remote access and Linux server management. As such, SSH is used by organizations of all sizes to manage web servers and other servers that they do not manage through direct physical access. Because Almost 80% of the internet runs on Unix (According to W3Techs), this makes SSH a very common protocol.
Examples of these server-related activities include:
- Transferring files via SSH using the SSH file transfer protocol (FTP) or FTP via SSH
- Database access and management,
- Installation or updating of server software and web applications,
- Performing backups to servers,
- Executing remote terminal commands and / or GUI programs, and
- Troubleshoot servers.
The two devices that communicate using the SSH protocol are the client and the user’s server. A client can access the server by entering a username and password in the system.
SSH is meant to be secure, but bad players do not have to break the protocol to launch an attack; They can just break the password to protect it. Group IB Lists the distributed coarse force attacks on remote access interfaces, including RDP and SSH, as one of the looming threats coming in 2020-21.
True, longer passwords (or, better yet, password phrases) help, but do you know which is better? Password-free environment for transferring your data. This is why the company is moving towards SSH without a password. With an SSH connection without a password, the user does not have to enter the password again and again to gain access – it saves you valuable time as a developer or administrator.
How does SSH work without a password?
Password-free SSH works on the principles of asymmetric encryption or public key cryptography. It uses a set of two cryptographic keys – a public key and a private key. The private key is a long string of random characters stored in the SSH client’s memory. As the name implies, the private key is kept private or confidential. The public key is derived from the private key (but the private key can not be created from the public key) and can be shared with everyone, with both the client and the server having access to it.
The steps for customer authentication and the creation of a secure communication channel for the transmission of detailed data are as follows:
- An SSH client sends a request to the server to log in with its username and public key.
- The server responds with a random message encrypted in the client’s public key.
- The client decrypts the message sent by the server using its private key.
- The client sends the decrypted message to the server to prove that it has access to the private key.
- The server checks the message to make sure it is compatible. If it is compatible, it validates the client and allows the server to confirm his request to connect.
- A secure connection has been established, and the server and client can now communicate securely using SSH.
Why SSH keys are more secure than SSH passwords
There are a number of main reasons (sorry for the pun) why using SSH-based authentication is more secure than using traditional SSH passwords:
- SSH keys are more secure. Using the key also avoids the problem of users creating and relying on weak passwords. SSH keys are long and complex, making it difficult to guess or rough power.
- They offer comfort without compromising security. You do not have to remember a password to type, which could be listed, hacked or stolen.
- SSH keys do not require transmission to the server. Because the public key is stored on your server, you do not have to worry about it being transmitted over an insecure network. And because your private key stays with you, it is never sent to the server. On the other hand, a password will have to be sent to the server, which puts it at risk of being stolen or compromised.
How to configure SSH without a password
Now that we know what SSH is without a password and why it’s important, let’s see how you can run this process within your organization. To set up SSH without a password within your IT environment, it requires you to perform three main steps:
Create your own SSH keychains
In this process, you have the option to create a password phrase for additional security, but it is not required. By default, your key will be stored in your ~ / .ssh directory, usually in a file /id_rsa.pub. To create your keychain, use the following command to specify the key algorithm and key size:
ssh-keygen -t [algorithm] -b [keysize]
So it will look something like this if you choose to use the RSA algorithm:
ssh-keygen -t rsa -b 4096
For added security, you can also link your email address to a developer as a comment using the following modified command:
ssh-keygen -t rsa -b 4096 -C “email@example.com”
Upload the public key to the host (that is, the server you want to access remotely)
By completing this step, you provide the server with the tools it needs to identify you as a legitimate user when you log in using your key instead of a password. To upload your authorized public key and ID, use the following command:
So it will look something like this:
3. Check the server login process to make sure everything is working properly
After completing these other steps, it is time to make sure that the key does work as planned. To test the functionality of the key, log in to the server through your SSH client using the username and the new key embedded using the following command:
So it will look something like this:
Advantages and disadvantages of using SSH without a password
Like anything else in life, password-free authentication – including that for SSH – has its pros and cons. However, if you know these before you start using this verification method, it is much easier to deal with the potential risks before they can become problems. Let’s look at both.
- Makes secure SSH authentication simple
- Allows you to connect faster than traditional SSH authentication methods
- Provides better security against coarse force attacks than password-based SSH authentication
- Allows you to create a list of permissions on the server side of authorized IP addresses
- Allows the user to restrict access rights to the customer
- Allows access to the device whether it is manned or not
- Enables automatic and interactive file transfer securely
- Private keys will be stacked if you do not follow Best practices for SSH key management
- Proper key management is another administrative task (and therefore can create additional expense)
- Password-free authentication can lead to middle person attacks if keys are stolen or otherwise damaged (which is why key management is so important)
- It becomes tedious to add and delete user keys once they are no longer needed
Completion of SSH study without password
SSH without a password is a network security protocol that authenticates the user and creates a secure communication channel between server and client. It does this with the help of public key infrastructure or asymmetric encryption. Despite being a widely used protocol, SSH has several areas of vulnerability in use in practical life. If these vulnerabilities are handled carefully and follow best practices, it can become an almost perfect network protocol.