To SSH to a host using public key authentication the host needs to know your public key. Certificate authentication works the same way, but with an important twist that we’ll get to in a moment. This is an oversimplification, but it’s more or less how SSH public key authentication works. If I open a socket to you and send a random number, and you respond with a valid signature over that number, I must be talking to you. Simple authentication can be implemented by challenging someone to sign a big random number. Thus, if you can verify a signature, and you know who owns the private key, you know who generated the signature. Like a hash, it’s computationally infeasible to forge a signature. You can sign data with your private key and someone else can verify your signature with the corresponding public key. The magic of asymmetric cryptography is the special correspondence between a public and private key. Most SSH deployments use public key authentication, which uses asymmetric (public key) cryptography with a public / private key pair generated for each user & host to authenticate. SSH certificates deserve more press, and broader use. They’re not that hard to understand, and it’s well worth the effort. We’re convinced that SSH certificates are the right way to do SSH. Most people we asked hadn’t heard of them at all.
0 Comments
Leave a Reply. |