SecureBlackbox 16: SSH Authentication Methods


Introduction

SSH (Secure Shell) was originally created in 1995 by Tatu Ylönen and was later standardized by the IETF (RFC 4251 and its companion documents). Its purpose is secure access to a remote host's console and to other network services carried over the same connection, such as file transfer (SFTP) or the remote execution of processes. SSH is most widespread in the Unix/Linux world, although servers for the Windows platform also exist.

One part of the SSH protocol family is the SSH authentication protocol (RFC 4252). It runs on top of the SSH transport layer, which has already negotiated encryption and authenticated the server by its host key; the authentication protocol works in the other direction and authenticates the client (the user) to the server. It offers several authentication methods suited to different kinds of clients, such as automated scripts or human operators.

The SecureBlackbox SSH/SFTP client components support all of the following methods of authentication through the AuthenticationTypes property. The following sections provide additional background on SSH and information on how to configure the components for each authentication type.

Public Key Authentication

This is the most widely used and the most important form of authentication: public key authentication is the only method that RFC 4252 requires both client and server software to implement. It expects each client to have a key pair, that is, a private key and the corresponding public key generated with an asymmetric signature algorithm such as RSA or DSA. The private key never leaves the client; only the public key is registered with the server.

The exchange normally runs in two steps. The client first sends a request naming the user, the public key algorithm and the public key itself, without a signature; the server checks whether that key is on the list of keys allowed for the user (on OpenSSH servers, the user's authorized_keys file) and, if so, answers with SSH_MSG_USERAUTH_PK_OK. The client then repeats the request, this time with a signature made by its private key over the session identifier and the fields of the request, and the server verifies that signature with the public key. The data is signed, not encrypted: the private key is never transmitted, and because the session identifier is covered by the signature, a signature captured from one connection is useless in any other.

In the SSH/SFTP client components, you use the TElSSHMemoryKeyStorage class to perform public key authentication. This class is a storage for keys, each represented by a TElSSHKey object. The application adds a key that contains both the public and the private part to the storage, and attaches the storage to ElSSHClient or another SSH/SFTP component via that component's KeyStorage property. Keep the private key passphrase-protected and readable only by the account that runs the client: anyone who obtains it can authenticate as that user on every server where the public key is installed.
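The two-step exchange described above, modelled end to end in Python as an added example; this is not SecureBlackbox code (the components perform these steps internally), and it does not use the SecureBlackbox API. It generates a throwaway RSA key at run time, signs the RFC 4252 data in the rsa-sha2-256 format and lets a simulated server verify it. The user name deploy, the session identifiers and the key itself are constructed for the demonstration. The last step replays the valid signature into a second session, which shows why the session identifier is part of the signed data:

```python
import hashlib
import secrets
import struct

SSH_MSG_USERAUTH_REQUEST, SSH_MSG_USERAUTH_FAILURE = 50, 51
SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_PK_OK = 52, 60
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for a SHA-256 hash

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, plus a leading zero byte if the top bit is set."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def _is_probable_prime(n: int) -> bool:
    """Miller-Rabin with 32 rounds; fine for a throwaway demo key, not a production key generator."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(32):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_keypair(bits: int = 1024):
    """Returns ((n, e), d). Constructed demo key: 1024-bit RSA is too small for real deployments."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1  # exact bit size, odd
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def ssh_rsa_public_blob(pub) -> bytes:
    """Key blob as sent on the wire; the type stays 'ssh-rsa' even with rsa-sha2-256 signatures (RFC 8332)."""
    n, e = pub
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def _pkcs1_v15_encode(n: int, data: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 with SHA-256: 00 01 FF..FF 00 DigestInfo||hash, as wide as the modulus."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3) + b"\x00" + t

def rsa_sha2_256_sign(pub, d: int, data: bytes) -> bytes:
    """Signature blob as carried in SSH_MSG_USERAUTH_REQUEST: string algorithm || string signature."""
    n, _ = pub
    s = pow(int.from_bytes(_pkcs1_v15_encode(n, data), "big"), d, n)
    return ssh_string(b"rsa-sha2-256") + ssh_string(s.to_bytes((n.bit_length() + 7) // 8, "big"))

def rsa_sha2_256_verify(pub, data: bytes, sig_blob: bytes) -> bool:
    n, e = pub
    k = (n.bit_length() + 7) // 8
    alg_len = struct.unpack_from(">I", sig_blob)[0]
    alg, sig = sig_blob[4:4 + alg_len], sig_blob[8 + alg_len:]  # skips the second string's own length prefix
    if alg != b"rsa-sha2-256" or len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, _pkcs1_v15_encode(n, data))

def userauth_signed_data(session_id: bytes, user: bytes, alg: bytes, key_blob: bytes) -> bytes:
    """What the client signs (RFC 4252 section 7); the session identifier binds it to this one connection."""
    return (ssh_string(session_id) + bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"publickey") + b"\x01"
            + ssh_string(alg) + ssh_string(key_blob))

def server_handle(session_id, authorized, user, alg, key_blob, sig_blob=None) -> int:
    """Server side of one request; authorized maps user -> {key blob: parsed public key} (the allowed list)."""
    pub = authorized.get(user, {}).get(key_blob)
    if pub is None:
        return SSH_MSG_USERAUTH_FAILURE  # key not on the allowed list: no signature is ever checked
    if sig_blob is None:
        return SSH_MSG_USERAUTH_PK_OK    # step 1: the client only asked whether this key would be accepted
    data = userauth_signed_data(session_id, user, alg, key_blob)
    return SSH_MSG_USERAUTH_SUCCESS if rsa_sha2_256_verify(pub, data, sig_blob) else SSH_MSG_USERAUTH_FAILURE

def run_exchange():
    """Both steps, then a replay of the same signature into a new session: (query_ok, login_ok, replay_rejected)."""
    pub, d = generate_rsa_keypair()
    blob, user, alg = ssh_rsa_public_blob(pub), b"deploy", b"rsa-sha2-256"
    allowed = {user: {blob: pub}}
    sid = secrets.token_bytes(32)                                    # session identifier from key exchange
    query = server_handle(sid, allowed, user, alg, blob)              # step 1: no signature yet
    sig = rsa_sha2_256_sign(pub, d, userauth_signed_data(sid, user, alg, blob))
    login = server_handle(sid, allowed, user, alg, blob, sig)         # step 2: signed request
    replay = server_handle(secrets.token_bytes(32), allowed, user, alg, blob, sig)  # new connection, old signature
    return (query == SSH_MSG_USERAUTH_PK_OK, login == SSH_MSG_USERAUTH_SUCCESS, replay == SSH_MSG_USERAUTH_FAILURE)
```

Calling run_exchange() returns (True, True, True): the key query is acknowledged with SSH_MSG_USERAUTH_PK_OK, the signed request succeeds, and the signature replayed into a new session is rejected because the new session identifier changes the signed data. DSA, ECDSA and Ed25519 keys follow the same request structure; only the key blob and signature formats differ.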

Password Authentication

This is the simplest form of authentication. The user needs only one set of credentials: a username and the corresponding password. (On Unix/Linux systems the username is usually the system-wide account name listed in /etc/passwd.) The password is sent to the server inside the encrypted transport, which protects it from eavesdroppers but not from a server that is not who it claims to be; password authentication is therefore only as strong as the client's verification of the server's host key (see Authentication of Servers below).

To use password authentication with the SSH/SFTP client components, set the UserName and Password properties.

Host-Based Authentication

Host-based authentication authenticates the client machine rather than the individual user: the client host holds a key pair, and the signed request includes the client's host name and the user name on the client host. The server maintains a list of trusted hosts and their public keys, so the same key presented from a host not on that list will not authenticate the client. The method is otherwise similar to public key authentication, and as with that method you use the TElSSHMemoryKeyStorage class to hold the key. Because the server trusts the client host to have identified its users correctly, a compromised client host gives an attacker access as any of its users; this method is best limited to tightly controlled networks.

Keyboard Authentication

Keyboard authentication (more precisely, keyboard-interactive authentication, RFC 4256) is a generalized form of password authentication geared to a human operator as the client. During authentication the server presents zero or more prompts (questions), possibly in several rounds, and the user provides an answer to each. The server decides the number and the content of the prompts, so the same mechanism can carry an ordinary password, a one-time code or another challenge-response scheme, and a round with zero prompts lets the server display a message only. Because the prompt text comes from the server, an application that answers prompts automatically should match them conservatively rather than send a secret in reply to any prompt it receives.

The SSH/SFTP client components support keyboard authentication via the OnAuthenticationKeyboard event. The client application fills the Responses parameter of this event with the replies to the questions contained in the Prompts parameter. The Echo parameter specifies, for each prompt, whether the user's response should be displayed on the screen or masked as the user types it. The number of responses must equal the number of prompts.

Receiving Notification of the Result of Authentication

Once the server has authenticated the client, or has failed to do so, the SSH/SFTP client component fires an event: OnAuthenticationSuccess if authentication succeeded, OnAuthenticationFailure otherwise. A failure of one method does not necessarily end the session, because the server's failure message lists the methods that may still continue and the client can go on with another method enabled in AuthenticationTypes.

Authentication of Servers

Unlike SSL/TLS, SSH does not normally authenticate the server with an X.509 certificate chained to a trusted certificate authority. Although some SSH servers support X.509-based key types, the certificates then serve only as containers for the keys. The server simply has a key pair: during key exchange it sends its public host key to the client and proves possession of the private key by signing the exchange hash. The protocol itself does not tell the client whether that key belongs to the intended host, so the client must decide whether it trusts the key, typically by comparing it with a key recorded on an earlier connection (the known_hosts model) or with a fingerprint obtained out of band. A key that differs from the recorded one should be treated as a possible man-in-the-middle attack rather than silently accepted.

The SSH/SFTP client components support this validation process through the OnKeyValidate event. In its handler the client can show the key's fingerprint to the user, look the key up in a database of known host keys, or perform some other check, and then decide whether the key is valid. Accepting every key unconditionally defeats the purpose of the encrypted channel.
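Host key validation of the kind an OnKeyValidate handler has to perform, as an added Python example that is independent of the SecureBlackbox API and not part of the original article. It computes the OpenSSH-style SHA-256 fingerprint of a wire-format host key blob, shows how a textual key line is parsed, and checks the offered key against a pinned set of keys per host, distinguishing a first contact from a changed key. The host names, the known_hosts dictionary and the Ed25519 key blobs are constructed for the demonstration and are not real keys:

```python
import base64
import hashlib
import struct

TRUSTED, UNKNOWN, MISMATCH = "trusted", "unknown", "mismatch"

def ssh_string(data: bytes) -> bytes:
    """SSH wire encoding: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def parse_openssh_public_key(line: str) -> bytes:
    """'<type> <base64 blob> [comment]' -> raw wire-format blob, checking the type really matches the blob."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    (ln,) = struct.unpack_from(">I", blob, 0)
    if blob[4:4 + ln] != key_type.encode():
        raise ValueError("key type in text does not match the blob")
    return blob

def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the whole wire-format blob.
    This is what to show the operator or compare with a value obtained out of band; MD5 fingerprints are obsolete."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def validate_host_key(host: str, offered_blob: bytes, known_hosts: dict) -> str:
    """known_hosts maps a host name to the set of key blobs previously accepted for it (a host may legitimately
    have several, e.g. one RSA and one Ed25519 key). The full blob is compared, never a truncated fingerprint."""
    recorded = known_hosts.get(host)
    if not recorded:
        return UNKNOWN   # first contact: confirm fingerprint_sha256(offered_blob) out of band, then pin the blob
    if offered_blob in recorded:
        return TRUSTED
    return MISMATCH      # a different key than the pinned one: possible impersonation, refuse to continue

def demo():
    """Runs the three outcomes against constructed sample keys (the 32-byte 'points' are made up, not real keys)."""
    real = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    rogue = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32, 64)))
    line = "ssh-ed25519 " + base64.b64encode(real).decode() + " sftp host key"  # text form as in a .pub file
    known_hosts = {"sftp.example.com": {parse_openssh_public_key(line)}}
    return {
        "same_key": validate_host_key("sftp.example.com", real, known_hosts),
        "changed_key": validate_host_key("sftp.example.com", rogue, known_hosts),
        "new_host": validate_host_key("backup.example.com", real, known_hosts),
        "fingerprint": fingerprint_sha256(real),
    }
```

In a real handler the UNKNOWN case is where the fingerprint is displayed and confirmed before the key is stored, and the MISMATCH case should abort the connection; accepting the new key silently there is exactly the behaviour an attacker interposed on the path needs.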

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.