
Tuesday, March 14, 2017

All About SSH Keys & Its Files

List of Topics

1) Types of Authentication of SSH
2) Files for Host Based Authentication
3) Files for Key Based Authentication
4) Last method of authentication
5) What is known_hosts file
6) Generating ssh keys

1) Types of Authentication in SSH

SSH supports two main types of authentication; each is described briefly below.

Host-based authentication is where the host itself is authenticated (by its host key), so users on a trusted host can log in without needing a key of their own.


Key-based authentication is where the user generates a public/private key pair and copies the public key to the remote server (i.e. wherever the user needs to log in). With this method the user can log in without a password.

2) Files for Host Based Authentication


Host-based authentication works as follows: If the machine the user logs in from is listed in /etc/hosts.equiv or /etc/ssh/shosts.equiv on the remote machine, and the user names are the same on both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote machine and contain a line containing the name of the client machine and the name of the user on that machine, the user is considered for login.

Additionally, the server must be able to verify the client's host key (see the description of /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts, below) for login to be permitted. This authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing.

[Note to the administrator: /etc/hosts.equiv, ~/.rhosts, and the login/rsh protocol in general, are inherently insecure and should be disabled if security is desired.]

3) Files for Key Based Authentication
Key-based authentication uses the following files:

~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication.

id_dsa, id_rsa, id_ecdsa - the key pair files that ssh-keygen creates for the chosen key type (for example, choosing DSA creates id_dsa and id_dsa.pub). The .pub file is the public key and the file without an extension is the private key.

The user creates his/her key pair by running ssh-keygen(1).  This stores the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol 2 DSA), ~/.ssh/id_ecdsa (protocol 2 ECDSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in ~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), ~/.ssh/id_ecdsa.pub (protocol 2 ECDSA), or ~/.ssh/id_rsa.pub (protocol 2 RSA) in the user’s home directory.  The user should then copy the public key to ~/.ssh/authorized_keys in his/her home directory on the remote machine.  The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long.  After this, the user can log in without giving the password.
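An added example (not part of the original post) that reads an authorized_keys file of the kind described above and reports, per key line, the declared key type, the SHA256 fingerprint that ssh-keygen -l would print, any leading options, and issues a reviewer would flag: a key blob whose embedded type disagrees with the declared type, a DSA key, or a key with no restrictions at all. The file content and the all-zero key blobs are constructed for the demonstration and are not real keys.

```python
import base64
import hashlib

def ssh_string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data   # SSH wire-format string

# Constructed sample key blobs (all-zero key material, not real keys) and file content.
KEY_ED = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
KEY_DSS = base64.b64encode(ssh_string(b"ssh-dss") + ssh_string(bytes(4)) * 4).decode()
AUTHORIZED_KEYS = "\n".join([
    "ssh-ed25519 " + KEY_ED + " alice@laptop",
    'from="10.0.0.0/8",command="/usr/bin/backup run",no-pty ssh-ed25519 ' + KEY_ED + " backup",
    "ssh-dss " + KEY_DSS + " legacy@oldbox",
])

def split_options(line: str):
    """Return (options, rest); the options field ends at the first space outside double quotes."""
    if line.startswith(("ssh-", "ecdsa-", "sk-")):   # line starts directly with the key type
        return "", line
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1] != "\\":
            quoted = not quoted
        elif ch == " " and not quoted:
            return line[:i], line[i + 1:].lstrip()
    return line, ""

def fingerprint(key_b64: str) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: base64 of the digest without '=' padding."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_type(key_b64: str) -> str:
    blob = base64.b64decode(key_b64)   # the first wire string inside the blob names the key type
    return blob[4:4 + int.from_bytes(blob[:4], "big")].decode()

def audit_authorized_keys(text: str):
    """Yield one finding per key line: declared type, fingerprint, options, comment and issues."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        keytype, key_b64, *comment = rest.split(None, 2)
        checks = [(blob_type(key_b64) != keytype, "declared type does not match key blob"),
                  (keytype == "ssh-dss", "ssh-dss (DSA) keys are refused by default since OpenSSH 7.0"),
                  (not options, "no restrictions (from=, command=, no-pty, ...)")]
        yield {"type": keytype, "fingerprint": fingerprint(key_b64), "options": options,
               "comment": comment[0] if comment else "", "issues": [msg for bad, msg in checks if bad]}
```

Run it against a real ~/.ssh/authorized_keys by passing the file's text to audit_authorized_keys and listing the result.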


4) Last method of authentication

Finally, if other authentication methods fail, ssh prompts the user for a password.  The password is sent to the remote host for checking; however, since all communications are encrypted, the password cannot be seen by someone listening on the network. ssh automatically maintains and checks a database containing identification for all hosts it has ever been used with.  

5) What is known_hosts file

Host keys are stored in ~/.ssh/known_hosts in the user’s home directory.  Additionally, the file /etc/ssh/ssh_known_hosts is automatically checked for known hosts.  Any new hosts are automatically added to the user’s file.  If a host’s identification ever changes, ssh warns about this and disables password authentication to prevent server spoofing or man-in-the-middle attacks, which could otherwise be used to circumvent the encryption.  The StrictHostKeyChecking option can be used to control logins to machines whose host key is not known or has changed.
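An added example (not part of the original post) showing what ssh does with known_hosts: it looks up the host in the file, handling plain comma-separated names, the [host]:port form used for non-default ports, and hashed "|1|salt|hash" entries (HMAC-SHA1 over the host name, as HashKnownHosts writes them), and then reports whether the presented host key matches, has changed, or belongs to an unknown host. Those are the three outcomes that StrictHostKeyChecking governs. The host names and all-zero key blobs are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length + bytes)."""
    return len(data).to_bytes(4, "big") + data

def hash_host(host: str, salt: bytes) -> str:
    """Build a hashed known_hosts name: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

# Constructed sample keys and known_hosts content (all-zero key material, not real hosts).
KEY_A = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes(32))).decode()
KEY_B = base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(bytes([1]) * 32)).decode()
KNOWN_HOSTS = "\n".join([
    "web.example.test,10.0.0.5 ssh-ed25519 " + KEY_A,                                 # two names, one key
    hash_host("build.example.test", bytes(range(20))) + " ssh-ed25519 " + KEY_B,      # HashKnownHosts style
    "[git.example.test]:2222 ssh-ed25519 " + KEY_A,                                   # non-default port form
])

def host_matches(name_field: str, host: str, port: int) -> bool:
    """Match a comma-separated known_hosts name field (plain or hashed) against host/port."""
    name = host if port == 22 else "[%s]:%d" % (host, port)   # ssh names non-default ports this way
    for pat in name_field.split(","):
        if pat.startswith("|1|"):
            _, _, salt_b64, mac_b64 = pat.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), name.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif pat == name:      # wildcards (*, ?) and negation (!) are not handled here
            return True
    return False

def check_host_key(known_hosts: str, host: str, keytype: str, key_b64: str, port: int = 22) -> str:
    """Return 'match', 'changed' or 'unknown': the three cases StrictHostKeyChecking decides on."""
    seen_type = False
    for line in known_hosts.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#") or fields[0].startswith("@"):
            continue   # blank, comment, or @cert-authority/@revoked marker (needs CA logic, skipped)
        if len(fields) < 3 or not host_matches(fields[0], host, port):
            continue
        if fields[1] == keytype:
            seen_type = True
            if fields[2] == key_b64:
                return "match"
    return "changed" if seen_type else "unknown"
```

A "changed" result is the situation in which ssh prints its host identification warning and refuses password authentication.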


6) Generating ssh keys

Generate an SSH key pair without a passphrase (-N "" sets an empty passphrase, -f names the key file, here "explore"):

# ssh-keygen -t rsa -N "" -f explore

To specify the private key file when logging in:

# ssh -i <PRIVATE_KEY_FILE> <USER_NAME>@<HOSTNAME>

