Authentication Methods

Before it accepts a connection, the SSH server determines the authentication methods it will permit by reading the server configuration file. For the SSH client to connect to the SSH server, the same authentication method must also appear in the client configuration file. Therefore, each of these methods requires configuration on both the SSH client and the SSH server.

After the SSH client makes a connection request to a remote SSH server, the server sends the client the list of authentication methods it permits. Depending on the agreed-upon authentication method, the SSH server may require the client to pass multiple authentication tests before the connection is established.

To configure the SSH client to use an authentication method, specify the method in either the systemwide client configuration file (TCPIP$SSH_DEVICE:[TCPIP$SSH.SSH2]SSH2_CONFIG.) or the user-specific client configuration file ([username.SSH2]SSH_CONFIG.). On the server, the authentication methods are specified as arguments to the following configuration parameters in the SSH server configuration file:

  • AccountingAuthentications

  • AllowedAuthentications

  • IntrusionAuthentications

  • IntrusionIdentMethod

  • IntrusionIdentSSH

  • LogfailAuthentications
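The negotiation described above, in which the server advertises the methods it permits and the client may only attempt a method present in both configuration files, is easy to misjudge when the two files are maintained by different people. The following Python code is an added example, not part of this manual or of the TCP/IP Services software: it parses `AllowedAuthentications` lines from constructed server and client configuration fragments written in the keyword/value style of these files and reports which methods the client will actually attempt. The method tokens (`publickey`, `hostbased`, `password`), the comma-separated list format, the sample lines, and the assumption that `LogfailAuthentications` and `IntrusionAuthentications` name the methods whose failed attempts are logged or counted as intrusions are all assumptions made for this illustration.

```python
from typing import Dict, List

# Constructed configuration fragments for this example (not from a real system).
# Each line is "Keyword value"; '#' starts a comment; AllowedAuthentications
# takes a comma-separated list of method names.
SERVER_CONFIG = """
# server configuration (constructed example)
AllowedAuthentications    publickey,hostbased
LogfailAuthentications    publickey,hostbased,password
IntrusionAuthentications  password
"""

CLIENT_CONFIG = """
# SSH2_CONFIG. (constructed example)
AllowedAuthentications    password,publickey
"""


def parse_config(text: str) -> Dict[str, str]:
    """Return a keyword -> value map; keywords are compared case-insensitively."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding space
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def method_list(config: Dict[str, str], keyword: str) -> List[str]:
    """Split a comma-separated method list such as 'publickey,password'."""
    value = config.get(keyword.lower(), "")
    return [m.strip().lower() for m in value.split(",") if m.strip()]


def negotiate(server_text: str, client_text: str) -> List[str]:
    """Methods the client will try, in the client's order of preference,
    restricted to the methods the server advertises after the connection
    request. An empty result means no method is common to both sides, so
    the client cannot authenticate at all."""
    server_allowed = set(method_list(parse_config(server_text), "AllowedAuthentications"))
    client_allowed = method_list(parse_config(client_text), "AllowedAuthentications")
    return [m for m in client_allowed if m in server_allowed]


def unreachable_methods(server_text: str) -> Dict[str, List[str]]:
    """Configuration check (assumed semantics, see lead-in): a method named in
    LogfailAuthentications or IntrusionAuthentications but absent from
    AllowedAuthentications can never be attempted, so the logging or
    intrusion setting for it has no effect and probably signals a typo."""
    config = parse_config(server_text)
    allowed = set(method_list(config, "AllowedAuthentications"))
    report: Dict[str, List[str]] = {}
    for keyword in ("LogfailAuthentications", "IntrusionAuthentications"):
        extra = [m for m in method_list(config, keyword) if m not in allowed]
        if extra:
            report[keyword] = extra
    return report


if __name__ == "__main__":
    print("methods the client will attempt:", negotiate(SERVER_CONFIG, CLIENT_CONFIG))
    print("methods that can never be attempted:", unreachable_methods(SERVER_CONFIG))
```

With the constructed fragments the client lists `password` first but the server does not permit it, so only `publickey` is attempted; a client configured with `password` alone would be unable to authenticate at all, which is the situation the text warns about when it says both sides must be configured.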

The following SSH authentication methods are available:

  • Password authentication. This method requires that you supply a password to the client, which transmits it to the server over the encrypted connection. The SSH server then verifies the supplied password using the native OpenVMS password-authentication mechanism.

  • Host-based authentication. This method allows you to avoid providing any secret information from the SSH client. It relies on trust relationships between hosts and does not require you to prove your identity.

    The SSH server host authenticates by verifying the following:

    • The identity of the client host, using the client's host public key, which the system manager maintains in the known hosts database. The directory [TCPIP$SSH.SSH2.KNOWNHOSTS] contains the public keys of all client hosts that use the host-based authentication method to connect to the server.

    • That the client host belongs to the trusted hosts list, which the system manager maintains on the server. This list of trusted hosts enables you to log in to the server without proving your identity.

    • Optionally, that the user is connecting under one of the user names permitted for that client host.

    If any of these authentication checks fails, the connection is refused. An advantage of this method is that it does not require the client to type a password or passphrase, or to generate, distribute, and maintain keys. This is convenient for batch processing. One disadvantage, however, is that it relies entirely on correctly identifying the client host.

    This method requires that the server manager maintain two pieces of information:

    • The known hosts database, which contains the public key files of remote hosts.

    • A trusted hosts file, which lists the trusted hosts (and, optionally, the user names).

  • Public-key authentication. This method uses public-key cryptography to verify the client's identity and requires two pieces of data: your public/private key pair and, optionally, a passphrase that encrypts the private key when it is stored in a file. This method is flexible because it allows additional control over authorization by providing multiple keys and by applying restrictions to each key.

    Public-key authentication requires management actions on both ends of an SSH connection. Both the user on the client host and the system manager on the server host must create and maintain keys on the client, copy public keys from the client to the server hosts, and provide passphrases.
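The three server-side checks of host-based authentication listed above (host identity against the known hosts database, membership in the trusted hosts list, and the optional user-name restriction) are policy decisions layered on top of the protocol's signature check. The following Python code is an added example, not part of this manual or of the TCP/IP Services software: it applies those checks in order over constructed data. The host names, the placeholder byte strings standing in for host public-key files, and the trusted-hosts line format (a host name optionally followed by one permitted client-side user name) are assumptions made for this illustration; the example assumes the protocol has already verified that the client holds the private half of the key it presents.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed data for this example (not from a real system).
# Known hosts database: client host name -> the host public key the server
# manager recorded for it. Real entries are SSH2 public-key files; placeholder
# bytes stand in for the key material so the example runs offline.
KNOWN_HOSTS: Dict[str, bytes] = {
    "batch1.example.com": b"ssh-dss PLACEHOLDER-HOST-KEY-BATCH1",
    "dev7.example.com": b"ssh-dss PLACEHOLDER-HOST-KEY-DEV7",
}

# Trusted hosts list in the line format assumed here: a host name, optionally
# followed by the one client-side user name allowed from that host. A bare
# host name trusts every user on that host.
TRUSTED_HOSTS = """
# constructed example
batch1.example.com
dev7.example.com    jsmith
"""


@dataclass
class HostbasedRequest:
    client_host: str        # host name the client claims to be
    client_host_key: bytes  # host public key the client authenticated with
    client_user: str        # user name on the client host


def fingerprint(key: bytes) -> str:
    """Short identifier for a key, useful in rejection messages and logs."""
    return hashlib.sha256(key).hexdigest()[:16]


def parse_trusted_hosts(text: str) -> List[Tuple[str, Optional[str]]]:
    """Return (host, user-or-None) pairs; host names compare case-insensitively."""
    entries: List[Tuple[str, Optional[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else None))
    return entries


def authenticate_hostbased(req: HostbasedRequest, known_hosts: Dict[str, bytes],
                           trusted_text: str) -> Tuple[bool, str]:
    """Apply the three server-side checks in order; any failure refuses the
    connection. Returns (accepted, reason) so the reason can be logged."""
    host = req.client_host.lower()

    # Check 1: client host identity. The key the client used must be the key
    # recorded for that host name; otherwise one host could claim another's name.
    recorded = known_hosts.get(host)
    if recorded is None:
        return False, f"{host}: no entry in known hosts database"
    if recorded != req.client_host_key:
        return False, (f"{host}: presented key {fingerprint(req.client_host_key)} "
                       f"does not match recorded key {fingerprint(recorded)}")

    # Check 2: the client host must appear in the trusted hosts list.
    entries = [e for e in parse_trusted_hosts(trusted_text) if e[0] == host]
    if not entries:
        return False, f"{host}: not in trusted hosts list"

    # Check 3 (optional): user name restriction for that host.
    if any(user is None or user == req.client_user for _, user in entries):
        return True, f"{host}: accepted user {req.client_user}"
    return False, f"{host}: user {req.client_user} not permitted from this host"


if __name__ == "__main__":
    req = HostbasedRequest("dev7.example.com", KNOWN_HOSTS["dev7.example.com"], "jsmith")
    print(authenticate_hostbased(req, KNOWN_HOSTS, TRUSTED_HOSTS))
```

The first check is the one that carries the method's main risk: the trusted hosts list is only as strong as the binding between a host name and the key stored for it, so a stale or wrong known-hosts entry turns the trust relationship into a weakness, which is why the text stresses that the system manager must maintain both files together.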

You can also specify Kerberos authentication methods, as described in Chapter 6.