Reputation: 2858
How does SSH public key authentication work (picking up right keys)
As far as I know about SSH authentication and according to many of explanations with Alice and Bob, there is some major steps:
- Client generates a pair of public/private keys and publishes public key to a server.
- When server receives a public key authentication request, it generates a random data, encrypts it with client's public key and sends it to client.
- Client decrypts this data with the private key and sends it back as a proof of authenticity.
I hope some of you help me to understand how then GitHub server knows which public key to pick in step 2 when I clone arbitrary repository over SSH protocol? It has millions of user public keys to choose from. And a user could have installed a number of private keys on his machine.
Upvotes: 6
Views: 4632
Answers (2)
Reputation:
To understand how the SSH authentication works, it may be necessary to read all five RFCs related to SSH 2.0: RFC4250, RFC4251, RFC4252, RFC4253, and RFC4254.
There are four pieces of information that help ensure the SSH authentication works: session ID, server public key, client public key, and the user name on the server.
Session ID is created during the key exchange (KEX) after TCP connection is established and before the client is authenticated. Session ID is kept on both the client and server. When the client authenticates against the server by sending SSH_MSG_USERAUTH_REQUEST message, it provides the user name on the server, the client public key and a signature that contains the session ID when decrypted using the client public key. It shall be sufficient to match the user name with the session ID and then establish a secure session and subsequently a secure channel for executing remote git commands.
The server public key is provided to the client during the key exchange. It is stored in the ~/.ssh/known_hosts file. When the server signature changes, the SSH client will show a warning about server credential change and stop the authentication process.
Upvotes: 0
Reputation: 13250
The protocol is bit a more involved than you think. The manpage describes that the client tells the server which key it wants to use:
The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs in, the ssh program tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that the corresponding public key is authorized to accept the account.
The relevant SSH rfc details that the client actually sends the whole public key with a SSH_MSG_USERAUTH_REQUEST request.
With the public key github should be able to look the corresponding user in the majority of cases. I don't know what happens when two accounts share a key, though.
Upvotes: 4
Related Questions
- GitHub SSH access using public key
- How does ssh server know which public key to match the ssh private key?
- SSH authentication process
- I don't understand why in ssh public/private key authentication, public key goes on server
- Understanding SSH private and public keys with PuTTYgen
- Finding Corresponding Public SSH Key
- ssh passwordless login, public key authentication only (whats going on behind the curtains)
- How does the GitHub authentification work?
- understanding the ssh login using PKI
- SSH Key Authentication [Hesitance?]