SSH is a valuable tool, used to access a shell on a remote machine. The SSH shell is designated “secure” because all network traffic between the client station and the SSH server is encrypted, which stops eavesdroppers on the network from capturing traffic and reading its contents.
SSH can use passwords and Kerberos for authentication, as well as public-key cryptography, which relies on key pairs. Key-pair authentication enables you to log in to an SSH server without having to supply a password, and can be more secure than password authentication.
The key-pair method requires that you have the private-key file and know the password (passphrase) that unlocks that key file. Password authentication, by contrast, can be compromised by anyone who learns the password; no private-key file is needed.
Note: Don’t confuse key-pair authentication with Kerberos authentication, which takes place for the SSH service if you are using an Open Directory user account and have already logged in. A valid Kerberos ticket also will let you log in without supplying a password.
Here is how the process works:
1. The user generates a private and a public key. Each key pair is associated with a user name to establish that user’s authenticity. When a user attempts to log in, the user name is sent to the remote computer.
2. The client SSH program sends the user’s public key to the remote computer.
3. The SSH server then sends the user a challenge based on that individual’s public key.
4. Using the private portion of the key pair to decode the challenge, the user verifies his or her identity.
5. Once the challenge is decoded, the remote computer logs in the user without requiring a password.
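The five steps above, modelled as an added example that is not part of the original text: a server encodes a random challenge with the user’s public key, only the holder of the matching private key can decode it, and a wrong key fails. The key parameters are constructed toy primes chosen for readability, not real SSH keys, and the model follows the book’s decode-the-challenge description; the actual SSH-2 protocol has the client sign a session-bound value instead. Requires Python 3.8+ for the modular inverse.

```python
import hashlib
import secrets

# Constructed toy key pair: small primes chosen only so the numbers stay readable.
# Real SSH keys are 2048-bit+ RSA or Ed25519; never use parameters this small.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)
PUBLIC_KEY = (E, N)                # what the client sends in step 2
PRIVATE_KEY = (D, N)               # what never leaves the user's machine


def server_issue_challenge(public_key, nonce=None):
    """Step 3: the server picks a random nonce and encodes it with the user's
    public key. It keeps a hash of the nonce as the expected answer."""
    e, n = public_key
    if nonce is None:
        nonce = secrets.randbelow(n - 2) + 2   # constructed challenge value
    encoded = pow(nonce, e, n)
    expected = hashlib.sha256(str(nonce).encode()).hexdigest()
    return encoded, expected


def client_answer_challenge(private_key, encoded):
    """Step 4: only the private exponent recovers the nonce, so producing the
    right hash proves possession of the private-key file."""
    d, n = private_key
    nonce = pow(encoded, d, n)
    return hashlib.sha256(str(nonce).encode()).hexdigest()


def server_check(expected, answer):
    """Step 5: constant-time comparison; a match logs the user in, no password asked."""
    return secrets.compare_digest(expected, answer)


def authenticate(public_key, private_key, nonce=None):
    """Run the whole exchange and report whether the server would accept the login."""
    encoded, expected = server_issue_challenge(public_key, nonce)
    return server_check(expected, client_answer_challenge(private_key, encoded))
```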