SSH Host Based Authentication – Security Boulevard


Introduction
Do you run an organization that manages or hosts a large pool of resources across remote sites and servers? Host-based authentication is a convenient way to manage access to such a fleet: once a client host is trusted, that trust applies to every user on it, so individual users no longer need their own credentials for the server.
Not familiar with this method? No problem. The host-based process is described in detail below.

A Quick Overview of Host-Based Authentication


Host-based authentication lets an SSH server authenticate the client machine rather than the individual user: the client host proves possession of its private host key, and the server then admits users coming from that host without asking each of them for a password or a personal key.

A trusted client host thus completes the authentication on behalf of its users. Once the host is trusted, users on it do not need a key or other proof of their own to be authorized to use the server.

Which client hosts (and, optionally, which users on them) are trusted is set system-wide in /etc/shosts.equiv on the server, or per user in ~/.shosts, and the method can be enabled for only a subset of users with a Match block in sshd_config.

Most often, this mode of checking access rights is used in large clusters of computing resources, where configuring and rotating one key per user per machine would not scale.

Some details about the host-based authentication method:

  • It needs configuration on both the client side and the server side.
  • It is the protocol 2 counterpart of the old RhostsRSAAuthentication method from SSH protocol 1. Admins enable it for specific client hosts.
  • It is disabled by default: the HostbasedAuthentication option defaults to "no" in both ssh_config and sshd_config, so it must be turned on explicitly.
  • On the client, /etc/ssh/ssh_config must enable it, and the client needs its own host key pair under /etc/ssh (the private host key is what proves the host's identity).
  • On the server, /etc/ssh/sshd_config must enable it, /etc/ssh/ssh_known_hosts must hold the client's host public key, and /etc/shosts.equiv must list the trusted client hosts.

Comparison of Authentication Methods – Host Vs. Public Key Based

These two methods differ mainly in what they authenticate (a host versus a user) and, following from that, in how they are configured. The main differences are listed below:

Host-based vs. public-key authentication

Scope
  Host-based: applies to every user on the trusted client host, unless restricted in shosts.equiv or by a Match block
  Public key: an individual public-private key pair is created for each user
Layer at which the check happens
  Host-based: the client host is authenticated with its host key
  Public key: the individual user is authenticated with their user key
How the public key reaches the server
  Host-based: ssh-keyscan collects the client's host public key for /etc/ssh/ssh_known_hosts on the server
  Public key: ssh-copy-id appends the user's public key to ~/.ssh/authorized_keys on the server
Key storage
  Host-based: private key in /etc/ssh/ssh_host_*_key on the client; public key in /etc/ssh/ssh_known_hosts on the server
  Public key: private key under ~/.ssh on the client; public key in the authorized_keys file on the server
Key generation
  Host-based: the host key pair in /etc/ssh is generated when OpenSSH is installed (ssh-keygen -A)
  Public key: the user runs ssh-keygen to generate the pair
Signing the challenge
  Host-based: the setuid ssh-keysign helper signs with the local host's private key
  Public key: the user's own private key signs the challenge

So there are real differences between these two well-known techniques for verifying identity. Differences aside, the two also bear some resemblance: both rely on a public-private key pair and a signed challenge rather than a password, so neither sends a reusable secret over the connection.

SSH host-based authentication

SSH is a well-known and trusted protocol for securing access to machines in remote and hybrid environments. Designed for the client-server model, it is made up of three layers:

    • Transport layer – Negotiates the algorithms, authenticates the server to the client with the server's host key, and provides confidentiality and integrity (plus optional compression) for everything carried above it.
    • Authentication layer – Authenticates the client to the server; host-based, public-key and password authentication all live here.
    • Connection layer – Multiplexes the authenticated connection into channels for sessions, port forwarding and the like, and carries the "talk" once identity has been verified.

The SSH protocol is widely used because it offers several authentication methods backed by strong encryption. Because it protects the confidentiality and integrity of data in transit, it is the accepted replacement for older, unprotected login and file transfer protocols such as telnet and FTP.

Besides creating a safe channel for remote resources to communicate, SSH handles other tasks such as port forwarding and acting as a SOCKS proxy when the situation calls for it.

The most common use of SSH is in data centers where it handles the job of securing all types of remote access rights.

Its simple operation and strong security properties have made SSH a good choice for guarding remote hosts, mirroring files via SFTP, tunneling data, and more, on Windows as well as Unix-like systems.

Understanding SSH from a security perspective

When thinking about implementing the SSH protocol, understanding its security aspects is crucial. The protocol itself is sound, but the steady rise in attacks on internet-exposed services means SSH operators must pay closer attention to implementing proper security policies.

Without them, SSH servers are prone to brute force attacks, in which attackers try common username and password pairs against large pools of SSH servers. Once in, they hold whatever privileges the compromised account has, often root, and can use the machine's resources as they please.

Another problem is that organizations and employees overlook the fact that SSH keys need to be inventoried, managed and stored with care. If keys are not registered and kept in a secure place, malicious actors can use them to reach the remote resource.

Finally, exposed SSH ports are a major security issue. Well-known malware families scan for devices with SSH open to the internet, try weak credentials and, on success, consume resources or corrupt the system.

These dangers require SSH deployments to adopt robust and workable security controls.

Host-based authentication is one of the SSH authentication methods available for this.

SSH users should authenticate with keys rather than passwords when connecting to remote servers, and with host-based authentication only explicitly listed hosts are able to connect.

How to implement host-based authentication over SSH?

To start implementing host-based authentication over SSH, you must first create a specific configuration on both the server and the client machines.

On the client, edit /etc/ssh/ssh_config (the client configuration; sshd_config belongs to the server). The lines to enter are:

  • HostbasedAuthentication yes
  • EnableSSHKeysign yes

EnableSSHKeysign lets ssh call the ssh-keysign helper, which signs the authentication challenge with the client's private host key. Because that key is readable only by root, ssh-keysign is installed setuid root; if it lacks the setuid bit, host-based logins fail on the client side.

On the server, three files must be prepared:

  • /etc/shosts.equiv
  • /etc/ssh/ssh_known_hosts
  • /etc/ssh/sshd_config

In sshd_config, do this:

  • Set HostbasedAuthentication to "yes"
  • Set UseDNS to "yes": sshd compares the host name the client sends with the reverse lookup of the client's address, and with UseDNS off the lookup yields only the bare IP, so the comparison fails and the server logs a "userauth_hostbased mismatch" (the alternative, HostbasedUsesNameFromPacketOnly yes, skips the reverse lookup and trusts the name the client claims)
  • IgnoreRhosts only governs per-user ~/.rhosts and ~/.shosts files; /etc/shosts.equiv is consulted regardless, so change it from its default of "yes" to "no" only if users should be allowed to trust hosts themselves

Next, add the client's host public key to /etc/ssh/ssh_known_hosts on the server, keyed by the client's fully qualified name (ssh-keyscan prints it in the right format; verify the fingerprint out of band before trusting it). Finally, add that same host name to /etc/shosts.equiv on the server, one host per line. A line containing only "+" trusts every host and must not appear there.
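The client and server files named above and in the earlier list of required files, brought together as a complete added example: the functions below emit each configuration fragment and audit the server side for one client host. This is example code written for this page, not the original post's or OpenSSH's own; the host names client.example.com and server.example.com and the ssh-keysign path are assumptions for illustration.

```shell
#!/bin/sh
# Added example: not code from the original post. The host names
# client.example.com and server.example.com and the ssh-keysign path are
# assumptions for illustration; substitute your own.

# Client side, /etc/ssh/ssh_config (not sshd_config): offer host-based
# authentication to this server and let ssh run the setuid ssh-keysign
# helper, which signs the challenge with the client's private host key.
client_ssh_config() {
    cat <<'EOF'
Host server.example.com
    HostbasedAuthentication yes
    EnableSSHKeysign yes
EOF
}

# Server side, /etc/ssh/sshd_config. UseDNS yes is required: sshd compares
# the name the client sends with the reverse lookup of its address, and with
# UseDNS no that lookup returns only the IP, so the comparison fails.
# IgnoreUserKnownHosts yes means only /etc/ssh/ssh_known_hosts is trusted.
# IgnoreRhosts stays at its default; /etc/shosts.equiv is read regardless.
server_sshd_config() {
    cat <<'EOF'
HostbasedAuthentication yes
UseDNS yes
IgnoreUserKnownHosts yes
IgnoreRhosts yes
EOF
}

# Server side, /etc/shosts.equiv: one trusted client host per line, written
# as the name reverse DNS returns for the client's address. A bare "+" would
# trust every host.
shosts_equiv() {
    echo "client.example.com"
}

# Server side: fetch the client's host PUBLIC key for /etc/ssh/ssh_known_hosts.
# Needs network access; verify the fingerprint out of band before appending
# the line, since ssh-keyscan trusts whatever answers on port 22.
collect_client_host_key() {
    ssh-keyscan -t ed25519 "$1" 2>/dev/null
}

# In OpenSSH config files the first value given for a keyword wins, so print
# the first non-comment occurrence (keywords are case-insensitive).
config_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Audit the three server-side files for one client host. Returns 0 only when
# sshd_config enables the method, ssh_known_hosts carries a key under that
# host name (first field may be a comma-separated list) and shosts.equiv
# lists it without a wildcard; otherwise reports each gap and returns 1.
check_hostbased() {
    sshd_conf=$1; known_hosts=$2; equiv=$3; client=$4; rc=0
    [ "$(config_value "$sshd_conf" HostbasedAuthentication)" = yes ] \
        || { echo "sshd_config: HostbasedAuthentication is not yes"; rc=1; }
    awk -v h="$client" 'substr($1, 1, 1) != "#" {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] == h) found = 1
        } END { exit (found ? 0 : 1) }' "$known_hosts" \
        || { echo "ssh_known_hosts: no host key entry for $client"; rc=1; }
    grep -qx "$client" "$equiv" \
        || { echo "shosts.equiv: $client is not listed"; rc=1; }
    if grep -q '^+' "$equiv"; then
        echo "shosts.equiv: a '+' wildcard trusts every host"; rc=1
    fi
    return $rc
}

# Client side: ssh-keysign can only read the root-owned host key if it is
# installed setuid root (path varies by distribution; the default is assumed).
check_keysign() {
    [ -u "${1:-/usr/lib/openssh/ssh-keysign}" ]
}
```

To confirm the setup end to end, run `ssh -v user@server.example.com` from the client: when host-based authentication is used, the client's debug output contains `Authentication succeeded (hostbased)`, and on a name mismatch the server's log shows the `userauth_hostbased mismatch` line mentioned above.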

The last word

By shifting trust from individual users to the host, host-based authentication makes managing clusters of machines and devices considerably easier. I hope this article has helped you understand the method.

The post SSH Host Based Authentication appeared first on Wallarm.

*** This is a syndicated blog from the Security Bloggers Network of Wallarm written by ferrisbuller. Read the original post at: https://lab.wallarm.com/ssh-host-based-authentication/
