Host-Based SSH Authentication – Security Boulevard


Introduction
Do you manage or host a large pool of resources on remote servers? Host-based authentication is a practical way to control access to them: once it is set up, the server trusts a whole client host, and the identity check applies to every user on that host rather than to each user individually.
Not familiar with this method? Do not worry; the details of the host-based process are laid out below.

A quick look at host-based authentication


Host-based authentication verifies the client machine rather than the individual user. The client host signs the authentication request with its own host key, and the server, which has that host key on file and lists the host as trusted, accepts the user name the client host asserts.

Because the host vouches for its users, people logging in from a trusted host need no per-user key, password or other credential to reach the server. The flip side is that anyone with root on the trusted client host can read the host private key and impersonate any of its users, so the trust is only as strong as the protection of that host.

Host-based authentication can be enabled globally in sshd_config or restricted to a subset of users, groups or source hosts with a Match block.

It is most often used in tightly managed clusters of computing resources, where the set of hosts is known and administered centrally.

Some details about the host-based method:

  • It requires configuration on both the client and the server.
  • It is the SSH-2 successor of the old RhostsRSAAuthentication method: rhosts-style trust files decide which hosts and users are trusted, and a signature made with the client's host key proves the claim instead of the spoofable source address that rsh relied on.
  • It is off by default: HostbasedAuthentication defaults to "no" in both ssh_config and sshd_config and has to be enabled on each side.
  • On the client, /etc/ssh/ssh_config must enable HostbasedAuthentication and EnableSSHKeysign, and the host key pair in /etc/ssh must be readable by the setuid-root ssh-keysign helper.
  • On the server, three files in /etc/ssh are involved: sshd_config (enable the method), ssh_known_hosts (the public host keys of trusted clients) and shosts.equiv (which client hosts, and optionally which users on them, are trusted).

Comparison of Authentication Methods – Host vs. Public Key Based

The two methods differ chiefly in what is authenticated: host-based authentication proves the identity of the client machine, public-key authentication proves the identity of the individual user. That difference shows up in how each is configured:

Scope
  • Host-based: applies to every user on a trusted client host unless a Match block or shosts.equiv entry restricts it.
  • Public key: an individual public-private key pair is created and authorized for each user.

Level at which it operates
  • Host-based: the host level; the client host vouches for its users.
  • Public key: the user level; each user proves possession of their own private key.

How the public key reaches the server
  • Host-based: the client's host public key is collected with ssh-keyscan and added to the server's /etc/ssh/ssh_known_hosts.
  • Public key: the user's public key is installed with ssh-copy-id into ~/.ssh/authorized_keys on the server.

Where the keys live
  • Host-based: private and public host keys in /etc/ssh on the client (ssh_host_*_key and ssh_host_*_key.pub); the public key is registered on the server in /etc/ssh/ssh_known_hosts.
  • Public key: private and public user keys in ~/.ssh on the client (for example id_ed25519 and id_ed25519.pub); the public key is registered on the server in ~/.ssh/authorized_keys.

How the key pair is generated
  • Host-based: the host key pair is generated by the OpenSSH package at install time or with ssh-keygen -A, and stored in /etc/ssh.
  • Public key: the user runs ssh-keygen to generate their own pair.

Who signs the authentication request
  • Host-based: the setuid-root ssh-keysign helper signs with the host private key on behalf of the user.
  • Public key: ssh (or ssh-agent) signs with the user's private key.

Those are the main differences between the two methods. They also share a great deal: both are public-key signature schemes, so in both cases the server checks a signature against a public key it already trusts, and neither sends a reusable secret over the connection.

Host-based SSH authentication

SSH is a well-known protocol for securing access to machines in remote and hybrid environments. It follows the client-server model and is defined in three layers:

    • The transport layer – negotiates the key exchange, authenticates the server to the client by its host key, and provides encryption, integrity protection and optional compression for everything above it.
    • The user authentication layer – proves the identity of the client (or, with host-based authentication, of the client host) to the server, using methods such as passwords, public keys or host keys.
    • The connection layer – multiplexes the authenticated connection into channels: interactive sessions, command execution, port forwards and so on.

SSH protocol is commonly used as it offers various authentication approaches backed by strong encryption. Because of its ability to maintain data integrity throughout the process, this protocol is considered a viable alternative to traditional and less secure login protocols and file transfer methods such as Telnet and FTP.

Aside from creating a secure ecosystem for remote resources to communicate with, SSH is responsible for other tasks like performing port forwarding and working as a proxy server when the situation calls for it.

The most common use of SSH is in data centers, where it takes on the task of securing all types of remote access privileges.

Its simple interface and strong security properties have made SSH the standard choice for protecting remote hosts, transferring and mirroring files over SFTP and SCP, and tunneling other traffic, on Unix-like systems and on Windows alike.

Understand SSH from a security perspective

When planning an SSH deployment it is crucial to understand its security properties. The protocol itself is strong, but past vulnerabilities and everyday misuse mean that operators still have to implement proper security practices around it.

Without them, SSH servers are exposed to brute-force attacks: attackers run lists of common username and password pairs against large pools of internet-facing SSH servers. If a guessed account is root or has sudo rights, they obtain full control of the host and can abuse its resources.

Another problem is that organizations and employees overlook SSH key management. Keys that are not inventoried, protected and rotated can be copied by an attacker and used to reach the remote resource.

Finally, exposed SSH ports are a major attack surface. Botnet malware scans for reachable SSH services and attempts to log in to consume resources or compromise the system.

The above threats force clients of the SSH protocol to adopt robust and workable security deployments.
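As an added illustration of the brute-force problem described above (example code written for this edit, not part of the original post or of any Wallarm tool), here is a small detector that reads sshd's standard syslog lines, counts failed logins per source address in a sliding window, and also flags a successful login that follows a burst of failures from the same address. The log lines, host name, addresses and user names are constructed for the example.

```python
"""Flag password brute-forcing and suspicious successes in sshd log lines.

Illustrative code written for this article. The sample below is constructed
in sshd's usual syslog format; it is not from a real host.
"""
from __future__ import annotations
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (invented host name, addresses, users and PIDs).
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 40112 ssh2
Mar  3 10:00:02 bastion sshd[2103]: Failed password for invalid user oracle from 198.51.100.7 port 40118 ssh2
Mar  3 10:00:02 bastion sshd[2105]: Failed password for root from 198.51.100.7 port 40121 ssh2
Mar  3 10:00:03 bastion sshd[2107]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar  3 10:00:03 bastion sshd[2109]: Failed password for root from 198.51.100.7 port 40133 ssh2
Mar  3 10:00:04 bastion sshd[2109]: Connection closed by authenticating user root 198.51.100.7 port 40133 [preauth]
Mar  3 10:00:05 bastion sshd[2111]: Accepted hostbased for alice from 10.0.0.11 port 51234 ssh2: ED25519 SHA256:constructedFingerprint
Mar  3 10:00:09 bastion sshd[2113]: Failed password for bob from 10.0.0.12 port 51240 ssh2
Mar  3 10:00:15 bastion sshd[2115]: Accepted password for bob from 10.0.0.12 port 51241 ssh2
Mar  3 10:05:00 bastion sshd[2150]: Failed password for deploy from 203.0.113.9 port 33001 ssh2
Mar  3 10:05:01 bastion sshd[2152]: Failed password for deploy from 203.0.113.9 port 33002 ssh2
Mar  3 10:05:02 bastion sshd[2154]: Failed password for deploy from 203.0.113.9 port 33003 ssh2
Mar  3 10:05:03 bastion sshd[2156]: Failed password for deploy from 203.0.113.9 port 33004 ssh2
Mar  3 10:05:04 bastion sshd[2158]: Failed password for deploy from 203.0.113.9 port 33005 ssh2
Mar  3 10:05:06 bastion sshd[2160]: Accepted password for deploy from 203.0.113.9 port 33009 ssh2
Mar  3 10:20:00 bastion sshd[2200]: Failed password for root from 198.51.100.7 port 40200 ssh2
"""

# Matches "Failed <method> for [invalid user] <user> from <ip> port <n>" and
# the corresponding "Accepted ..." lines; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_event(line: str):
    """Return (timestamp, result, method, user, ip) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
    return ts, m["result"], m["method"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = 5, window_s: int = 60) -> list[dict]:
    """Emit one 'bruteforce' alert per source address that reaches `threshold`
    failures inside `window_s` seconds, and a 'success-after-failures' alert
    whenever a login from such an address then succeeds within the window."""
    recent: dict[str, deque] = defaultdict(deque)  # ip -> recent failure times
    flagged: set[str] = set()
    alerts: list[dict] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        ts, result, method, user, ip = ev
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "bruteforce", "ip": ip,
                               "failures": len(q), "line": line})
        elif len(q) >= threshold:
            alerts.append({"kind": "success-after-failures", "ip": ip,
                           "user": user, "method": method, "line": line})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["kind"], alert["ip"], alert.get("user", ""))
```

The "success-after-failures" case is the one worth paging on: a burst of failures followed by an accepted password from the same address usually means a credential was guessed, not that an attack was repelled. Note that the accepted host-based login from 10.0.0.11 is not preceded by failures and is therefore left alone.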

Host-based authentication is one of the authentication methods SSH offers.

With it, users do not need individual authentication keys to reach remote servers. Instead, only client hosts whose host keys are registered and listed as trusted on the server are allowed to connect, and the server accepts the user names those hosts assert.

Key-based authentication example

How to implement host-based authentication?

To start implementing host-based authentication on SSH, one needs to start by creating a specific configuration. Both the server and client-side computers would be part of this configuration change.

On the client side the required configuration goes into /etc/ssh/ssh_config (the ssh client configuration, not sshd_config). Add:

  • HostbasedAuthentication yes
  • EnableSSHKeysign yes

EnableSSHKeysign lets ssh call the ssh-keysign helper, which must be installed setuid root (its path varies by distribution) so that it can read the host private key in /etc/ssh and sign the authentication request on behalf of the unprivileged user.

On the server side, three files in /etc/ssh are involved:

  • sshd_config
  • ssh_known_hosts
  • shosts.equiv

In sshd_config:

  • Set HostbasedAuthentication to "yes".
  • Leave IgnoreRhosts at its default of "yes" unless you want per-user ~/.shosts files to be honoured; the system-wide /etc/ssh/shosts.equiv is consulted regardless of that setting.

Then register the client host's public host key in /etc/ssh/ssh_known_hosts (for example with ssh-keyscan) under its canonical host name, and add that host name to /etc/ssh/shosts.equiv. Both files live on the server. The name must be the one the server obtains by reverse DNS for the client's address, because sshd compares the name the client sends with the resolved name and refuses the login on a mismatch unless HostbasedUsesNameFromPacketOnly is set. A shosts.equiv line that contains only a host name lets each user on that host log in as the same user name on the server; a line of the form "host user" lets that remote user log in as any local non-root account, so use the user field with care. Root can never be reached through shosts.equiv. Reload sshd afterwards.
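To make the trust rules of the overview section and the configuration steps above concrete, here is an added example, written for this edit rather than taken from the original post or from OpenSSH, that models the checks sshd applies to a host-based login attempt against constructed copies of /etc/ssh/ssh_known_hosts and /etc/ssh/shosts.equiv. Host names, addresses, user names and key blobs are invented; netgroups, hashed known_hosts entries, ~/.shosts and the signature verification itself are left out of the model.

```python
"""Model of the checks sshd(8) applies to a host-based login.

Illustrative code written for this article, not OpenSSH. It follows the
behaviour documented in sshd(8) and sshd_config(5): the client's name is
checked against reverse DNS (unless HostbasedUsesNameFromPacketOnly), the
client's host key must be listed under that name in ssh_known_hosts, root
never gets in via the system-wide trust file, and shosts.equiv decides which
(client host, client user, target user) triples are allowed.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample files; host names, addresses and key blobs are invented.
SSH_KNOWN_HOSTS = """\
# /etc/ssh/ssh_known_hosts on the server (as produced by ssh-keyscan)
client1.example.com,10.0.0.11 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIClient1FakeKeyBlob
build.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuildHostFakeKeyBlob
"""

SHOSTS_EQUIV = """\
# /etc/ssh/shosts.equiv on the server; the first matching line wins
-client1.example.com guest
client1.example.com
build.example.com deploy
"""

KEY_CLIENT1 = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIClient1FakeKeyBlob")
KEY_BUILD = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIBuildHostFakeKeyBlob")


@dataclass(frozen=True)
class Attempt:
    chost: str                # host name in the request (ssh appends a trailing ".")
    rdns: str                 # name sshd resolves for the connecting address
    hostkey: tuple[str, str]  # (key type, base64 blob) the client signed with
    cuser: str                # user name on the client host
    suser: str                # account requested on the server


def canonical(name: str) -> str:
    return name.rstrip(".").lower()


def parse_known_hosts(text: str) -> dict[tuple[str, str], str]:
    """Map (host name, key type) -> key blob; 'h1,h2 type blob' lists every host."""
    keys: dict[tuple[str, str], str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue  # comments and hashed entries are skipped in this model
        hosts, keytype, blob = line.split()[:3]
        for host in hosts.split(","):
            keys[(canonical(host), keytype)] = blob
    return keys


def parse_shosts_equiv(text: str) -> list[tuple[str, str | None]]:
    """Return (host, user) per line; user is None when only a host is given."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rules.append((parts[0], parts[1] if len(parts) > 1 else None))
    return rules


def shosts_allows(rules, hostname: str, cuser: str, suser: str) -> bool:
    """rhosts semantics as sshd implements them: the first line matching both
    host and user decides, and a leading '-' on either field makes it a deny.
    Without a user field the client user must equal the requested server user;
    with one, that remote user may become any (non-root) local account."""
    for host, user in rules:
        deny = host.startswith("-")
        host = host[1:] if deny else host
        if user is None:
            user = suser
        elif user.startswith("-"):
            deny, user = True, user[1:]
        if canonical(host) == hostname and user == cuser:
            return not deny
    return False


def hostbased_allowed(attempt: Attempt, known_hosts: str = SSH_KNOWN_HOSTS,
                      shosts_equiv: str = SHOSTS_EQUIV,
                      name_from_packet_only: bool = False) -> tuple[bool, str]:
    chost = canonical(attempt.chost)
    # 1. The claimed name must agree with reverse DNS for the source address.
    if not name_from_packet_only and canonical(attempt.rdns) != chost:
        return False, f"client sends {chost} but its address resolves to {attempt.rdns}"
    # 2. The signing key must be the one on file under that name.
    keytype, blob = attempt.hostkey
    if parse_known_hosts(known_hosts).get((chost, keytype)) != blob:
        return False, f"no matching host key for {chost} in ssh_known_hosts"
    # (sshd now verifies the ssh-keysign signature; assumed valid in this model.)
    # 3. The system-wide trust file is ignored when the target account is root.
    if attempt.suser == "root":
        return False, "shosts.equiv is never consulted for root"
    # 4. Finally the rhosts-style rules decide.
    if shosts_allows(parse_shosts_equiv(shosts_equiv), chost, attempt.cuser, attempt.suser):
        return True, f"{attempt.cuser}@{chost} may log in as {attempt.suser}"
    return False, f"no shosts.equiv rule lets {attempt.cuser}@{chost} become {attempt.suser}"


if __name__ == "__main__":
    for a in (Attempt("client1.example.com.", "client1.example.com", KEY_CLIENT1, "alice", "alice"),
              Attempt("client1.example.com.", "client1.example.com", KEY_CLIENT1, "alice", "bob"),
              Attempt("build.example.com.", "build.example.com", KEY_BUILD, "deploy", "www-data"),
              Attempt("client1.example.com.", "attacker.example.net", KEY_CLIENT1, "alice", "alice")):
        print(hostbased_allowed(a))
```

Two things the model makes visible: a user field in shosts.equiv widens trust from "same name on both sides" to "any local account", and turning on HostbasedUsesNameFromPacketOnly drops the reverse-DNS cross-check, so the server then relies solely on possession of the host key.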

The last word

Keeping the focus on the host rather than on individual users makes managing access to clusters of machines easier, provided the client hosts themselves, and their host private keys, are well protected. I hope this article helped you understand this authentication method thoroughly.

The post Host-based SSH authentication appeared first on Wallarm.

*** This is a Security Bloggers Network syndicated blog from Wallarm, written by Ferrisbuller. Read the original post at: https://lab.wallarm.com/ssh-host-based-authentication/
