The two widely used methods of SSH authentication for secure remote access are:
In password-based authentication, after establishing secure connection with remote servers, SSH users usually pass on their usernames and passwords to remote servers for client authentication. These credentials are shared through the secure tunnel established by symmetric encryption. The server checks for these credentials in the database and, if found, authenticates the client and allows it to communicate.
In Public key-based authentication, after the client establishes a connection with the remote server, the client informs the server of the key pair it would like to authenticate itself with. The server verifies the existence of this key pair in its database and then sends an encrypted message to the client. The client decrypts the message with it’s private key and generates a hash value which is sent back to the server for verification. The server generates its own hash value and compares it with the one sent from the client. When both the hash values match, the server is convinced of the client’s authenticity and allows it to communicate with the server.
Passwords have been the traditional enforcers of security for decades and are used by millions of people and organizations worldwide for secure access. However, evolving attack tactics have proven time and again that passwords are no longer effective in securing access and, on the contrary, are becoming highly vulnerable to cyberattacks, such as, phishing, credential stuffing, and man-in-the-middle attacks.
Poor password hygiene is one of the prime contributors to passwords becoming an easy target for hackers. Setting weak passwords, reusing the same password across multiple applications, not changing passwords regularly, and sharing passwords are some of the reasons why passwords are no longer considered safe.
As the digital footprint expands and the remote workforce grows, authentication is required at all the different access points to ensure only authorized people are allowed network access. Naturally, the number of usernames and passwords will increase. Although organizations use password managers and single sign-on to store, manage and protect passwords, it requires significant investment of time and money. Even so, it is challenging to protect passwords as hackers have become more skilled at stealing passwords from central repositories.
When it comes to secure remote access, one of the major drawbacks of password-based SSH authentication is that passwords are shared over the wire. Although passwords are encrypted, this process is not entirely safe because attackers have been able to crack passwords in the past with brute force attacks. If an SSH password gets compromised, attackers can get root access to critical systems, which can lead to disastrous consequences.
A recommended and safer alternative to passwords is to switch to passwordless authentication. SSH helps implement this through public key-based authentication, in which case, the private key of the client is never shared with the remote server at any stage of the communication. As the private key never leaves the user’s system (unlike passwords), there is no question of it being stolen in transit, which minimizes the risk of exposure or a data breach.
Private keys are the heart of PKI-based authentication, which is why they are stored in highly secure locations such as HSMs (Hardware Security Module) and vaults, eliminating the possibility of hackers getting access to them. Replacing passwords with secure private keys also removes the need for users to remember or use passwords. The process requires no manual intervention, which reduces security risk to a great extent. In addition, logins are fast and seamless, which improves user experience.