
ssh passwordless login, public key authentication only (what's going on behind the curtains)

In ssh, it is possible to set up passwordless logins to a remote user, using only public key authentication. Out of curiosity, what is actually going on code-wise, when passwordless login has been set up?

Is the ssh-server daemon storing user passwords, and then applying them automatically, when they have authenticated a public key, or can the ssh-server, using some system-call magic, circumvent the password authentication procedure of a user account entirely?

The ssh server daemon is typically running as root (or another privileged user), and can thus simply spawn a login session running as whichever user is required. No password involved.

Other things that work in a similar manner are the -u flag for sudo, and the su command when already running as root.

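The sshd (SSH daemon) process runs with privileges on your server (e.g. as root), so after authentication completes successfully it spawns a login shell as the user logging in.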

You are starting from the point of assuming a password is a requirement for authentication. But it is really only one way there. On modern Linux the PAM subsystem controls authentication and authorization. You could make a PAM module that allowed you to log in if you answered three questions correctly. Or know the right number. Or, to be even more outlandish, your "password" could be a music sequence entered over a MIDI device :-)

Something needs to tie your entered name with a Unix UID and then match that to an authentication mechanism. SSH is doing this by:

  1. taking the name you provide and getting the "password entry" for it via PAM
  2. using the "password entry" to locate the $HOME of the user
  3. validating the SSH key in $HOME/.ssh/authorized_keys against the key sent in the authentication
  4. if all of the above works, starting a shell as the UID of the user

As you can see this process is not going around password authentication. Password authentication is simply one of the ways in the door. We are accustomed to this method via 'login' or ssh exposing a password prompt. But there are many ways. The core requirement is the program performing the authentication has root privileges.

Everyone already mentioned that sshd runs as a privileged daemon.

So how does passwordless public key authentication work?

When a user connects to sshd, by default unless configured otherwise, sshd will require the remote connection to present a key. In the absence of the key, sshd will attempt to ask for other methods of proof of identity of the remote user, one of which is interactive password.

Before one can start using passwordless public key authentication, one must register his public key. This usually involves copying the public key to the user's .ssh/authorized_keys file. There is a CLI, ssh-copy-id, that can do exactly this.

How does private/public key authentication work then? When a user connects to the ssh daemon, the ssh client will read the user's private key, usually stored in .ssh under different filenames such as id_rsa or identity or id_dsa. The ssh client will generate the public key from the private key and present the public key to sshd. The sshd daemon will compare the received public key against the user's authorized_keys. If a match is found, the connection is allowed. Then sshd will spawn a process and a shell and will drop the privileges to the user's privilege.
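The steps the answers above describe (passwd lookup, authorized_keys match, switch to the user's UID), written out in C as an added example; it is not code from OpenSSH or from any of the answers. The function names, the placeholder key text and the simplified line matching are assumptions, and the client's proof that it holds the private key is assumed to have been checked already.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Step 2: the passwd entry's home directory locates the key file. */
const char *keys_path(const struct passwd *pw) {
    static char path[4096];
    int w = snprintf(path, sizeof path, "%s/.ssh/authorized_keys", pw->pw_dir);
    return (w > 0 && (size_t)w < sizeof path) ? path : NULL;
}
/* Step 3: exact match of "<type> <base64>" at the start of a line. Comment
 * lines and lines with leading options never match, so this fails closed. */
int key_listed(const char *text, const char *type, const char *b64) {
    char line[8192], t[64], k[8192];
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len < sizeof line) {              /* over-long lines are ignored */
            memcpy(line, text, len);
            line[len] = '\0';
            if (sscanf(line, "%63s %8191s", t, k) == 2 &&
                strcmp(t, type) == 0 && strcmp(k, b64) == 0) return 1;
        }
        text += len + (text[len] == '\n');
    }
    return 0;
}
/* Step 4: what a root process does instead of "entering a password".
 * Order matters: groups and gid must change while we are still root. */
int become_user(const struct passwd *pw) {
    if (initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;
    if (pw->pw_uid != 0 && setuid(0) == 0) return -1; /* must be irreversible */
    return chdir(pw->pw_dir);
}
int main(int argc, char **argv) {
    /* Constructed sample file contents; the key text is a placeholder. */
    const char *sample = "# laptop\nssh-ed25519 AAAAC3ExampleOnly alice@laptop\n";
    struct passwd *pw = argc > 1 ? getpwnam(argv[1]) : getpwuid(getuid());
    if (!pw || !keys_path(pw)) return 1;      /* step 1: name -> passwd entry */
    printf("uid=%d home=%s keys=%s listed=%d\n", (int)pw->pw_uid, pw->pw_dir,
           keys_path(pw), key_listed(sample, "ssh-ed25519", "AAAAC3ExampleOnly"));
    if (geteuid() == 0 && become_user(pw) == 0)   /* only root may switch */
        printf("now uid=%d gid=%d; no password was consulted\n",
               (int)getuid(), (int)getgid());
    return 0;
}
```

Run unprivileged, it prints the lookup and match result only; started as root with a user name as its argument, it also performs the identity switch.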
