Difference between known_hosts and authorized_keys file in SSH - Linux
source link: https://javarevisited.blogspot.com/2024/03/difference-between-knownhosts-and.html#axzz8TuRoECFW
If you have used SSH to log in to a remote host on Linux, you have probably come across two files stored under the .ssh directory in your home directory, i.e. ~/.ssh/known_hosts and ~/.ssh/authorized_keys. Both take part in authentication during login, but in opposite directions: known_hosts is used for server authentication (the client checks that the server is the machine it claims to be), while authorized_keys is used for client or user authentication (the server checks that the user holds a trusted private key). SSH allows login with either a password or a key pair; the "trusted" SSH connection between two hosts that lets you copy files without typing a password is built on public and private keys.
Now, some of you might be wondering why the client needs to confirm the identity of the server at all. Didn't we give it the IP address (or hostname) to connect to, so if that is correct we must be talking to the right server? Not necessarily: name resolution, routing or a compromised network path can deliver the connection to a different machine, and a password typed into an impostor is simply handed to the attacker. Checking the server's host key against known_hosts is what lets the client detect such a man-in-the-middle before any credentials are sent.
On the other hand, authorized_keys is used to authenticate clients connecting to the server. The file lives in the target account's ~/.ssh directory on the server and holds the list of public keys whose owners are allowed to log in as that user. When a client offers a key, the server looks for a matching public key in this file and then asks the client to sign a challenge derived from the session identifier; only a client holding the corresponding private key can produce a signature that verifies against the stored public key, which is why the public key in the file never has to be secret.
When you connect to a new host using SSH, you receive following message:
$ ssh dev2323pgm
The authenticity of host 'dev2323pgm (10.62.32.22)' can't be established.
RSA key fingerprint is 6a:64:e6:4e:23:42:dd:e6:ca:d5:99:96:43:6a:eb:76.
Are you sure you want to continue connecting (yes/no)?
If you say yes, the public key of this host is added to your ~/.ssh/known_hosts file, and the next time you SSH to this host the message is not printed. This is the first half of server authentication: on first contact you authenticate the server manually by comparing its key fingerprint (a short hash used to identify the much longer public key) with a value obtained out of band, for example from the server's administrator or by running ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server's console. Answering yes without that comparison is "trust on first use": it protects every later connection, but not the first one. Newer OpenSSH releases print a SHA256 fingerprint (and usually an ED25519 host key) instead of the MD5 hex shown here, and also accept the fingerprint itself at the prompt in place of yes. Once you accept, ssh confirms:
Warning: Permanently added 'dev2323pgm,110.62.32.22' (RSA) to the list of known hosts.
You can verify that by checking the .ssh/known_hosts file as shown below:
$ cat ~/.ssh/known_hosts
dev2323pgm,110.62.32.22 ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
The next time you log in to the same host as the same user, SSH will not ask you to verify the server's identity again; it goes straight to the password prompt. You can even log in without a password if the public key of your client machine has been added to the authorized_keys file of the same user on the server.
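To make the server-authentication step concrete, here is an added example (not code from the original article or from OpenSSH) of what the ssh client does with known_hosts before it sends any credentials: look the host up (both plain entries and the hashed |1|salt|hmac entries written under HashKnownHosts yes), compare the stored key blob with the one the server just presented, and compute the SHA256 fingerprint you would check against the administrator's value. The host names, addresses and key bytes are constructed for the example; the file format, the hashing scheme and the fingerprint encoding are OpenSSH's.

```python
"""Client-side known_hosts check, as OpenSSH does it when you run `ssh host`.

Added example for this article; it is not code from the article or from
OpenSSH. Host names, IPs and key bytes are constructed. The file format,
the hashed-host scheme (|1|salt|hmac-sha1, written with HashKnownHosts yes)
and the fingerprint encoding (SHA256:<base64 without padding>) are real.
"""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """The blob OpenSSH base64-encodes for an ssh-ed25519 public key."""
    assert len(raw_pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(blob: bytes) -> str:
    """Fingerprint as printed by `ssh-keygen -lf` (SHA256 form)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes = None) -> str:
    """Produce the |1|<salt>|<hmac> host field used by hashed known_hosts."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a known_hosts host field (plain, comma list, or hashed) against hostname."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = host_field.split("|")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def lookup_known_host(known_hosts_text: str, hostname: str, key_type: str):
    """Return (fingerprint, blob) stored for hostname and key_type, or None."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue          # blank line or comment
        host_field, ktype, key_b64 = parts[:3]
        if ktype == key_type and host_matches(host_field, hostname):
            blob = base64.b64decode(key_b64)
            return fingerprint(blob), blob
    return None


def check_server_key(known_hosts_text, hostname, key_type, presented_blob):
    """Classify the key the server presented: 'unknown', 'match' or 'MISMATCH'.

    'unknown' is the "authenticity of host ... can't be established" prompt;
    'MISMATCH' is the "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal.
    """
    stored = lookup_known_host(known_hosts_text, hostname, key_type)
    if stored is None:
        return "unknown"
    return "match" if hmac.compare_digest(stored[1], presented_blob) else "MISMATCH"


# Constructed sample data: a fake host key, an impersonator's key, and a
# known_hosts file with one plain entry and one hashed entry.
DEV_BLOB = make_ed25519_blob(bytes(range(32)))
ROGUE_BLOB = make_ed25519_blob(bytes(range(1, 33)))
DEV_B64 = base64.b64encode(DEV_BLOB).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample ~/.ssh/known_hosts",
    "dev2323pgm,10.62.32.22 ssh-ed25519 " + DEV_B64,
    hash_hostname("build01.example.internal", b"0123456789abcdefghij")
    + " ssh-ed25519 " + DEV_B64,
])

if __name__ == "__main__":
    for host, blob in [("dev2323pgm", DEV_BLOB), ("10.62.32.22", ROGUE_BLOB),
                       ("build01.example.internal", DEV_BLOB), ("newhost", DEV_BLOB)]:
        print("%-26s %s" % (host, check_server_key(SAMPLE_KNOWN_HOSTS, host, "ssh-ed25519", blob)))
    print("expected fingerprint:", fingerprint(DEV_BLOB))
```

Running it reports match for dev2323pgm, MISMATCH when a different key is presented for 10.62.32.22 (the situation in which real ssh aborts with REMOTE HOST IDENTIFICATION HAS CHANGED), match for the hashed entry even though the host name appears nowhere in clear text, and unknown for a host that is not in the file, which is the first-contact prompt shown above. The lookup is keyed on host name and key type, so a host that has both an RSA and an ED25519 key is prompted for separately the first time each type is offered.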
Important points about known_hosts and authorized_key in SSH
Here are a few more important things you should know and remember:
1) Public key cryptography works with a pair of keys, a public key and a private key. The public key can be shared with anyone, but the private key must be kept secret. Because the public key can be handed out freely, it is the public key that gets copied to the other side (the server's host key into your known_hosts, your user key into the server's authorized_keys), while the private key stays where it was generated and is what proves your identity.
2) The private key file is usually longer than the public key file (an RSA private key holds several extra components). You can share public keys with others, but you must keep the private key to yourself. A third party can encrypt a message intended for you with your public key, and only you can open it, using your private key; conversely, a signature you make with your private key can be verified by anyone holding your public key, which is the property SSH authentication relies on.
3) The SSH protocol lets you log in either with a password or with a public/private key pair.
4) The known_hosts file stores the list of servers you have logged in to from that client account. Each line holds the host name, the IP address, the key type and the public key of the server, as shown below (the key shown is illustrative; a key as OpenSSH itself writes it begins with AAAAB3NzaC1yc2E for ssh-rsa or AAAAC3NzaC1lZDI1NTE5 for ssh-ed25519):
dev2323pgm,110.62.32.22 ssh-rsa MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCqGKukO1De7zhZj6+H0qtjTkVxwTCpvKe4eCZ0FPqri0cb2JZfXJ/DgYSF6vUpwmJG8wVQZKjeGcjDOL5UlsuusFncCzWBQ7RKNUSesmQRMSGkVb1/3j+skZ6UtW+5u09lHNsj6tQ51s1SPrCBkedbNf0Tp0GbMJDyR4e9T04ZZwIDAQAB
If a host already exists in this file, SSH does not ask you to confirm its identity. Usually you see that message the first time you log in to a server from another machine; once you accept and move on you do not see it again, because the server's public key has been added to known_hosts. If the stored key and the key the server presents ever differ, ssh refuses to connect and prints WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!, which means either that the server was reinstalled with a new host key or that something is impersonating it; find out which before removing the old entry.
5) The authorized_keys file is used to authenticate client connections. If a public key matching the one the client offers exists in this file, the server sends the client a challenge; the client signs it with its private key, and the server verifies the signature with the stored public key. Nothing is encrypted to the client's public key in this exchange, and the stored public key grants no access on its own without the private key.
6) You can log in to a remote server using a private key with SSH. The ssh command lets you specify the identity file with the -i option, as shown below:
$ ssh -i private_key.txt [email protected]
7) If you don't have a pair of keys then you can also generate them using the ssh-keygen command in Linux as shown below:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user1/.ssh/id_rsa): mykey
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in mykey.
Your public key has been saved in mykey.pub.
The key fingerprint is:
b3:6f:c9:e2:59:d0:81:af:11:4d:08:a2:f8:17:7f:c6 [email protected]
After executing the command you will see two files (in the current directory, because mykey was given without a path; pass ~/.ssh/mykey to keep them under .ssh):
mykey
mykey.pub
The first file contains your private key and the second your public key. RSA was long the default key type (recent OpenSSH defaults to ed25519), but with ssh-keygen -t you can choose the type yourself, e.g. ssh-keygen -t ed25519, which is the recommended choice today, or ssh-keygen -t ecdsa; DSA keys are obsolete and are no longer accepted by recent OpenSSH releases.
If you want password-less login from host A/user A to host B/user B for an unattended job, the simplest approach is to leave the passphrase empty when ssh-keygen asks for it, but remember that anyone who obtains the file then has the key, so protect it with file permissions (ssh refuses to use a private key that is readable by others). For interactive use, set a passphrase and load the key into ssh-agent (ssh-add ~/.ssh/mykey) so you type it once per session instead of on every connection. If you do not provide a name, ssh-keygen creates id_rsa and id_rsa.pub (or id_ed25519 and id_ed25519.pub for -t ed25519) under ~/.ssh on the host.
You can also maintain the known_hosts file with ssh-keygen. Note that ssh-keygen -R does not add a host: it removes every entry for the given host name (or IP address), which is what you want after a server has been legitimately reinstalled and its host key has changed:
$ ssh-keygen -R demo.com
/home/user1/.ssh/known_hosts updated.
Original contents retained as /home/user1/.ssh/known_hosts.old
To check whether a host is already present, use ssh-keygen -F demo.com. To add a host's public key without logging in, fetch it with ssh-keyscan demo.com >> ~/.ssh/known_hosts and then compare the fingerprint printed by ssh-keygen -lf ~/.ssh/known_hosts with the value obtained from the server's administrator; ssh-keyscan records whatever answers on the network, so by itself it gives no more assurance than answering yes at the prompt.
8) You can also copy the public key of the client into the server's authorized_keys with the ssh-copy-id command, e.g. ssh-copy-id -i ~/.ssh/mykey.pub user@server. It logs in once with your password and appends the key to ~/.ssh/authorized_keys of that user on the server, after which key-based login works.
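The client-authentication side, as an added example for this article (it is not code from the article or from OpenSSH): how sshd searches authorized_keys for the key a client offers. The key bytes and the two sample lines are constructed; the line format, the from= and command= options, and the rule that the match is on the key blob and never on the trailing comment are OpenSSH's. The signature check over the session identifier needs a cryptography library, so it is stood in for by the signature_ok flag.

```python
"""Server-side authorized_keys lookup, as sshd does it for the publickey method.

Added example for this article; not code from the article or from OpenSSH.
Key bytes and authorized_keys lines are constructed. The line format
(optional options, key type, base64 blob, comment) and the rule that matching
is on the key blob, never on the comment, follow sshd. Verifying the client's
signature over the session ID is represented by the `signature_ok` flag.
"""
import base64
import fnmatch
import struct

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def make_ed25519_blob(raw_pubkey: bytes) -> bytes:
    """The blob OpenSSH base64-encodes for an ssh-ed25519 public key."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw_pubkey


def split_options(line: str):
    """Split the leading options field from the rest, honouring quoted spaces."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and line[i - 1:i] != "\\":
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
    return line, ""


def parse_options(options_str: str) -> dict:
    """Parse from="...",command="...",no-pty into a dict; bare flags map to True."""
    opts, token, in_quote = {}, "", False
    for ch in options_str + ",":
        if ch == "," and not in_quote:
            if token:
                name, _, value = token.partition("=")
                opts[name] = value.strip('"') if value else True
            token = ""
            continue
        if ch == '"':
            in_quote = not in_quote
        token += ch
    return opts


def parse_authorized_line(line: str):
    """Return (options, key_type, blob, comment), or None for blank/comment/bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options_str = ""
    if line.split(None, 1)[0] not in KEY_TYPES:     # line starts with options
        options_str, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None                                 # malformed: sshd skips it
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:
        return None
    return parse_options(options_str), parts[0], blob, parts[2] if len(parts) == 3 else ""


def find_authorized_key(authorized_text, presented_type, presented_blob, client_ip):
    """Options of the first entry whose key (not comment) matches, else None.

    from="pat,..." restricts the source address; sshd skips the entry when no
    pattern matches. fnmatch approximates sshd's * and ? patterns ('!' negation
    is not handled here).
    """
    for line in authorized_text.splitlines():
        parsed = parse_authorized_line(line)
        if parsed is None:
            continue
        opts, ktype, blob, _comment = parsed
        if ktype != presented_type or blob != presented_blob:
            continue
        if "from" in opts and not any(fnmatch.fnmatchcase(client_ip, p)
                                      for p in opts["from"].split(",")):
            continue
        return opts
    return None


def decide(authorized_text, presented_type, presented_blob, client_ip, signature_ok):
    """Outcome of one publickey authentication attempt."""
    opts = find_authorized_key(authorized_text, presented_type, presented_blob, client_ip)
    if opts is None:
        return "reject: key not in authorized_keys (or from= does not match)"
    if not signature_ok:
        return "reject: possession of the private key not proven"
    if "command" in opts:
        return "accept: forced command %r" % opts["command"]
    return "accept"


def b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample data: two authorised keys (one restricted) and an outsider.
LAPTOP_BLOB = make_ed25519_blob(bytes(range(32)))
BACKUP_BLOB = make_ed25519_blob(bytes(range(32, 64)))
OTHER_BLOB = make_ed25519_blob(bytes(range(64, 96)))
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample ~/.ssh/authorized_keys on the server",
    "ssh-ed25519 %s user1@laptop" % b64(LAPTOP_BLOB),
    'from="10.62.32.*",command="/usr/bin/rrsync -ro /srv/backups",no-pty '
    "ssh-ed25519 %s backup@build01" % b64(BACKUP_BLOB),
])

if __name__ == "__main__":
    for label, blob, ip in [("laptop key", LAPTOP_BLOB, "203.0.113.9"),
                            ("backup key from 10.62.32.22", BACKUP_BLOB, "10.62.32.22"),
                            ("backup key from 198.51.100.7", BACKUP_BLOB, "198.51.100.7"),
                            ("unlisted key", OTHER_BLOB, "203.0.113.9")]:
        print(label, "->", decide(SAMPLE_AUTHORIZED_KEYS, "ssh-ed25519", blob, ip, True))
```

Two points worth noticing: the comment at the end of each line (user1@laptop) plays no part in the decision, so editing it neither grants nor revokes access, and only the key blob does; and the restricted second line shows why a key-based login is not necessarily a full shell, since the from= and command= options let the server confine a key to one source network and one forced command.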
About Author
Javin Paul is a Programmer, Author, and Blogger sharing his knowledge on Java since 2010. Javin has more than 18 years of Java experience working on server-side technologies, FIX Protocol, and other Java-related technologies. He has a passion for teaching and helping people and has done 1-to-1 and classroom teaching before. He has authored multiple books, notably Grokking the Java Interview and Grokking the Spring Boot Interview.