SSH Key Offloading
SSH (Secure Shell) is a cryptographic network protocol that enables you to securely log in remotely from one computer to another.
The SSH protocol uses a client-server architecture, which means that the connection is established by an SSH client connecting to an SSH server. The SSH client drives the connection setup process and uses public key cryptography to verify the SSH server identity. After the setup phase, the SSH protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data exchanged between the client and server.
You can use the methods in this section to authenticate an SSH client to the SSH server. The most common methods are password and public key authentication.
With password authentication, an SSH client authenticates to an SSH server by using the password of a user on the SSH server. For example, an SSH client might try to establish an SSH connection by using the following command:
The system then prompts the SSH client for the password of the remote user it's attempting to connect with. If the password entered matches the password of the remote user on the SSH server, the remote login session is established.
The public key authentication method is often preferred over password authentication because it is more secure and allows for increased automation. After you set up public key authentication, the SSH client no longer needs to enter a password every time it connects.
Perform the following steps to set up public key authentication:
- Generate an SSH key pair (public key and private key) on the SSH client.
- Move the SSH client public key to the SSH server (for example, by using SCP or SFTP) and add it to the ~/.ssh/authorized_keys file.
Now, when the SSH client attempts to connect by using the ssh [email protected] command, the system should not prompt it for the remote user's password. Instead, the following process occurs in the background during the connection:
- The SSH client sends the following command to connect to the SSH server:
- The SSH server checks its ~/.ssh/authorized_keys file and finds a public key for the user that the SSH client is attempting to connect with.
- The SSH server then asks the SSH client to sign some arbitrary data using its SSH client private key to prove that the SSH client has the private key corresponding to the public key.
- The SSH client then sends data signed with the private key back to the SSH server, which then attempts to verify the signature by using the public key it has for the user the SSH client is connecting with.
- If the verification succeeds, the SSH server trusts the SSH client, establishing authentication.
By default, when you use the ssh-keygen command on an SSH client machine to create an SSH key pair, the process stores the private key in a plaintext file in the ~/.ssh directory. This poses a security risk because anyone accessing that machine can view the private key and use it to authenticate to remote machines over SSH.
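One way to find the keys this risk applies to, as an added example that is not part of the original page: the script classifies private key files as stored without passphrase encryption or encrypted, using the cipher name field of the OpenSSH key format and the PEM headers of older formats. The function names are hypothetical, and the sample key envelope built by constructed_key is constructed and non-functional.

```python
import base64, struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # prefix of a decoded OpenSSH-format private key

def _read_string(buf, off):
    """Read one SSH wire string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n]

def classify_private_key(text):
    """Return 'plaintext', 'encrypted' or 'not-a-private-key' for key file text."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and lines[0].endswith("PRIVATE KEY-----")):
        return "not-a-private-key"
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        # First field after the magic is the cipher name; "none" means no passphrase.
        return "plaintext" if _read_string(blob, len(MAGIC)) == b"none" else "encrypted"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS #8 encrypted container
        return "encrypted"
    # Legacy PEM keys announce passphrase encryption in a Proc-Type header line.
    return "encrypted" if "Proc-Type: 4,ENCRYPTED" in lines else "plaintext"

def audit_ssh_dir(path):
    """Map each private key file name under `path` to its classification."""
    findings = {}
    for entry in sorted(p for p in Path(path).iterdir() if p.is_file()):
        try:
            kind = classify_private_key(entry.read_text(errors="replace"))
        except (ValueError, struct.error):  # bad base64, bad magic, short blob
            kind = "unparseable"
        if kind != "not-a-private-key":
            findings[entry.name] = kind
    return findings

def constructed_key(cipher):
    """Constructed, non-functional openssh-key-v1 envelope used as sample input."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1) + s(b"PUB") + s(b"PRIV")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Calling audit_ssh_dir on a user's ~/.ssh directory returns a dictionary of file names and classifications; files reported as plaintext hold private keys that anyone with read access to the machine can use.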
Incorporating the into this process allows you to store the SSH client private key within the confines of a FIPS 140-2 Level 3-validated HSM. SSH integrates with through the PKCS #11 library.
With incorporated in this process, the SSH client can send the following command to connect to the SSH server, where FXPKCS11_MODULE_LOCATION is the location of the FXPKCS11 library file (libfxpkcs11.so on Linux and fxpkcs11.dll on Windows):
Now, when the SSH client needs to sign data by using its private key (steps 3-4 in the previous section), its configuration points to the PKCS #11 library, which then automatically authenticates to the with an identity and password set in the FXPKCS11 configuration file. then signs some arbitrary data by using the private key corresponding to that identity and sends the signed data back to the SSH client, which forwards it to the SSH server.