SSH Key Offloading

this section covers ssh key offloading to the {{k3}} by using pkcs #11 ssh overview ssh (secure shell) is a cryptographic network protocol that enables secure remote login from one computer to another the ssh protocol uses a client server architecture , which means that the connection is established by an ssh client connecting to an ssh server the ssh client drives the connection setup process and uses public key cryptography to verify the ssh server's identity after the setup phase, the ssh protocol uses strong symmetric encryption and hashing algorithms to ensure the privacy and integrity of the data exchanged between the client and server ssh client authentication methods you can use several methods to authenticate the ssh client to the ssh server the most commonly used are password and public key authentication password authentication with password authentication, an ssh client authenticates to an ssh server by using your password on the ssh server for example, an ssh client would attempt to establish an ssh connection by using the following command ssh username\@server com the ssh client would then be prompted for your password, assuming you are the remote user it's attempting to connect with if the password entered matches your password on the ssh server, the remote login session is established public key authentication you might prefer public key authentication over password authentication because it is more secure and allows for increased automation after you set it up, the ssh client no longer needs to enter a password whenever it connects configure public key authentication with the following steps generate an ssh key pair (public and private key) on the ssh client move the ssh client public key to the ssh server (through scp or sftp ) and add it to the / ssh/authorized keys file now, when the ssh client attempts to connect by using the ssh username\@server com command, the ssh server should not request your password as the remote user trying to connect instead, the following procedure shows what happens during the connection the ssh client sends the following command to connect to the ssh server ssh username\@server com the ssh server checks its / ssh/authorized keys file and finds your public key that the ssh client is attempting to connect with the ssh server then asks the ssh client to sign some arbitrary data using its ssh client private key to prove that the ssh client has the private key corresponding to the public key the ssh client then sends data signed with the private key back to the ssh server, which then attempts to decrypt the data using the public key it has for you (the user the ssh client is connecting with) if the decryption succeeds, the ssh server trusts the ssh client, establishing authentication how does the {{k3}} fit into the process? by default, when you create an ssh key pair by using the ssh keygen command on an ssh client machine, the private key is stored in a plaintext file in the / ssh directory this poses a security risk because anyone with access to that machine can view the private key and use it to authenticate to remote machines over ssh incorporating the {{k3}} into this process enables the system to store the ssh client private key within the confines of a fips 140 2 level 3 validated hardware security module ssh integrates with the {{k3}} through the pkcs #11 library with the {{k}} incorporated in this process, the ssh client sends the following command to connect to the ssh server, where fxpkcs11 module location is the location of the fxpkcs11 library file ( libfxpkcs11 so on linux and fxpkcs11 dll on windows) ssh i \[fxpkcs11 module location] client\@server com now, when the ssh client needs to sign data using its private key (steps 3 4 in the previous section), it is configured to point to the pkcs #11 library, which then automatically authenticates to the {{k}} with an identity and password set in the fxpkcs11 configuration file the {{k}} then signs some arbitrary data by using the private key corresponding to that identity and sends the signed data back to the ssh client, which forwards it to the ssh server