Trevor (Commander)

SSH Authentication

Key-based authentication is a popular method used for SSH. 

Is there an authentication method, supported on RHEL, that is
more secure for SSH?

Trevor "Red Hat Evangelist" Chandler
4 Replies
Blue_bird (Starfighter)

Disable password authentication. Use of public key authentication is preferred.

Optionally add MFA for stronger security. Enterprises can also integrate with Kerberos.

Thanks

Chetan_Tiwary_ (Community Manager)

@Trevor Yes. You can have:

1. Certificate-based authentication - similar to key-based; just generate a user CA and a host CA like this:

ssh-keygen -t rsa -b 4096 -f host_ca -C host_ca

ssh-keygen -t rsa -b 4096 -f user_ca -C user_ca

Use HostCertificate in sshd_config.

2. Using PAM

3. GSSAPI-based: Instead of a password, this method works by leveraging your existing Kerberos ticket, a digital credential you already have on your system. The entire process happens automatically in the background: when you try to connect via SSH, your machine and the server perform a secure handshake. Your SSH client forwards your Kerberos credentials, and the server validates them against its Kerberos infrastructure.

Use KerberosAuthentication yes in sshd_config.

https://gist.github.com/ashrithr/4767927948eca70845db

4. MFA: integrating SSH with MFA providers like Google Authenticator and hardware tokens.

 
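The two replies above describe the same setup in outline (disable password login, prefer public keys, and optionally move to a CA-signed certificate model). The script below is an added example, not code posted by either participant, that carries the certificate procedure through end to end in a scratch directory: it generates a host CA and a user CA, signs a host key and a user key with principals and a validity window, writes an sshd_config.d drop-in that turns off password and keyboard-interactive authentication and trusts the user CA, and reads the resulting certificates back with ssh-keygen -L so you can confirm what the CA actually asserted. Assumptions: ed25519 keys instead of the rsa -b 4096 in the reply (either works; only the -t flag differs), the hostname bastion.example.com and user alice are invented, the 52-week host and 8-hour user validity are illustrative choices, and the drop-in path assumes an sshd_config that includes /etc/ssh/sshd_config.d/*.conf as RHEL 9 does. Nothing here touches /etc/ssh; copy the files into place as root when you are satisfied with them.

```shell
#!/bin/sh
# Added example for the thread above; not from the original posts.
# All paths, names and validity periods are assumptions for illustration.
set -eu

# setup_ssh_ca DIR: create the two CA key pairs the reply describes
# (host_ca signs server host keys, user_ca signs user login keys).
setup_ssh_ca() {
    dir=$1
    mkdir -p "$dir"
    ssh-keygen -q -t ed25519 -N '' -f "$dir/host_ca" -C host_ca
    ssh-keygen -q -t ed25519 -N '' -f "$dir/user_ca" -C user_ca
}

# sign_host_key DIR HOSTNAME: generate a host key and sign it with host_ca.
# -h marks a host certificate; -n lists the principals (names clients may
# connect to); -V bounds validity so a leaked certificate expires on its own.
sign_host_key() {
    dir=$1; host=$2
    ssh-keygen -q -t ed25519 -N '' -f "$dir/ssh_host_ed25519_key" -C "$host"
    ssh-keygen -q -s "$dir/host_ca" -I "host-$host" -h -n "$host" -V +52w \
        "$dir/ssh_host_ed25519_key.pub"
}

# sign_user_key DIR USER: generate a user key and sign it with user_ca.
# The principal list is the set of Unix accounts this certificate may log
# in as; the short validity makes it a session credential, not a permanent key.
sign_user_key() {
    dir=$1; user=$2
    ssh-keygen -q -t ed25519 -N '' -f "$dir/id_$user" -C "$user"
    ssh-keygen -q -s "$dir/user_ca" -I "user-$user" -n "$user" -V +8h \
        "$dir/id_$user.pub"
}

# write_sshd_dropin DIR: sshd_config.d fragment (assumed install paths).
# Password and keyboard-interactive logins are off; certificates signed by
# user_ca are accepted for any principal that matches the login name.
write_sshd_dropin() {
    dir=$1
    cat > "$dir/50-ca.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_ed25519_key
HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
TrustedUserCAKeys /etc/ssh/user_ca.pub
EOF
}

# known_hosts_line DIR PATTERN: the client-side line that makes clients trust
# any host certificate signed by host_ca for hosts matching PATTERN.
known_hosts_line() {
    dir=$1; pattern=$2
    printf '@cert-authority %s %s\n' "$pattern" "$(cat "$dir/host_ca.pub")"
}

# cert_type CERT: "host" or "user", taken from the Type: line of ssh-keygen -L.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/Type:/ {print $(NF-1)}'
}

# cert_principals CERT: the principals the CA embedded in the certificate,
# one per line. Check these before installing: they are what sshd enforces.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}'
}

# Stand-alone demo: run with SSH_CA_DEMO=1 to see the files and certificates.
if [ "${SSH_CA_DEMO:-0}" = 1 ]; then
    d=$(mktemp -d)
    setup_ssh_ca "$d"
    sign_host_key "$d" bastion.example.com
    sign_user_key "$d" alice
    write_sshd_dropin "$d"
    known_hosts_line "$d" '*.example.com'
    ssh-keygen -L -f "$d/id_alice-cert.pub"
    ssh-keygen -L -f "$d/ssh_host_ed25519_key-cert.pub"
fi
```

The check worth keeping from this script is cert_principals: a certificate signed with the wrong -n list is accepted by sshd exactly as written, so reading the principals back with ssh-keygen -L before copying anything into /etc/ssh is the step that catches a mis-issued credential. The same -L output also shows the Valid: window, which is what distinguishes this model from a plain authorized_keys entry that never expires.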

Trevor (Commander)

Chetan, I can see these being more secure than key-based authentication.  

I wanted to ask a follow-up question as to why these methods have not supplanted key-based authentication.  However, with the need to have Kerberos involved with GSSAPI, and Google Authenticator for MFA, I can see that being some heavy lifting that some organizations may not want to engage.  

Regarding PAM, with it being readily available in the RHEL environment, it's interesting that it doesn't get more usage/publicity.  Maybe it being a little bit more involved to setup than key-based authentication might have something to do with that.

Lastly, on your Certificate-based authentication response, is that CA an external CA?

Trevor "Red Hat Evangelist" Chandler
Chetan_Tiwary_ (Community Manager)

@Trevor It can be either external or internal.

You are right about the heavy lifting, and that is why key-based authentication is the most widely used: because it is simpler, familiar and sufficient.
