Ssh works by the exchange and verification of information, using public and private keys, to identify hosts and users. It then provides encryption of subsequent communication, also by the use of public/private key cryptography.
SSH is designed to provide a secure method of authentication and data transport. This is accomplished via three main stages during the connection setup: SSH-TRANS, SSH-AUTH, and SSH-CONN.
As a user, you generate an “identity” on the client system by running the ssh-keygen program. This program creates a subdirectory $HOME/.ssh and inserts in it two files named identity and identity.pub which contain your private and public keys for your account on the client system. This latter file can then be appended to a file $HOME/.ssh/authorized_keys that should reside on any/all servers where you will make ssh connections.
As a system administrator, you generate a public and private key pair for the system itself. By use of this information contained within the system itself, the possibility of someone spoofing the system’s identity by faking IP addresses or munging up DNS records that associate IP addresses and domain names is removed. You would have to break into the system and steal its private key in order to sucessfully pretend to be that system. This is a big improvement in security.
Once you generate your public/private key on your local system you can place your public key in the authorized_keys of the server so you can bypass the login procedure and directly login into the server without the password.
When you ssh to a machine by the following command :
ssh -l admin -p 78 svrxx.domain.com
The first step performed is authentication of the server to the client and client to the server i.e first the server checks whether its publci key is contained in the file $HOME/.ssh/known_hosts this procedure is known as host validation if the key is present in the known_hosts file it will proceed with the subsequent authentication.
Else if it is not matching or not present will display the following message :
The authenticity of host ’svrxx.domain.com (188.8.131.52)’ can’t be established.
RSA key fingerprint is bd:e7:14:30:13:ba:74:77:47:b3:2a:b3:a1:07:2e:7a.
Are you sure you want to continue connecting (yes/no)?
Once you say yes then the public key of the server will be placed in the known_hosts file and you will not see this message again.
And once the host validation is complete the subsequent communcication will be encrypted using the private key that was generated from ssh-keygen command.