ssh-keysign

ssh-keysign

ssh-keysign is an internal helper program used by the ssh(1) client for host-based authentication. When a user attempts to connect to a remote host, and host-based authentication is enabled, ssh(1) needs to prove the identity of the the *local* host to the *remote* server.

To achieve this, ssh-keysign reads the host's private key (typically /etc/ssh/ssh_host_rsa_key or similar) and uses it to digitally sign a challenge sent by the remote sshd(8) server. This signature is then sent back to the server, which verifies it using the local host's public key (which it should already have in its known_hosts file or similar).

Because ssh-keysign needs to access sensitive host private keys, it is typically installed as a setuid root binary with highly restricted permissions. It is not intended for direct user invocation and is automatically called by ssh(1) when required. Its secure operation is crucial for the integrity of host-based authentication.

Not for Direct Use: ssh-keysign is an internal helper and should never be invoked directly by users. Its proper functioning relies on specific system permissions and internal protocol handling.

Security Critical: This program is typically installed as a setuid root binary, meaning it runs with root privileges to access sensitive host private keys. Due to this, it must be installed with very strict file permissions to prevent abuse. Any misconfiguration or vulnerability could lead to serious security compromises, potentially exposing the host's private key or allowing arbitrary file reads.

Host-Based Authentication Only: Its sole purpose is to facilitate host-based authentication in ssh(1), a specific and less common authentication method compared to public key or password authentication.

When ssh(1) determines that host-based authentication is applicable and enabled (via the HostbasedAuthentication yes option in ssh_config(5)), it executes ssh-keysign. The challenge sent by the remote sshd(8) is piped to ssh-keysign's standard input, and the resulting signature is returned via standard output to ssh(1) for transmission to the server. This design isolates the sensitive private key operations to a small, privileged program, reducing the attack surface of the main ssh client.

ssh-keysign is an integral part of the OpenSSH suite, which originated from the OpenBSD project. It was developed as part of the broader effort to create a free and open-source implementation of the SSH protocol, providing secure remote access and file transfer capabilities. Its role in host-based authentication has been consistent since its early inclusion in OpenSSH, evolving with the protocol but maintaining its core function as a secure private key signing helper for the local host.

ssh(1), sshd(8), ssh-agent(1), ssh-add(1)