 We said that The server authentic authenticates the client the client authentication common way is using password based So an example of that Again, I secure shell into ICT and we're not log in. We'll just run a command and First problem my client cannot authenticate the server It received the public key, but it doesn't know if it's a correct public key I must manually verify so what I would do is go to the server and find this Fingerprint see if it matches if it matches I type yes if it doesn't matches match. I'll type no Now for the server to verify the client it asks for a password and I type in the password So that's the client authentication step password based the user Supplies their password and the server lets them in if it's correct That was on ICT Let's do it on a different server. It's coming. Okay password less authentication again no password I connected to this server and Ran a command and I didn't supply a password So how does the server know it's someone who's allowed to access the server if I'm not supplying a password How does the server authenticate? It's it's someone who's allowed to access What form of client authentication can we perform if we don't use a password? We can use keys Public-private keys. So the other approach of authentication is key-based authentication so what I've set up in advance is that my client has a public-private key pair and and My public key is loaded into the server The server knows my public key. So when I contact that server I Encrypt a message using my private key and The server verifies that using my public key To confirm that it's actually me because the only person who could encrypt using my private key is me So this is key-based authentication You don't need a password to log in But it requires some setup in advance. What was the setup? First on the client on the client we said that the client has its own RSA key pair It's RSA public key and it's RSA private key. I'll show you my public key Not my private key There it is encoded in a way to save in a text file, but that's my RSA public key What I've done in advance is copied that to the server Let's check. So I'll log into the server. So in advance on the server There's a file called authorize keys This file lists on the server the public keys of clients which are authorized to access this server and Inside there may be many Not sure There are multiple there one of them if you look closely will correspond to my laptops So the idea with key-based authentication or password less authentication with secure shell the client has its own be specific RSA in this case public and Private key pair and The server knows the client's public key. How does it know it? I manually copied it there in advance and that must be done in a secure manner So it must be done in a trustworthy manner, but there are commands that do that But if we manually load that RSA public key of the client then when the client tries to access the server in one of the messages and I don't have a capture for that in One of the messages the client sends Some message which is encrypted with the RSA private key and What's encrypted? It doesn't matter. It's just assigned essentially some data Some known data. Okay, so this is in the key exchange at the start and The server knows it's the correct client and it verifies it decrypts Let's say This is some value x that we receive It decrypts that x value With the RSA public key of the client That is the client signs a message when it sends to the server. It's signed with the private key of the client If it successfully verifies with the public key of the client then that message must have came from that client and Because the server's already approved anyone that contacts me with this corresponding private key it can log in Then now the server verifies. Ah, this is the correct client. It's not someone pretending to be this client Let them log in No need to ask for for a password So we can use key-based authentication to do log ins to remote servers Yep, so in this case, how does the server really know that RSA PUC is the public key of the client? Same question as when we authenticate the server How does the client know that the RSA public key of the server is that of the server? We don't unless we have some manual verification All right, so we need to load this public key onto the server We need to do that in a secure manner or in a mate manner in which we trust it That is we could be have access to both computers via some other means and and read the value and check the fingerprint Yeah, we could use certificates, but that would require some authority to be set up and in a secure shell We generally don't use Require some authorities because it's not them So convenient to use that when we're accessing different servers So usually it's sufficient to manually transfer it or to verify That is verify with at first using a username and password and then verify are that's the correct one and Therefore we trust this public key. So that's password less log ins or key-based or client authentication