Everywhere I read they say ssh key pair authentication is more secure then simple password authentication because signature send to the server is always different . So if someone get my signature he cannot use it next time to login on my behalf .
Now my question is how this signature is unique ?
Does server send some random string first to which my computer sign it with my private key and send it back . Because this is the only way I see signature to be unique everytime . But everywhere on the web they say client send signature FIRST (as this is the first step) but I think server should send random string first !!
For key authentication, your private key is never revealed to the server (and therefore not to the attacker), only your public key. Likewise, the server’s private key is never revealed to you (or the attacker), only the public key.
Diffie-Hellman is used to derive two keypairs (one for each party) that are then used to send application data back and forth, whether authentication is done using a simple password or using public-key authentication.
In the case of password authentication, the session keypairs are calculated before the user/password is sent across the wire. This prevents simple eavesdropping but of course does not prevent attackers from trying to connect and guess the user/password combination directly. And of course, many users choose poor passwords.
In the case of public-key authentication, the session keypairs are calculated, then a simple conversation (typically a math question/answer) is done using RSA or a similar algorithm to verify the declared user matches the public key. This conversation cannot be faked without guessing one of the private keys. When done correctly, this is much harder to do than for even the strongest passwords. Even if there is a weakness in public-key authentication, such as in the random number generator, the resulting weak public-key authentication can still be much stronger than for password authentication.