please decrypt your manuals

Doru Georgescu headset001 at yahoo.com
Wed Apr 21 21:49:59 EST 2010


I include my current knowledge of ssh. 

The //server/ and //client/ notations are wrong; I kept them for convenience only. 
I use the word "machine" instead of "host" in a few places. This is wrong. Please get over it. 
Some file permissions are restricted too much, but still functional. This is not important right now. 
The information is very incomplete, but it covers most used authentication techniques. 

Please tell me if you agree with it. 

ssh is the client 
sshd is the server 

Communication is fully encrypted and authenticated in both directions. 

The encryption keys are regenerated during communication (~R in man ssh, RekeyLimit in man ssh_config). 

The authenticated machine's (usually the server) host authentication keys are used to authenticate it in front of other machines or user accounts. These keys are memorized on the authenticated machine: 
/etc/ssh/ssh_host_[rd]sa_key
/etc/ssh/ssh_host_[rd]sa_key.pub
ssh-keygen - authentication key generation and management 

The authenticating machine or user account (usually the client) can memorize known machines' public host keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts. 

Authentication of the server machine in front of the client user account: 

    the client verifies that the server's public host key is known: 

    a. with a stupid question to the unknowing human at the client's console 
    b. verifying the server's public host key against the lists of servers' public host keys in: 
        //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts 

     you can copy and paste the key from //server/etc/ssh/ssh_host_rsa_key.pub to //client/~/.ssh/known_hosts, minus username@server at the end, plus username@server at the beginning, with blanks as separators. ssh-keygen -H to hash names. 

Authentication of the client user account in front of the server machine: 

    a. the client provides its password 

    b. the client provides an authentication key: 
        + private part in //client/~/.ssh/id_rsa 
        + public part in //server/~/.ssh/authorized_keys 
           with chmod 700 .ssh; chmod 600 authorized_keys 

     the authentication key is created on the client with: 
     ssh-keygen -t rsa
     ll gives: 
     -rw-------    1 dave     dave          526 Nov  3 01:21 id_rsa
     -rw-r--r--    1 dave     dave          330 Nov  3 01:21 id_rsa.pub
     and can be copied from the client with (just a direct copy from //client/~/.ssh/id_rsa.pub to //server/~/.ssh/authorized_keys, or append to preserve other keys): 
     ssh-copy-id username@server 


see mans ssh, sshd, ssh_config, sshd_config 
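The known_hosts handling the post walks through above (copying a host's .pub line into known_hosts with the host name in front, hashing names with ssh-keygen -H, and the lookup ssh performs before it falls back to asking at the console), as an added Python example that is not part of the original post or of OpenSSH. The key blob and host names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for //server/etc/ssh/ssh_host_rsa_key.pub (not a real key).
SAMPLE_HOST_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0example root@server"


def known_hosts_line(host_field, pubkey_line):
    """Build a known_hosts entry the way the post describes: keep the key type
    and blob from the .pub line, drop the trailing user@host comment, and put
    the host name (or an already hashed host field) in front, blank-separated."""
    keytype, blob = pubkey_line.split()[:2]
    return f"{host_field} {keytype} {blob}"


def hash_hostname(hostname, salt=None):
    """Hashed host field as written by `ssh-keygen -H`:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))."""
    if salt is None:
        salt = os.urandom(20)  # OpenSSH uses a 20-byte random salt
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_matches(host_field, hostname):
    """True if a known_hosts host field (plain name, comma-separated list, or
    hashed form) covers hostname. Hashed fields are checked by recomputing the HMAC."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return hostname in host_field.split(",")


def find_host_key(known_hosts_text, hostname, keytype):
    """Return the key blob recorded for (hostname, keytype), or None when the
    host is unknown, the case where ssh falls back to asking at the console.
    Lines with a leading @marker (e.g. @revoked) are skipped, not evaluated."""
    for line in known_hosts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith(("#", "@")):
            continue
        if fields[1] == keytype and host_matches(fields[0], hostname):
            return fields[2]
    return None
```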