please decrypt your manuals
Doru Georgescu
headset001 at yahoo.com
Wed Apr 21 21:49:59 EST 2010
I include my current knowledge of ssh.
The //server/ and //client/ notations are wrong, I kept them for convenience only.
I use the word "machine" instead of "host" in a few places. This is wrong. Please get over it.
Some file permissions are restricted too much, but still functional. This is not important right now.
The information is very incomplete, but it covers most used authentication techniques.
Please tell me if you agree with it.
ssh is the client
sshd is the server
Communication is fully encrypted and authenticated in both directions.
The encryption keys are regenerated during communication (~R in man ssh, RekeyLimit in man ssh_config).
The authenticated machine's (usually the server) host authentication keys are used to authenticate it in front of other machines or user accounts. These keys are memorized on the authenticated machine:
/etc/ssh/ssh_host_[rd]sa_key
/etc/ssh/ssh_host_[rd]sa_key.pub
ssh-keygen - authentication key generation and management
The authenticating machine or user account (usually the client) can memorize known machines' public host keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts.
Authentication of the server machine in front of the client user account:
the client verifies that the server's public host key is known:
a. with a stupid question to the unknowing human at the client's console
b. verifying the server's public host key against the lists of servers' public host keys in:
//client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts
you can copy and paste the key from //server/etc/ssh/ssh_host_rsa_key.pub to //client/~/.ssh/known_hosts, minus username@server at the end, plus username@server at the beginning, with blanks as separators. ssh-keygen -H to hash names.
Authentication of the client user account in front of the server machine:
a. the client provides its password
b. the client provides an authentication key:
+ private part in //client/~/.ssh/id_rsa
+ public part in //server/~/.ssh/authorized_keys
with chmod 700 .ssh; chmod 600 authorized_keys
the authentication key is created on the client with:
ssh-keygen -t rsa
ll gives:
-rw------- 1 dave dave 526 Nov 3 01:21 id_rsa
-rw-r--r-- 1 dave dave 330 Nov 3 01:21 id_rsa.pub
and can be copied from the client with (just a direct copy from //client/~/.ssh/id_rsa.pub to //server/~/.ssh/authorized_keys, or append to preserve other keys):
ssh-copy-id username@server
see the man pages ssh, sshd, ssh_config, sshd_config
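As an added example (not from the post or from OpenSSH itself), the known_hosts entry the post describes built from a .pub line: the trailing user@host comment dropped, the hostname put first, the hashed-hostname form that ssh-keygen -H writes, and the SHA256 fingerprint that the first-connection prompt shows so it can be compared against the server's key out of band. SAMPLE_PUB is a constructed stand-in for ssh_host_rsa_key.pub, not a real key.

```python
import base64
import hashlib
import hmac
import os

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix."""
    return len(b).to_bytes(4, "big") + b

def _ssh_mpint(n: int) -> bytes:
    """SSH mpint: minimal big-endian bytes, leading 0x00 if the top bit is set."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

# Constructed stand-in for /etc/ssh/ssh_host_rsa_key.pub on the server.
# e and n are made-up numbers, not a real key; the line format is exact.
_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 255) + 12345)
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(_BLOB).decode() + " dave@server"

def pub_to_known_hosts(pub_line: str, hostname: str) -> str:
    """Turn a .pub line into a known_hosts line: drop the trailing
    user@host comment, put the hostname (plain or hashed) first."""
    keytype, keydata = pub_line.split()[:2]
    return f"{hostname} {keytype} {keydata}"

def hash_hostname(hostname: str, salt: bytes = None) -> str:
    """The '|1|salt|hash' form written by ssh-keygen -H / HashKnownHosts:
    hash = HMAC-SHA1 keyed with a random 20-byte salt over the hostname."""
    salt = os.urandom(20) if salt is None else salt
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()

def host_matches(hashed: str, hostname: str) -> bool:
    """Check a hostname against a hashed entry; the salt is public, so
    only the right hostname reproduces the stored hash."""
    _, version, salt_b64, mac_b64 = hashed.split("|")
    if version != "1":
        return False
    salt = base64.b64decode(salt_b64)
    expected = hash_hostname(hostname, salt).split("|")[3]
    return hmac.compare_digest(expected, mac_b64)

def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint in ssh-keygen -lf style, the value shown in the
    'Are you sure you want to continue connecting' prompt."""
    blob = base64.b64decode(pub_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

if __name__ == "__main__":
    print(pub_to_known_hosts(SAMPLE_PUB, hash_hostname("server")))
    print(fingerprint(SAMPLE_PUB))
```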