please decrypt your manuals

Keisial keisial at
Thu Apr 22 01:22:42 EST 2010

Doru Georgescu wrote:
> Developers work without a good reference at hand, defining what was already done. One of them did not know that ~/.ssh/known_hosts can be used by the server under version 2 of the protocol. It is not his fault. 
Do not count me as an ssh developer. I am not.
I just happen to know a little more than you, but you should still take
my opinions on how it works with a grain of salt.

> The encryption keys are regenerated during communication (~R in man ssh, RekeyLimit in man ssh_config). 
They are generated at the beginning, and may be regenerated during
communication. It is worth making explicit that it is different from
the authentication key mentioned below.

> The authenticated machine's (usually the server) host authentication keys are used to authenticate it in front of other machines or user accounts. These keys are memorized on the authenticated machine: 
> /etc/ssh/ssh_host_[rd]sa_key
> /etc/ssh/ssh_host_[rd]
> ssh-keygen - authentication key generation and management 
> The authenticating machine or user account (usually the client) can memorize known machines' public host keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts. 
> Authentication of the server machine in front of the client user account: 
>     the client verifies that the server's public host key is known: 
>     a. with a stupid question to the unknowing human at the client's console 
>     b. verifying the server's public host key against the lists of servers' public host keys in: 
>         //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts 
Step b is done before a.

>      the authentication key is created on the client with: 
>      ssh-keygen -t rsa
>      ll gives: 
>      -rw-------    1 dave     dave          526 Nov  3 01:21 id_rsa
>      -rw-r--r--    1 dave     dave          330 Nov  3 01:21
>      and can be copied from the client with (just a direct copy from //client/~/.ssh/ to //server/~/.ssh/authorized_keys, or append to preserve other keys): 
>      ssh-copy-id username@server

ssh-keygen -t rsa generates an rsa key. Other acceptable values for -t
are rsa1 and dsa. I would just note that they are created by ssh-keygen,
and let people check ssh-keygen(1) for more information.
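
The lookup order discussed in this message (the known_hosts files are consulted first, and the user is asked only when no entry is found), as an added Python example that is not part of the original post and is not OpenSSH code. The function names, hostnames, salt and key blobs are constructed for illustration, and the lookup is simplified: wildcard patterns, `[host]:port` entries and `@` marker lines are not handled.

```python
import base64
import hashlib
import hmac

# Constructed sample data: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()


def hash_host(host, salt):
    """Build a hashed known_hosts host field: |1|salt|HMAC-SHA1(salt, host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_matches(field, host):
    """True if a known_hosts host field (plain list or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(host, keytype, key_b64, known_hosts_texts):
    """Return 'match', 'changed' or 'unknown' for the key a server offered."""
    seen_other_key = False
    for text in known_hosts_texts:             # every known_hosts file supplied
        for line in text.splitlines():
            parts = line.split()
            if len(parts) < 3 or parts[0].startswith(("#", "@")):
                continue                        # blanks, comments, marker lines
            if host_matches(parts[0], host) and parts[1] == keytype:
                if parts[2] == key_b64:
                    return "match"              # step b succeeded: no question asked
                seen_other_key = True
    # A different key on record is a stronger signal than no record at all,
    # so it is reported separately from the case that leads to the question.
    return "changed" if seen_other_key else "unknown"


SYSTEM_FILE = "# constructed /etc/ssh/ssh_known_hosts\nserver,192.0.2.10 ssh-rsa %s\n" % KEY_A
USER_FILE = "%s ssh-rsa %s\n" % (hash_host("backup", b"constructed-salt"), KEY_B)

if __name__ == "__main__":
    for h, k in (("server", KEY_A), ("server", KEY_B), ("backup", KEY_B), ("newbox", KEY_A)):
        print(h, check_host_key(h, "ssh-rsa", k, [SYSTEM_FILE, USER_FILE]))
```

Only the "unknown" result corresponds to step a, the question at the console; "changed" is the case where a key is on record but differs from the one offered.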

More information about the openssh-unix-dev mailing list