please decrypt your manuals
Doru Georgescu
headset001 at yahoo.com
Tue Mar 30 01:23:35 EST 2010
I. most of ssh manual and all sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests to copy keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files are on the same machine.
II. a general presentation of ssh workings is missing, and makes the decryption of those manuals even more difficult. i suppose, but i am not sure that:
both encrypt their messages with the encryption keys in:
/etc/ssh/ssh_host_[rd]sa_key
/etc/ssh/ssh_host_[rd]sa_key.pub
both can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts
only the server is protected through authentication. this happens in two ways:
1. server side:
a. the client provides an authentication key:
+ public part in //server/~/.ssh/authorized_keys
with chmod 700 .ssh; chmod 600 authorized_keys
+ private part in //client/~/.ssh/id_rsa
the authentication key is created with:
ssh-keygen -t rsa
ll gives:
-rw------- 1 dave dave 526 Nov 3 01:21 id_rsa
-rw-r--r-- 1 dave dave 330 Nov 3 01:21 id_rsa.pub
and can be copied with (just a direct copy from //client/~/.ssh/id_rsa.pub to //server/~/.ssh/authorized_keys, or append to preserve other keys):
ssh-copy-id username at host
b. the client provides its password
2. client side:
the client verifies that it has the server's public encryption key:
a. with a stupid question to the unknowing human at the client's console
b. verifying the server's public encryption key against the lists of servers' public encryption keys in:
//client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts
you can copy and paste the key from //server/etc/ssh/ssh_host_rsa_key.pub to //client/~/.ssh/known_hosts, minus username at server at the end, plus username at server at the beginning, with blanks as separators. ssh-keygen -H to hash names.
//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authentication means are preferred.
see mans ssh, sshd, ssh_config, sshd_config
These few lines took me three frustating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. I hope that the author of sshd manual will correct his writing. Please verify my "discoveries" above and publish them somewhere.
Less important:
I still don't know if the encryption keys can be regenerated, and I am not sure that every line sent from client to server is authenticated, as it should. Also, I was surprised to see that I can not limit the number of tries for passwords. That config option is about logging of tries, not limiting them.
More information about the openssh-unix-dev
mailing list