please decrypt your manuals

[Doru Georgescu]

I. most of ssh manual and all sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests to copy keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files are on the same machine. 

II. a general presentation of ssh workings is missing, and makes the decryption of those manuals even more difficult. i suppose, but i am not sure that: 

both encrypt their messages with the encryption keys in: 
/etc/ssh/ssh_host_[rd]sa_key
/etc/ssh/ssh_host_[rd]sa_key.pub

both can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts 

only the server is protected through authentication. this happens in two ways: 

1. server side: 
      a. the client provides an authentication key: 
         + public part in //server/~/.ssh/authorized_keys 
            with chmod 700 .ssh; chmod 600 authorized_keys 
         + private part in //client/~/.ssh/id_rsa 

      the authentication key is created with: 
      ssh-keygen -t rsa
      ll gives: 
      -rw-------    1 dave     dave          526 Nov  3 01:21 id_rsa
      -rw-r--r--    1 dave     dave          330 Nov  3 01:21 id_rsa.pub
      and can be copied with (just a direct copy from //client/~/.ssh/id_rsa.pub to //server/~/.ssh/authorized_keys, or append to preserve other keys): 
      ssh-copy-id username at host 

      b. the client provides its password 

2. client side: 
      the client verifies that it has the server's public encryption key: 
      a. with a stupid question to the unknowing human at the client's console 
      b. verifying the server's public encryption key against the lists of servers' public encryption keys in: 
         //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts 
      you can copy and paste the key from //server/etc/ssh/ssh_host_rsa_key.pub to //client/~/.ssh/known_hosts, minus username at server at the end, plus username at server at the beginning, with blanks as separators. ssh-keygen -H to hash names. 


//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authentication means are preferred. 

see mans ssh, sshd, ssh_config, sshd_config 


These few lines took me three frustating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. I hope that the author of sshd manual will correct his writing. Please verify my "discoveries" above and publish them somewhere. 


Less important: 
I still don't know if the encryption keys can be regenerated, and I am not sure that every line sent from client to server is authenticated, as it should. Also, I was surprised to see that I can not limit the number of tries for passwords. That config option is about logging of tries, not limiting them.