please decrypt your manuals

Doru Georgescu headset001 at
Tue Mar 30 01:23:35 EST 2010

I. most of ssh manual and all sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests to copy keys from /etc/ssh/ into /etc/ssh/ssh_known_hosts, as if those files are on the same machine. 

II. a general presentation of ssh workings is missing, and makes the decryption of those manuals even more difficult. i suppose, but i am not sure that: 

both encrypt their messages with the encryption keys in: 

both can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts 

only the server is protected through authentication. this happens in two ways: 

1. server side: 
      a. the client provides an authentication key: 
         + public part in //server/~/.ssh/authorized_keys 
            with chmod 700 .ssh; chmod 600 authorized_keys 
         + private part in //client/~/.ssh/id_rsa 

      the authentication key is created with: 
      ssh-keygen -t rsa
      ll gives: 
      -rw-------    1 dave     dave          526 Nov  3 01:21 id_rsa
      -rw-r--r--    1 dave     dave          330 Nov  3 01:21
      and can be copied with (just a direct copy from //client/~/.ssh/ to //server/~/.ssh/authorized_keys, or append to preserve other keys): 
      ssh-copy-id username at host 

      b. the client provides its password 

2. client side: 
      the client verifies that it has the server's public encryption key: 
      a. with a stupid question to the unknowing human at the client's console 
      b. verifying the server's public encryption key against the lists of servers' public encryption keys in: 
         //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts 
      you can copy and paste the key from //server/etc/ssh/ to //client/~/.ssh/known_hosts, minus username at server at the end, plus username at server at the beginning, with blanks as separators. ssh-keygen -H to hash names. 

//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authentication means are preferred. 

see mans ssh, sshd, ssh_config, sshd_config 

These few lines took me three frustating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. I hope that the author of sshd manual will correct his writing. Please verify my "discoveries" above and publish them somewhere. 

Less important: 
I still don't know if the encryption keys can be regenerated, and I am not sure that every line sent from client to server is authenticated, as it should. Also, I was surprised to see that I can not limit the number of tries for passwords. That config option is about logging of tries, not limiting them. 


More information about the openssh-unix-dev mailing list