Re: [suse-security] Openssh + security
I was having a problem because 'UsePAM yes' I have: PasswordAuthentication no PermitRootLogin no PubKeyAuthentication yes but because of the option UsePAM this was overllaped... My question: When using PubKeyAuthentication only users that have .ssh/authorized_keys file can login, right? So no test, postgres, mysql, admin, guest, etc...
Hi Bruno, Sorry, I forgot that point. Yes, PAM overrides the other settings. That is described somewhere in the sshd_config comments. You are absolutely right. Only an user logging in from a machine where the private key is loaded can login. The machine you log into does not need to have a copy of the private key saved, only of the public key (for instance, the file id_dsa.pub). You only need a copy of the private key if you want to use a given machine as client, not as server. The challenge response authentication works in the following way: the server uses the public key to encrypt a random bit which it sends to you. If you posess the private key you are able to decrypt it and return the correct answer to the server. After the server has done this a sufficiently large number of times, it assumes that you are who you say you are, not based on what you know (a password) but on what you have (a token, i.e. a copy of the private key). The passphrase is never sent, encrypted or otherwise, it merely protects your private key on the client side. If you wish to use automatic logins with ssh, you can create a private key with an empty passphrase, but them you have to be very carefull with it. This is essentially the Diffie-Hellmann mechanism of challenge-response, if I am not mistaken, and it is a very, very clever concept. Note that you may forward the ssh-agent, which allows you to login in from your client to a server which has a copy of your public key, but not of your private key and from there to another server which also holds a copy of your public key. Also note that you may specify, when invoking the ssh command, on which file it should look for a copy of the private key (the default is ~/.ssh/id_dsa or ~/.ssh/id_rsa). That way, you may carry your private key on a diskette or USB-stick (which you may encrypt with say, pgp, if you are really paranoid :-) ). Best, Jaime. P.S. I do apologise for the verbose and slightly off topic answer :-) ...
Thanks Jaime for that clarification... On 12/13/05, Jaime Santos <jesantos@alexandre-santos.com> wrote:
Hi Bruno,
Sorry, I forgot that point. Yes, PAM overrides the other settings. That is described somewhere in the sshd_config comments.
You are absolutely right. Only an user logging in from a machine where the private key is loaded can login. The machine you log into does not need to have a copy of the private key saved, only of the public key (for instance, the file id_dsa.pub). You only need a copy of the private key if you want to use a given machine as client, not as server. The challenge response authentication works in the following way: the server uses the public key to encrypt a random bit which it sends to you. If you posess the private key you are able to decrypt it and return the correct answer to the server. After the server has done this a sufficiently large number of times, it assumes that you are who you say you are, not based on what you know (a password) but on what you have (a token, i.e. a copy of the private key). The passphrase is never sent, encrypted or otherwise, it merely protects your private key on the client side. If you wish to use automatic logins with ssh, you can create a private key with an empty passphrase, but them you have to be very carefull with it. This is essentially the Diffie-Hellmann mechanism of challenge-response, if I am not mistaken, and it is a very, very clever concept.
Note that you may forward the ssh-agent, which allows you to login in from your client to a server which has a copy of your public key, but not of your private key and from there to another server which also holds a copy of your public key. Also note that you may specify, when invoking the ssh command, on which file it should look for a copy of the private key (the default is ~/.ssh/id_dsa or ~/.ssh/id_rsa). That way, you may carry your private key on a diskette or USB-stick (which you may encrypt with say, pgp, if you are really paranoid :-) ).
Best, Jaime.
P.S. I do apologise for the verbose and slightly off topic answer :-) ...
Hi Bruno, Sorry, one thing I said is not correct. The server looks for a copy of your public key in the file ~/.ssh/authorized_keys. You copy your file id_dsa.pub or id_rsa.pub into there when you create a new key. Such a file can contain several different public keys and the possession of any of the corresponding private keys will allow an user to login using challenge-response. Obviously, it is questionable why one should possess more than one different key. They should be protected by different passphrases, otherwise there is no increased security, but them you have to manage those different passphrases. Moreover, you can have different copies of the same key protected by different passphrases. Suppose you want to login in automatically from a very secure machine. You change the passphrase of the resident private key to none in that machine. However, the copy of the key you carry in your laptop or diskette or USB-stick should still be protected by a strong passphrase. Hope this helps. Best, Jaime.
participants (2)
-
Bruno Cochofel -
Jaime Santos