Mailinglist Archive: opensuse-security (138 mails)

Re: SPAM: Re: [suse-security] Openssh + security
  • From: Bruno Cochofel <bruno.cochofel@xxxxxxxxx>
  • Date: Tue, 13 Dec 2005 11:58:08 +0000
  • Message-id: <101541880512130358y1e5c722dp19aca963b8ed5744@xxxxxxxxxxxxxx>
Thanks Jaime for that clarification...

On 12/13/05, Jaime Santos <jesantos@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi Bruno,
>
> Sorry, I forgot that point. Yes, PAM overrides the other settings. That
> is described somewhere in the sshd_config comments.
>
> You are absolutely right. Only a user logging in from a machine where
> the private key is loaded can log in. The machine you log into does not
> need to have a copy of the private key saved, only of the public key
> (for instance, the file id_dsa.pub). You only need a copy of the private
> key if you want to use a given machine as client, not as server. The
> challenge response authentication works in the following way: the server
> uses the public key to encrypt a random bit which it sends to you. If you
> possess the private key you are able to decrypt it and return the correct
> answer to the server. After the server has done this a sufficiently large
> number of times, it assumes that you are who you say you are, not based
> on what you know (a password) but on what you have (a token, i.e. a copy
> of the private key). The passphrase is never sent, encrypted or
> otherwise; it merely protects your private key on the client side. If
> you wish to use automatic logins with ssh, you can create a private key
> with an empty passphrase, but then you have to be very careful with it.
> This is essentially the Diffie-Hellman mechanism of challenge-response,
> if I am not mistaken, and it is a very, very clever concept.
>
> Note that you may forward the ssh-agent, which allows you to log in from
> your client to a server which has a copy of your public key, but not of
> your private key, and from there to another server which also holds a
> copy of your public key. Also note that you may specify, when invoking
> the ssh command, in which file it should look for a copy of the private
> key (the default is ~/.ssh/id_dsa or ~/.ssh/id_rsa). That way, you may
> carry your private key on a diskette or USB-stick (which you may encrypt
> with say, pgp, if you are really paranoid :-) ).
>
> Best, Jaime.
>
> P.S. I do apologise for the verbose and slightly off topic answer :-) ...
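A defender's check for the PAM point raised in the reply, added here as an example that is not part of the thread: with `UsePAM yes` and `ChallengeResponseAuthentication yes`, sshd hands the keyboard-interactive prompt to PAM, which can still accept the account password even though `PasswordAuthentication no` is set. The sshd_config it reads is constructed inline; it assumes the plain `Keyword value` form and no `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the thread). Inspect an sshd_config for the case
# where PAM keyboard-interactive can still take a password although
# PasswordAuthentication is off.

# Effective value of a keyword: sshd uses the FIRST value it finds for a
# keyword, keywords are case-insensitive, and $3 is the compiled-in default
# used when the keyword is absent.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(grep -i "^[[:space:]]*$key[[:space:]]" "$file" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Return 0 if no password prompt is reachable, 1 if PAM can still prompt
# for a password via challenge-response, 2 if plain password auth is on.
password_path_status() {
    file=$1
    pw=$(sshd_opt "$file" PasswordAuthentication yes)
    cr=$(sshd_opt "$file" ChallengeResponseAuthentication yes)
    pam=$(sshd_opt "$file" UsePAM no)
    if [ "$pw" = yes ]; then
        echo "PasswordAuthentication is on: passwords accepted"
        return 2
    elif [ "$pam" = yes ] && [ "$cr" = yes ]; then
        echo "PasswordAuthentication no, but UsePAM yes and" \
             "ChallengeResponseAuthentication yes: PAM may still ask for a password"
        return 1
    fi
    echo "no password prompt reachable; key-based methods only"
    return 0
}

# Constructed sample: looks hardened, but leaves the PAM path open.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
# sshd_config (constructed sample)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF

rc=0
password_path_status "$SAMPLE_CFG" || rc=$?
echo "exit status: $rc"
```

Setting `ChallengeResponseAuthentication no` (or `UsePAM no`) closes the gap the reply refers to; re-run the check after the change.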