Mailinglist Archive: opensuse-security (138 mails)

< Previous Next >
SPAM: Re: [suse-security] Openssh + security
  • From: Jaime Santos <jesantos@xxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 13 Dec 2005 11:52:36 +0100
  • Message-id: <439EA7F4.1020609@xxxxxxxxxxxxxxxxxxxx>
Hi Bruno,

Sorry, I forgot that point. Yes, PAM overrides the other settings. That
is described somewhere in the sshd_config
comments.

You are absolutely right. Only an user logging in from a machine where
the private key is loaded can
login. The machine you log into does not need to have a copy of the
private key saved, only of the public
key (for instance, the file id_dsa.pub). You only need a copy of the
private key if you want to use
a given machine as client, not as server. The challenge response
authentication works in the following way:
the server uses the public key to encrypt a random bit which it sends to
you. If you posess the private key
you are able to decrypt it and return the correct answer to the server.
After the server has done this a sufficiently
large number of times, it assumes that you are who you say you are, not
based on what you know (a password)
but on what you have (a token, i.e. a copy of the private key). The
passphrase is never sent, encrypted or otherwise, it
merely protects your private key on the client side. If you wish to use
automatic logins with ssh, you can create
a private key with an empty passphrase, but them you have to be very
carefull with it. This is essentially the
Diffie-Hellmann mechanism of challenge-response, if I am not mistaken,
and it is a very, very clever concept.

Note that you may forward the ssh-agent, which allows you to login in
from your client to a server which has
a copy of your public key, but not of your private key and from there to
another server which also holds a copy
of your public key. Also note that you may specify, when invoking the
ssh command, on which file it should look
for a copy of the private key (the default is ~/.ssh/id_dsa or
~/.ssh/id_rsa). That way, you may carry your private
key on a diskette or USB-stick (which you may encrypt with say, pgp, if
you are really paranoid :-) ).

Best, Jaime.

P.S. I do apologise for the verbose and slightly off topic answer :-) ...
< Previous Next >
References