Kyle R. Burton on Mon, 17 Sep 2001 21:10:36 +0200
> > You have to put the public part of your key up on the remote box and,
> > depending on the version of ssh, add that key to your authorized_keys or
> > authorized_keys2 file.
>
> So, my client that will be connecting to this host has to create a public
> key with their SSH client, and then copy that key to my host FIRST (in
> either the authorized_keys or authorized_keys2 file)? The problem I foresee
> is that the SSH client I'm using (Accuterm) doesn't ASK me to create a key.

You can set up your sshd daemon to only use public/private key authentication, and to refuse password based authentication - in fact public/private key auth is more secure than password based authentication by a large margin.

> There's no way to avoid having to copy the client's keys to the host FIRST?

As far as I understand it, and have done it, yes. An easy way to do that is to scp it, or use gpg/pgp and have them email it. It's really a key distribution issue - if you're going to use gpg to exchange secure email with someone, you first need to have their public key so you can encrypt stuff for them -- it's the same issue.

The process basically is:

The user first creates a public/private key pair. The private part of the keypair is protected with the passphrase. The public part is...well, public. The user puts the public key on any boxes they want to be able to connect to using the private key (adding it to the authorized_keys file).

When the user connects to the box, the sshd daemon on that box looks at the authorized_keys file in their ~/.ssh directory and sees that they have one or more private keys in there - the daemon then encrypts a challenge using the public key (this is why it needs the public part of the key) and sends the challenge to the ssh client - the ssh client has the private part of the key so it can decrypt the challenge and send it back to the sshd daemon verifying that it has the private part of the key. If the client can successfully send back the challenge, then the sshd daemon knows that the client is the owner of the public key.

Does this make sense?

Kyle

-- 
------------------------------------------------------------------------------
If you do not get it from yourself, where will you go for it?
    Zen Saying
mortis@voicenet.com http://www.voicenet.com/~mortis
------------------------------------------------------------------------------

______________________________________________________________________
Philadelphia Linux Users Group - http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion - http://lists.phillylinux.org/mail/listinfo/plug
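The two admin-side steps described in the reply above (putting the user's public key into authorized_keys, and configuring sshd so that password logins are refused and only the key works) as an added shell example; this is not code from the thread or from OpenSSH. The public key line and the sshd_config fragments are constructed placeholders, and the config check only looks at top-level directives (it ignores Match blocks).

```shell
#!/bin/sh
# Added example, not from the original thread. Installs a public key into
# authorized_keys idempotently with the permissions sshd's StrictModes requires,
# and checks whether an sshd_config refuses password logins.
# The key line and config text used below are constructed placeholders.

# Append PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys unless it is already there.
install_authorized_key() {
    home_dir="$1"
    pubkey_line="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd refuses keys if the dir is group/world writable
    touch "$auth_file"
    chmod 600 "$auth_file"

    # -x matches the whole line, -F treats the key as a fixed string,
    # so running this twice never duplicates the key.
    if ! grep -qxF "$pubkey_line" "$auth_file"; then
        printf '%s\n' "$pubkey_line" >> "$auth_file"
    fi
}

# Print the effective value of one sshd_config keyword, lowercased.
# sshd uses the FIRST uncommented occurrence of a keyword, so stop at the first
# match. Keywords are case-insensitive. Match blocks are not handled here.
sshd_config_value() {
    config_file="$1"
    keyword="$2"
    awk -v kw="$keyword" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(kw) { print tolower($2); exit }
    ' "$config_file"
}

# Succeed only if password logins are off and public-key logins are not
# explicitly disabled (PubkeyAuthentication defaults to yes when absent).
key_only_auth_enforced() {
    config_file="$1"
    [ "$(sshd_config_value "$config_file" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_config_value "$config_file" PubkeyAuthentication)" != "no" ]
}

# --- demo on a throwaway directory with constructed data ---
demo_dir=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAACONSTRUCTEDPLACEHOLDERKEY= user@example'

install_authorized_key "$demo_dir/home" "$demo_key"
install_authorized_key "$demo_dir/home" "$demo_key"   # second call is a no-op

# A weak config (password logins still on) beside a hardened one.
printf 'PasswordAuthentication yes\nPubkeyAuthentication yes\n' > "$demo_dir/weak.conf"
printf '# comment line\nPasswordAuthentication no\nPubkeyAuthentication yes\n' > "$demo_dir/hardened.conf"

for conf in weak hardened; do
    if key_only_auth_enforced "$demo_dir/$conf.conf"; then
        echo "$conf.conf: key-only authentication enforced"
    else
        echo "$conf.conf: password logins still allowed"
    fi
done

rm -rf "$demo_dir"
```

The ordering rule in `sshd_config_value` matters in practice: because sshd takes the first occurrence of a keyword, appending `PasswordAuthentication no` to the end of a config that already says `yes` higher up changes nothing, and a check that reads the last occurrence would report the host as hardened when it is not.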