Understanding server ssh keys
Trying to better understand server ssh keys, and have a few questions.
Thank you Code:
michael@pi:/etc/ssh $ ls -l |
#10 is a bad idea.
#11 -N is allowing you to specify a (new) passphrase. Personally, I don't use any passphrases - maybe some people would have issues with this??? Don't use the default port 22 for ssh. |
Quote:
#11 I accidentally read the MAN incorrectly, and thought it had something ports. Sorry. |
Essentially, if you put your private key on multiple machines, you lose security.
Your host is going to get confused about the client machine and can't be warned that someone appears to have seized control of your private key. Why not write a script to setup your SSH keys after the install? |
The reason I originally started looking into this is to find a way to ssh into a host which is located behind a firewall where the firewall doesn't allow incoming communication. To do so, on the machine behind the firewall, I would do the following:
Code:
ssh -R 2222:localhost:22 sshtunnel@192.168.1.10 Code:
ssh -p 2222 sshtunnel@localhost |
If you want to have an incoming connection, surely you need to allow an incoming communication of some kind?
You would want a host that doesn't allow incoming connections to actually not allow incoming connections!! :twocents: For example, you could open port 2222 for SSH communication from just your list of approved devices.... (More ingenious packet blocking strategies are possible). |
Quote:
|
Quote:
Quote:
You can retrieve a server's public key(s) manually using ssh-keyscan If a training language is easier to read than C, you can check this project to see the actual process the client uses to verify the server's authenticity: https://karla.io/2016/04/30/ssh-for-fun-and-profit.html Quote:
If you are talking about the private keys that you are keepig on your client, only the private key is considered a secret. The public key is, well, public information. Quote:
Quote:
See "man ssh-keygen" Quote:
But as far as identifiying an exiting key goes, it is done by the "delimter" as you call it. If you have the source for OpenSSH-portable, look in the file named PROTOCOL.key for the details. Quote:
Quote:
The public key has whatever restrictions and comments you did or didn't add. See the manual page "man sshd" in the section "AUTHORIZED_KEYS FILE FORMAT" for your full set of options. Quote:
Quote:
|
Thanks Turbocapitalist,
These keys have always been a mystery to me, however, spending a little time learning about them has really helped. Maybe "encrypted" was not the right world, but it is definitely not text. The ssh_host_key/ssh_host_key.pub pair is only on one of the devices (not pi2). Is ssh_host_key a client key, and are client keys stored in the same /etc/ssh directory? If so, I don't recall what I might have done to gain this client key. Quote:
Quote:
Code:
michael@pi2:/etc/ssh $ ls -l Code:
michael@pi:/etc/ssh $ ls -l |
Hmm. That's not part of any key normally generated or used by OpenSSH. Furthermore, it appears to be some kind of binary. Perhaps you can see what the file utility has to say about identifying it:
Code:
file /etc/ssh/ssh_host_key Code:
dpkg -S /etc/ssh/ssh_host_key The files normally seen in /etc/ssh/ are : and, on outdated systems also:
|
Quote:
Code:
michael@pi:~ $ sudo file /etc/ssh/ssh_host_key |
Quote:
I hope it is set to use only protocol 2: Code:
$ sudo grep -i '^protocol' /etc/ssh/sshd_config |
Yes, protocol 2.
That's really old or really odd? Hope just old! How do I determine if anything is using it? Should I just delete them? |
Here are a few answers to a few of the OP questions . . .
(1) Host keys / User keys: (good explanation here) When two parties want to communicate securely, both parties must possess a means of identifying each other. Not only does the host machine need to verify that you are authorized to access it, but your machine must be able to verify that it is talking to the expected host. When you connect to a server for the first time, you'll be presented with that key and must approve it. You'll subsequently be notified if the host key changes. All keys are pairs, with a private (secret ...) key, and a public (not-secret ...) key that can only be generated by a possessor of the (secret) private key. - - - (2) The Need for Uniqueness: In any public-key cryptosystem, the private key should always be distinct. In this way, it uniquely identifies a particular user, or a particular machine. There should be no other extant copies of any machine's private key, except securely upon that machine. - - - (3) Key Content / Identifying Keys: As you see, each key file begins (and maybe, ends) with a human-readable identifier. It is this identifier which cues the system as to what to expect. But, if anything is "out of the ordinary," the software will detect it and raise an alarm. Within their content, keys contain not only "key material" but also certain "metadata." The metadata is only for descriptive purposes, to assist in identifying and managing the file. Furthermore, both the key material and the metadata are protected from alteration, so you can always be confident that the metadata has not been altered and that it is the correct metadata for the accompanying key material. |
All times are GMT -5. The time now is 06:17 AM. |