[SOLVED] key files and origin locations for passwordless ssh
Forum: Linux - Security. This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Suppose I have a user "joe" who only exists on one machine, localhost. I want "joe" to be able to ssh onto localhost without a password. I can set up passwordless ssh because /home/joe/.ssh has a bunch of files that serve as keys. So when joe is logged into localhost, he has access to that directory and those keys, and he can ssh to localhost.
But "joe" is a common name. Suppose localhost is open to the Internet. I suppose anyone on the Internet could try to open up an ssh connection to localhost with the username 'joe.' In that event, the outsider wouldn't have access to the keys in /home/joe/.ssh, but the sshd process would probably be able to read those keys. Would ssh allow the outsider to log in as joe?
You need to understand that these keys come in pairs: the private key and corresponding public key. The outsider joe would need to be in possession of the private key corresponding to the public key listed in the /home/joe/.ssh/authorized_keys file.
You can be sure that no one can get in without a key by setting "PasswordAuthentication" to "no" in /etc/ssh/sshd_config. That will make possession of a valid key a prerequisite for getting in. Just be sure you have your own keys working before making that change. It's getting to be recommended practice for any Internet-facing machine these days.
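An added example (my own script, not code from this thread) for checking the two things the advice above depends on before relying on it: that sshd will really use "PasswordAuthentication no" (sshd honours the first occurrence of a keyword and defaults to "yes" when it is absent, so a line appended at the end of the file can be silently ignored), and that the account actually has a key installed in authorized_keys. It assumes directives inside a Match block are conditional and ignores them, and it does not follow Include directives; all files it reads in the demo are constructed in a temp directory.

```sh
#!/bin/sh
# Added example: audit an sshd_config and an authorized_keys file offline.
# Assumption: first occurrence of a keyword wins (sshd_config(5)), default
# is "yes", Match blocks are conditional and are not scanned here.

# effective_password_auth FILE -> prints "yes" or "no"
effective_password_auth() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }        # drop comments, accept key=value form
        NF == 0 { next }
        tolower($1) == "match" { exit }           # conditional section begins: stop
        tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }           # keyword absent: sshd default
    ' "$1"
}

# count_authorized_keys FILE -> prints the number of key lines (0 if missing)
count_authorized_keys() {
    [ -f "$1" ] || { echo 0; return; }
    grep -v '^[[:space:]]*#' "$1" \
      | grep -c -E '(^|[[:space:]])(ssh-|ecdsa-|sk-)[^[:space:]]+[[:space:]]+[A-Za-z0-9+/]+=*' \
      || true                                     # grep -c exits 1 when the count is 0
}

# Demo on constructed files; no real system files are touched.
demo() {
    d=$(mktemp -d)
    # weak: the keyword was appended after an earlier "yes", so "yes" still wins
    printf 'PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/weak"
    # fixed: "no" is the first global occurrence; the Match block does not change that
    printf 'PasswordAuthentication no\nMatch User joe\n  PasswordAuthentication yes\n' > "$d/fixed"
    # constructed key line (placeholder key material, not a real key)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDPLACEHOLDERxxxx joe@localhost\n' > "$d/ak"
    echo "weak config:  PasswordAuthentication $(effective_password_auth "$d/weak")"
    echo "fixed config: PasswordAuthentication $(effective_password_auth "$d/fixed")"
    echo "keys in authorized_keys: $(count_authorized_keys "$d/ak")"
    rm -rf "$d"
}
demo
```

Run `effective_password_auth /etc/ssh/sshd_config` on the real file after editing it; if the key count for the account is 0, disabling password authentication will lock that account out.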
Evo2.
That's very cool and very interesting, but I've been looking at the basics of this public-key stuff for several days and the grand sum total of my discoveries is that public key crypto is really hard!
Edit: I mean, it's easy to unpack a utility and get it running, but my head starts to spin when I read the "basic" introductions to how this software works.
Wow.
I'm not giving up on learning about this stuff, but I have revised my plans for learning all about it in a few days. It's going to take some time and practice.
Thanks for the info.
---------- Post added 10-30-13 at 08:34 AM ----------
Quote:
Originally Posted by Turbocapitalist
You can be sure that no one can get in without a key by setting "PasswordAuthentication" to "no" in /etc/ssh/sshd_config. That will make possession of a valid key a prerequisite for getting in. Just be sure you have your own keys working before making that change. It's getting to be recommended practice for any Internet-facing machine these days.
That's a great suggestion. I just modified that as suggested. It's the first step on a long road to learning more. Thanks.
Last edited by nerdofdarkness; 10-29-2013 at 07:35 PM.
Re Public/Private keys; think of them as 2 halves of the same (composite) key if it helps.
Basically you need both halves, one at each end, to connect/login.
Also, each 'pair' is unique.