[SOLVED] key files and origin locations for passwordless ssh

nerdofdarkness · 10-23-2013, 07:57 PM

Suppose I have a user "joe" who only exists on one machine, localhost. I want "joe" to be able to ssh onto localhost without a password. I can set up passwordless ssh because /home/joe/.ssh has a bunch of files that serve as keys. So when joe is logged into localhost, he has access to that directory and those keys, and he can ssh to localhost.

But "joe" is a common name. Suppose localhost is open to the Internet. I suppose anyone on the Internet could try to open up an ssh connection to localhost with the username 'joe.' In that event, the outsider wouldn't have access to the keys in /home/joe/.ssh, but the sshd process would probably be able to read those keys. Would ssh allow the outsider to log in as joe?

Thanks.

evo2 · 10-23-2013, 08:08 PM

Hi,

you need to understand that these keys come in pairs: the private key and corresponding public key. The outsider joe would need to be in possession of the private key corresponding to the public key listed in /home/joe/.ssh/authorized_keys file.

Evo2.

Turbocapitalist · 10-25-2013, 02:25 AM

You can be sure that noone can get in without a key by setting "PasswordAuthentication" to "no" in /etc/ssh/sshd_config. That will make possession of a valid key a prerequisite for getting in. Just be sure you have your own keys working before making that change. It's getting to be recommended practice for any Internet-facing machine these days.

nerdofdarkness · 10-29-2013, 07:33 PM

Quote:

Originally Posted by evo2

Hi,

you need to understand that these keys come in pairs: the private key and corresponding public key. The outsider joe would need to be in possession of the private key corresponding to the public key listed in /home/joe/.ssh/authorized_keys file.

Evo2.

That's very cool and very interesting, but I've been looking at the basics of this public-key stuff for several days and the grand sum total of my discoveries is that public key crypto is really hard!

Edit: I mean, it's easy to unpack a utility and get it running, but my head starts to spin when I read the "basic" introductions to how this software works.

Wow.

I'm not giving up on learning about this stuff, but I have revised my plans for learning all about it in a few days. It's going to take some time and practice.

Thanks for the info.

---------- Post added 10-30-13 at 08:34 AM ----------

Quote:

Originally Posted by Turbocapitalist

You can be sure that noone can get in without a key by setting "PasswordAuthentication" to "no" in /etc/ssh/sshd_config. That will make possession of a valid key a prerequisite for getting in. Just be sure you have your own keys working before making that change. It's getting to be recommended practice for any Internet-facing machine these days.

That's a great suggestion. I just modified that as suggested. It's the first step on a long road to learning more. Thanks.

chrism01 · 11-01-2013, 06:19 AM

Re Public/Private keys; think of them as 2 halves of the same (composite) key if it helps.
Basically you need both halves, one at each end, to connect/login.
Also, each 'pair' is unique.

Reuti · 11-01-2013, 06:49 AM

Quote:

Originally Posted by nerdofdarkness

It's the first step on a long road to learning more. Thanks.

Even with an SSH-key I always use a passphrase and an SSH-agent. I really like the explanations on this webpage: ssh-agent-forwarding.