LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-02-2007, 03:23 PM   #1
taduser
LQ Newbie
 
Registered: Apr 2007
Posts: 2

Rep: Reputation: 0
need help with SSH private/public key


Hello Folks:

I've been using SSH for a while now but never really did take the time to understand how it works, and it is true that ignorance is bliss.

OK, please keep in mind that most of the following questions revolve around NOT using password authentication and only using private/public key authentication (SSH2).

So I use keygen to generate my RSA key on the client, which creates my private key id_rsa and my public key id_rsa.pub. I know I am supposed to keep the private key with me at all times and the public key should be distributed to all the systems to which I want to remotely log in TO. Correct so far? So let's call my work PC (where I will be logging in FROM) PC#1 and my home server (where I will be logging in TO) PC#2.

Q1 - Since PasswordAuthentication is set to 'no' in the sshd_config file on my server at home and I am doing strict public/private key logins, I read in the man pages that the public key should be copied to the file $HOME/.ssh/authorized_keys on my server machine. Does this mean that the user I am logged in as on PC#1 has to match the user I will be logging in as on PC#2? Does it have to be the same user name? I ask this because I don't see what other way SSH would know what user I want to log in as. For instance, let's say that on PC#1 at work I have a user called 'workuser' and I want to ssh in to PC#2 as my regular non-root user 'myuser'. How does SSH make the connection between those 2 users if PC#2 at home has 10 other users that also log in using their RSA keys? How would SSH know that workuser's ~/.ssh/id_rsa corresponds to the public key found in PC#2's /home/myuser/.ssh/authorized_keys? Does SSH check all of the existing users' authorized_keys files until it finds a match? How does that work?

Q2 - So if the encryption works in such a way that anyone with my public key can encrypt a message to me but only I can decrypt it (since I have the private key), then I can see how the communication from the server to ME is encrypted or safe in that manner, but how is the communication FROM me to the server encrypted, since all the server has is the public key?

Q3 - I read that while using ssh-keygen you can make it so that you use a passphrase to further protect your private key. But if you do this then what is the advantage of using RSA authentication, since at login time you will still have to provide a passphrase or password and it will no longer be an automated login process? If this is the case then wouldn't it be safer to enable PasswordAuthentication in the sshd_config of the remote SSH server, since now a hacker won't just have to guess a passphrase/password but also a username to log in? You can also further restrict this by only allowing certain users to log in to the SSH server. I guess I just don't see the point of using a passphrase for this kind of authentication since it is no longer an automated login process. Why bother with RSA authentication whilst using a passphrase instead of regular username/password logins?

Q4 - When you do decide to use a passphrase to protect the private key and an SSH session with the remote host is initialized, who requests the passphrase, the client or the server? I would think that since the client is the one that has the private key it would be the one requesting it, but I just want to make sure.

Q5 - How does the ~/.ssh/known_hosts file fit into this equation when using private/public key authentication? And does it only reside on the client and not the server?

Q6 - When PasswordAuthentication is enabled and you have to enter your user credentials (username/password), I have also noticed that I get prompted to save an RSA key for this connection. What RSA key is this? Is this a public key? And if it is, then shouldn't this be the other way around, that the client has to give the server the public key? Why is the server passing it on to me? And where is the private key in this case? When and where did these keys get generated, and by whom?

Q7 - I noticed on my home server PC#2 that in my /etc/ssh/ directory reside the following files: ssh_host_rsa_key, ssh_host_rsa_key.pub, ssh_host_dsa_key, and ssh_host_dsa_key.pub. What are these files, and when are they used? I read the man page for sshd_config and it states that the HostKey variable (which points to these files) "Specifies a file containing a private host key used by SSH", but what are these private host keys in relation to? What uses them and where are they used?

I realize there are a lot of questions there, but I would appreciate anyone who would be able to give me some clarification. Thanks!
 
Old 04-02-2007, 05:16 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327
Quote:
Originally Posted by taduser
Q1 - Since PasswordAuthentication is set to 'no' in the sshd_config file on my server at home and I am doing strict public/private key logins, I read in the man pages that the public key should be copied to the file $HOME/.ssh/authorized_keys on my server machine. Does this mean that the user I am logged in as on PC#1 has to match the user I will be logging in as on PC#2? Does it have to be the same user name? I ask this because I don't see what other way SSH would know what user I want to log in as. For instance, let's say that on PC#1 at work I have a user called 'workuser' and I want to ssh in to PC#2 as my regular non-root user 'myuser'. How does SSH make the connection between those 2 users if PC#2 at home has 10 other users that also log in using their RSA keys? How would SSH know that workuser's ~/.ssh/id_rsa corresponds to the public key found in PC#2's /home/myuser/.ssh/authorized_keys? Does SSH check all of the existing users' authorized_keys files until it finds a match? How does that work?
You ssh with the syntax 'ssh user@host' or specify the login user in your GUI ssh client. The same userid as the source is only implied if you do not specify a login userid.

Quote:
Q2 - So if the encryption works in such a way that anyone with my public key can encrypt a message to me but only I can decrypt it (since I have the private key), then I can see how the communication from the server to ME is encrypted or safe in that manner, but how is the communication FROM me to the server encrypted, since all the server has is the public key?
Keys are exchanged under an initial encryption to allow bidirectional communication.

Quote:
Q3 - I read that while using ssh-keygen you can make it so that you use a passphrase to further protect your private key. But if you do this then what is the advantage of using RSA authentication, since at login time you will still have to provide a passphrase or password and it will no longer be an automated login process? If this is the case then wouldn't it be safer to enable PasswordAuthentication in the sshd_config of the remote SSH server, since now a hacker won't just have to guess a passphrase/password but also a username to log in? You can also further restrict this by only allowing certain users to log in to the SSH server. I guess I just don't see the point of using a passphrase for this kind of authentication since it is no longer an automated login process. Why bother with RSA authentication whilst using a passphrase instead of regular username/password logins?
Passphrases can be long strings, making them more secure than passwords. In addition, the passphrase provides access to your key. So you need both, the key and the passphrase ("something you have and something you know") to gain access, making it even more secure.

Quote:
Q4 - When you do decide to use a passphrase to protect the private key and an SSH session with the remote host is initialized, who requests the passphrase, the client or the server? I would think that since the client is the one that has the private key it would be the one requesting it, but I just want to make sure.
The client requests the passphrase.

Quote:
Q5 - How does the ~/.ssh/known_hosts file fit into this equation when using private/public key authentication? And does it only reside on the client and not the server?
Once you've logged into a host, the client stores the host key. If this key changes, it warns you (the client) that there may be a man-in-the-middle attack in progress. Unless you know that the host key has been regenerated, you should disconnect in this case. The known_hosts resides only on the client.

Quote:
Q6 - When PasswordAuthentication is enabled and you have to enter your user credentials (username/password), I have also noticed that I get prompted to save an RSA key for this connection. What RSA key is this? Is this a public key? And if it is, then shouldn't this be the other way around, that the client has to give the server the public key? Why is the server passing it on to me? And where is the private key in this case? When and where did these keys get generated, and by whom?
This is the known_host key, as above.

Quote:
Q7 - I noticed on my home server PC#2 that in my /etc/ssh/ directory reside the following files: ssh_host_rsa_key, ssh_host_rsa_key.pub, ssh_host_dsa_key, and ssh_host_dsa_key.pub. What are these files, and when are they used? I read the man page for sshd_config and it states that the HostKey variable (which points to these files) "Specifies a file containing a private host key used by SSH", but what are these private host keys in relation to? What uses them and where are they used?
These are your host's public and private RSA and DSA keys, used for encrypting the other side of the communication.

Quote:
I realize there are a lot of questions there, but I would appreciate anyone who would be able to give me some clarification. Thanks!
You may be interested in this book.

Last edited by macemoneta; 04-02-2007 at 05:19 PM.
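Added example (not from the thread): a POSIX shell script that models the two lookups macemoneta's answer describes, in the same lab layout the thread uses. sshd consults only the authorized_keys of the account named in 'ssh user@host' (Q1), and the client compares the host key sshd presents against the entry it saved in known_hosts (Q5/Q6/Q7). The user and host names come from the thread; the key material and directory tree are constructed placeholders.

```shell
#!/bin/sh
# Constructed lab layout under a temp dir (placeholder key material, not real keys):
#   client (PC#1):  ~/.ssh/id_rsa.pub, ~/.ssh/known_hosts
#   server (PC#2):  /home/<user>/.ssh/authorized_keys, /etc/ssh/ssh_host_rsa_key.pub
LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
mkdir -p "$LAB/client/.ssh" "$LAB/server/home/myuser/.ssh" \
         "$LAB/server/home/other/.ssh" "$LAB/server/etc/ssh"

# workuser's public key on PC#1; the server only ever receives the .pub half
echo "ssh-rsa AAAAB3CONSTRUCTEDUSERKEY workuser@pc1" > "$LAB/client/.ssh/id_rsa.pub"
# Installed into myuser's authorized_keys only; 'other' holds a different key
echo "ssh-rsa AAAAB3CONSTRUCTEDUSERKEY workuser@pc1" > "$LAB/server/home/myuser/.ssh/authorized_keys"
echo "ssh-rsa AAAAB3CONSTRUCTEDOTHERKEY someone@else" > "$LAB/server/home/other/.ssh/authorized_keys"
# PC#2's host key pair: sshd presents this .pub to every connecting client
echo "ssh-rsa AAAAB3CONSTRUCTEDHOSTKEY root@pc2" > "$LAB/server/etc/ssh/ssh_host_rsa_key.pub"
# What the client wrote to known_hosts when it accepted the first-connect prompt (Q6)
echo "pc2 ssh-rsa AAAAB3CONSTRUCTEDHOSTKEY" > "$LAB/client/.ssh/known_hosts"

# user_key_authorized <login-user> <client-pubkey-file>
# Q1: the login name the client asks for ('ssh myuser@pc2') selects exactly one
# authorized_keys file; sshd does not search the other accounts for a match.
user_key_authorized() {
  blob=$(awk '{print $1 " " $2}' "$2")
  ak="$LAB/server/home/$1/.ssh/authorized_keys"
  [ -f "$ak" ] && awk -v k="$blob" '($1 " " $2) == k {f=1} END {exit !f}' "$ak"
}

# host_key_matches <hostname> <server-hostkey-pub-file>
# Q5/Q7: the client compares the host key sshd presents with the entry it saved
# earlier for that hostname (plain entries only; HashKnownHosts is not handled).
host_key_matches() {
  blob=$(awk '{print $1 " " $2}' "$2")
  awk -v h="$1" -v k="$blob" '$1 == h && ($2 " " $3) == k {f=1} END {exit !f}' \
    "$LAB/client/.ssh/known_hosts"
}

# Demo: one accepted login, one refused, then a regenerated host key, which is
# the case where the client must warn instead of connecting silently.
user_key_authorized myuser "$LAB/client/.ssh/id_rsa.pub" && echo "myuser: key accepted"
user_key_authorized other  "$LAB/client/.ssh/id_rsa.pub" || echo "other: key refused"
echo "ssh-rsa AAAAB3REGENERATEDHOSTKEY root@pc2" > "$LAB/server/etc/ssh/ssh_host_rsa_key.pub.new"
host_key_matches pc2 "$LAB/server/etc/ssh/ssh_host_rsa_key.pub"     && echo "pc2: host key matches"
host_key_matches pc2 "$LAB/server/etc/ssh/ssh_host_rsa_key.pub.new" || echo "pc2: HOST KEY CHANGED"
```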
 
Old 04-02-2007, 07:07 PM   #3
taduser
LQ Newbie
 
Registered: Apr 2007
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you very much, mace... it helped clear some stuff up.
 
  

