LinuxQuestions.org

SSH Public Key Encryption Mechanism (https://www.linuxquestions.org/questions/linux-software-2/ssh-public-key-encryption-mechanism-555895/)

mmn357157 05-22-2007 04:47 PM

SSH Public Key Encryption Mechanism
 
hi friends,
i have some doubts about ssh public key encryption mechanism. please read out the following scenario and answer me to the following questions.

i have newly installed an ssh rpm on my redhat server. i have also installed the same ssh rpm on another redhat machine and i just tried connecting to the ssh server. i tried as user 'mmn' from the client to the same user account on the server. everything was fine, i could connect. but the ssh was newly installed on server and client and i didn't make any ~/.ssh directory or generate any public/private key pair for user 'mmn'. even after connecting successfully, there was no ~/.ssh directory created.

1) which was the default key-pair used by my ssh client to connect to the server? where is it located?

when you connect to an ssh server for the first time, the client will add the server's public key into its known_hosts file.

2) according to the above scenario, where it will be stored in the client machine?

3) is server storing any information while connecting to a client for the first time?

4) give me a sample command to generate a new ssh-server key-pair using ssh-keygen command. to where it should be copied in server?

thanks in advance
mmn

keysorsoze 05-22-2007 05:47 PM

mmn357157

Hi! mmn, you need to run the ssh-keygen command. This will create the public and private keys. For example ssh-keygen -t rsa will generate a pair of rsa keys. You then need to copy the rsa.pub or public key to the host you want to have password-less logins to. On that host you would issue a cat rsa.pub into a file called authorized_keys, and chmod it to 600. This will allow you to login to your second pc without passwords. Once you issue the ssh-keygen command it will create a .ssh subdirectory in the directory you currently are in. For your example you are in /home/mmn and run ssh-keygen -t rsa; it would create a .ssh subdirectory in /home/mmn/.ssh.

[root@pc1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
24:d6:ae:a1:cf:f4:bf:b1:09:c0:f9:3b:ee:4f:f0:4c root@localhost.localdomain
[root@pc1 ~]# cd .ssh
[root@pc1 .ssh]# ls -la
total 20
drwx------ 2 root root 4096 May 20 03:05 .
drwxr-x--- 4 root root 4096 May 20 03:05 ..
-rw------- 1 root root 883 May 20 03:05 id_rsa
-rw-r--r-- 1 root root 236 May 20 03:05 id_rsa.pub --> copy this file to your second PC


On PC2

[root@pc2 .ssh]# cat id_rsa.pub > authorized_keys
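The steps above (generate a key pair, copy the public half to the other machine, put it in authorized_keys, chmod 600) as an added example that is not part of the thread. It does the authorized_keys side in Python so it can be run against a throwaway home directory: it appends instead of overwriting (so keys already installed for the user survive), skips a key that is already present, and checks the permissions that sshd's StrictModes setting (on by default) requires before it will honour the file. The sample public-key line is constructed and its base64 blob is a placeholder, not a real key.

```python
"""Added example (not from the thread): install a user's public key into
~/.ssh/authorized_keys on the target machine the way keysorsoze describes,
but appending rather than overwriting, skipping duplicates, and enforcing
the permissions sshd's StrictModes requires."""
import os
import stat
import tempfile

# Constructed sample public-key line; the base64 blob is a placeholder, not a real key.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQPLACEHOLDER mmn@pc1"


def install_authorized_key(home: str, pubkey_line: str) -> bool:
    """Append pubkey_line to home/.ssh/authorized_keys unless it is already there.

    Returns True when the key was added, False when it was already present.
    """
    ssh_dir = os.path.join(home, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    key = pubkey_line.strip()

    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs applies the umask, so set the mode explicitly

    existing = []
    if os.path.exists(auth_file):
        with open(auth_file) as f:
            existing = [line.strip() for line in f if line.strip()]

    added = key not in existing
    if added:
        # 'a' appends: 'cat id_rsa.pub > authorized_keys' would discard keys already installed
        with open(auth_file, "a") as f:
            f.write(key + "\n")
    os.chmod(auth_file, 0o600)
    return added


def check_permissions(home: str) -> list:
    """Report paths that sshd (StrictModes yes, the default) would reject as too open."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("%s is group/world writable (mode %o)" % (path, mode))
    return problems


def demo() -> dict:
    """Run the install twice in a throwaway home directory and report what happened."""
    with tempfile.TemporaryDirectory() as home:  # created with mode 0700
        first = install_authorized_key(home, SAMPLE_PUBKEY)
        second = install_authorized_key(home, SAMPLE_PUBKEY)
        with open(os.path.join(home, ".ssh", "authorized_keys")) as f:
            lines = [line for line in f if line.strip()]
        return {
            "first_added": first,
            "second_added": second,
            "key_count": len(lines),
            "problems": check_permissions(home),
        }


if __name__ == "__main__":
    print(demo())
```

Running it prints a dict showing the key was added on the first call, skipped on the second, that authorized_keys holds exactly one line, and that no permission problems were found. A home directory, ~/.ssh or authorized_keys that is group- or world-writable is the usual reason a freshly copied key is silently ignored and the server falls back to asking for a password.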

jtshaw 05-22-2007 05:50 PM

The keys used by the server are stored in /etc/ssh typically. You should probably have a couple of files called ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_rsa_key and ssh_host_rsa_key.pub.

You can create new ssh keys by doing an ssh-keygen -t rsa (or dsa). It will ask you a few questions and generate the key for you. Look at the man page if you would like to know what other options it supports.

The ~/.ssh directory should be created on the client machine when it connects to the server. It may be possible to configure your machine to put that stuff in a different place (man ssh_config could probably tell you that).

dxqcanada 05-22-2007 06:06 PM

SSH always uses encryption.

Do not get confused with the three methods of authentication that SSH supports.
SSH can support Password, Keyboard-Interactive, and Key Exchange authentication.

The .ssh directory you are referring to is the location of a User's private/public keys that are only used if Key Exchange authentication is used with SSH.

By default most SSH servers enable both Keyboard-Interactive and Key Exchange authentication methods.

This is why you connected without having any User keys.
The SSH server's host public key can be stored in memory for the duration of the connection ... or can be saved in the ~/.ssh/known_hosts file.

You should read up more on the SSH protocol ... man sshd

By editing the /etc/ssh/sshd_conf file you can restrict only Key Exchange.

mmn357157 05-23-2007 01:43 AM

ok guys, thank you very much all.

still i didn't get something. please give me exact answers to the remaining questions.

1) which will be the default key-pair used by my ssh client to connect to the server for the very first time?
(please note there was no .ssh directory in the appropriate users home directory when it was trying for the first time. so i think the ssh client should use a default key-pair.)

(note: when you connect to an ssh server for the first time, the client will add the server's public key into its known_hosts file.)

2) according to this, where it will be stored in the client machine?
(will the first attempt create a .ssh directory and store the server's public key in the ~/.ssh/known_hosts file in the client? if no, where will it store it instead?)

3) is the server storing any information (about the client) while connecting to a client for the first time?

mmn357157 05-23-2007 10:23 AM

can anybody help me out?

Thanks.
____________________________
mmn

dxqcanada 05-29-2007 07:02 PM

The SSH client is given the SSH Server's host public key.
Using this asymmetric key, the client will then encrypt the rest of the negotiation ... negotiate authentication ... eventually to negotiate the symmetric key.

When the client is given the SSH Server's host public key, SSH will compare it with the keys in the known hosts file ... if the client does not have a matching key then SSH will prompt the user what to do (if strict host checking is disabled ... usually this is the default) ... continue and save the key (in known_hosts), continue and don't save, or do not connect.

If key exchange is configured on the client (the client has a public/private asymmetric key pair ... usually found in ~/.ssh) then SSH will attempt to use them for authentication.

If no key pair exists then SSH will go to keyboard exchange or password authentication.
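The host-key comparison against known_hosts described in this reply, as an added example that is not part of the thread. It looks a presented host key up in a known_hosts file and returns one of three outcomes: the key on file matches, the host is on file but with a different key of that type (the "REMOTE HOST IDENTIFICATION HAS CHANGED" case), or the host is not on file at all (the prompt the reply describes). It also handles entries hashed by OpenSSH's HashKnownHosts option, which are written as |1|salt|hash with the hash being HMAC-SHA1 keyed with a random 20-byte salt over the hostname; the fixed salt and the key blobs in the sample file are constructed placeholders, and wildcard, negated and [host]:port patterns are deliberately left out.

```python
"""Added example (not from the thread): look a presented host key up in a
known_hosts file, including entries hashed by OpenSSH's HashKnownHosts option,
and classify the result the way the client's host-key check does."""
import base64
import hashlib
import hmac


def hash_hostname(host: str, salt: bytes) -> str:
    """Build the '|1|<salt>|<hash>' form OpenSSH writes for a hashed host entry.

    The hash is HMAC-SHA1 keyed with the (normally random, 20-byte) salt over the hostname.
    """
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def host_matches(host_field: str, host: str) -> bool:
    """Does the first known_hosts column cover `host`? Handles hashed and plain 'a,b,c' forms.

    Simplification: wildcard patterns, negations and '[host]:port' forms are not handled here.
    """
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|")
        candidate = hash_hostname(host, base64.b64decode(salt_b64))
        return hmac.compare_digest(candidate, host_field)
    return host in host_field.split(",")


def check_host_key(known_hosts_text: str, host: str, key_type: str, key_b64: str) -> str:
    """Return 'known' (matching key on file), 'changed' (host on file with a
    different key of this type: the loud warning) or 'unknown' (the
    yes/no prompt the reply describes)."""
    seen_host = False
    for raw in known_hosts_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue  # comments and @cert-authority/@revoked markers are out of scope here
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, line_type, line_key = fields[0], fields[1], fields[2]
        if line_type != key_type or not host_matches(host_field, host):
            continue
        seen_host = True
        if hmac.compare_digest(line_key, key_b64):
            return "known"
    return "changed" if seen_host else "unknown"


# Constructed sample file: the key blobs are placeholders, not real keys, and the
# salt is fixed so the example is reproducible (OpenSSH picks a random salt).
SALT = bytes(range(20))
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the example",
    "pc2,192.0.2.10 ssh-rsa AAAAPLACEHOLDER_PC2_RSA",
    hash_hostname("pc3", SALT) + " ssh-rsa AAAAPLACEHOLDER_PC3_RSA",
])


if __name__ == "__main__":
    for host, key in (("pc2", "AAAAPLACEHOLDER_PC2_RSA"),
                      ("pc3", "AAAAPLACEHOLDER_PC3_RSA_DIFFERENT"),
                      ("pc4", "AAAAPLACEHOLDER_PC4_RSA")):
        print(host, check_host_key(KNOWN_HOSTS, host, "ssh-rsa", key))
```

The "changed" outcome is the one worth alerting on: a host whose key silently differs from the one recorded at first contact is either reinstalled or being impersonated, and the first-contact prompt is the only point at which the client has no prior record to compare against, which is why distributing host keys (or their fingerprints) out of band is the usual hardening step.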

