LinuxQuestions.org
Linux - Software
Old 05-22-2007, 04:47 PM   #1
mmn357157
LQ Newbie
 
Registered: May 2007
Location: Bangalore
Distribution: RHEL
Posts: 20

Rep: Reputation: 0
Post SSH Public Key Encryption Mechanism


Hi friends,
I have some doubts about the SSH public key encryption mechanism. Please read the following scenario and answer the questions below.

I have newly installed an ssh rpm on my Red Hat server. I have also installed the same ssh rpm on another Red Hat machine and I just tried connecting to the ssh server. I tried as user 'mmn' from the client to the same user account on the server. Everything was fine, I could connect. But ssh was newly installed on the server and the client, and I didn't make any ~/.ssh directory or generate any public/private key pair for user 'mmn'. Even after connecting successfully, there was no ~/.ssh directory created.

1) Which was the default key pair used by my ssh client to connect to the server? Where is it located?

When you connect to an ssh server for the first time, the client will add the server's public key to its known_hosts file.

2) According to the above scenario, where will it be stored on the client machine?

3) Is the server storing any information when a client connects for the first time?

4) Give me a sample command to generate a new ssh server key pair using the ssh-keygen command. Where should it be copied to on the server?

thanks in advance
mmn
 
Old 05-22-2007, 05:47 PM   #2
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Rep: Reputation: 30
mmn357157

Hi! mmn, you need to run the ssh-keygen command. This will create the public and private keys. For example, ssh-keygen -t rsa will generate a pair of rsa keys. You then need to copy the rsa.pub or public key to the host you want to have password-less logins to. On that host you would cat rsa.pub into a file called authorized_keys, and chmod it to 600. This will allow you to log in to your second PC without passwords. Once you issue the ssh-keygen command it will create a .ssh subdirectory in the directory you currently are in. For your example, if you are in /home/mmn and run ssh-keygen -t rsa, it would create a .ssh subdirectory at /home/mmn/.ssh.

[root@pc1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
24:d6:ae:a1:cf:f4:bf:b1:09:c0:f9:3b:ee:4f:f0:4c root@localhost.localdomain
[root@pc1 ~]# cd .ssh
[root@pc1 .ssh]# ls -la
total 20
drwx------ 2 root root 4096 May 20 03:05 .
drwxr-x--- 4 root root 4096 May 20 03:05 ..
-rw------- 1 root root 883 May 20 03:05 id_rsa
-rw-r--r-- 1 root root 236 May 20 03:05 id_rsa.pub --> copy this file to your second PC


On PC2

[root@pc2 .ssh]# cat id_rsa.pub > authorized_keys

Last edited by keysorsoze; 05-22-2007 at 06:00 PM.
 
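As an added illustration of the files that keysorsoze's transcript produces (this is not code from the thread): the Python below parses a public key line in the id_rsa.pub / authorized_keys format, checks that the declared key type matches the type embedded in the base64 blob, and derives the colon-separated MD5 fingerprint shown in the ssh-keygen output together with the SHA256 form. The key material is a constructed toy value, not a usable RSA key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian two's complement, so a leading 0x00
    is added when the top bit is set; zero is encoded as the empty string."""
    raw = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return ssh_string(raw)


def parse_pubkey_line(line: str):
    """Parse one id_rsa.pub / authorized_keys line into (type, blob, comment).

    The base64 field decodes to a binary blob whose first string is the key
    type again; sshd rejects a key whose two type names disagree.
    """
    fields = line.split(None, 2)
    keytype, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2].strip() if len(fields) > 2 else ""
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("type field %r does not match the key blob" % keytype)
    return keytype, blob, comment


def fingerprints(blob: bytes) -> dict:
    """Fingerprints of the decoded blob: the MD5 colon-hex form that older
    ssh-keygen printed (ssh-keygen -l -E md5 today) and the SHA256 form
    that current ssh-keygen -l prints."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)),
            "SHA256": "SHA256:" + sha}


# Constructed toy key (tiny modulus, NOT a real RSA key) in the same layout
# as a genuine ssh-rsa blob: string "ssh-rsa", mpint e, mpint n.
TOY_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE_F00D_CAFE_BABE_1234_5678)
TOY_LINE = "ssh-rsa " + base64.b64encode(TOY_BLOB).decode() + " mmn@pc1"

if __name__ == "__main__":
    ktype, blob, comment = parse_pubkey_line(TOY_LINE)
    print(ktype, comment, fingerprints(blob))
```

Comparing the printed fingerprint with the one ssh-keygen showed on the originating machine is how you confirm a copied public key was not altered in transit.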
Old 05-22-2007, 05:50 PM   #3
jtshaw
Senior Member
 
Registered: Nov 2000
Location: Seattle, WA USA
Distribution: Ubuntu @ Home, RHEL @ Work
Posts: 3,892
Blog Entries: 1

Rep: Reputation: 67
The keys used by the server are typically stored in /etc/ssh. You should probably have a couple of files called ssh_host_dsa_key, ssh_host_dsa_key.pub, ssh_host_rsa_key and ssh_host_rsa_key.pub.

You can create new ssh keys by doing an ssh-keygen -t rsa (or dsa). It will ask you a few questions and generate the key for you. Look at the man page if you would like to know what other options it supports.

The ~/.ssh directory should be created on the client machine when it connects to the server. It may be possible to configure your machine to put that stuff in a different place (man ssh_config could probably tell you that).
 
Old 05-22-2007, 06:06 PM   #4
dxqcanada
Member
 
Registered: Sep 2006
Location: Canada
Distribution: Gentoo
Posts: 702

Rep: Reputation: 43
SSH always uses encryption.

Do not get confused with the three methods of authentication that SSH supports.
SSH can support Password, Keyboard-Interactive, and Key Exchange authentication.

The .ssh directory you are referring to is the location of a user's private/public keys, which are only used if Key Exchange authentication is used with SSH.

By default most SSH servers enable both Keyboard-Interactive and Key Exchange authentication methods.

This is why you connected without having any User keys.
The SSH server's host public key can be stored in memory for the duration of the connection ... or can be saved in the ~/.ssh/known_hosts file.

You should read up more on the SSH protocol ... man sshd

By editing the /etc/ssh/sshd_conf file you can restrict it to Key Exchange only.
 
Old 05-23-2007, 01:43 AM   #5
mmn357157
LQ Newbie
 
Registered: May 2007
Location: Bangalore
Distribution: RHEL
Posts: 20

Original Poster
Rep: Reputation: 0
Question

OK guys, thank you very much, all.

Still, I didn't get something. Please give me exact answers to the remaining questions.

1) Which will be the default key pair used by my ssh client to connect to the server for the very first time?
(Please note there was no .ssh directory in the appropriate user's home directory when it was trying for the first time, so I think the ssh client should use a default key pair.)

(Note: when you connect to an ssh server for the first time, the client will add the server's public key to its known_hosts file.)

2) According to this, where will it be stored on the client machine?
(Will the first attempt create a .ssh directory and store the server's public key in the ~/.ssh/known_hosts file on the client? If not, where will it store it instead?)

3) Is the server storing any information (about the client) when a client connects for the first time?
 
Old 05-23-2007, 10:23 AM   #6
mmn357157
LQ Newbie
 
Registered: May 2007
Location: Bangalore
Distribution: RHEL
Posts: 20

Original Poster
Rep: Reputation: 0
Can anybody help me out?

Thanks.
____________________________
mmn
 
Old 05-29-2007, 07:02 PM   #7
dxqcanada
Member
 
Registered: Sep 2006
Location: Canada
Distribution: Gentoo
Posts: 702

Rep: Reputation: 43
The SSH client is given the SSH Server's host public key.
Using this asymmetric key, the client will then encrypt the rest of the negotiation ... negotiate authentication ... eventually to negotiate the symmetric key.

When the client is given the SSH Server's host public key, SSH will compare it with the keys in the known_hosts file ... if the client does not have a matching key then SSH will prompt the user for what to do (if strict host checking is disabled ... usually this is the default) ... continue and save the key (in known_hosts), continue and don't save, or do not connect.

If key exchange is configured on the client (the client has a public/private asymmetric key pair ... usually found in ~/.ssh) then SSH will attempt to use them for authentication.

If no key pair exists then SSH will go to keyboard exchange or password authentication.
 
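The known_hosts comparison dxqcanada describes, as an added example that is not part of the thread: a Python checker that classifies an offered host key as match (connect silently), unknown (first contact, the save-or-not prompt) or mismatch (the host-key-changed warning), handling both plain comma-separated entries and the hashed entries OpenSSH writes when HashKnownHosts is on. The file contents, salt and key strings are constructed placeholders, not real keys.

```python
import base64
import hashlib
import hmac


def hashed_host_field(hostname: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field of a hashed known_hosts entry:
    HMAC-SHA1 of the hostname keyed with a random salt, both base64."""
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def host_field_matches(host_field: str, hostname: str) -> bool:
    """True if the host field covers hostname, for either a plain list
    such as pc2,192.168.1.20 or a hashed |1|...| entry."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = host_field.split("|")
        salt = base64.b64decode(salt_b64)
        digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(digest, base64.b64decode(digest_b64))
    return hostname in host_field.split(",")


def check_host_key(known_hosts: str, hostname: str, keytype: str, key_b64: str) -> str:
    """Classify an offered host key the way the client does at connect time:
    'match' (already known), 'unknown' (first contact, user is prompted),
    'mismatch' (host known but key differs: the REMOTE HOST IDENTIFICATION
    HAS CHANGED warning, i.e. a reinstalled server or a man-in-the-middle)."""
    seen_host = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("@"):   # @cert-authority / @revoked markers
            continue                   # are not handled by this example
        if len(parts) < 3 or not host_field_matches(parts[0], hostname):
            continue
        seen_host = True
        if parts[1] == keytype and hmac.compare_digest(parts[2], key_b64):
            return "match"
    return "mismatch" if seen_host else "unknown"


# Constructed sample known_hosts (placeholder base64, not real key blobs).
PC2_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQCpc2" + "A" * 20
PC3_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDpc3" + "B" * 20
SAMPLE_SALT = b"constructed-20B-salt"
KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real ~/.ssh/known_hosts",
    "pc2,192.168.1.20 ssh-rsa " + PC2_KEY + " root@pc2",
    hashed_host_field("pc3", SAMPLE_SALT) + " ssh-rsa " + PC3_KEY,
])
```

A "mismatch" result is the case to investigate before reconnecting, since deleting the old line and accepting the new key blindly discards exactly the protection the known_hosts file provides.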