[SOLVED] Difference between .ssh/known_hosts and .ssh/authorized_keys

shivaa · 10-29-2012, 10:36 PM

Hello everyone!
I am trying to access a server "saturn" from my machine "mars", using ssh protocol. Infact, I am running a script from saturn on mars, and script contain a line:
ssh root@mars.org.com
To enable a password-less login for root on mars from saturn, I generated my rsa keys on saturn and now want to append that in /.ssh/authorized_keys file on mars. But there's no such file existing.
But there (on mars) exists a file named known_hosts, which I am not sure how works!
What's difference between authorized_keys and known_hosts files? How to use known_hosts if there's no authorized_keys exists?
Thanks in advance!

cbtshare · 10-29-2012, 11:05 PM

you need to generate the keys then http://www.laubenheimer.net/ssh-keys.shtml

then

Quote:

]$ cd .ssh
]$ touch authorized_keys
]$ chmod 600 authorized_keys

then add the remote machine public key to the file

shivaa · 10-30-2012, 01:28 AM

Thanks for your reply. Although I am aware about the process to add keys to authorized_keys file, but the question is, what "known_hosts" file doing there? As I can see some encypted keys inside that known_hosts file, and I think those keys belong to different hosts who connect on "saturn" without a password.
So is there any difference of appending ssh keys into authorized_keys and known_hosts? What difference does it make? Will adding ssh keys to known_hosts work same as authorized_keys do? Please explain anybody. Thanks a lot.

cbtshare · 10-30-2012, 01:46 AM

Quote:

Originally Posted by shivaa

Thanks for your reply. Although I am aware about the process to add keys to authorized_keys file, but the question is, what "known_hosts" file doing there? As I can see some encypted keys inside that known_hosts file, and I think those keys belong to different hosts who connect on "saturn" without a password.
So is there any difference of appending ssh keys into authorized_keys and known_hosts? What difference does it make? Will adding ssh keys to known_hosts work same as authorized_keys do? Please explain anybody. Thanks a lot.

/.ssh/known_hosts file is a local user database. This is used for
server authentication.The client checks this file for the remote machine's entry to
authenticate the server as a host that has connected to the server before.so to answer your question, no, you don't add, keys to the known host file, just to authorized_keys file, it will make a difference.The difference is makes is ssh via keys wont work lol.

descendant_command · 10-30-2012, 01:52 AM

It stores the fingerprint of the servers you connect to, from that client machine.
So if you connect to a server you have previously visited and the fingerprint is different, you get warned that it could be a different machine or the ssh server has been altered and may not be "trustworthy" any more.

shivaa · 10-30-2012, 06:39 AM

Alright! The exact situation is, many other user's are also run their scripts from their local systems on the remote server i.e. saturn, & they also connect to the server through ssh password-less login. So if there's no authorized_keys file existing then how others are using ssh over there & connecting to that server without supplying a password? I think they are somewhere using known_hosts file... ain't they? However, I just want to understand what other's are doing, so it would make my work little easy rather than creating a authorized_keys file.

wpeckham · 10-30-2012, 11:34 AM

If the earlier explanation did not do it for you....

The user can manipulate the authorized_keys file to set up authentication by keys. The known_hosts file is NOT for the user to administrate, the application populates it for you. The only time you need to access it might be to remove a record when teh signature of a host has changed.

For authorized_keys you can add records, never remove records except to dis-allow a connection. For known_hosts you never add a record directly, and only remote one to enable a changed connection.

IF you need more detail than that, I suggest you search out and read the OpenSSH documentation.

BTW: I prefer to test access with password first, then use ssh-copy-id to populate the remote authorized_keys file with proper permissions etc in a single step.

shivaa · 10-30-2012, 12:54 PM

Well, I've got something interesting over Internet. There're two types of authentication:-
1. Key pairs and host-based authentication:- A method a discussed above. Generate rsa keys & add it to authorized_keys...
2. Host-Based authentication:- In trusted-host authentication, the SSH server does not directly authenticate a user based on something he knows or has (e.g. password or private key). Rather, it authenticates the client host, and then trusts that host to say who the user is (i.e., which client-side account he has already been authenticated to use). It then consults server-side configuration to determine which account names on the client host are allowed access to which server accounts. ~/.ssh/known_hosts files contain host public keys for all known hosts.
I think it would be better to go with authorized_keys, rather than any host based authentication.
I will make a try & let you know in case of any pb.
Thanks everyone for your responses!