11-14-2006, 04:36 AM
|
#1
|
LQ Newbie
Registered: Sep 2006
Posts: 8
Rep:
|
Newbie's question about ssh
Hello,
I've been learning Linux for just 3 weeks, and have now run into some confusion with ssh.
I have a server running Fedora 4; my machine is running Fedora 5. When I looked at /etc/ssh/ I saw the following:
ssh_host_dsa_key
ssh_host_dsa_key.pub
ssh_host_key
ssh_host_key.pub
ssh_host_rsa_key
ssh_host_rsa_key.pub
I know that ssh_host_key and its .pub are for sshv1, so no need to care. But about the rest, could anyone show me the difference between dsa and rsa keys, and how important they are, or when do we use dsa keys, and when rsa?
Another issue, when I first ssh to my server, it asked:
The authenticity of host 'my server' can't be established.
RSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)?
Why do we need the RSA key fingerprint, and where is it stored on the machine?
Next issue, after successfully logging in to my server. In theory, the public key of my machine is sent to the server and vice versa (not sure which key it is, rsa or dsa). So I checked ~/.ssh/known_hosts on my machine, and it showed the correct pub key of the server, but when I look at the same file on the server, it does not have an entry for my machine's public key.
Therefore, I'm just wondering where it stores my public key to decrypt my packets during ssh communication, or does it store it in memory and discard it after the ssh communication is terminated?
I'm idiot enough, and hope to have a light out of my brain.
SG.
|
|
|
11-14-2006, 04:56 AM
|
#2
|
Member
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310
Rep:
|
Hi Starghost,
Welcome to linuxquestions.org
rsa and dsa are encryption algorithms used to create signatures among other uses.
Quote:
Originally Posted by starghost
So I checked for ~/.ssh/known_hosts in my machine, it showed the correct pub key of the server, but when I look at the same file in the server, it does not have the entry for my machine public key.
|
The server does not store the clients' keys
Aniruddha
|
|
|
11-14-2006, 05:06 AM
|
#3
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
DSA (Digital Signature Algorithm) and RSA (Rivest-Shamir-Adleman algorithm) keys are used for digital signing and authentication. RSA is older and faster than DSA, but weaker in terms of security. However, DSA can only be used for signatures, whereas RSA can be used for encryption as well. Think of them as competing brand names - some folk like one and others prefer t'other. A server needs to know about them both - most likely - unless you want to deliberately exclude one brand that is.
OpenSSH only uses these for the authentication stage.
It can help to search the forums:
http://www.linuxquestions.org/questi...ad.php?t=12593
|
|
|
11-14-2006, 10:38 AM
|
#4
|
LQ Newbie
Registered: Sep 2006
Posts: 8
Original Poster
Rep:
|
Quote:
Originally Posted by Simon Bridge
OpenSSH only uses these for the authentication stage.
|
Thanks for your response. As you said, OpenSSH only uses those keys (DSA or RSA) for Authentication, but I thought that the main idea of using public and private keys is for encryption. So what is used for encryption?
Thanks,
SG.
|
|
|
11-14-2006, 10:44 AM
|
#5
|
Member
Registered: Sep 2006
Location: Canada
Distribution: Gentoo
Posts: 702
Rep:
|
Server's public key is given to the client so it can encrypt data going to the Server.
The server and client use this asymmetrical key to encrypt the data to exchange a symmetric key that will be used to encrypt the data for the rest of the session.
(I think ?!?)
|
|
|
11-14-2006, 11:45 PM
|
#6
|
LQ Guru
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
Rep:
|
|
|
|
11-15-2006, 03:15 AM
|
#7
|
LQ Newbie
Registered: Apr 2004
Posts: 2
Rep:
|
Regarding the question regarding "The authenticity of host 'my server' can't be established." and also what goes in known_hosts, it's important to understand there is no central authority concept in SSH as you get with PKI (e.g. accessing an SSL site, where a certificate has been signed by an authority such as Verisign).
The first time an SSH client connects to an SSH server, the server will present its public key to the client as part of the authentication process. Because the client has never seen that public key before it asks you to verify it by displaying the fingerprint of the key, which you could in theory pass to people out-of-band (e.g. via an e-mail, printout, etc.). Once you accept the fingerprint, the client then stores the public key in ~/.ssh/known_hosts.
|
|
|
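Added example (not part of any post in this thread, and not OpenSSH's own code): a simplified Python sketch of the host-key check described in post #7, showing that the fingerprint is a hash of the server's public key blob and how a known_hosts entry leads to "unknown", "match" or "MISMATCH". The 16-pair colon-hex form in the prompt from post #1 is the MD5 fingerprint; current OpenSSH clients show the SHA256 form by default. The key blobs, the host name `myserver` and the address `192.0.2.10` are constructed sample data, and only plain (unhashed) host names are handled.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire format: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(blob: bytes) -> bytes:
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key blob")
    return blob[4:4 + n]

def fingerprints(key_b64: str, declared_type: str):
    """Hash the decoded key blob; return (md5_colon_hex, sha256_base64)."""
    blob = base64.b64decode(key_b64, validate=True)
    if read_ssh_string(blob).decode() != declared_type:
        raise ValueError("key type inside blob does not match the line")
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, 32, 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha

def check_host(known_hosts: str, host: str, key_type: str, offered_b64: str) -> str:
    """Mimic the client's decision: 'unknown', 'match' or 'MISMATCH'."""
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith(("#", "@", "|")):
            continue  # skip comments, markers and hashed host names
        names, stored_type, stored_key = fields[0].split(","), fields[1], fields[2]
        if host in names and stored_type == key_type:
            return "match" if stored_key == offered_b64 else "MISMATCH"
    return "unknown"  # first contact: this is when the yes/no prompt appears

def constructed_rsa_blob(seed: bytes) -> str:
    """Constructed sample data in ssh-rsa layout; not a usable key."""
    modulus = b"\x00\xff" + hashlib.sha512(seed).digest() * 4
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return base64.b64encode(blob).decode()

SERVER_KEY = constructed_rsa_blob(b"constructed server key")
OTHER_KEY = constructed_rsa_blob(b"constructed other key")
KNOWN_HOSTS = f"myserver,192.0.2.10 ssh-rsa {SERVER_KEY}\n"

if __name__ == "__main__":
    print(fingerprints(SERVER_KEY, "ssh-rsa"))
    print(check_host(KNOWN_HOSTS, "myserver", "ssh-rsa", SERVER_KEY))  # match
    print(check_host(KNOWN_HOSTS, "myserver", "ssh-rsa", OTHER_KEY))   # MISMATCH
    print(check_host(KNOWN_HOSTS, "newhost", "ssh-rsa", SERVER_KEY))   # unknown
```

On a real system, `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub` run on the server prints the fingerprint to compare against the one the client shows at first connection.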
All times are GMT -5. The time now is 08:16 PM.