I've done some research into setting this up. I've found many helpful articles but a few (probably very basic) things still elude me. Here is my understanding of things.
So basically (bear with me here):
- I generate a key pair and store my public key on the server.
- When I connect to the server, I have to send it something encrypted with my private key, which I'll be calling 'the message'.
- I hash the (encrypted by my private key) message using MD5 or SHA. The hashed thingy is called a message digest.
- Then I encrypt my already encrypted message + the message digest using the server's public key. I'll call this 'the package'.
- The server decrypts the package using its private key, hashes my (still encrypted) message and compares this to the digest I sent it.
- If that checks out it tries to decrypt my message using my public key.
I assume I'm correct so far, please correct me if you find any mistakes. I do already have questions:
- What is the password protection that can be applied to my private key? => I'm guessing AES or any other symmetric encryption algorithm?
- Why don't I have to store the server's public key since it is storing mine? How else can I send it the encrypted package?
- Why aren't certificates used? I understand they are used to automate the public key exchange?
A whole mouthful to read. I hope it made some sense.
Regards,
Jeroen
Last edited by Jeroen1000; 09-02-2009 at 06:44 AM.
A bit confusing. What is it you are trying to do? The title indicates SSH public key authentication, but the text is a paraphrase that sounds like you are trying to encrypt a message and send it to the server and manually deal with things. If the title is accurate, the best howto I've found (and been using for years) is http://sial.org/howto/openssh/publickey-auth/. sial also has a number of other excellent howto's -- e.g. ssl certs, etc.
Typically, if you keep your explanations very explicit by using command line text (for example, "I used `ssh-keygen -q -f ~/.ssh/id_rsa -t rsa` and then entered a blank pass phrase."), then it is easier for people to see what you are doing and help out.
I'm trying to understand what happens when you initiate an SSH session. My head is a bit full from reading too much I'm afraid. Then I tend to ramble confusing things.
The thing that confuses me the most is why certificates are not used (self-signed or 'real' official ones, doesn't matter for the intended purpose).
It seems you're confused with SSH, PKI concepts, and (G)PGP.
I suggest just focusing on one subject at a time. Segregating the three will be less confusing. They also warrant segregation, as they are three separate items of discussion and share no practical part in implementation.
As choogendyk stated, what is it that you're trying to achieve?
I've figured out the certificate thing. Seems to be working like a charm (the server already had a keypair generated by my DDWRT router itself, which is running some sort of embedded Linux).
Unixfool, I'm indeed trying to understand the concepts behind it more thoroughly. Sure it works and I don't need to know how per se. But nonetheless, I'm very interested in the subject and I hate using things I do not understand.
I understand the public/private key concept is for authentication only (+ to agree on a mutual symm. key). Whereas the symmetric key is for session encryption. The hashes are to verify no one has tampered with the packets. I'm still unsure what HMAC does and how Diffie-Hellman fits in all of this.
The last two subjects are still a bit over my head :-).
Last edited by Jeroen1000; 09-03-2009 at 01:02 AM.
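How Diffie-Hellman and HMAC fit together in an SSH session, as an added example that is not part of the original thread: both sides agree on a shared secret without ever sending it, hash it into keys, and use one of those keys to MAC every packet. The toy group, the simplified exchange hash and the sample packets are assumptions made for illustration; real SSH uses far larger groups and hashes more fields.

```python
import hashlib
import hmac
import secrets
import struct

# Toy group for readability only; real SSH uses 2048-bit+ groups or curve25519.
P = 2**127 - 1          # a Mersenne prime, far too small for real use
G = 3

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2     # private exponent, never transmitted
    return x, pow(G, x, P)               # (private, public)

def to_bytes(n):
    return n.to_bytes(16, "big")

def exchange_hash(e, f, k):
    # Simplified: the real H also covers version strings and the host key.
    # The server signs H with its host key; that is what known_hosts verifies.
    return hashlib.sha256(to_bytes(e) + to_bytes(f) + to_bytes(k)).digest()

def derive_key(k, h, label):
    # Shape of RFC 4253 section 7.2: HASH(K || H || letter || session_id).
    # For the first key exchange the session id is H itself.
    return hashlib.sha256(to_bytes(k) + h + label + h).digest()

def mac_packet(key, seq, payload):
    # RFC 4253 section 6.4: MAC(key, sequence_number || unencrypted_packet)
    return hmac.new(key, struct.pack(">I", seq) + payload, hashlib.sha256).digest()

def run_exchange():
    c_priv, e = dh_keypair()             # client sends e in the clear
    s_priv, f = dh_keypair()             # server sends f in the clear
    k_client = pow(f, c_priv, P)         # both ends compute the same K
    k_server = pow(e, s_priv, P)
    # "E" is the client-to-server integrity key; each side derives it locally.
    key_c = derive_key(k_client, exchange_hash(e, f, k_client), b"E")
    key_s = derive_key(k_server, exchange_hash(e, f, k_server), b"E")
    packet = b"ls -l\n"                  # constructed sample payload
    tag = mac_packet(key_c, 0, packet)   # client attaches this to packet 0
    genuine = hmac.compare_digest(tag, mac_packet(key_s, 0, packet))
    tampered = hmac.compare_digest(tag, mac_packet(key_s, 0, b"ls -a\n"))
    replayed = hmac.compare_digest(tag, mac_packet(key_s, 1, packet))
    return k_client == k_server, genuine, tampered, replayed

if __name__ == "__main__":
    print(run_exchange())
```

The user's key pair plays no part in any of this: it is used afterwards, inside the already protected channel, to sign data that includes the session id.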
Wikipedia is pretty good in the technology area. Their ssh page has a fair bit of detail on how it works. It gives you all the RFC's. Of course, if you really want to understand it, you might want to get the O'Reilly book.
The O'Reilly book on SSH is positively awesome! I bought the book a few years ago and it is still very useful.
Yes. That's the book. Baffled? Well, if you click on the picture of the book on that link, you can cycle through the table of contents and actually browse through and read some of the contents. Given your attempts to understand what goes on underneath, I wouldn't think you should be surprised at 600+ pages about secure shell.
We can access another machine without entering a password every time. ssh provides an option to put the user's public key as an authorized key on the machine which the user wants to access without entering a password every time.
The following simple steps are required to do this:
root@machine1# ssh-keygen
...
(press enter whenever asked for a passphrase)
ssh-keygen generates the private (id_rsa) and public (id_rsa.pub) key files for that user (here root).
Now put the root public key file (id_rsa.pub) on the machine which you want to access (here the machine with IP 192.168.11.51):
root@machine1# ssh-copy-id -i /root/.ssh/id_rsa.pub root@192.168.11.51
...
enter "yes" if asked about adding the machine
specify the password for the root user of 192.168.11.51 whenever asked.
vishesh, the link to your blog already appears in your signature, so there's no need to post it. I've noticed you've done this on multiple occasions within a very short time frame. Please understand that this kind of behavior can be interpreted as an attempt to draw traffic to your site, in which case your LQ privileges could be affected. Contact me via email if you have any questions/comments regarding this matter (do NOT use this thread).
choogendyk and unixfool, it does cover all I wanted to know. I haven't read it yet but did place the order. I'm very pleased about this recommendation, thank you all.
It would be better configuring ssh to not allow root logins. Logging in as root on the remote machine is bad practice. I edited /etc/X11/xdm/sys.xsession, removing the comment from the "usessh" line. A subsequent part of the script will then prompt for the passphrase when logging in.
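A check for the advice above, as an added example that is not part of the original post: it reads an sshd_config and reports the effective global PermitRootLogin value plus any Match-block overrides. The two sample configs and the function names are constructed for illustration; sshd uses the first value it obtains for a keyword, and when the keyword is absent the default depends on the OpenSSH version.

```python
# Constructed sample configs; not taken from any real host.
WEAK = """\
Port 22
PermitRootLogin yes
# A later duplicate does not change the effective value.
PermitRootLogin no
"""

HARDENED = """\
PermitRootLogin no
PubkeyAuthentication yes
Match Address 192.168.11.0/24
    PermitRootLogin yes
"""

def root_login_settings(config_text):
    """Return (global_value, overrides) for PermitRootLogin.

    global_value: first value set before any Match block, or None if unset.
    overrides: list of (match_criteria, value) pairs set inside Match blocks.
    """
    global_value, overrides, current_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single "=".
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()           # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current_match = value            # later lines belong to this block
        elif keyword == "permitrootlogin":
            if current_match is not None:
                overrides.append((current_match, value))
            elif global_value is None:       # first obtained value wins
                global_value = value
    return global_value, overrides

def permits_root(value):
    """Any explicit value other than 'no' still lets root log in somehow."""
    return value.lower() != "no"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, root_login_settings(text))
```

The HARDENED sample shows why the global line alone is not enough: a Match block can re-enable root login for a subset of connections.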