Re: SSH and RSA

To: Duane Powers <duane@uberLAN.net>
Cc: debian-security@lists.debian.org
Subject: Re: SSH and RSA
From: Pedro Zorzenon Neto <pzn@terra.com.br>
Date: Mon, 19 Feb 2001 15:33:01 -0300
Message-id: <20010219153301.A2184@mantis.autsens.localnet>
Reply-to: pzn@terra.com.br
In-reply-to: <3A91627A.1080700@uberLAN.net>; from duane@uberLAN.net on Mon, Feb 19, 2001 at 10:14:18AM -0800
References: <3A91627A.1080700@uberLAN.net>

Hi Duane,

from 'man ssh' you can find some answer:

     As a third authentication method, ssh supports RSA based authentication.
     The scheme is based on public-key cryptography: there are cryptosystems
     where encryption and decryption are done using separate keys, and it is
     not possible to derive the decryption key from the encryption key.  RSA
     is one such system.  The idea is that each user creates a public/private
     key pair for authentication purposes.  The server knows the public key,
     and only the user knows the private key.  The file
     $HOME/.ssh/authorized_keys lists the public keys that are permitted for
     logging in.  When the user logs in, the ssh program tells the server
     which key pair it would like to use for authentication.  The server
     checks if this key is permitted, and if so, sends the user (actually the
     ssh program running on behalf of the user) a challenge, a random number,
     encrypted by the user's public key.  The challenge can only be decrypted
     using the proper private key.  The user's client then decrypts the chal
     lenge using the private key, proving that he/she knows the private key
     but without disclosing it to the server.

     ssh implements the RSA authentication protocol automatically.  The user
     creates his/her RSA key pair by running ssh-keygen(1).  This stores the
     private key in .ssh/identity and the public key in .ssh/identity.pub in
     the user's home directory.  The user should then copy the identity.pub to
     .ssh/authorized_keys in his/her home directory on the remote machine (the
     authorized_keys file corresponds to the conventional .rhosts file, and
     has one key per line, though the lines can be very long).  After this,
     the user can log in without giving the password.  RSA authentication is
     much more secure than rhosts authentication.

I hope this will help you

  Bye


On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> 
> Recently I was made administrator over a dozen Solaris boxen <heh>
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh <newbie> and have only used
> ssh as a plug in replacement to telnet, <I tend to not set a different 
> p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l <me> <hostname>
> then I login using the normal p/w that is local to the box. I have found 
> that he did
> not need to transmit the local password over the tunnel, but rather used 
> RSA to
> verify his identity, but I can't find documentation on how to do it. 
> <man ssh, man ssh-agent, man ssh-add, Practical UNIX & Internet 
> Security> does anyone have any information on how I can implement the 
> same safeguards? Or where I can at least find some documentation on 
> practical ssh implementation.
> 
> As always, You guys are great, thanks in advance for the help,
> 
> 
> ~duane
> 
> -- 
> 
>    The plan was simple.  Unfortunately, so was Bullwinkle. 
> 
> 
> 
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> 
>

Reply to:

References:
- SSH and RSA
  - From: Duane Powers <duane@uberLAN.net>

Prev by Date: Re: SSH and RSA
Next by Date: Re: SSH and RSA
Previous by thread: Re: SSH and RSA
Next by thread: Re: SSH and RSA
Index(es):
- Date
- Thread