Re: SSH and RSA
from 'man ssh' you can find some answer:
As a third authentication method, ssh supports RSA based authentication.
The scheme is based on public-key cryptography: there are cryptosystems
where encryption and decryption are done using separate keys, and it is
not possible to derive the decryption key from the encryption key. RSA
is one such system. The idea is that each user creates a public/private
key pair for authentication purposes. The server knows the public key,
and only the user knows the private key. The file
$HOME/.ssh/authorized_keys lists the public keys that are permitted for
logging in. When the user logs in, the ssh program tells the server
which key pair it would like to use for authentication. The server
checks if this key is permitted, and if so, sends the user (actually the
ssh program running on behalf of the user) a challenge, a random number,
encrypted by the user's public key. The challenge can only be decrypted
using the proper private key. The user's client then decrypts the chal
lenge using the private key, proving that he/she knows the private key
but without disclosing it to the server.
ssh implements the RSA authentication protocol automatically. The user
creates his/her RSA key pair by running ssh-keygen(1). This stores the
private key in .ssh/identity and the public key in .ssh/identity.pub in
the user's home directory. The user should then copy the identity.pub to
.ssh/authorized_keys in his/her home directory on the remote machine (the
authorized_keys file corresponds to the conventional .rhosts file, and
has one key per line, though the lines can be very long). After this,
the user can log in without giving the password. RSA authentication is
much more secure than rhosts authentication.
I hope this will help you
On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> Recently I was made administrator over a dozen Solaris boxen <heh>
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh <newbie> and have only used
> ssh as a plug in replacement to telnet, <I tend to not set a different
> p/w during
> ssh-keygen> and simply access the boxes as follows: ssh -l <me> <hostname>
> then I login using the normal p/w that is local to the box. I have found
> that he did
> not need to transmit the local password over the tunnel, but rather used
> RSA to
> verify his identity, but I can't find documentation on how to do it.
> <man ssh, man ssh-agent, man ssh-add, Practical UNIX & Internet
> Security> does anyone have any information on how I can implement the
> same safeguards? Or where I can at least find some documentation on
> practical ssh implementation.
> As always, You guys are great, thanks in advance for the help,
> The plan was simple. Unfortunately, so was Bullwinkle.
> To UNSUBSCRIBE, email to firstname.lastname@example.org
> with a subject of "unsubscribe". Trouble? Contact email@example.com