
Re: SSH and RSA

On Mon, Feb 19, 2001 at 01:21:45PM -0500, Dan Hutchinson wrote:
> Without SSH enabled, I was able to pass my root user account from one
> trusted Solaris Box to another with an /.rhost and /etc/host.equiv file.
> #cat .rhost
> Doctor
> #cat /etc/host.equiv
> Doctor  root
> For example, Doctor would be the solaris hostname and root would be the
> account.  This leaves a big security hole, so I only activate it when
> I am doing backups for about 4-5 hours each month.  Maybe someone on
> the list can help with the RSA since I am fairly new in that field also
> Dan
> ---- Duane Powers <duane@uberLAN.net> wrote:
> > Hi all,
> > 
> > Recently I was made administrator over a dozen Solaris boxen <heh>
> > The prior admin was offsite and used ssh with rsa keys to access the
> > boxes.
> > He allowed root login, and used the RSA key functionality to keep the
> > root password safe.
> > I am not as mature as he was regarding ssh <newbie> and have only used
> > ssh as a plug in replacement to telnet, <I tend to not set a different
> > p/w during ssh-keygen> and simply access the boxes as follows:
> > ssh -l <me> <hostname>
> > then I login using the normal p/w that is local to the box. I have
> > found that he did not need to transmit the local password over the
> > tunnel, but rather used RSA to verify his identity, but I can't find
> > documentation on how to do it.
> > 
> > <man ssh, man ssh-agent, man ssh-add, Practical UNIX & Internet
> > Security> does anyone have any information on how I can implement the
> > same safeguards? Or where I can at least find some documentation on
> > practical ssh implementation.
> > 
> > As always, You guys are great, thanks in advance for the help,

Hi, guys. Here's what I've got:

<-- terminal copy start: -->

$ ssh -v
SSH Version OpenSSH_2.2.0p1, protocol versions 1.5/2.0.

<-- terminal copy snip -->

$ man ssh
SSH(1)                      System Reference Manual                     SSH(1)

     ssh - OpenSSH secure shell client (remote login program)

<-- terminal copy snip -->

   SSH protocol version 1

<-- terminal copy snip -->

     As a third authentication method, ssh supports RSA based authentication.
     The scheme is based on public-key cryptography: there are cryptosystems
     where encryption and decryption are done using separate keys, and it is
     not possible to derive the decryption key from the encryption key.  RSA
     is one such system.  The idea is that each user creates a public/private
     key pair for authentication purposes.  The server knows the public key,
     and only the user knows the private key.  The file
     $HOME/.ssh/authorized_keys lists the public keys that are permitted for
     logging in.  When the user logs in, the ssh program tells the server
     which key pair it would like to use for authentication.  The server
     checks if this key is permitted, and if so, sends the user (actually the
     ssh program running on behalf of the user) a challenge, a random number,
     encrypted by the user's public key.  The challenge can only be decrypted
     using the proper private key.  The user's client then decrypts the chal-
     lenge using the private key, proving that he/she knows the private key
     but without disclosing it to the server.

<-- terminal copy snip -->

<-- terminal copy end: -->

I also suggest re-reading the ssh-keygen(1) manual page.

To use RSA/DSA authentication you need to generate a personal log-in key pair
(via ssh-keygen). Then, copy your public key to the remote machine's
"$HOME/.ssh/authorized_keys" for RSA or "$HOME/.ssh/authorized_keys2" for DSA,
where "$HOME" is the home directory of the user you want to log in as on the
remote machine. After this step, assuming the rest of the configuration is
fine, "$ ssh -l remote_user_name remote_host_name" should be about enough to
log in to the remote machine.

A piece of advice: if you want security, read all the manual documentation you
have about ssh.

Good luck,
Pavel M. Penev
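As an added example (not part of Pavel's message or of OpenSSH itself), a POSIX shell function that performs the "copy your public key" step described above: it appends a key line once to the target account's authorized_keys (protocol-1 RSA) or authorized_keys2 ("ssh-dss" DSA) file and sets the permissions sshd's StrictModes checks. The home directory and key line are passed in as arguments; count_keys is a small helper for checking the result.

```shell
#!/bin/sh
# Added example (not from the thread): put a public key line into the
# target account's authorized_keys file as Pavel describes, and give
# ~/.ssh the permissions sshd requires before it trusts the file.
# Assumption: OpenSSH 2.x layout, where protocol-1 RSA keys ("bits
# exponent modulus comment") go in authorized_keys and "ssh-dss ..."
# DSA keys go in authorized_keys2.

# install_authorized_key HOMEDIR "KEYLINE"
# Appends KEYLINE once (re-running is harmless) and prints the file used.
install_authorized_key() (
    homedir=$1
    keyline=$2
    case $keyline in
        ssh-dss\ *) file="$homedir/.ssh/authorized_keys2" ;;  # DSA, protocol 2
        *)          file="$homedir/.ssh/authorized_keys"  ;;  # RSA, protocol 1
    esac
    umask 077                        # subshell: caller's umask is untouched
    mkdir -p "$homedir/.ssh"
    chmod 700 "$homedir/.ssh"        # StrictModes rejects dirs writable by others
    touch "$file"
    # -x -F: whole-line, literal match, so a key is never appended twice
    if ! grep -qxF "$keyline" "$file"; then
        printf '%s\n' "$keyline" >> "$file"
    fi
    chmod 600 "$file"                # same rule for the key file itself
    printf '%s\n' "$file"
)

# count_keys FILE: number of non-blank lines, i.e. installed keys
count_keys() {
    grep -c '[^[:space:]]' "$1" || true
}
```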
