
Re: Q: RSA Authentication vs. Password Authentication in SSH



>>>>> "Dave" == Dave Sherohman <esper@sherohman.org> writes:

    Dave> OK, now you've lost me...  I thought the big advantage of
    Dave> public keys was exactly that - they're public.  You don't
    Dave> have to worry about transferring them securely, so long as
    Dave> the corresponding private key remains safe.

Yes. You are correct. The key can be public.

    Dave> To map this onto the specific case at hand, ssh, if you were
    Dave> to obtain my public ssh key, the worst thing that could
    Dave> result from this interception is that you could add it to
    Dave> your list of authorized_keys and allow me to freely use your
    Dave> account - which is a detriment to the person intercepting
    Dave> the key, not the person owning it.  (I'm ignoring the
    Dave> possibility that you might try to factor the public key, as
    Dave> doing so is generally considered to be a practical
    Dave> impossibility for the foreseeable future.)

However, you are incorrect here. The worst-case situation is that I
can intercept your public key *and* replace it with my own, meaning I
can now use *your* account. Just because the key is "public"
doesn't mean you can freely transfer it without regard to security
:-(.

I guess, however, that I misunderstood what you were asking...
-- 
Brian May <bam@debian.org>
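A defender's check against the substitution Brian describes, added here as an example and not part of the original thread: before a received key line is appended to authorized_keys, compare its SHA256 fingerprint (the same form `ssh-keygen -l` prints) with one the key's owner confirmed over a separate channel. The key bytes, names and helper functions below are constructed sample data, not anything from the list.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode a byte string in SSH wire format (big-endian uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def make_pubkey_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public-key line from raw key bytes (constructed sample, not a real key)."""
    blob = ssh_string(key_type.encode()) + ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Parse 'type base64blob [comment]' and check the blob's inner type tag matches."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("malformed public key line")
    key_type = fields[0]
    blob = base64.b64decode(fields[1], validate=True)
    (tag_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + tag_len].decode()
    if inner_type != key_type:
        raise ValueError(f"type tag mismatch: {key_type} vs {inner_type}")
    return key_type, blob


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint over the decoded blob, in ssh-keygen -l form (no '=' padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def authorize_if_matches(line: str, expected_fp: str) -> bool:
    """True only if the received key's fingerprint equals the one obtained out of band.

    A key swapped in transit decodes and parses fine; only the
    fingerprint comparison reveals that it is not the owner's key.
    """
    _, blob = parse_pubkey_line(line)
    return fingerprint(blob) == expected_fp
```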


