Re: Q: RSA Authentication vs. Password Authentication in SSH
>>>>> "Dave" == Dave Sherohman <esper@sherohman.org> writes:
Dave> OK, now you's lost me... I thought the big advantage of
Dave> public keys was exactly that - they're public. You don't
Dave> have to worry about transferring them securely, so long as
Dave> the corresponding private key remains safe.
Yes. You are correct. The key can be public.
Dave> To map this onto the specific case at hand, ssh, if you were
Dave> to obtain my public ssh key, the worst thing that could
Dave> result from this interception is that you could add it to
Dave> your list of authorized_keys and allow me to freely use your
Dave> account - which is a detriment to the person intercepting
Dave> the key, not the person owning it. (I'm ignoring the
Dave> possibility that you might try to factor the public key, as
Dave> doing so is generally considered to be a practical
Dave> impossibility for the foreseeable future.)
However, you are incorrect here. The worse case situation is that I
can intercept your public key *and* replace it with my own, meaning I
can use now use *your* account. Just because the key is "public"
doesn't mean you can freely transfer it without regard to security
:-(.
I guess however, that I misunderstood what you were asking...
--
Brian May <bam@debian.org>
Reply to: