[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Q: RSA Authentication vs. Password Authentication in SSH

on Mon, Nov 20, 2000 at 04:08:26PM +1100, Brian May (bam@debian.org) wrote:
> >>>>> "kmself" == kmself  <kmself@ix.netcom.com> writes:
>     kmself> Sorry?
>     kmself>   - I establish a private RSA authentication key for ssh.
>     kmself> - I send the corresponding public key to remoteserver.  -
>     kmself> You intercept the transmission and replace my public key
>     kmself> with yours.
> I assume you intend to login to the remote server. That means that you
> want to put your public key in authorised_keys (IIRC) on the remote
> host. However, since I intercepted the message, my key goes in
> authorised_keys instead.
>     kmself> I can now:
>     kmself>   - *Not* access the host I'd intended to provide access
>     kmself> to (wrong public key).  
> Correct up to here.
>     kmself> - Possibly be tricked into
>     kmself> accessing a host of your chosing via your key.
> Incorrect. You are getting the *host*'s public key mixed up with
> *your* public key. This is your public key we are talking about here
> (or so I believe).
> Now that *my* public key is in authorised_keys on the remote host
> (instead of your public key), I can now log into that remote host as
> you.

Doh!  Brain fart.  Thanks.

Ok.  So, to ensure key integrity, I do what?

And, mind, I still discover quickly that I can't log in to my remote
server as me, so I check my authorised_keys file....

...assuming I have more of a brain than I did this morning.

> The host's public key travels in the opposite direction, but lets not
> complicate matters too much...

Karsten M. Self <kmself@ix.netcom.com>     http://www.netcom.com/~kmself
 Evangelist, Zelerate, Inc.                      http://www.zelerate.org
  What part of "Gestalt" don't you understand?      There is no K5 cabal
   http://gestalt-system.sourceforge.net/        http://www.kuro5hin.org

Attachment: pgpsVlWXqo7gM.pgp
Description: PGP signature

Reply to: