Re: FW: No longer can connect
From: Marius Huse Jacobsen (mahuja_at_c2i.net)
Date: 07/10/05
- Previous message: Simon Wilkinson: "Re: OpenSSH/kerberos compile problem."
- In reply to: Nathan Zabaldo: "FW: No longer can connect"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 10 Jul 2005 17:33:29 +0200 To: secureshell@securityfocus.com
Nathan Zabaldo wrote:
> I've read the manual on how to generate keys, but it is too cryptic for me
> not being a linux guy quite yet.
>
> Please someone spell it out for me. This is what I am looking for please
> fill in the blanks.
>
> On my box I have users that I have set up that I want to be able to use
> Putty to connect remotely via sshd. Sshd is now installed and up and
> running. For my users to connect I have to (blank) in each of my user's
> accounts.
(accounts->home directory)
put the public key result from the user running puttygen into the
~/.ssh/authorized_keys file
(see screenshot of puttygen attached.)
> For example in a terminal on the box when I am logged into a users account
> type in:
n/a (not applicable)
> I'm sure this is simplistic to some people out there, but rocket science to
> a Windows guy trying to get away from Windows.
The clue is that the private key should not originate on your box, as
you're trying to. The public key needs to be there, obviously, so that
the ssh server has something to check the private one against.
I'm getting a feeling that you don't understand the crypto involved. So
here goes:
The key authentication is based on public key crypto, subfield digital
signing. Meaning there is a public key and a matching private key. When
connecting, the server sends a chunk of data, which the client signs
with the private key. The signed data are sent back, and then the server
can find if it was signed by a private key corresponding to one of the
public keys associated with that user. (This is slightly simplified, but
should give you an idea.)
Important clues:
The client must have the private key,
the server must have the public key,
and both keys must of course match each other, meaning they should be
generated in the same place.
I think we can call it a cryptographically very bad habit to generate
the private key on the server and send it to the client. Anyone who
snatches the public key (as in transit to server) can only grant access
to the holder of the private key in places this snatcher already
controls - there's no real gain for the attacker. If the private key is
snatched, the attacker gains access.
IOW, the keys should be generated clientside.
(There's an addition reason for this, and that is that the keys would
have to be imported into puttys private key format anyway.)
>> Normally users authenticate by password, or by generating their own
>> key pairs.
Tried and true.
If you're gonna do anything else, you're sauntering through a minefield.
- image/png attachment: puttygen.PNG
- Previous message: Simon Wilkinson: "Re: OpenSSH/kerberos compile problem."
- In reply to: Nathan Zabaldo: "FW: No longer can connect"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
