Please decrypt your manual

I. Most of the ssh manual and all of the sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests copying keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files were on the same machine.

II. A general presentation of ssh workings is missing, which makes the decryption of those manuals even more difficult. I suppose, but I am not sure, that:

Both server and client encrypt their messages with the encryption keys in:
/etc/ssh/ssh_host_?sa_key
/etc/ssh/ssh_host_?sa_key.pub

Both server and client can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts.

Only the server is protected through authorization. This happens in two ways:

1. server side (usually used methods):
      a. the client provides an authorization key:
         + public part in //server/~/.ssh/authorized_keys
         + private part in //client/~/.ssh/id_dsa
(this could be using http://en.wikipedia.org/wiki/Rsa#Signing_messages ?)
      b. the client provides its password
   This (#1) should happen for EVERY line sent from client to server.

2. client side:
      the client verifies that it has the server's public encryption key:
      a. with a question to the unknowing human at the client's console
      b. verifying the server's public encryption key against the lists of servers' public encryption keys in:
         //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts

//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not habitually used, because other authorization means are preferred. Probably IgnoreUserKnownHosts in sshd_config refers to this.

These few lines took me three frustrating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. Three expensive, unpleasant days. I hope that the author of the sshd manual is feeling better now and will correct his writing. And please verify my "discoveries" above and publish them somewhere. At the beginning of the ssh man page, for example.
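The client-side check in item 2 above (the client looking up the server's public host key in its known_hosts files, and otherwise asking the human at the console) can be made concrete with a small re-implementation of that lookup. The following is an added example, not code from the original post or from OpenSSH: it parses known_hosts lines in the format OpenSSH uses, including hashed hostnames (the `|1|salt|hmac` form written when HashKnownHosts is on), computes the SHA256 fingerprint a user would be shown at the prompt, and returns one of three outcomes: the key is known, the host is unknown (prompt the human, item 2a), or the host is known but the key differs (the "host key has changed" case, which a client must refuse). The hostnames, the address 192.0.2.10 and the key blobs are constructed; the blobs are not real keys. Markers such as `@cert-authority` and `@revoked`, wildcard patterns and `[host]:port` syntax are deliberately not handled.

```python
import base64
import hashlib
import hmac


def fake_key_blob(keytype: str, seed: bytes) -> str:
    """Constructed stand-in for the base64 key field of a public-key line.

    A real blob is SSH wire format; this only mimics its leading
    length-prefixed key type string, followed by filler bytes.
    """
    body = len(keytype).to_bytes(4, "big") + keytype.encode() + seed
    return base64.b64encode(body).decode()


# Constructed keys: the "real" server key and an unrelated one.
SERVER_KEY = ("ssh-ed25519", fake_key_blob("ssh-ed25519", b"server-host-key-1"))
OTHER_KEY = ("ssh-ed25519", fake_key_blob("ssh-ed25519", b"some-other-host-key"))

SALT = b"0123456789abcdef0123"  # constructed 20-byte salt for hashed entries


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed hostname field as OpenSSH writes it: |1|b64(salt)|b64(HMAC-SHA1)."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


# Constructed client-side known_hosts content (//client/~/.ssh/known_hosts).
KNOWN_HOSTS = "\n".join([
    "# hostnames-or-hash  keytype  base64-key  [comment]",
    f"bastion.example.net,192.0.2.10 {SERVER_KEY[0]} {SERVER_KEY[1]} bastion",
    f"{hash_hostname('hashed.example.net', SALT)} {SERVER_KEY[0]} {SERVER_KEY[1]}",
    f"old.example.net {OTHER_KEY[0]} {OTHER_KEY[1]}",
])


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form shown at the host-key prompt."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (host_field, keytype, key_blob) for each non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 3)
        if len(fields) >= 3:
            yield fields[0], fields[1], fields[2]


def host_matches(host_field: str, hostname: str) -> bool:
    """Match a plain comma-separated host list or a hashed (|1|...) field."""
    if host_field.startswith("|1|"):
        _, _, salt_b64, _ = host_field.split("|", 3)
        recomputed = hash_hostname(hostname, base64.b64decode(salt_b64))
        return hmac.compare_digest(recomputed, host_field)
    return hostname in host_field.split(",")


def check_host_key(known_hosts_text: str, hostname: str, keytype: str, blob: str) -> str:
    """Return 'known', 'unknown' (ask the human) or 'mismatch' (refuse to connect)."""
    seen_host = False
    for host_field, kt, kb in parse_known_hosts(known_hosts_text):
        if kt != keytype or not host_matches(host_field, hostname):
            continue
        seen_host = True
        if hmac.compare_digest(kb, blob):
            return "known"
    return "mismatch" if seen_host else "unknown"


if __name__ == "__main__":
    for host, key in [("bastion.example.net", SERVER_KEY),
                      ("hashed.example.net", SERVER_KEY),
                      ("old.example.net", SERVER_KEY),
                      ("new.example.net", SERVER_KEY)]:
        verdict = check_host_key(KNOWN_HOSTS, host, *key)
        print(f"{host:22} {fingerprint(key[1])}  -> {verdict}")
```

The "mismatch" outcome is the one worth training users on: a changed key for a host they already trust is the case where a client should stop rather than let the human press through, which is also why the server's fingerprint is best published out of band so that the "unknown" prompt in item 2a can be answered by comparison instead of by guessing.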