Please decrypt your manual
- From: Doru Georgescu <headset001@xxxxxxxxx>
- Date: Fri, 5 Mar 2010 10:02:13 -0800 (PST)
I. Most of the ssh manual and all of the sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect and makes the explanation unclear. For example, man sshd, SSH_KNOWN_HOSTS FILE FORMAT, suggests copying keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files were on the same machine.
II. A general presentation of ssh workings is missing, which makes the decryption of those manuals even more difficult. I suppose, but I am not sure, that:
both server and client encrypt their messages with the encryption keys in:
both server and client can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts
Only the server is protected through authorization. This happens in two ways:
1. server side (usually used methods):
a. the client provides an authorization key:
+ public part in //server/~/.ssh/authorized_keys
+ private part in //client/~/.ssh/id_dsa
(this could be using http://en.wikipedia.org/wiki/Rsa#Signing_messages ?)
b. the client provides its password
This (#1) should happen for EVERY line sent from client to server.
2. client side:
The client verifies that it has the server's public encryption key:
a. with a question to the unknowing human at the client's console
b. verifying the server's public encryption key against the lists of servers' public encryption keys in:
//client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts
//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authorization means are preferred. Probably IgnoreUserKnownHosts in sshd_config refers to this.
These few lines took me three frustrating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. Three expensive unpleasant days. I hope that the author of the sshd manual is feeling better now and will correct his writing. And please verify my "discoveries" above and publish them somewhere. At the beginning of the ssh man page, for example.
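The client-side check described in point 2 of the post above (compare the host key the server presents against the entries in known_hosts; only if the host is absent does the client fall back to asking the human), as an added example that is not from the original post or from OpenSSH itself. The keys, hostnames and known_hosts lines are constructed for the example; hashed entries (the HashKnownHosts form) are handled as well, and @cert-authority/@revoked markers are not.

```python
"""Client-side host key lookup, modelled on how ssh consults known_hosts."""
import base64
import hashlib
import hmac
import struct

def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()

def ed25519_blob(pub32: bytes) -> bytes:
    """Wire-format ssh-ed25519 public key blob (type string + 32-byte key)."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pub32

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen -l prints it: unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + b64(hashlib.sha256(blob).digest()).rstrip("=")

def host_matches(pattern: str, host: str) -> bool:
    """Match the first known_hosts field: a comma list of names, or |1|salt|hmac."""
    if pattern.startswith("|1|"):
        _, _, salt, digest = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(b64(mac), digest)
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """'match': key is the one on file; 'mismatch': host known but key differs
    (the possible man-in-the-middle case); 'unknown': nothing on file, ask the user."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or not host_matches(fields[0], host):
            continue
        if fields[1] == keytype:
            seen = True
            if base64.b64decode(fields[2]) == blob:
                return "match"
    return "mismatch" if seen else "unknown"

# Constructed sample data: two key blobs and a three-line known_hosts file.
GOOD_KEY = ed25519_blob(bytes(range(32)))
OTHER_KEY = ed25519_blob(bytes(range(32, 64)))
SALT = b"\x00" * 20
HASHED_HOST = "|1|" + b64(SALT) + "|" + b64(hmac.new(SALT, b"git.example", hashlib.sha1).digest())
KNOWN_HOSTS = "\n".join([
    "# constructed ~/.ssh/known_hosts for the example",
    "server.example,10.0.0.5 ssh-ed25519 " + b64(GOOD_KEY),
    HASHED_HOST + " ssh-ed25519 " + b64(GOOD_KEY),
])
```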