Re: Setting up a secure shell server

From: Tommy Ward (tommy@webever.com)
Date: 01/14/02


Date: Mon, 14 Jan 2002 10:16:48 -0800
To: "Nicholas de Jong" <nick@infilsec.com>, "Kevin Lisciotti" <moonpup@mediaone.net>, "David Chin" <dwchin@umich.edu>
From: Tommy Ward <tommy@webever.com>


*** snip ***

>.... this may prove to be an administration issue, user generates key....
>does not know what is going on, perhaps emails public key to administrator,
>administrator inserts key....

*** snip ***

Actually, to avoid having the user emailing their public key, and the admin
blindly trusting the key received in unauthenticated mail, it might be better
for the two of them to perform a little key generating ceremony. Doesn't have
to be too formal, but in the same vein that sometimes we create an
account for a new user and hand the keyboard to them at the "enter
user's password prompt", sitting down together to generate the key pair
and moving the key via floppy might be a better idea. This of course assumes
that the admin and user are geographically co-resident. If not, they
need to come up with some way of exchanging the necessary key file
with assurance that it is from the correct person.

*** snip ***

>BTW : If your guys are using the Windows SSH2 client from ssh.com, you will
>have much less pain if you also use the sshd from ssh.com (check the licence
>but as I remember it sshd is free for OS's like FreeBSD, Linux etc..) not
>the openssh sshd. It turns out the two sshd's use different key formats
>which will likely drive you mad. I recall hearing of a key conversion
>utility?? true?? anyone??

I recently ran into this same problem using a Putty client and openssh sshd.

....Tommy
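An added example covering both points above (it is not part of Tommy's message or the quoted posts): it converts a public key in the RFC 4716 "SSH2 PUBLIC KEY" format, which the ssh.com tools and PuTTYgen export, into the one-line form OpenSSH expects in authorized_keys, and derives the SHA256 fingerprint that user and admin can read to each other when the key file itself travelled by mail. The function names and the sample key are constructed for illustration; OpenSSH's own `ssh-keygen -i` performs the same conversion.

```python
import base64
import hashlib
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def rfc4716_to_openssh(text):
    """Return (authorized_keys line, SHA256 fingerprint) for an RFC 4716 public key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 public key markers")
    body, comment, i = [], "", 1
    while i < len(lines) - 1:
        line = lines[i]
        i += 1
        if ":" not in line:  # base64 never contains ':', header lines always do
            body.append(line)
            continue
        while line.endswith("\\") and i < len(lines) - 1:  # header continuation
            line = line[:-1] + lines[i]
            i += 1
        tag, _, value = line.partition(":")
        if tag.strip().lower() == "comment":
            comment = value.strip().strip('"')
    blob = base64.b64decode("".join(body), validate=True)
    # The blob starts with a length-prefixed key type; reject anything malformed.
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key type length")
    key_type = blob[4:4 + n].decode("ascii")
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    line = f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()
    return line, fingerprint

def sample_key():
    """Constructed sample: ed25519-shaped blob with made-up key bytes, not a real key."""
    fields = (b"ssh-ed25519", bytes(range(32)))
    blob = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    b64 = base64.b64encode(blob).decode()
    wrapped = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    header = ['Comment: "constructed sample key \\', 'for newuser"']
    return blob, "\n".join([BEGIN, *header, *wrapped, END])

if __name__ == "__main__":
    _, text = sample_key()
    line, fp = rfc4716_to_openssh(text)
    print(line)  # what the admin appends to authorized_keys
    print(fp)    # what user and admin compare over an authenticated channel
```

The fingerprint uses the same encoding as current `ssh-keygen -l` output, so the admin can check the value the user reads out against the key that was actually installed.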


