SSH Fingerprint Validation and Authentication

From: saifa (saifa@redneck.gacracker.org)
Date: 04/16/03


Greetings,

Some questions regarding fingerprint validation and authentication ...

1. Fingerprints.

Let's say that a user connects to my machine for the first time using
SSH, and is presented with:

  [user@host user]# ssh host.domain.org
  The authenticity of host 'host.domain.org (hhh.xxx.yyy.zzz)' can't be established.
  RSA key fingerprint is 5b:37:cf:68:84:57:6f:1c:27:0e:2a:ef:fd:52:10:49.
  Are you sure you want to continue connecting (yes/no)?

I understand that the error received if a key has *changed* will alert
the user to a possible compromise, but how does this initial warning
help? If the user contacts me and asks "what is your SSH RSA
fingerprint?", how does this help the user determine that the machine
hasn't been compromised?

Using PGP I can publish my fingerprint on each email or newsgroup post
I make, and then when someone downloads my public key they can check
the fingerprint against those I have previously published and so
determine whether or not it has changed. Is there an equivalent
practice for SSH keys?

2. Authentication.

Is there a way to force the SSH server to use both public key *and*
password authentication? If so, is there a way (compile-time option?)
to ensure that when the private key is generated by the SSH client the
passphrase is not null?

TIA
saifa
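
The check the first question is really about, as an added example that is not part of the original post: the fingerprint in the prompt above is a hash of the server's public host key, so an administrator can publish it (on a web page, in a signed mail, on a wiki) exactly as the post does with a PGP fingerprint, and a user can recompute it from the key the server presented and compare. The script below reproduces what `ssh-keygen -l -f` prints for a public-key line, in both the legacy MD5 colon form shown in the 2003 prompt and the `SHA256:` base64 form current OpenSSH shows, and also refuses a line whose text type field disagrees with the type embedded in the key blob. The RSA key it builds is constructed for illustration and is not a real host key; `host.domain.org` is the name from the post, and the helper and variable names are this example's own.

```python
"""Check an SSH host key against a fingerprint published out of band.

Added example (not part of the original post). It reproduces what
`ssh-keygen -l -f key.pub` prints from a public-key line: the legacy
MD5 colon form shown in the 2003 prompt quoted above, and the
"SHA256:..." base64 form that current OpenSSH shows by default.
The RSA key below is CONSTRUCTED for illustration and is not a real
host key; the hostname is the one used in the post.
"""
import base64
import hashlib
import hmac
import struct

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """SSH wire-format mpint (RFC 4251): big-endian, extra 0x00 if MSB set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Parse a .pub / authorized_keys line or a known_hosts line.

    known_hosts lines carry a leading host field, .pub lines do not, so
    the key-type field is located by name rather than by position.
    The type string embedded in the blob must agree with the text field;
    a disagreement means the line is malformed or has been edited.
    """
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field.startswith(KEY_TYPES):
            ktype, b64 = field, fields[i + 1]
            break
    else:
        raise ValueError("no key type field found")
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode("ascii")
    if embedded != ktype:
        raise ValueError(f"type field {ktype!r} disagrees with blob {embedded!r}")
    return ktype, blob


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: unpadded base64 of SHA-256 of the blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def matches_published(line: str, published: str) -> bool:
    """Does the key on `line` match a fingerprint the admin published elsewhere?

    Accepts either form; an optional "MD5:" prefix and upper-case hex are
    tolerated because that is how people tend to transcribe fingerprints.
    """
    _, blob = parse_pubkey_line(line)
    published = published.strip()
    if published.startswith("SHA256:"):
        actual = fingerprint_sha256(blob)
    else:
        actual = fingerprint_md5(blob)
        published = published.removeprefix("MD5:").lower()
    return hmac.compare_digest(actual.encode(), published.encode())


def is_well_formed(line: str) -> bool:
    """True if the line parses and its type field agrees with the blob."""
    try:
        parse_pubkey_line(line)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


# --- constructed sample host key (NOT a real key) ------------------------
TOY_E = 65537
TOY_N = (1 << 1023) | int.from_bytes(
    hashlib.sha256(b"constructed toy modulus").digest(), "big")


def constructed_rsa_line() -> str:
    """Build an ssh-rsa public-key line the way ssh_host_rsa_key.pub looks."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(TOY_E) + _ssh_mpint(TOY_N)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " root@host.domain.org"


if __name__ == "__main__":
    line = constructed_rsa_line()
    ktype, blob = parse_pubkey_line(line)
    print(ktype, fingerprint_md5(blob))
    print(ktype, fingerprint_sha256(blob))
    print("matches published:", matches_published(line, fingerprint_md5(blob)))
```

On a real server the value to publish is what `ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub` prints (add `-E md5` on OpenSSH 6.8 or later to get the colon form the post shows); the user compares it against the first-connection prompt, and the same function applied to the matching `~/.ssh/known_hosts` line answers "has it changed since I last published it". For the second question, OpenSSH 6.2 and later can require both methods with `AuthenticationMethods publickey,password` in sshd_config; there is no compile-time switch that makes `ssh-keygen` refuse an empty passphrase, it simply prompts and accepts whatever is typed.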
