Sharing the SSH server keys & other questions

From: Carlos N (cgnjunkregDELETE_at_hotmail.com)
Date: 06/25/04 

Date: Fri, 25 Jun 2004 17:05:44 -0400

Basic SSH question:

If I want to use RSA authentication by clients the process is simple. I
generate a key pair, leave the private key (encrypted or not) on the
client, give the public key to the server, make sure the server knows
about it and presto.

This makes sense. The server administrator has to actively accept the
clients key, insuring that not just anyone can login.

However, it seems that the reverse is not true. The server also has a
private/public key pair (whether using key or password authentication).
  It seems, however, that the server automatically will feed its public
key to the client. The client checks to make sure the key is OK - sure
that protects the client. But it seems like ANY client can connect and
automatically gets the key. Is there a way to limit the exchange so
that the admin has to hand out the server's key through a different
channel? Am I missing the point?

In case you are wondering... I'm trying to set up a very simple SSH
server on my home machine, so my wife can access it remotely. It seems
like handing out the server key manually would be a way to restrict
passerbys from trying to log in. Of course, the password and/or client
key does the same thing. I'm just wondering....

On a very related note. Since she will be traveling, sometimes using
her laptop, sometimes using internet cafes or hotel computers, it seems
like the best option is to use password rather than key authentication.
  Is this correct? This way she doesn't have to install a new key in
each place. It also seems to preclude my doing any host-level access
privileges in SSD.

Thanks!
Carlos

Relevant Pages

  • Re: WCF security advice (and clarification) needed
    ... You, the client, resolve the foo.mycompany.com hostname within your ... TCP/IP) with that ticket as the security token. ... There are two parties participating in a security scenario, the server ... HTTP supports other authentication ...
    (microsoft.public.dotnet.framework.webservices)
  • Re: SSPI Kerberos for delegation
    ... We want the authentication to happen without providing credentials ... But SSPI while authenticating from the client to the server can do mutual ...
    (comp.protocols.kerberos)
  • Re: Aironet 1200/Radius Help Needed
    ... I just fired up a W2003 Advanced Server so that I can take ... >> IAS servers (do I need a separate certificate for the secondary IAS ... >> of authentication since it involves just installing the certificate on ... >between the AP and the client. ...
    (microsoft.public.internet.radius)
  • Re: Windows Authentication, Single sign on and Active Directory
    ... service proxy client fails to connect due to authentication failure and then ... Co-author of "The .NET Developer's Guide to Directory Services Programming" ... The server is always in the domain. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Outlook -> remote exchange -> always wants a password
    ... I have my server set to use Integrated Windows authentication over SSL. ... almost certainly "break" your existing users if the client setup does not ... Close out of these configuration dialogs, ...
    (microsoft.public.windows.server.sbs)