Re: Basics of key authentication

From: Richard E. Silverman (res_at_qoxp.net)
Date: 07/25/04


Date: 25 Jul 2004 13:24:23 -0400


>>>>> "OT" == OpticTygre <optictygre@adelphia.net> writes:

    OT> Ok, so everything I've read basically tells me the client creates
    OT> a public and private key. The public key gets copied to the
    OT> server, and when the client wants to log in, the server encrypts
    OT> some message with the public key, and the client decrypts it with
    OT> its private key to prove he is who he says he is. Is that right
    OT> so far?

No, it's the other way around. The client uses its private key to sign
some data (which are chosen to bind the request to this request and SSH
session to prevent replay attacks). The server checks the signature with
the client's public key.

    OT> 1. A server can have tons of public keys stored on it. How does
    OT> he know which public key to encrypt the message with for the
    OT> client?

This isn't what happens, but even so -- the keys on the server are
connected with particular accounts in order to authorize their owners to
log into those accounts. The mechanism is implementation-dependent, but
for instance with OpenSSH/Unix, the keys authorizing access to account
"bob" are in ~bob/.ssh/authorized_keys. So the server certainly knows
which keys are relevant to a login request for that account.

    OT> In other words, what's the step-by-step process used for
    OT> authenticating via public/private keys between client and server?
    OT> Thanks for helping to clear things up.

See section 3.3, "Public Key Authentication Method: publickey", in:

  http://www.snailbook.com/docs/userauth.txt

-- 
  Richard Silverman
  res@qoxp.net

