Re: Have I got a clue yet? ;)
From: Richard E. Silverman (res_at_qoxp.net)
Date: 08/09/05
- Next message: Newt Ossh: "Re: SSH and "screen control"."
- Previous message: Richard E. Silverman: "Re: SSH and "screen control"."
- In reply to: MikesBrain: "Have I got a clue yet? ;)"
- Next in thread: MikesBrain: "Re: Have I got a clue yet? ;)"
- Reply: MikesBrain: "Re: Have I got a clue yet? ;)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 09 Aug 2005 09:42:45 -0400
>>>>> "MB" == MikesBrain <Mike@N.UK> writes:
MB> 1ST CONTACT
MB> An ssh client request is sent to a server. (In my case, my client
MB> P1 sends a request to my server P2.)
MB> The sshd server sends it's public key to the client.
MB> The client encrypts a data-chunk with the server's public key and
MB> returns this to the server.
No. The details at this level are more complex, and the server's public
key is used for authentication only, not encryption. See:
http://www.snailbook.com/docs/connection.txt
MB> The resulting server-generated encrypted "channel" which is
MB> specific to this client/server interaction is now used as the
MB> communication method between the client and the server.
MB> AUTHORISATION/LOGIN
MB> Through this encrypted connection, one or more of several possible
MB> client validation methods can now be deployed.
MB> * Password verification (Needs an existing account)
On a Unix system you need an "existing account" regardless of the
authentication method.
MB> * Client private/public key verification (Needs client key)
MB> * Client key plus key-specific passphrase verification.
These are the same thing; the question of how a key is stored and accessed
on the client side is outside the scope of the protocol.
MB> Once the client has been validated, whatever services the server
MB> has been configured to allow to this client can be deployed by the
MB> client. Typically, a shell with user-level priviledges.
MB> FURTHER CONTACT
MB> Once 1st contact has been made, a client with a suitable account
MB> can place a copy of thir own public key in the their account dir
MB> on the server in the file "authorized_keys".
It's odd that you're putting this here, when you already mentioned
publickey authentication as a possible step before this, implying this has
already been done.
MB> All further contact can be based on the client verifying
MB> themselves by refering to their public/private key to establish
MB> their identity, their public key being known to the server and in
MB> effect "registered" with it from the 1st contact process.
I'm not sure what this means, but it sounds as if you may be confusing
server hostkey validation as having something to do with user
authentication.
MB> The client's own ssh_config (systemwide or user-specific) can also
MB> be used to restrict how the ssh connection functions, but this can
MB> only really be considered a safeguard for the client...
The global ssh_config file sets defaults only. Any setting in it can be
overridden, so it doesn't really restrict anything.
-- Richard Silverman res@qoxp.net
- Next message: Newt Ossh: "Re: SSH and "screen control"."
- Previous message: Richard E. Silverman: "Re: SSH and "screen control"."
- In reply to: MikesBrain: "Have I got a clue yet? ;)"
- Next in thread: MikesBrain: "Re: Have I got a clue yet? ;)"
- Reply: MikesBrain: "Re: Have I got a clue yet? ;)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
