+ Post New Thread
Results 1 to 5 of 5
Mac Thread, SSH public/private key in Technical; Hello, I have been looking at securing SSH for a bit and have looked at ssh keygen and configuring the ...
  1. #1

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,190
    Thank Post
    299
    Thanked 215 Times in 185 Posts
    Rep Power
    56

    SSH public/private key

    Hello,

    I have been looking at securing SSH for a bit and have looked at ssh keygen and configuring the public and private key pairing. I tried it on my server at home and copied my public key over to the authorised keys list on the server. I then proceeded to connect to the server using my macbook pro. It didn't prompt me for a password so i assume all went OK.

    What i am failing to understand is how you can leverage this for others to use. I mean i have said to the server this is the private key that you need to use. But i can't email the private key everywhere surely. Have i got this all wrong?

    I used the bombich / AFP548 tutorials to do this, but i think i may be mis-understanding how it is supposed to work.

    Thanks in advance.

  2. #2

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,190
    Thank Post
    299
    Thanked 215 Times in 185 Posts
    Rep Power
    56
    I think that is called RSA. After this you would get challenged for a password after you type 'yes'?

    The authentication type i am trying to refer to would be DSA. Using DSA you can opt to not use a passphrase and therefore have an unchallenged connection. This is ideal for using remote backup scripts such as rsync.

    I'm just unsure as to how it can be scaled for example. Can you stick the private key into the authorised list of keys and then distribute the public key to a select few users thus resulting in them being able to connect to the server without a password going over the Internet?

    Do you know if SSH secures the password before it goes across the web?

  3. #3

    Join Date
    Oct 2007
    Location
    Lincolnshire
    Posts
    133
    Thank Post
    0
    Thanked 22 Times in 22 Posts
    Rep Power
    17
    Each potential user should generate his own public/private key pair. They provide you with copies of their public keys which you add to the list of authorized keys on the server. That's all there is to it really.

    If your clients are on Windows have a look at puTTY and pageant.
    PuTTY: a free telnet/ssh client

  4. Thanks to keithu from:

    HodgeHi (28th April 2009)

  5. #4

    powdarrmonkey's Avatar
    Join Date
    Feb 2008
    Location
    Alcester, Warwickshire
    Posts
    4,859
    Thank Post
    412
    Thanked 777 Times in 650 Posts
    Rep Power
    182
    You're talking about two different types of keys here: the host identification key, which is presented by the remote machine to you to verify that it is the machine you think it is, and not a man-in-the-middle attack; and the user verification key, which is what you present to the remote machine to prove that you are who you say you are. The only time you should see a 'really connect?' warning is the first time, after that SSH caches the host key, so that if it changes it can bleat at you (a changed key indicates that this is no longer the same machine, and shouldn't be trusted not to be stealing things from you).

    RSA and DSA keys are just generated using two different algorithms (compare). Same goes for the different key length choices available to you.

    The public/private arrangement is a bit misleading. In effect, both parts of the key can verify each other, the only difference is that you choose one to keep very, very secret and one to publish. When you authenticate against a machine using keys, you sign the host's challenge with your private portion and it verifies it using the public portion you already told it about. If they match up, you're in.

    So in practice, any user with an account generates a keypair, makes one known to the server in ~/.ssh/authorized_keys or similar and keeps one secret. For each user, rinse lather and repeat.

    For interest, keypairs also form the basis for general signing and encryption, for example in emails. In fact, if you use Ubuntu or Debian (and probably lots of other distributions) packages are signed using PKs, so you can be sure they haven't been tampered with, though apt takes care of all that for you. Example: put the following block into a file mytext.txt:

    Code:
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    hello this text has been cryptographically signed
    
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.9 (GNU/Linux)
    
    iEYEARECAAYFAkn17F0ACgkQIGby58LrznGVDwCgq4DS5VlL+Y0xPKNHrMHTBxzo
    PaEAoIkQJKxuFIc0kFZLr9uwHWM9Hv3L
    =OOtB
    -----END PGP SIGNATURE-----
    and run the following to import the public portion of the relevant key and verify the signature:

    Code:
    gpg --keyserver subkeys.pgp.net --recv-keys C2EBCE71
    gpg < mytext.txt
    Further reading:
    http://en.wikipedia.org/wiki/Public-key_cryptography
    http://docs.sun.com/source/816-6154-10/contents.htm

    (note: if you're doing this for your Joomla server, don't. The trade-off between convenience and security is too great. You should never store your private keys on a machine that you don't have absolute and personal control over. Password security is actually superior in this case, even if its more awkward (which is more or less the point)).
    Last edited by powdarrmonkey; 27th April 2009 at 06:50 PM.

  6. Thanks to powdarrmonkey from:

    HodgeHi (28th April 2009)

  7. #5

    Join Date
    May 2006
    Location
    West Bromwich
    Posts
    2,190
    Thank Post
    299
    Thanked 215 Times in 185 Posts
    Rep Power
    56
    it is on the joomla server but for the vle installation. The vle will be installed alongside joomla remotely using ssh among other things

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 3
    Last Post: 26th April 2010, 02:13 PM
  2. EduGeek Blogs - Public or Private/EduGeek only?
    By mb2k01 in forum General Chat
    Replies: 4
    Last Post: 13th April 2009, 04:08 PM
  3. [Fedora] SSH Problems
    By Gatt in forum *nix
    Replies: 11
    Last Post: 11th February 2009, 09:55 AM
  4. Reverse proxying SSH...
    By Joedetic in forum Wireless Networks
    Replies: 7
    Last Post: 6th August 2007, 11:56 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •