Re: Re: ssh public keys and pam
From: Ethan Benson (erbenson alaska.net)
Date: Sun Oct 23 2005 - 23:35:23 CDT
On Mon, Oct 24, 2005 at 12:36:17PM +1000, Ian Mortimer wrote:
>
> This is not how ssh authentication works with public keys.
> What happens is along these lines:

I believe this is backwards.

> the server sends a challenge to the client

the server generates a challenge, and encrypts it with the public key (authorized_keys).

> the client encrypts the challenge using the private key

the client decrypts the encrypted challenge and sends it back,
decryption requires the private key, not the public. Thus decrypting
the challenge proves one possesses the private key.

> the server decrypts the reply using the public key and tries
> to match it against the challenge it sent.

the server verifies the decrypted challenge sent back by the client is
the same one it sent out. You can only encrypt with a public key,
you cannot decrypt.

> At no stage does the client send the public key to the server.

true, the server already has the public key (it's in authorized_keys).
the client also never sends the private key to the server, it only
sends the Comment string so the server knows which key in
authorized_keys one wishes to use.

--
Ethan Benson
http://www.alaska.net/~erbenson/
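
The exchange as the message above describes it (server encrypts a random challenge with the public key, client proves possession of the private key by decrypting it), as an added example that is not part of the original post and is not OpenSSH code. It assumes textbook RSA without padding and a constructed toy key; the names `Server`, `client_respond` and `login` are hypothetical, and returning a hash of the challenge instead of the raw value is a choice of this example.

```python
import hashlib
import hmac
import secrets

# Constructed toy key built from two Mersenne primes; textbook RSA, no padding.
# Illustration only, not a usable key.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, known to the client only


def digest(value: int) -> bytes:
    """Hash a challenge value so the decrypted plaintext is never sent back raw."""
    return hashlib.sha256(value.to_bytes(32, "big")).digest()


class Server:
    """Holds only the public key (the role authorized_keys plays in the post)."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.expected = None

    def make_challenge(self) -> int:
        challenge = secrets.randbelow(self.n - 3) + 2    # random value in 2..n-2
        self.expected = digest(challenge)
        return pow(challenge, self.e, self.n)            # encrypt with the public key

    def verify(self, response: bytes) -> bool:
        expected, self.expected = self.expected, None    # each challenge is single use
        return expected is not None and hmac.compare_digest(expected, response)


def client_respond(encrypted: int, d: int, n: int) -> bytes:
    """Decrypt with the private exponent and return the hash of the result."""
    return digest(pow(encrypted, d, n))


def login(d: int) -> bool:
    """Run one full exchange for a client holding private exponent d."""
    server = Server(N, E)
    return server.verify(client_respond(server.make_challenge(), d, N))


if __name__ == "__main__":
    print("right private key:", login(D))
    print("wrong private key:", login(D + 2))
```
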
_______________________________________________
Pam-list mailing list
Pam-list
redhat.com
https://www.redhat.com/mailman/listinfo/pam-list