Re: Re: ssh public keys and pam
From: Ethan Benson (erbensonalaska.net)
Date: Sun Oct 23 2005 - 23:35:23 CDT
On Mon, Oct 24, 2005 at 12:36:17PM +1000, Ian Mortimer wrote:
> This is not how ssh authentication works with public keys.
> What happens is along these lines:
I believe this is backwards.
> the server sends a challenge to the client
the server generates a challenge, and encrypts it with the public key (authorized_keys).
> the client encrypts the challenge using the private key
the client decrypts the encrypted challenge and sends it back.
Decryption requires the private key, not the public. Thus decrypting
the challenge proves one possesses the private key.
> the server decrypts the reply using the public key and tries
> to match it against the challenge it sent.
the server verifies the decrypted challenge sent back by the client is
the same one it sent out. You can only encrypt with a public key,
you cannot decrypt.
> At no stage does the client send the public key to the server.
true, the server already has the public key (it's in authorized_keys).
the client also never sends the private key to the server, it only
sends the Comment string so the server knows which key in
authorized_keys one wishes to use.
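A constructed illustration of the challenge-response flow described in the message above, added here as an example and not code from the thread or from OpenSSH: the server holds only the public key (as authorized_keys would), encrypts a fresh random challenge to it, and the client proves possession of the private key by decrypting. Following the hardening SSH protocol 1 applied, the client returns a hash of the decrypted challenge bound to a session identifier rather than the raw plaintext, so the server cannot be turned into a decryption oracle. The RSA is textbook, unpadded and 512-bit purely so the block runs offline with the standard library; the names `Server`, `Client`, `run_exchange` and the key comment `alice@laptop` are hypothetical.

```python
"""Toy model of the public-key challenge-response described in the message.

Constructed example: textbook unpadded RSA at an insecure 512-bit toy size so
the exchange runs offline with the standard library. The point is who holds
what: the server has only the public key; the private key never leaves the client.
"""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 32  # bytes of random challenge per authentication attempt


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return (public, private) as ((e, n), (d, n)). Toy size, not for real use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)


class Server:
    """Knows only public keys, indexed by their comment string (like authorized_keys)."""

    def __init__(self, authorized_keys: dict):
        self.authorized_keys = authorized_keys
        self.pending = {}  # comment -> challenge awaiting a response

    def issue_challenge(self, comment: str):
        """Encrypt a fresh random challenge to the public key named by `comment`."""
        if comment not in self.authorized_keys:
            return None  # unknown comment: no key to challenge with
        e, n = self.authorized_keys[comment]
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.pending[comment] = challenge
        return pow(int.from_bytes(challenge, "big"), e, n)

    def verify(self, comment: str, response: bytes, session_id: bytes) -> bool:
        """Accept only the hash of our own outstanding challenge for this session."""
        challenge = self.pending.pop(comment, None)  # one-shot: a replay finds nothing
        if challenge is None:
            return False
        expected = hashlib.sha256(challenge + session_id).digest()
        return hmac.compare_digest(response, expected)


class Client:
    """Holds the private key; only the comment and the response cross the wire."""

    def __init__(self, comment: str, private_key):
        self.comment = comment
        self._private_key = private_key

    def respond(self, encrypted_challenge: int, session_id: bytes) -> bytes:
        d, n = self._private_key
        block = pow(encrypted_challenge, d, n).to_bytes((n.bit_length() + 7) // 8, "big")
        plain = block[-CHALLENGE_LEN:]  # the challenge sits in the low bytes of the RSA block
        # Hash bound to the session instead of the raw plaintext (as SSH1 did with MD5),
        # so the server cannot be used to decrypt arbitrary ciphertexts.
        return hashlib.sha256(plain + session_id).digest()


def run_exchange(client: Client, server: Server, session_id: bytes) -> bool:
    """Full exchange: challenge out, response back, server decides."""
    encrypted = server.issue_challenge(client.comment)
    if encrypted is None:
        return False
    return server.verify(client.comment, client.respond(encrypted, session_id), session_id)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    srv = Server({"alice@laptop": pub})
    print("correct key:", run_exchange(Client("alice@laptop", priv), srv, b"session-0001"))
    print("wrong key:  ", run_exchange(Client("alice@laptop", generate_keypair()[1]), srv, b"session-0001"))
```

Note what never crosses the wire: the server's `verify` uses only the challenge it generated, and the client's `_private_key` is used solely to decrypt locally. A holder of the wrong private key, an unknown comment, a replayed response, or a response bound to a different session identifier all fail the comparison.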
Pam-list mailing list