Date: Sun, 27 Feb 2000 13:13:20 -0800 (PST)
From: Kris Kennaway <kris@FreeBSD.org>
To: Bjoern Groenvall <bg@sics.se>
Cc: Doug White <dwhite@resnet.uoregon.edu>, "Jordan K. Hubbard" <jkh@zippy.cdrom.com>, current@FreeBSD.ORG, markm@FreeBSD.ORG
Subject: Re: OpenSSH /etc patch
Message-ID: <Pine.BSF.4.21.0002271309490.48133-100000@freefall.freebsd.org>
In-Reply-To: <wud7pi60lv.fsf@bg.sics.se>
On 27 Feb 2000, Bjoern Groenvall wrote:

> The server host key is used as part of the key material
> negotiation. However, only the *server* host key is used, the client
> end host key is never used. Just turn off the suid bit from ssh and
> give it a try (or even mv /etc/ssh_host_key).
>
> After the initial handshake it is time for authentication. If
> RSA-rhost authentication is used then the ssh client uses the private
> part of the client key. At the server end, the server looks up the
> public part of the client host key and uses that to verify
> authenticity. If the server can't find the client public key, then
> access is denied.

Cool, thanks for the explanation.

> So let's assume that the client doesn't have a host key but that it is
> created during boot. Then there can be no host that knows the
> corresponding public key. Now the client tries to use RSA-rhost
> authentication; when the server attempts to verify authenticity it
> will fail to look up the key (remember that it was created on the
> client perhaps moments ago). For RSA-rhost authentication to work the
> public keys must first be shipped around among the hosts; only then
> can RSA-rhost authentication operate.

It won't work at first boot, but generating a hostkey at some point is a
necessary prerequisite to ever using RSA-rhosts authentication. Sure, that's
not something everyone will use, but what's the problem with doing the step
for the user and saving him worrying about how to generate a host key? All
he needs to do is distribute it to the other parties then.

> > I'm thinking of the old/stock sshd, not OpenSSH, but I'm not aware of that
> > big a change.
>
> I don't think there have been any radical changes with respect to
> this. There might be some extra knobs in OpenSSH to control whether the
> server will accept public keys from $HOME/.ssh/known_hosts files or
> only from /etc/ssh_known_hosts.

Right.. if anyone has interoperability problems they should report them to
the OpenSSH guys (www.openssh.org)

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh.. then, seven!"
-- Homer Simpson
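A small model of the RSA-rhosts check Bjoern describes (client signs with the private part of its host key, server looks the public part up in known_hosts and denies access when it is absent), added here as an illustration; it is not OpenSSH code or code from anyone in this thread. The toy RSA key, the hostnames, the challenge and the known_hosts lines are all constructed.

```python
import hashlib

def toy_rsa_keypair(p, q, e=65537):
    """Constructed RSA host key from two small primes (toy size, not secure)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # (public, private)

def _digest(challenge: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n

def sign(challenge: bytes, priv) -> int:
    """Client side: sign the server's challenge with the private host key."""
    n, d = priv
    return pow(_digest(challenge, n), d, n)

def verify(challenge: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(challenge, n)

def parse_known_hosts(text: str) -> dict:
    """Map hostname -> (n, e) from SSH-1 style lines: 'host bits exponent modulus [comment]'."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        host, _bits, e, n = fields[:4]
        table[host] = (int(n), int(e))
    return table

def rhosts_rsa_auth(client_host: str, challenge: bytes, sig: int, known_hosts: dict) -> bool:
    """Server side: unknown client host key => denied (fail closed), else check the signature."""
    pub = known_hosts.get(client_host)
    if pub is None:
        return False
    return verify(challenge, sig, pub)

def demo():
    """Key generated at first boot: denied until its public part has been distributed."""
    pub, priv = toy_rsa_keypair(1000003, 1000033)   # constructed toy primes
    challenge = b"server-nonce"                      # constructed challenge
    sig = sign(challenge, priv)
    before = rhosts_rsa_auth("client.example", challenge, sig, parse_known_hosts("# empty\n"))
    n, e = pub
    entry = f"client.example 40 {e} {n} added after key distribution\n"
    after = rhosts_rsa_auth("client.example", challenge, sig, parse_known_hosts(entry))
    return before, after      # (False, True)

if __name__ == "__main__":
    print(demo())
```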