From owner-freebsd-current Sun Feb 27 13:13:23 2000
Delivered-To: freebsd-current@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 5A0A037B676; Sun, 27 Feb 2000 13:13:21 -0800 (PST) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id NAA51131; Sun, 27 Feb 2000 13:13:21 -0800 (PST) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sun, 27 Feb 2000 13:13:20 -0800 (PST)
From: Kris Kennaway
To: Bjoern Groenvall
Cc: Doug White, "Jordan K. Hubbard", current@FreeBSD.ORG, markm@FreeBSD.ORG
Subject: Re: OpenSSH /etc patch
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 27 Feb 2000, Bjoern Groenvall wrote:

> The server host key is used as part of the key material
> negotiation. However, only the *server* host key is used, the client
> end host key is never used. Just turn off the suid bit from ssh and
> give it a try (or even mv /etc/ssh_host_key).
>
> After the initial handshake it is time for authentication. If
> RSA-rhost authentication is used then the ssh client uses the private
> part of the client key. At the server end, the server looks up the
> public part of the client host key and uses that to verify
> authenticity. If the server can't find the client public key, then
> access is denied.

Cool, thanks for the explanation.

> So let's assume that the client doesn't have a host key but that it is
> created during boot. Then there can be no host that knows the
> corresponding public key. Now the client tries to use RSA-rhost
> authentication; when the server attempts to verify authenticity it
> will fail to look up the key (remember that it was created on the
> client perhaps moments ago).
>
> For RSA-rhost authentication to work the
> public keys must first be shipped around among the hosts; only then
> can RSA-rhost authentication operate.

It won't work at first boot, but generating a host key at some point is a necessary prerequisite to ever using RSA-rhosts authentication. Sure, that's not something everyone will use, but what's the problem with doing the step for the user and saving him worrying about how to generate a host key? All he needs to do is distribute it to the other parties then.

> > I'm thinking of the old/stock sshd, not OpenSSH, but I'm not aware of that
> > big a change.
>
> I don't think there have been any radical changes with respect to
> this. There might be some extra knobs in OpenSSH to control whether the
> server will accept public keys from $HOME/.ssh/known_hosts files or
> only from /etc/ssh_known_hosts.

Right. If anyone has interoperability problems they should report them to the OpenSSH guys (www.openssh.org)

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson
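The exchange above describes the order of operations in SSH1 RSA-rhosts authentication: the client signs with its host private key, the server looks the client host up in its known_hosts file first, and only if a public key is found does it verify the signature. The following is an added example that models that order and the first-boot failure mode Bjoern describes; it is not code from this thread or from OpenSSH. It uses a toy RSA with six-digit primes so the arithmetic stays visible (real SSH1 host keys were 1024-bit), does not model the SSH wire protocol, and the hostname and challenge are constructed:

```python
"""Toy model of SSH1 RSA-rhosts client-host authentication (added example).

Key sizes are tiny so the arithmetic is visible; the SSH wire protocol and
the real 1024-bit host keys are not modelled.
"""
import hashlib
import math
import secrets
from dataclasses import dataclass

E = 65537  # public exponent


def _is_prime(n):
    """Trial division; fine for the six-digit primes used here."""
    if n < 2 or (n % 2 == 0 and n != 2):
        return False
    return all(n % i for i in range(3, int(n ** 0.5) + 1, 2))


def _random_prime(lo, hi):
    while True:
        cand = secrets.randbelow(hi - lo) + lo
        if _is_prime(cand):
            return cand


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def generate_host_key():
    """What a boot-time key generation does: a fresh pair nobody else knows yet."""
    while True:
        p = _random_prime(500_000, 1_000_000)
        q = _random_prime(500_000, 1_000_000)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            break
    n = p * q
    return PublicKey(n, E), PrivateKey(n, pow(E, -1, phi))


def _digest(hostname, challenge, n):
    """Bind the server's challenge to the claimed hostname, reduced mod n."""
    h = hashlib.sha256(hostname.encode() + b"\x00" + challenge).digest()
    return int.from_bytes(h, "big") % n


def sign(priv, hostname, challenge):
    """Client side: prove possession of the client host's private key."""
    return pow(_digest(hostname, challenge, priv.n), priv.d, priv.n)


def verify_rhosts(known_hosts, hostname, challenge, signature):
    """Server side: look the client host up first, then check the signature.

    known_hosts stands in for /etc/ssh_known_hosts: a map hostname -> PublicKey.
    """
    pub = known_hosts.get(hostname)
    if pub is None:
        return "denied: no public key for %s in known_hosts" % hostname
    if pow(signature, pub.e, pub.n) != _digest(hostname, challenge, pub.n):
        return "denied: signature does not match the stored host key"
    return "accepted"


def run_scenario():
    """Walk through the thread's cases; returns the server's verdict for each."""
    server_known_hosts = {}
    client = "alpha.example.org"         # constructed hostname
    challenge = secrets.token_bytes(16)  # server's per-session challenge

    # 1. First boot: the client generates a host key; no server knows it yet.
    pub1, priv1 = generate_host_key()
    first_boot = verify_rhosts(server_known_hosts, client, challenge,
                               sign(priv1, client, challenge))

    # 2. The admin ships the public key to the server's known_hosts.
    server_known_hosts[client] = pub1
    after_distribution = verify_rhosts(server_known_hosts, client, challenge,
                                       sign(priv1, client, challenge))

    # 3. The client regenerates its key without redistributing it.
    _pub2, priv2 = generate_host_key()
    after_rekey = verify_rhosts(server_known_hosts, client, challenge,
                                sign(priv2, client, challenge))

    return {"first_boot": first_boot,
            "after_distribution": after_distribution,
            "after_rekey": after_rekey}


if __name__ == "__main__":
    for step, verdict in run_scenario().items():
        print("%-18s %s" % (step, verdict))
```

The point of the three steps is that the lookup happens before any cryptography: a freshly generated key is rejected for a missing known_hosts entry, not for a bad signature, and redistributing the public key is what turns the verdict into "accepted". Regenerating the key afterwards puts the host back into a denied state until the new public key is shipped around again.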