[kwlug-disc] Tightening up SSH
adamglauser at gmail.com
Mon Jul 19 09:54:11 EDT 2010
On 19/07/2010 9:44 AM, Johnny Ferguson wrote:
> Thank you very much. I'm going to look into what's involved in public
> key authentication. I kind of veered away from it because I didn't quite
> understand how it was working. Does each machine need a copy of the
> other's public key so they can use their private keys to verify
> eachother? Should each machine have its own key?
As I understand it, each machine already has a keypair which is
generated as part of the install. This is why you get the "host has
changed its RSA key" message if you put a different machine at the same
IP address/hostname on your network, or do a reinstall.
For authentication, there should be one key per user. Each server you
to which you wish to connected would need to have a copy of your public
key associated with your user name. There is probably a bit more
involved in the details, but the high-level view is as follows.
You connect to the server.
The generates a random chunk of data called nonce, and encrypts it will
your public key.
The server sends you the encrypted nonce.
You (and, in theory, only you) can decrypt the nonce with your private key.
You tell the server what the nonce value was. If you got it right, the
server considers your identity valid and you are logged in.
In terms of how to set this up in detail, you'll have to search for a
how-to. I haven't actually gotten round to doing it on my server yet.
More information about the kwlug-disc