[kwlug-disc] Tightening up SSH

Adam Glauser adamglauser at gmail.com
Mon Jul 19 09:54:11 EDT 2010

On 19/07/2010 9:44 AM, Johnny Ferguson wrote:
> Thank you very much. I'm going to look into what's involved in public
> key authentication. I kind of veered away from it because I didn't quite
> understand how it was working. Does each machine need a copy of the
> other's public key so they can use their private keys to verify
> eachother? Should each machine have its own key?

As I understand it, each machine already has a keypair which is 
generated as part of the install.  This is why you get the "host has 
changed its RSA key" message if you put a different machine at the same 
IP address/hostname on your network, or do a reinstall.

For authentication, there should be one key per user.  Each server you 
to which you wish to connected would need to have a copy of your public 
key associated with your user name.  There is probably a bit more 
involved in the details, but the high-level view is as follows.

You connect to the server.
The generates a random chunk of data called nonce, and encrypts it will 
your public key.
The server sends you the encrypted nonce.
You (and, in theory, only you) can decrypt the nonce with your private key.
You tell the server what the nonce value was.  If you got it right, the 
server considers your identity valid and you are logged in.

In terms of how to set this up in detail, you'll have to search for a 
how-to.  I haven't actually gotten round to doing it on my server yet.

More information about the kwlug-disc mailing list