linux-users-group-of-davis
LUGOD
Page last updated:
2005 Jul 22 08:01

The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] sshd_config and PasswordAuthentication
on Mon, Jul 18, 2005 at 09:24:56AM -0500, Jay Strauss (me@heyjay.com) wrote:
> Karsten M. Self wrote:
> >on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me@heyjay.com) 
> >wrote:
> >>Karsten M. Self wrote:
> >>>on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House 

> >Mini-shrunk-sort version:  Use SSH-key auth with a passphrase and
> >ssh-agent.
> >
> >
> >Peace.
> 
> thanks.  How do you NOT send the password?  

   - Generate an SSH key on the local host:

       $ ssh-keygen -t dsa
       # Accept defaults, supply a passphrase.

   - Copy the *PUBLIC* half of the key to the remote host, and add it to
     ~/.ssh/authorized_keys:

       $ cat .ssh/id_dsa.pub | ssh remotehost 'cat >> .ssh/authorized_keys'

   - File permissions are critical, as this is part of the SSH security
     model.

     It's necessary for the _local_ private key to *not* be *readable* to
     anyone other than the owner (mode 600).

     It's necessary for the _local_ public key, and the _remote_
     authorized_keys files *not* to be *writeable* by anyone other than
     the owner (mode 644 or less).

     It's necessary for both _local_ and _remote_ ~/.ssh/ directories to
     *not* be *writeable* by anyone other than the owner (mode 755 or
     less).

   - If you don't run ssh-agent, you'll be prompted for your passphrase
     each time you connect to the remote host.
     
     If you _do_ run ssh-agent, and add your key(s) (run 'ssh-add'), you
     can connect to the host directly without supplying a password.

     ....both methods authenticate you to the remote host using SSH-key
     authentication.  Your remote password is never transmitted, and may
     in fact be disabled.

> Do Carol and Bob convert/encrypt their local password for this user,
> then compare the encryptions (maybe it's called a hash in this context)?

No.

The authentication is handled by SSH using the public/private keypair.
The system password itself isn't involved in the authentication at all.

It's possible to have users whose remote passwords are unknown or
disabled by this method.  This is the case for a number of remote hosts
I access regularly.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely
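An added shell helper, not from the post and not part of OpenSSH, that audits the file modes the post's permissions bullet lists (private key 600, public key and authorized_keys not group/other-writable, ~/.ssh not group/other-writable). The file name ssh_perm_check.sh, the function names and the inclusion of id_rsa/id_ecdsa/id_ed25519 alongside the post's id_dsa are my own choices.

```shell
#!/bin/sh
# Added example, not part of the post: audit the ~/.ssh modes listed above.
# Usage: sh ssh_perm_check.sh "$HOME/.ssh"   (exit 0 = conforms, 1 = problem found)

# Print FILE's permission bits in octal, e.g. 600 (GNU stat, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# reject_bits FILE MASK WHY: fail when any permission bit in octal MASK is set on FILE.
# 022 = group/other write; 077 = any group/other access (the post's "mode 600").
reject_bits() {
    bits=$(mode_of "$1") || return 1
    if [ $(( 0$bits & $2 )) -ne 0 ]; then
        echo "FAIL: $1 is mode $bits; $3" >&2
        return 1
    fi
    echo "ok:   $1 is mode $bits"
}

# check_ssh_perms DIR: apply the post's rules to one ~/.ssh directory.
#   DIR                     not writable by group/other  (post: "mode 755 or less")
#   private keys            no group/other access        (post: "mode 600")
#   *.pub, authorized_keys  not writable by group/other  (post: "mode 644 or less")
# Absent files are skipped, so the same function serves the local side (private key
# and .pub present) and the remote side (only authorized_keys present).
check_ssh_perms() {
    dir=$1
    status=0
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory" >&2; return 1; }
    reject_bits "$dir" 022 "directory must not be group/other writable" || status=1
    for f in "$dir/id_dsa" "$dir/id_rsa" "$dir/id_ecdsa" "$dir/id_ed25519"; do
        [ -f "$f" ] || continue
        reject_bits "$f" 077 "private key must be readable by the owner only" || status=1
    done
    for f in "$dir"/*.pub "$dir/authorized_keys"; do
        [ -f "$f" ] || continue
        reject_bits "$f" 022 "must not be group/other writable" || status=1
    done
    return $status
}

# Only run when a directory is given, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

Run it once locally and once on the remote host (where only authorized_keys exists); a non-zero exit pinpoints the file whose mode sshd or the ssh client will refuse.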


_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech