Linux Users' Group of Davis (LUGOD)
Page last updated:
2005 Jul 22 08:01
The following is an archive of a post made to our 'vox-tech mailing list' by one of its subscribers.

Re: [vox-tech] sshd_config and PasswordAuthentication




on Mon, Jul 18, 2005 at 09:24:56AM -0500, Jay Strauss (me@heyjay.com) wrote:
> Karsten M. Self wrote:
> >on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me@heyjay.com) 
> >wrote:
> >>Karsten M. Self wrote:
> >>>on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House 

> >Mini-shrunk-sort version:  Use SSH-key auth with a passphrase and
> >ssh-agent.
> >
> >
> >Peace.
> 
> thanks.  How do you NOT send the password?  

   - Generate an SSH key on the local host:

       $ ssh-keygen -t dsa
       # Accept defaults, supply a passphrase.

   - Copy the *PUBLIC* half of the key to the remote host, and add it to
     ~/.ssh/authorized_keys:

       $ cat .ssh/id_dsa.pub | ssh remotehost 'cat >> .ssh/authorized_keys'

   - File permissions are critical, as this is part of the SSH security
     model.

     It's necessary for the _local_ private key to *not* be *readable* to
     anyone other than the owner (mode 600).

     It's necessary for the _local_ public key, and the _remote_
     authorized_hosts files *not* to be *writeable* by anyone other than
     the owner (mode 644 or less).

     It's necessary for both _local_ and _remote_ ~/.ssh/ directories to
     *not* be *writeable* by anyone other than the owner (mode 755 or
     less).

   - If you don't run ssh-agent, you'll be prompted for your passphrase
     each time you connect to the remote host.
     
     If you _do_ run ssh-agent, and add your key(s) (run 'ssh-add'), you
     can connect to the host directly without supplying a password.

     ....both methods authenticate you to the remote host using SSH-key
     authentication.  Your remote password is never transmitted, and may
     in fact be disabled.

> Does Carol and Bob convert/encrypt their local password for this user,
> then compare the encryptions (maybe its call a hash in this context)?

No.

The authentication is handled by SSH using the public/private keypair.
The system password itself isn't involved in the authentication at all.

It's possible to have users whose remote passwords are unknown or
disabled by this method.  This is the case for a number of remote hosts
I access regularly.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely

Attachment: signature.asc
Description: Digital signature

_______________________________________________
vox-tech mailing list
vox-tech@lists.lugod.org
http://lists.lugod.org/mailman/listinfo/vox-tech
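The permission rules in the reply above (private key mode 600, public key and authorized_keys not group/world writable, ~/.ssh not group/world writable) and the sshd_config setting in the thread's subject can be audited with a small script. The following is an added example written for this archive page; it is not code from the original post, from LUGOD or from OpenSSH. The function names, the paths passed to them and the sample files built in the usage section are assumptions. It reads the 10-character mode string from `ls -ld` so it works with any POSIX shell, and for sshd_config it reports the first uncommented PasswordAuthentication line, because sshd uses the first value it reads for a keyword.

```shell
#!/bin/sh
# Added example (not from the original post): audit the ~/.ssh permission rules
# from the thread and check whether sshd_config disables password logins.
# All function names and paths are assumptions made for this example.

# Print the 10-character mode string of a path, e.g. "-rw-------".
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# True if group (char 6) or other (char 9) has write permission.
group_or_other_writable() {
    case "$1" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# True if group or other has any permission at all (chars 5-10 not all '-').
group_or_other_accessible() {
    case "$1" in
        ????------) return 1 ;;
    esac
    return 0
}

# Check one ~/.ssh directory; print each violation, return 0 only if clean.
check_ssh_perms() {
    dir=$1
    bad=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    m=$(mode_string "$dir")
    if group_or_other_writable "$m"; then
        echo "BAD  $dir is group/world writable ($m); want mode 755 or tighter"
        bad=1
    fi
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        m=$(mode_string "$key")
        case "$key" in
            *.pub)
                # Public half: must not be writable by anyone but the owner.
                if group_or_other_writable "$m"; then
                    echo "BAD  $key is group/world writable ($m); want 644 or tighter"
                    bad=1
                fi ;;
            *)
                # Private half: no access for group or other at all.
                if group_or_other_accessible "$m"; then
                    echo "BAD  $key is readable by others ($m); want 600"
                    bad=1
                fi ;;
        esac
    done
    ak=$dir/authorized_keys
    if [ -f "$ak" ]; then
        m=$(mode_string "$ak")
        if group_or_other_writable "$m"; then
            echo "BAD  $ak is group/world writable ($m); want 644 or tighter"
            bad=1
        fi
    fi
    return $bad
}

# sshd uses the FIRST value it reads for a keyword, so report the first
# uncommented PasswordAuthentication line; return 0 only if it is "no".
check_sshd_config() {
    cfg=$1
    val=$(awk 'tolower($1)=="passwordauthentication" { print tolower($2); exit }' "$cfg")
    if [ "$val" = "no" ]; then
        echo "OK   $cfg: PasswordAuthentication no"
        return 0
    fi
    echo "BAD  $cfg: PasswordAuthentication is '${val:-unset (defaults to yes)}'"
    return 1
}

# Usage when run directly (assumed paths):
#   sh ssh_audit.sh ~/.ssh /etc/ssh/sshd_config
if [ "$#" -gt 0 ]; then
    check_ssh_perms "$1"
    if [ "$#" -gt 1 ]; then
        check_sshd_config "$2"
    fi
fi
```

Run it on the local ~/.ssh before copying a key to a remote host, and on the remote side after appending to authorized_keys; a non-zero exit from check_ssh_perms is the same condition under which sshd or the ssh client will silently refuse to use the key, which is the usual reason key authentication "does not work" and falls back to a password prompt.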

