ssh public keys and pam
Ian Mortimer
ian at physics.uq.edu.au
Tue Oct 25 04:23:20 UTC 2005
On Sun, 2005-10-23 at 20:35 -0800, Ethan Benson wrote:
> I believe this is backwards.
The book 'SSH, the Secure Shell: The Definitive Guide' by Barrett and
Silverman describes it this way:
1. Your client says, "Hey server, I'd like to connect by SSH to an
account on your system, ..."
2. The server says, "Well, maybe. First, I challenge you to prove
your identity!" And the server sends some data, known as a
challenge, to the client.
3. Your client says, "I accept your challenge. Here is proof of
my identity. I made it myself mathematically using your challenge
and my private key." This response to the server is called an
authenticator.
4. The server says, "Thanks for the authenticator. ..."
Specifically, the server checks smith's public keys to see if the
authenticator "matches" any of them. (The "match" is another
cryptographic operation.) If so, the server says, "OK, come on
in!" Otherwise the authentication fails.
Apart from the anthropomorphism that's the same as I described (although
I simplified it a bit).
> it only
> sends the Comment string so the server knows which key in
> authorized_keys one wishes to use.
The comment string is just a comment for the benefit of human readers
(so you know which key is which). It plays no part in the transaction.
You can prove that by removing the comment string from your
authorized_keys file. You'll be able to login with or without the
comment included.
--
Ian
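Added example (not code from Ian's message, from the book, or from OpenSSH): a toy Python model of the four steps quoted above, run against an authorized_keys file with and without the comment column. It assumes tiny RSA keys built from Mersenne primes, textbook RSA over a SHA-256 digest in place of the PKCS#1 v1.5 encoding OpenSSH uses for ssh-rsa, and an explicit random challenge in place of the session identifier that an SSH-2 client actually signs (RFC 4252); the authorized_keys encoding itself (base64 of string "ssh-rsa", mpint e, mpint n) is the real one. Lines with an options prefix (command=..., from=...) are not handled. The names ALICE, BOB and every function below are constructed for this example.

```python
"""Toy model of SSH public-key auth (added example; not from the post, the book or OpenSSH).
Keys are tiny and the signature is textbook RSA over a SHA-256 digest, so nothing here is
usable as real crypto; it only makes the challenge/authenticator/match steps concrete and
shows that the comment column of authorized_keys never enters the computation."""
import base64
import hashlib
import os
import struct


def toy_keypair(p, q, e=65537):
    """Textbook RSA key from two primes (toy sizes, constructed for the example)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return {"e": e, "n": n, "d": d}


# Constructed identities; Mersenne primes keep n small but genuinely composite.
ALICE = toy_keypair((1 << 61) - 1, (1 << 89) - 1)
BOB = toy_keypair((1 << 107) - 1, (1 << 127) - 1)


# --- real SSH wire encoding of an ssh-rsa public key (RFC 4253 string / mpint) ---
def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def ssh_mpint(x):
    if x == 0:
        return ssh_string(b"")
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:  # keep the number positive in two's complement
        b = b"\x00" + b
    return ssh_string(b)


def encode_ssh_rsa(e, n):
    """The base64 blob in column two of an authorized_keys line."""
    return base64.b64encode(ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)).decode()


def _read_string(buf, off):
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + length], off + length


def decode_ssh_rsa(blob_b64):
    buf = base64.b64decode(blob_b64)
    kind, off = _read_string(buf, 0)
    if kind != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob: %r" % kind)
    e_bytes, off = _read_string(buf, off)
    n_bytes, off = _read_string(buf, off)
    if off != len(buf):
        raise ValueError("trailing bytes in key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def parse_authorized_keys(text):
    """Return [(e, n, comment)] per ssh-rsa line; comment is '' when absent.
    Toy limitation: option prefixes (command="...", from="...") are not handled."""
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)  # keytype, blob, optional comment
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            continue
        e, n = decode_ssh_rsa(parts[1])
        keys.append((e, n, parts[2] if len(parts) == 3 else ""))
    return keys


def authorized_keys_text(with_comment):
    """Constructed authorized_keys content: Bob's key first, then Alice's."""
    lines = []
    for key, comment in ((BOB, "bob@desk"), (ALICE, "alice@laptop")):
        line = "ssh-rsa " + encode_ssh_rsa(key["e"], key["n"])
        lines.append(line + " " + comment if with_comment else line)
    return "\n".join(lines) + "\n"


# --- steps 2-4 of the exchange ----------------------------------------------------
def make_challenge():
    """Step 2: server sends fresh random data (real SSH-2 signs the session id instead)."""
    return os.urandom(32)


def make_authenticator(challenge, key):
    """Step 3: client computes the authenticator from the challenge and its private d."""
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % key["n"]
    return pow(h, key["d"], key["n"])


def verify_authenticator(challenge, authenticator, e, n):
    h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n
    return pow(authenticator, e, n) == h


def server_accepts(authorized_keys, challenge, authenticator):
    """Step 4: try each public key; only e and n take part. Returns the matching
    key's comment (possibly '') for logging, or None when no key matches."""
    for e, n, comment in parse_authorized_keys(authorized_keys):
        if verify_authenticator(challenge, authenticator, e, n):
            return comment
    return None


def alice_logs_in(with_comment):
    """Whole exchange for Alice against a file with or without comments."""
    challenge = make_challenge()
    return server_accepts(authorized_keys_text(with_comment), challenge,
                          make_authenticator(challenge, ALICE))


if __name__ == "__main__":
    print("with comments:   ", repr(alice_logs_in(True)))   # 'alice@laptop'
    print("without comments:", repr(alice_logs_in(False)))  # ''
```

Both runs succeed; the only thing the comment changes is what the server could print in a log line. Swapping in a key that is not in the file, or replaying an authenticator against a fresh challenge, is rejected by the same loop.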
More information about the Pam-list mailing list