[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Re: ssh public keys and pam



On Fri, 2005-10-21 at 23:31 +0000, Daniel Jacober wrote:

> I don't agree. Here's how I believe it should work:
>     - All users are registered in the LDAP directory including their
> public key.
>     - A User wants to authenticate with SSH from a client to a server
> therefore he sends a public key.
>     - The sshd on the target server recieves the key and sends it
> (with or without PAM) to an LDAP directory server (obviously some
> additional security must be implemented to communicate to the LDAP DS).
>     - The directory server then compares the recieved public key to
> the one stored in the directory belonging to the user asking for
> authentication.
>     - If authentication is ok the LDAP - DS sends auth ok back to the
> sshd which grants the user access to the system.

This is not how ssh authentication works with public keys.
What happens is along this lines:

   the server sends a challenge to the client

   the client encrypts the challenge using the private key

   the server decrypts the reply using the public key and tries
   to match it against the challenge it sent.
   
At no stage does the client send the public key to the server.

To use a public key from LDAP, the server would have to extract the
public key from the directory and use that to decrypt the client's
response to the challenge.


-- 
Ian


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]