ssh public keys and pam
Ethan Benson
erbenson at alaska.net
Mon Oct 24 04:35:23 UTC 2005
On Mon, Oct 24, 2005 at 12:36:17PM +1000, Ian Mortimer wrote:
>
> This is not how ssh authentication works with public keys.
> What happens is along this lines:
I believe this is backwards.
> the server sends a challenge to the client
the server generates a challenge, and encrypts it with the public key (authorized_keys).
> the client encrypts the challenge using the private key
the client decrypts the encrypted challenge and sends it back,
decryption requires the private key, not the public. Thus decrypting
the challenge proves one possesses the private key.
> the server decrypts the reply using the public key and tries
> to match it against the challenge it sent.
the server verifies the decrypted challenge sent back by the client is
the same one it sent out. You can only encrypt with a public key,
you cannot decrypt.
> At no stage does the client send the public key to the server.
true, the server already has the public key (its in authorized_keys).
the client also never sends the private key to the server, it only
sends the Comment string so the server knows which key in
authorized_keys one wishes to use.
--
Ethan Benson
http://www.alaska.net/~erbenson/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pam-list/attachments/20051023/d9ccab99/attachment.sig>
More information about the Pam-list
mailing list