[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Re: ssh public keys and pam



On Mon, Oct 24, 2005 at 12:36:17PM +1000, Ian Mortimer wrote:
> 
> This is not how ssh authentication works with public keys.
> What happens is along this lines:

I believe this is backwards.

>    the server sends a challenge to the client

the server generates a challenge, and encrypts it with the public key (authorized_keys).

>    the client encrypts the challenge using the private key

the client decrypts the encrypted challenge and sends it back,
decryption requires the private key, not the public.  Thus decrypting
the challenge proves one possesses the private key.

>    the server decrypts the reply using the public key and tries
>    to match it against the challenge it sent.

the server verifies the decrypted challenge sent back by the client is
the same one it sent out.  You can only encrypt with a public key,
you cannot decrypt.

> At no stage does the client send the public key to the server.

true, the server already has the public key (its in authorized_keys).
the client also never sends the private key to the server, it only
sends the Comment string so the server knows which key in
authorized_keys one wishes to use.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/

Attachment: pgpQTZIKgnnQN.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]