Re: Re: ssh public keys and pam

> Ian Mortimer wrote:
>> This is not how ssh authentication works with public keys. What
>> happens is along these lines:
> I believe this is backwards.
>> the server sends a challenge to the client
> the server generates a challenge, and encrypts it with the public
> key (authorized_keys).
>> the client encrypts the challenge using the private key
> the client decrypts the encrypted challenge and sends it back,
> decryption requires the private key, not the public. Thus
> decrypting the challenge proves one possesses the private key.
>> the server decrypts the reply using the public key and tries to
>> match it against the challenge it sent.
> the server verifies the decrypted challenge sent back by the client
> is the same one it sent out. You can only encrypt with a public
> key, you cannot decrypt.
>> At no stage does the client send the public key to the server.
> true, the server already has the public key (it's in
> authorized_keys). the client also never sends the private key to
> the server, it only sends the Comment string so the server knows
> which key in authorized_keys one wishes to use.

So Ian, if I understand your posting right, there's no way to pass this
to a PAM-Module because it would require direct interaction between the
PAM-Module and the SSH-client.

The PAM-Module would have to play the ssh-Server, sending an encrypted
challenge to the client requesting authentication.

Is that right?

Regards Daniel
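
The exchange as the quoted reply describes it (challenge encrypted with the public key, decrypted by the holder of the private key, compared by the server), sketched as an added example that is not part of the original thread and is not OpenSSH code. It uses textbook RSA with a constructed toy key; the names `Server`, `Client` and `login` are hypothetical.

```python
import secrets

# Toy textbook-RSA key pair (constructed; no padding, unsafe for real use).
P, Q = 2**61 - 1, 2**89 - 1           # two Mersenne primes
N, E = P * Q, 65537                   # public half: the authorized_keys side
D = pow(E, -1, (P - 1) * (Q - 1))     # private half: never leaves the client


class Server:
    """Knows only the public key (N, E)."""

    def __init__(self, n, e):
        self.n, self.e = n, e
        self.pending = None           # challenge awaiting an answer

    def issue_challenge(self):
        # Fresh random value per login attempt, encrypted with the public key.
        self.pending = secrets.randbelow(self.n - 2) + 2
        return pow(self.pending, self.e, self.n)

    def verify(self, answer):
        # Each challenge is single use, so a recorded answer cannot be replayed.
        expected, self.pending = self.pending, None
        return expected is not None and answer == expected


class Client:
    """Holds the private exponent and answers challenges with it."""

    def __init__(self, n, d):
        self.n, self.d = n, d

    def answer(self, encrypted):
        # Only the private key recovers the server's random value.
        return pow(encrypted, self.d, self.n)


def login(server, client):
    """One full round trip: challenge out, answer back, verdict."""
    return server.verify(client.answer(server.issue_challenge()))


if __name__ == "__main__":
    srv = Server(N, E)
    print("right key:", login(srv, Client(N, D)))
    print("wrong key:", login(srv, Client(N, D + 2)))
```

The verdict exists only after the client has answered a challenge issued for that attempt, which is the interactive step the message above asks about.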
