[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Re: ssh public keys and pam



On Sun, 2005-10-23 at 20:35 -0800, Ethan Benson wrote:

> I believe this is backwards.

The book 'SSH, the Secure Shell.  The Definitive guide' by Barrett and
Silverman describes it this way:

   1. Your client says, "Hey server, I'd like to connect by SSH to an
      account on your system, ..."
   2. The server says, "Well, maybe.  First, I challenge you to prove
      your identity!"  And the server sends some data, known as a
      challenge, to the client.
   3. Your client says, "I accept your challenge.  Here is proof of
      my identity.  I made it myself mathematically using your challenge
      and my private key."  This response to the server is called an
      authenticator.
   4. The server says, "Thanks for the authenticator.  .,."
      Specifically, the server checks smith's public keys to see if the 
      authenticator "matches" any of them.  (The "match" is another
      cryptographic operation.)  If so, the server says, "OK, come on
      in!"  Otherwise the authentication fails.

Apart from the anthropomorphism that's the same as I described (although
I simplified it a bit).

>  it only
> sends the Comment string so the server knows which key in
> authorized_keys one wishes to use.

The comment string is just a comment for the benefit of human readers
(so you know which key is which).  It plays no part in the transaction.
You can prove that by removing the comment string from your
authorized_keys file.  You'll be able to login with or without the
comment included.


-- 
Ian


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]