ssh and keys
John O'Loughlin
j.oloughlin at qmul.ac.uk
Wed Mar 28 16:30:45 UTC 2007
> I think you have missed the point for ssh...
> It is just a terminal you use in connecting remotely to a box just like
> telnet, the difference is that the traffic between the remote location
> and your box is encrypted...hence it is this encryption that the keys
> are used for.
Those are different keys: the machine's keys are used for encrypting the
traffic; a user's public/private key pair is used for authentication (the
public key in ~/.ssh/authorized_keys).

In /etc/ssh/sshd_config you'll see:

    PubkeyAuthentication yes
    AuthorizedKeysFile .ssh/authorized_keys

and indeed you can turn off password ssh login altogether:

    PasswordAuthentication no

John
> Hence to get access to the box you would still require the
> account that was created for you to logon with. This is where pam comes
> in..to authenticate who you are...
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth2006 at rcn.com
> Sent: Wednesday, March 28, 2007 5:08 PM
> To: General Red Hat Linux discussion list
> Subject: Re: ssh and keys
>
>
> John,
>
>> Date: Wed, 28 Mar 2007 16:00:00 +0100 (BST)
>> From: "John O'Loughlin" <j.oloughlin at qmul.ac.uk>
>>
>> I'm not sure what you mean by parallel, but there is no relationship
>> between your standard password and the key pair you generate.
>>
>> password aging does not affect your keys.
>>
> Okay... so I'm a bit lost - how can you log onto a box without using
> your real password, the one that you're prompted for if you don't use
> the ssh key pair? Does PAM's sshd authentication, which points to
> system-auth, not get pulled in for validation?
>
> mark
>> John
>>
>> On Wed, 28 Mar 2007, m.roth2006 at rcn.com wrote:
>>
>>> So, here's one for the assembled knowledge base here:
>>> if I use ssh-keygen to create a key pair, and put the public key on
>>> the remote box, so that I can ssh in without being prompted for a
>>> password, this leaves me confused about a couple of things:
>>> 1) is the ssh key pair in parallel to the real password
>>> for the account? That is, if I create a keypair and
>>> use either no passphrase, or some password other
>>> than my actual password for the account, does ssh
>>> go *around* the standard authentication?
>>> 2) since the remote box ages passwords, does PAM know
>>> that I'm using an ssh key pair, and age *them*,
>>> or do I merely have to change my real password in
>>> a timely manner, but don't have to regen a new
>>> ssh key pair?
>>>
>>> Thanks in advance.
>>>
>>> mark
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
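
An added example, not part of John's post or the list thread: a small Python check that reads sshd_config text and reports which of the two login methods discussed above are enabled globally. It relies on sshd using the first value it obtains for a keyword, so a `PasswordAuthentication no` appended below an earlier `yes` has no effect; the function names, the sample config and the fallback defaults are assumptions made for this example.

```python
import re

# Fallback values used when a keyword is absent (assumed for this example;
# a distribution's shipped sshd_config may set them differently).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "authorizedkeysfile": ".ssh/authorized_keys",
}

def effective_settings(config_text):
    """Return the global values sshd would use for the DEFAULTS keywords."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        # "Keyword value" or "Keyword=value"; keywords are case-insensitive.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            break  # conditional blocks follow; only global settings are read
        # sshd keeps the first value it obtains; later duplicates are ignored.
        seen.setdefault(keyword, value)
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def login_methods(settings):
    """List which of the two methods discussed in the thread are enabled."""
    methods = []
    if settings["pubkeyauthentication"] == "yes":
        methods.append("publickey")
    if settings["passwordauthentication"] == "yes":
        methods.append("password")
    return methods

# Constructed sample: the appended "no" comes too late to take effect.
SAMPLE = """\
# constructed sshd_config fragment
PubkeyAuthentication yes
AuthorizedKeysFile\t.ssh/authorized_keys
passwordauthentication yes
#PasswordAuthentication no
PasswordAuthentication no
"""

if __name__ == "__main__":
    s = effective_settings(SAMPLE)
    print(s, login_methods(s))
```
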