ssh and keys

John O'Loughlin j.oloughlin at qmul.ac.uk
Wed Mar 28 16:30:45 UTC 2007



> I think you have missed the point for ssh...
> It is just a terminal you use in connecting remotely to a box just like
> telnet, the difference is that the traffic between the remote location
> and your box is encrypted...hence it is this encryption that the keys
> are used for.

Those are different keys. The machine's keys are used for encrypting the
traffic; a user's public/private key pair is used for authentication (the
public key in ~/.ssh/authorized_keys).

In /etc/ssh/sshd_config

you'll see:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

and indeed you can turn off password ssh login altogether

PasswordAuthentication no

John

> Hence to get access to the box you would still require the
> account that was created for you to log on with. This is where PAM comes
> in..to authenticate who you are...
>
> -----Original Message-----
> From: redhat-list-bounces at redhat.com
> [mailto:redhat-list-bounces at redhat.com] On Behalf Of m.roth2006 at rcn.com
> Sent: Wednesday, March 28, 2007 5:08 PM
> To: General Red Hat Linux discussion list
> Subject: Re: ssh and keys
>
>
> John,
>
>> Date: Wed, 28 Mar 2007 16:00:00 +0100 (BST)
>> From: "John O'Loughlin" <j.oloughlin at qmul.ac.uk>
>>
>> I'm not sure what you mean by parallel, but there is no relationship
>> between your standard password and the key pair you generate.
>>
>> password aging does not affect your keys.
>>
> Okay... so I'm a bit lost - how can you log onto a box without using
> your real password, the one that you're prompted for if you don't use
> the ssh key pair? Does PAM's sshd authentication, which points to
> system-auth, not get pulled in for validation?
>
>    mark
>> John
>>
>> On Wed, 28 Mar 2007, m.roth2006 at rcn.com wrote:
>>
>>> So, here's one for the assembled knowledge base here:
>>>   if I use ssh-keygen to create a key pair, and put the public key on
>>> the remote box, so that I can ssh in without being prompted for a
>>> password, this leaves me confused about a couple of things:
>>>   1) is the ssh key pair in parallel to the real password
>>>        for the account? That is, if I create a keypair and
>>>        use either no passphrase, or some password other
>>>        than my actual password for the account, does ssh
>>>        go *around* the standard authentication?
>>>   2) since the remote box ages passwords, does PAM know
>>>        that I'm using an ssh key pair, and age *them*,
>>>        or do I merely have to change my real password in
>>>        a timely manner, but don't have to regen a new
>>>        ssh key pair?
>>>
>>> Thanks in advance.
>>>
>>>      mark
>>>
>>> --
>>> redhat-list mailing list
>>> unsubscribe mailto:redhat-list-request at redhat.com?subject=unsubscribe
>>> https://www.redhat.com/mailman/listinfo/redhat-list
>>>
>
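
Added example, not part of the original thread and not OpenSSH code: a Python check of the global sshd_config settings named in John's reply. It goes one step beyond the thread by also reporting the keyboard-interactive/PAM path, which can still prompt for the account password when PasswordAuthentication is no. The function names, the sample file and the use of upstream OpenSSH defaults for absent keywords are assumptions.

```python
# sshd keeps the FIRST value it reads for each keyword; keywords are case-insensitive.
# Defaults below are upstream OpenSSH built-ins (assumption: a distribution build may differ).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "usepam": "no",
}
# Older configs use the deprecated name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_auth(config_text):
    """Return the global authentication settings sshd would take from this text."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)  # "Key value" or "Key=value"
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break  # Match blocks are conditional and run to end of file; global scope only
        key = ALIASES.get(key, key)
        if key in DEFAULTS:
            seen.setdefault(key, value.strip('"').lower())  # first occurrence wins
    return {**DEFAULTS, **seen}

def password_login_paths(config_text):
    """List the ways a client could still be asked for the account password."""
    cfg = effective_auth(config_text)
    paths = []
    if cfg["passwordauthentication"] == "yes":
        paths.append("password")
    # Assumption: Linux host, where keyboard-interactive is backed by PAM.
    if cfg["kbdinteractiveauthentication"] == "yes" and cfg["usepam"] == "yes":
        paths.append("keyboard-interactive (PAM)")
    return paths

# Constructed sample file, not taken from the thread.
SAMPLE = """\
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
passwordauthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""
```

On a live host, `sshd -T` prints the settings the daemon actually resolved, including Match blocks this check skips.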



