[vox-tech] sshd_config and PasswordAuthentication
Karsten M. Self
kmself at ix.netcom.com
Mon Jul 18 11:02:02 PDT 2005
on Mon, Jul 18, 2005 at 09:24:56AM -0500, Jay Strauss (me at heyjay.com) wrote:
> Karsten M. Self wrote:
> >on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss (me at heyjay.com) wrote:
> >>Karsten M. Self wrote:
> >>>on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House
> >Mini-shrunk-sort version: Use SSH-key auth with a passphrase and
> >ssh-agent.
> >
> >
> >Peace.
>
> thanks. How do you NOT send the password?
- Generate an SSH key on the local host:

  $ ssh-keygen -t dsa

  # Accept defaults, supply a passphrase.

- Copy the *PUBLIC* half of the key to the remote host, and add it to
  ~/.ssh/authorized_keys:

  $ cat .ssh/id_dsa.pub | ssh remotehost 'cat >> .ssh/authorized_keys'

- File permissions are critical, as this is part of the SSH security
  model.

  It's necessary for the _local_ private key to *not* be *readable* to
  anyone other than the owner (mode 600).

  It's necessary for the _local_ public key, and the _remote_
  authorized_keys file, *not* to be *writeable* by anyone other than
  the owner (mode 644 or less).

  It's necessary for both _local_ and _remote_ ~/.ssh/ directories to
  *not* be *writeable* by anyone other than the owner (mode 755 or
  less).

- If you don't run ssh-agent, you'll be prompted for your passphrase
  each time you connect to the remote host.

  If you _do_ run ssh-agent, and add your key(s) (run 'ssh-add'), you
  can connect to the host directly without supplying a password.

  ...both methods authenticate you to the remote host using SSH-key
  authentication. Your remote password is never transmitted, and may
  in fact be disabled.
> Do Carol and Bob convert/encrypt their local password for this user,
> then compare the encryptions (maybe it's called a hash in this context)?
No.
The authentication is handled by SSH using the public/private keypair.
The system password itself isn't involved in the authentication at all.
It's possible to have users whose remote passwords are unknown or
disabled by this method. This is the case for a number of remote hosts
I access regularly.
Peace.
--
Karsten M. Self <kmself at ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Information is not power after all: Old-fashioned power is power. If you
aren't big industry or government, you have very little power. Once they've
hacked the electronic voting system, you'll have no power at all.
- Robert X. Cringely
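The permission rules the post lists (private key 600, public key and authorized_keys 644 or less, ~/.ssh 755 or less), as an added example that is not part of the original post or of OpenSSH: a POSIX sh audit that reports each violation and returns the number found. It assumes the file names the post uses (id_dsa, id_dsa.pub, authorized_keys) and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original post: audit the modes the post
# calls critical. Assumes the layout ~/.ssh/id_dsa, id_dsa.pub and
# authorized_keys; pass the directory to check as the first argument.

# Octal permission bits of a path, e.g. 600 (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# others_can PATH BIT: true if group or world has BIT (2=write, 4=read).
others_can() {
    [ -e "$1" ] || return 1
    m=$(mode_of "$1")
    while [ "${m#0}" != "$m" ]; do m=${m#0}; done   # drop leading zeros
    g=$(( (m / 10) % 10 ))
    o=$(( m % 10 ))
    [ $(( g & $2 )) -ne 0 ] || [ $(( o & $2 )) -ne 0 ]
}
# check_ssh_perms DIR: print each violation, return the number found.
check_ssh_perms() {
    dir=$1
    problems=0
    # The directory itself: not writable by anyone but the owner (755 or less).
    if others_can "$dir" 2; then
        echo "$dir: writable by group/others (want 755 or less)"
        problems=$((problems + 1))
    fi
    # Private key: not even readable by others (600).
    for f in "$dir"/id_dsa; do
        [ -f "$f" ] || continue
        if others_can "$f" 4 || others_can "$f" 2; then
            echo "$f: private key readable/writable by others (want 600)"
            problems=$((problems + 1))
        fi
    done
    # Public key and authorized_keys: not writable by others (644 or less).
    for f in "$dir"/id_dsa.pub "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        if others_can "$f" 2; then
            echo "$f: writable by group/others (want 644 or less)"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

if [ "$#" -gt 0 ]; then check_ssh_perms "$1"; fi
```

A zero exit status means every file the post names is within its limit; the remote ~/.ssh must be checked separately on that host.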