Secure Shell
Please decrypt your manual Mar 05 2010 06:02PM
Doru Georgescu (headset001 yahoo com)
I. Most of the ssh manual and all of the sshd manual present server and client as one machine, called host. All files mentioned are placed on one machine. This is incorrect, and makes the explanation unclear. For example, man sshd SSH_KNOWN_HOSTS FILE FORMAT suggests copying keys from /etc/ssh/ssh_host_key.pub into /etc/ssh/ssh_known_hosts, as if those files were on the same machine.

II. A general presentation of ssh workings is missing, which makes the decryption of those manuals even more difficult. I suppose, but I am not sure, that:

both server and client encrypt their messages with the encryption keys in:
/etc/ssh/ssh_host_?sa_key
/etc/ssh/ssh_host_?sa_key.pub

both server and client can memorize known hosts' public encryption keys in /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts

only the server is protected through authorization. This happens in two ways:

1. server side (usually used methods):
      a. the client provides an authorization key:
         + public part in //server/~/.ssh/authorized_keys
         + private part in //client/~/.ssh/id_dsa
(this could be using http://en.wikipedia.org/wiki/Rsa#Signing_messages ?)
      b. the client provides its password
   This (#1) should happen for EVERY line sent from client to server.

2. client side:
      the client verifies that it has the server's public encryption key:
      a. with a question to the unknowing human at the client's console
      b. verifying the server's public encryption key against the lists of servers' public encryption keys in:
         //client/etc/ssh/ssh_known_hosts and //client/~/.ssh/known_hosts

//server/etc/ssh/ssh_known_hosts and //server/~/.ssh/known_hosts are not used habitually, because other authorization means are preferred. Probably IgnoreUserKnownHosts in sshd_config refers to this.

These few lines took me three frustrating days of hard work, instead of two easy hours of learning, and I am still not sure I guessed rightly. I believe that this attitude makes Linux lose market in favour of Windows servers. Three expensive, unpleasant days. I hope that the author of the sshd manual is feeling better now and will correct his writing. And please verify my "discoveries" above and publish them somewhere. At the beginning of the ssh man page, for example.

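The client-side check the post describes under 2.b (look the server's public key up in known_hosts and compare it with the key the server offers) can be worked through in a few lines. The following is an added example, not code from the post or from OpenSSH; it implements the known_hosts host field matching (plain names, comma-separated lists, and the hashed "|1|salt|hash" form) and the SHA256 fingerprint comparison over constructed dummy key material.

```python
import base64
import hashlib
import hmac
import struct

def build_ed25519_blob(raw32: bytes) -> bytes:
    # Wire-format public key blob: string(keytype) + string(32 raw key bytes).
    return (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", len(raw32)) + raw32)

def fingerprint(key_b64: str) -> str:
    # OpenSSH-style SHA256 fingerprint: base64 of the blob's digest, no '=' padding.
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def hashed_hostname(host: str, salt: bytes) -> str:
    # Form written when HashKnownHosts is on: "|1|" base64(salt) "|" base64(HMAC-SHA1).
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field: str, host: str) -> bool:
    # A known_hosts host field is either a comma-separated list or a hashed entry.
    if field.startswith("|1|"):
        _, _, salt_b64, _ = field.split("|")
        return hmac.compare_digest(hashed_hostname(host, base64.b64decode(salt_b64)), field)
    return host in field.split(",")

def lookup_host_key(known_hosts: str, host: str, keytype: str):
    # Return the stored base64 key for (host, keytype), or None if the host is unknown.
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#"):
            continue
        if parts[1] == keytype and host_matches(parts[0], host):
            return parts[2]
    return None

def verify_server_key(known_hosts: str, host: str, keytype: str, offered_b64: str) -> str:
    # The client's decision: "unknown" (ask the human, step 2.a), "ok", or "MISMATCH".
    stored = lookup_host_key(known_hosts, host, keytype)
    if stored is None:
        return "unknown"
    return "ok" if fingerprint(stored) == fingerprint(offered_b64) else "MISMATCH"

# Constructed sample data: dummy key bytes and a made-up host list, not real server keys.
GOOD_KEY = base64.b64encode(build_ed25519_blob(bytes(range(32)))).decode()
OTHER_KEY = base64.b64encode(build_ed25519_blob(bytes(32))).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "server.example,10.0.0.5 ssh-ed25519 " + GOOD_KEY,
    hashed_hostname("hashed.example", b"0123456789abcdef0123") + " ssh-ed25519 " + GOOD_KEY,
])
```

A "MISMATCH" result is the case the real client refuses to continue on, since a stored key that no longer matches means either a rotated host key or a different machine answering for that name.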
Copyright 2010, SecurityFocus