On Thu, 2005-02-10 at 09:57 -0700, Colin Anderson wrote:

> 5. Use key-based auth mechanism rather than password. It's my understanding
> that the key is never sent, only a hash of the key. The target system
> compares the hash against its hash of the key, and if it matches, cool.
Not exactly, for the sake of completeness.

Public/private key authentication usually is based on the fact that messages encrypted by a public key can only be decrypted by the private key. So your public key, which is stored on the server, can be used by the server to send an encrypted challenge. If you are able to decrypt that challenge, via the private key stored on your desktop system, you've proven that you have the private key and hence are the identity you said you are.

So, whoever has access to the private key, and to the (optional but vital!) passphrase with which the key is encrypted for storage, can authorize against the corresponding public key. That's why the private key and its passphrase must be kept secret. On the other hand, all that travels the net are arbitrary one-time challenges, and no critical information is exposed.

Regards,
Bruno.
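The challenge/response scheme Bruno describes, as an added example that is not part of the original thread: the server keeps only the public key, encrypts a fresh random nonce to it, and accepts the login only if the client returns the decrypted nonce. The `Server`, `Respond` and `Authenticate` names are assumptions for illustration; real SSH public-key auth has the client sign a session-bound message instead of decrypting, but the proof of private-key possession is the same idea.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// Server holds only the public key (what authorized_keys stores) plus the one-time nonce of the attempt in progress.
type Server struct {
	pub       *rsa.PublicKey
	challenge []byte
}

// NewChallenge draws a fresh random nonce and returns it encrypted to the
// client's public key; only the matching private key can recover it.
func (s *Server) NewChallenge() ([]byte, error) {
	s.challenge = make([]byte, 32)
	if _, err := rand.Read(s.challenge); err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, s.challenge, nil)
}

// Verify accepts the answer only if it equals the nonce, then discards the
// nonce so a captured answer cannot be replayed on a later attempt.
func (s *Server) Verify(answer []byte) bool {
	ok := s.challenge != nil && subtle.ConstantTimeCompare(answer, s.challenge) == 1
	s.challenge = nil
	return ok
}

// Respond is the client side: decrypt the challenge with the private key, which never leaves the client.
func Respond(priv *rsa.PrivateKey, encChallenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, encChallenge, nil)
}

// Authenticate runs one round; a wrong private key fails to decrypt, which is reported as a failed login.
func Authenticate(srv *Server, priv *rsa.PrivateKey) (bool, error) {
	enc, err := srv.NewChallenge()
	if err != nil {
		return false, err
	}
	answer, err := Respond(priv, enc)
	if err != nil {
		return false, nil
	}
	return srv.Verify(answer), nil
}
```

The private key is only ever used locally inside `Respond`; the wire carries the encrypted nonce one way and the plaintext nonce the other, and both are useless after the attempt.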
