Re: [git-users] ssh keys

2014-09-15 Thread Konstantin Khomoutov
On Tue, 9 Sep 2014 01:48:23 -0700 (PDT)
j...@norricorp.f9.co.uk wrote:

> I have run ssh-keygen to generate an rsa key which I pasted to the
> authorized_keys file for the git user on the git server. And all
> works, I can run git pull and push commands without being asked for a
> password. But if I run "ssh gituser@gitserver command" then I am
> asked for the password. ssh is in git\bin.
> I tried creating a ssh key with putty and adding that to the
> auth_keys file as well but makes no difference.
> Any ideas what I am doing wrong / have not understood?

The chief misunderstanding you seem to maintain is that the key is a
sort of a password which you 1) generate; 2) make the other side know.

Instead, SSH uses key *pairs* to ensure security: each key generated
for SSH consists of the two pairs: private and public.  The private one
must be kept private, and the public one is safe to expose to everyone.
The idea is that a particular public key uniquely identifies its
matching private key, and the SSH protocol ensures the authenticating
party is able to prove it possesses the private key without passing it
over the wire while authenticating.

With default settings, ssh-keygen generates two files under your ~/.ssh:
"id_rsa" is the private key and "id_rsa.pub" is the public one
(here, "id" stands for "identity" -- the term SSH uses to refer to
its keys -- and "rsa" refers to the RSA cryptographic algorithm used to
generate the key material).

Hence, after you've generated a pair of keys, you have to transfer the
public key to your SSH "server" and paste it there in the
~/.ssh/authorized_keys file of the user you want to be able to
authenticate as using the matching private key.

As to PuTTY, the sad thing is that it uses its own format for storing
keys, incompatible with the de-facto standard, which OpenSSH uses (the
implementation you most probably have installed on both sides).
PuTTY is able to convert keys in its own format to that of OpenSSH and
back, so, if you're about to use PuTTY for "client-side" Git operations,
go ahead with generating keys in the PuTTY's own format and then
transfer the public key in OpenSSH format to your remote -- puttygen.exe
even shows you this key in this format in one of the main window's
controls once you generate or load a key.

-- 
You received this message because you are subscribed to the Google Groups "Git 
for human beings" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to git-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
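
Added example (not part of the original messages, and not code from OpenSSH or PuTTY): a small checker for the situation discussed above, which verifies that a line pasted into authorized_keys is a one-line OpenSSH public key rather than a PuTTY/RFC 4716 export or private key material, and computes its SHA256 fingerprint. It assumes a line without an options prefix; the sample key is constructed, and all function names are illustrative.

```python
import base64
import hashlib

def ssh_string(data):
    """Encode one SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data

def mpint(x):
    """Encode a positive integer as an SSH 'mpint' (leading 0x00 if top bit set)."""
    return ssh_string(x.to_bytes(x.bit_length() // 8 + 1, "big"))

def read_string(buf, off):
    """Decode one wire 'string' at offset off; return (bytes, next offset)."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("key blob is truncated")
    return buf[off + 4:end], end

def check_authorized_key(line):
    """Return (key_type, rsa_bits_or_None, fingerprint); raise ValueError if unusable."""
    line = line.strip()
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("RFC 4716 export (PuTTYgen 'Save public key'), not OpenSSH format")
    if line.startswith(("-----BEGIN", "PuTTY-User-Key-File")):
        raise ValueError("private key material; only the public half goes on the server")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, body = fields[0], fields[1]
    try:
        blob = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key body is not intact base64 (wrapped or cut off?)") from exc
    inner_type, off = read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("type prefix does not match the type stored inside the key")
    bits = None
    if key_type == "ssh-rsa":  # RSA blob layout: type, exponent e, modulus n
        _e, off = read_string(blob, off)
        n, off = read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return key_type, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# Constructed sample: 65537 and a made-up 2048-bit number, not a real RSA key.
CONSTRUCTED_N = (1 << 2047) + 12345
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + mpint(65537) + mpint(CONSTRUCTED_N)).decode() + " user@example"
print(check_authorized_key(SAMPLE_LINE))
```

The fingerprint string has the same form that "ssh-keygen -lf" prints for a public key, so it can be compared on the client and on the server to confirm both sides hold the same key.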


[git-users] ssh keys

2014-09-15 Thread john
Hi,
I have run ssh-keygen to generate an rsa key which I pasted to the
authorized_keys file for the git user on the git server. And all works, I
can run git pull and push commands without being asked for a password.
But if I run "ssh gituser@gitserver command" then I am asked for the
password. ssh is in git\bin.
I tried creating a ssh key with putty and adding that to the auth_keys
file as well but makes no difference.
Any ideas what I am doing wrong / have not understood?
Regards,
John



Re: [git-users] SSH keys required for SSL authentication/authorization?

2012-07-23 Thread TSU
Thx for your post response, but I have some questions and comments
(embedded within your post)

On Saturday, July 21, 2012 6:56:50 AM UTC-7, Konstantin Khomoutov wrote:
>
> 
>
> First, SSH and SSL have nothing in common except for the word [S]ecure 
> and the naturally following fact they secure something (SSH secures the 
> [SH]ell access and SSL secures the [S]ocket [L]ayer).  These are 
> completely disjoint protocols invented for differing needs. 
>
> These protocols also use different approaches for what you call "keys".
> SSH uses a "shallow" approach to keys: a client generates a pair of
> keys -- one public and one private, -- then transfers the public part to
> the server and adds it to an *explicit* list of trusted keys.  Hence the
> server either trusts that key or not; nothing else.  The client actually
> does a similar thing by checking the server's key's fingerprint to see
> if it's known and trusted.
> SSL uses a hierarchical approach to its "keys", which it calls
> "certificates": this stuff involves certification authorities (CAs) and
> trust chains they create.  The whole topic is too deep to cover here but
> the end result is that usually either side or both explicitly trust some
> CA, and through this fact they trust each other.
> In either case, the wire format of the keys used by these protocols and
> the semantics of their usage is different.
>


Despite SSL support for hierarchical CAs, compared to your "shallow"
definition that is likely only an additional feature. x509 certs can be
self-signed, generated on the host itself, without a CA or levels of
hierarchy. In both cases the use of certs for identification,
authentication and authorization seems to me only a case of details when
the handshakes for both protocols are actually similar. Also AFAIK the keys
for each protocol are similar, the containers for storage and exchange may
be different.

 

>
> One last thing to note is that while SSL/TLS is based solely around 
> those X.509 certificates, SSH defines various methods for authentication 
> of the client to the server: besides the "pubkey" method we've just 
> discussed, it supports the very popular "keyboard interactive" method, 
> Kerberos authentication and GSSAPI (SSPI in Microsoft lingo) which can 
> also do Kerberos. 
>


Agreed, but I think that for the purposes of establishing trusted sessions 
with Github, we're only talking about two methods... Username/password and 
cert keys. What prompted me to ask this question is that I've observed that 
setting up Git to github requires generating clientside keys, but also 
seems to require username/password... Am trying to verify my observation 
that

- Trying to authenticate to Github even using SSL requires generating SSH
keys and entering the pubkey into your github Admin account
- Even after properly configuring your Github account with your pubkey, you
will still be prompted for Username/Password on each connection, but can be
partially addressed clientside by modifying the credential helper caching
timeout.

So, this leads me to believe that SSH keys and Username/Password are
required for authentication
(And looking for verification)

>
> So no, the same keys can't be used for both SSL and SSH. 
>


For the reasons I've described, I guess I'm still not convinced. You may be 
correct, but not likely for the reasons you've given.
I think I'm not just being stubborn, and allow that perhaps I could be 
fundamentally mistaken somewhere, but to me an RSA key is a generic key 
that's only specific to the way the key is generated, and can be used by 
any given application or protocol for proving identity and possibly 
encryption.
 

>
> As to github, I think they implement two modes:
> 1) SSH keys are used to access the repo via SSH.  You associate your SSH
>    key with your github account and so when you're trying to
>    authenticate the next time, Git knows who you are from your key.
> 2) SSL is used to simply encrypt the conversation with the server, and
>    then HTTP (which is tunnelled over SSL) uses a simple password-based
>    authentication method called "basic" to verify your identity.
>    See https://github.com/blog/642-smart-http-support for hints on this.
>


What you state may be true for SSH, but regarding SSL doesn't seem to be 
consistent with what I've experienced. But then, maybe I can try more 
experiments with SSL to prove that the SSH pubkey that's now configured 
isn't necessary or used for SSL.

Thx,
Unless a post describes where my observations and/or reasoning may be
flawed, I may just devote some time to experimenting with what may or may
not work with github.

TSU
 


Re: [git-users] SSH keys required for SSL authentication/authorization?

2012-07-21 Thread Konstantin Khomoutov
On Fri, Jul 20, 2012 at 02:10:05PM -0700, TSU wrote:

> Yesterday I observed on the Git IRC a conversation that SSH keys were not
> required for SSL sessions (would have responded if my Freenode account
> wasn't having problems).
>
> Aside from the fact (AFAIK) github only supports SSH for key testing and
> nothing else, I was under the impression these same keys are re-used for
> authenticating SSL sessions as well, implementing a kind of 2-factor
> authentication (SSL keys to prove your machine, username/password to prove
> your human identity).
>
> Are SSH keys required or not for SSL connections?

I don't quite understand the question, but let's just try to make some things
clear -- maybe this will help you.

First, SSH and SSL have nothing in common except for the word [S]ecure
and the naturally following fact they secure something (SSH secures the
[SH]ell access and SSL secures the [S]ocket [L]ayer).  These are
completely disjoint protocols invented for differing needs.

These protocols also use different approaches for what you call "keys".
SSH uses a "shallow" approach to keys: a client generates a pair of
keys -- one public and one private, -- then transfers the public part to
the server and adds it to an *explicit* list of trusted keys.  Hence the
server either trusts that key or not; nothing else.  The client actually
does a similar thing by checking the server's key's fingerprint to see
if it's known and trusted.
SSL uses a hierarchical approach to its "keys", which it calls
"certificates": this stuff involves certification authorities (CAs) and
trust chains they create.  The whole topic is too deep to cover here but
the end result is that usually either side or both explicitly trust some
CA, and through this fact they trust each other.
In either case, the wire format of the keys used by these protocols and
the semantics of their usage is different.

One last thing to note is that while SSL/TLS is based solely around
those X.509 certificates, SSH defines various methods for authentication
of the client to the server: besides the "pubkey" method we've just
discussed, it supports the very popular "keyboard interactive" method,
Kerberos authentication and GSSAPI (SSPI in Microsoft lingo) which can
also do Kerberos.

So no, the same keys can't be used for both SSL and SSH.

As to github, I think they implement two modes:
1) SSH keys are used to access the repo via SSH.  You associate your SSH
   key with your github account and so when you're trying to
   authenticate the next time, Git knows who you are from your key.
2) SSL is used to simply encrypt the conversation with the server, and
   then HTTP (which is tunnelled over SSL) uses a simple password-based
   authentication method called "basic" to verify your identity.
   See https://github.com/blog/642-smart-http-support for hints on this.




[git-users] SSH keys required for SSL authentication/authorization?

2012-07-20 Thread TSU
Yesterday I observed on the Git IRC a conversation that SSH keys were not
required for SSL sessions (would have responded if my Freenode account
wasn't having problems).

Aside from the fact (AFAIK) github only supports SSH for key testing and 
nothing else, I was under the impression these same keys are re-used for 
authenticating SSL sessions as well, implementing a kind of 2-factor 
authentication (SSL keys to prove your machine, username/password to prove 
your human identity).

Are SSH keys required or not for SSL connections?

TIA,
TS

