on Mon, Jul 18, 2005 at 09:24:56AM -0500, Jay Strauss ([EMAIL PROTECTED]) wrote:
> Karsten M. Self wrote:
> >on Sun, Jul 17, 2005 at 09:43:43AM -0500, Jay Strauss ([EMAIL PROTECTED]) 
> >wrote:
> >>Karsten M. Self wrote:
> >>>on Thu, Jul 07, 2005 at 07:43:52AM -0700, Henry House 

> >Mini-shrunk-sort version:  Use SSH-key auth with a passphrase and
> >ssh-agent.
> >
> >
> >Peace.
> 
> thanks.  How do you NOT send the password?  

   - Generate an SSH key on the local host:

       $ ssh-keygen -t dsa
       # Accept defaults, supply a passphrase.

   - Copy the *PUBLIC* half of the key to the remote host, and add it to
     ~/.ssh/authorized_keys:

       $ cat .ssh/id_dsa.pub | ssh remotehost 'cat >> .ssh/authorized_keys'

   - File permissions are critical, as this is part of the SSH security
     model.

     It's necessary for the _local_ private key to *not* be *readable* to
     anyone other than the owner (mode 600).

     It's necessary for the _local_ public key, and the _remote_
     authorized_keys file *not* to be *writeable* by anyone other than
     the owner (mode 644 or less).

     It's necessary for both _local_ and _remote_ ~/.ssh/ directories to
     *not* be *writeable* by anyone other than the owner (mode 755 or
     less).

   - If you don't run ssh-agent, you'll be prompted for your passphrase
     each time you connect to the remote host.
     
     If you _do_ run ssh-agent, and add your key(s) (run 'ssh-add'), you
     can connect to the host directly without supplying a password.

     ....both methods authenticate you to the remote host using SSH-key
     authentication.  Your remote password is never transmitted, and may
     in fact be disabled.

> Do Carol and Bob convert/encrypt their local password for this user,
> then compare the encryptions (maybe it's called a hash in this context)?

No.

The authentication is handled by SSH using the public/private keypair.
The system password itself isn't involved in the authentication at all.

It's possible to have users whose remote passwords are unknown or
disabled by this method.  This is the case for a number of remote hosts
I access regularly.


Peace.

-- 
Karsten M. Self <[email protected]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
  Information is not power after all: Old-fashioned power is power. If you
  aren't big industry or government, you have very little power. Once they've
  hacked the electronic voting system, you'll have no power at all.
  - Robert X. Cringely


_______________________________________________
vox-tech mailing list
[email protected]
http://lists.lugod.org/mailman/listinfo/vox-tech
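The permission rules and the "append the public half to authorized_keys" step from the message above, as an added worked example that is not part of the original post or of anything the list distributes. It checks a .ssh directory the way the message describes (private key readable only by its owner; public key, authorized_keys and the directory itself writable only by the owner) and performs the install step against a local scratch directory standing in for the remote host, so it runs offline with constructed placeholder key text and no real keys. Assumptions not in the original: ed25519 key file names (OpenSSH has shipped with ssh-dss disabled by default since 7.0, so a fresh key today would be `ssh-keygen -t ed25519`), GNU or BSD `stat`, and POSIX sh.

```shell
#!/bin/sh
# Added example, not code from the original post.  Checks the rules the
# message lists and performs the authorized_keys install step locally.
# Assumptions: ed25519 key file names, GNU or BSD stat, POSIX sh, no network.

# Permission bits of a path as octal digits, e.g. 600 or 755.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Group digit (second from the right) and other digit (rightmost) of a mode.
group_digit() { set -- "${1%?}"; printf '%s' "${1#${1%?}}"; }
other_digit() { printf '%s' "${1#${1%?}}"; }

# Private key: no permission bits at all for group or other (mode 600).
private_key_ok() {
    m=$(mode_of "$1")
    [ "$(group_digit "$m")" = 0 ] && [ "$(other_digit "$m")" = 0 ]
}

# Public key, authorized_keys, .ssh directory: no write bit for group or
# other (the message's "644 or less" / "755 or less").
not_writable_by_others() {
    m=$(mode_of "$1")
    [ $(( $(group_digit "$m") & 2 )) -eq 0 ] && [ $(( $(other_digit "$m") & 2 )) -eq 0 ]
}

# Check one .ssh directory: itself, any id_* private/public keys in it, and
# authorized_keys if present.  Prints each violation; returns 1 if any.
check_ssh_dir() {
    d=$1; rc=0
    if ! not_writable_by_others "$d"; then echo "BAD: $d is group/other writable"; rc=1; fi
    for f in "$d"/id_*; do
        [ -e "$f" ] || continue
        case $f in
            *.pub) if ! not_writable_by_others "$f"; then echo "BAD: $f is group/other writable"; rc=1; fi ;;
            *)     if ! private_key_ok "$f"; then echo "BAD: $f is group/other readable"; rc=1; fi ;;
        esac
    done
    if [ -e "$d/authorized_keys" ] && ! not_writable_by_others "$d/authorized_keys"; then
        echo "BAD: $d/authorized_keys is group/other writable"; rc=1
    fi
    return $rc
}

# Append the first line of public key file $1 to authorized_keys under
# directory $2, creating the directory with safe modes and skipping exact
# duplicates.  Over the network the equivalent of the message's step is:
#   ssh remotehost 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys' < ~/.ssh/id_ed25519.pub
install_pubkey() {
    pub=$1; dir=$2
    line=$(head -n 1 "$pub")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -e "$dir/authorized_keys" ] || : > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    grep -qxF -- "$line" "$dir/authorized_keys" || printf '%s\n' "$line" >> "$dir/authorized_keys"
}

# Demonstration on constructed data: a deliberately mis-permissioned local
# side is reported, fixed, and its public key installed on a fake remote.
demo() {
    tmp=$(mktemp -d)
    loc=$tmp/local/.ssh; rem=$tmp/remote/.ssh
    mkdir -p "$loc"; chmod 775 "$loc"                       # wrong on purpose
    printf 'CONSTRUCTED PLACEHOLDER, NOT A REAL PRIVATE KEY\n' > "$loc/id_ed25519"
    chmod 644 "$loc/id_ed25519"                             # wrong on purpose
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey user@local\n' > "$loc/id_ed25519.pub"
    chmod 644 "$loc/id_ed25519.pub"
    check_ssh_dir "$loc" && echo "unexpected: bad modes not detected"
    chmod 700 "$loc"; chmod 600 "$loc/id_ed25519"
    install_pubkey "$loc/id_ed25519.pub" "$rem"
    check_ssh_dir "$loc" && check_ssh_dir "$rem" && echo "local and remote .ssh look right"
    st=$?
    rm -rf "$tmp"
    return $st
}

demo
```

Why the remote-side rules matter: sshd's StrictModes option is on by default, and with it sshd silently ignores authorized_keys when that file, ~/.ssh, or the user's home directory is writable by group or other, so a "key auth doesn't work" complaint is very often a mode problem on the remote side. On a current OpenSSH the install step is also available as `ssh-copy-id -i ~/.ssh/id_ed25519.pub remotehost`, which creates ~/.ssh with the right modes; and the agent step from the message is `eval "$(ssh-agent -s)"` followed by `ssh-add ~/.ssh/id_ed25519`.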
