Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Secure-Shell
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: FW: No longer can connect

from [Marius Huse Jacobsen] Network Security [Permanent Link]
Subject: Re: FW: No longer can connect
Date: Sun, 10 Jul 2005 17:33:29 +0200
Nathan Zabaldo wrote: 
I've read the manual on how to generate keys, but it is too cryptic for me
not being a linux guy quite yet.

Please someone spell it out for me.  This is what I am looking for please
fill in the blanks.

On my box I have users that I have set up that I want to be able to use
Putty to connect remotely via sshd.  Sshd is now installed and up and
running.  For my users to connect I have to (blank) in each of my user's
accounts.


(accounts->home directory)

put the public key result from the user running puttygen into the ~/.ssh/authorized_keys file

(see screenshot of puttygen attached.)

For example in a terminal on the box when I am logged into a users account
type in:


n/a   (not applicable)

I'm sure this is simplistic to some people out there, but rocket science to
a Windows guy trying to get away from Windows.


The clue is that the private key should not originate on your box, as you're trying to. The public key needs to be there, obviously, so that the ssh server has something to check the private one against.



I'm getting a feeling that you don't understand the crypto involved. So here goes:

The key authentication is based on public key crypto, subfield digital signing. Meaning there is a public key and a matching private key. When connecting, the server sends a chunk of data, which the client signs with the private key. The signed data are sent back, and then the server can find if it was signed by a private key corresponding to one of the public keys associated with that user. (This is slightly simplified, but should give you an idea.)

Important clues:
The client must have the private key,
the server must have the public key,
and both keys must of course match each other, meaning they should be generated in the same place.

I think we can call it a cryptographically very bad habit to generate the private key on the server and send it to the client. Anyone who snatches the public key (as in transit to server) can only grant access to the holder of the private key in places this snatcher already controls - there's no real gain for the attacker. If the private key is snatched, the attacker gains access.

IOW, the keys should be generated clientside.

(There's an addition reason for this, and that is that the keys would have to be imported into puttys private key format anyway.)

Normally users authenticate by password, or by generating their own
key pairs.


Tried and true.
If you're gonna do anything else, you're sauntering through a minefield.

PNG image

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: OpenSSH/kerberos compile problem., Simon Wilkinson
Next by Date:  RE: OpenSSH/kerberos compile problem., Tay, Gary
Previous by Thread:  Re: FW: No longer can connect, Andrew Haninger
Next by Thread:  Ssh.com openssh compatibility problem, Klein, Robert (NIH/CIT)
Indexes:  [Date] [Thread] [Top] [All Lists]