On Tuesday 30 July 2002 08:39 pm, David Guntner wrote:
> Ooooh, that sounds promising. I'll have to look into that. Is it
> particularly hard to make sure that your key is available to those you want
> to access the system?
>
> I presume that even with the system key, they *do* still have to login as
> themselves, right? :-)
>
> --Dave
This is definitely "the way to go", and the setup works something like this:
The remote user provides their _public_ key (prior to first login), and it is
added (manually) to $HOME/.ssh/authorized_keys (see "man ssh") for that user.
When said user attempts to login, this public key is used to encrypt a random
string that is sent to the ssh client trying to log in. If the client can
return the same random string, decrypted (meaning that it, almost certainly,
has the correct _private_ key) then the user is allowed to log in. Each user
has their own private key(s), and the host system has no need of knowing what
the key(s) actually is...
Given the number of bits involved and the fact that 'dictionary lookups' are
useless against them, key authentication should be far more secure than
password authentication. Even if the user chooses a "dumb" password, anyone
trying to hack your system would need to hack the user's system first, grab
_their_ private key, and crack it before they could gain access to your
system...
-Jason
=========================
"Pride is all very well, but a sausage is a sausage."
-- Gaspode, of course
(Terry Pratchett, Men at Arms)
Want to buy your Pack or Services from MandrakeSoft?
Go to http://www.mandrakestore.com
