On 27 Feb 2000, Bjoern Groenvall wrote:
> The server host key is used as part of the key material
> negotiation. However, only the *server* host key is used, the client
> end host key is never used. Just turn off the suid bit from ssh and
> give it a try (or even mv /etc/ssh_host_key).
>
> After the initial handshake it is time for authentication. If
> RSA-rhost authentication is used then the ssh client uses the private
> part of the client key. At the server end, the server looks up the
> public part of the client host key and uses that to verify
> authenticity. If the server can't find the client public key, then
> access is denied.
Cool, thanks for the explanation.
> So let's assume that the client doesn't have a host key but that it is
> created during boot. Then there can be no host that knows the
> corresponding public key. Now the client tries to use RSA-rhost
> authentication, when the server attempts to verify authenticity it
> will fail to lookup the key (remember that it was created on the
> client perhaps moments ago). For RSA-rhost authentication to work the
> public keys must first be shipped around among the hosts, only then
> can RSA-rhost authentication operate.
It won't work at first boot, but generating a hostkey at some point is a
necessary prerequisite to ever using RSA-rhosts authentication. Sure,
that's not something everyone will use, but what's the problem with doing
the step for the user and saving him from worrying about how to generate a host
key? All he needs to do is distribute it to the other parties then.
> > I'm thinking of the old/stock sshd, not OpenSSH, but I'm not aware of that
> > big a change.
>
> I don't think there have been any radical changes with respect to
> this. There might be some extra knobs in OpenSSH to control whether the
> server will accept public keys from $HOME/.ssh/known_hosts files or
> only from /etc/ssh_known_hosts.
Right.. if anyone has interoperability problems they should report them to
the OpenSSH guys (www.openssh.org)
Kris
----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson
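The server-side RSA-rhosts check described in the quoted text, as an added Python model that is not from this thread or from ssh/OpenSSH itself: the host names, the known_hosts sample, the challenge and the toy small-prime RSA are constructed assumptions standing in for real host keys. It shows the case Bjoern describes (a host key generated at boot and never distributed, so the server's lookup fails) beside a host whose public key was shipped.

```python
import hashlib

def rsa_keypair(p, q, e=65537):
    # toy textbook RSA on small fixed primes (assumption; not real host keys)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(msg, n):
    # hash reduced below the toy modulus so it is a valid RSA message
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(priv, msg):
    n, d = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def parse_known_hosts(text):
    # SSH-1 known_hosts line layout: "hostname bits exponent modulus"
    hosts = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            host, _bits, e, n = line.split()
            hosts[host] = (int(n), int(e))
    return hosts

def rhosts_rsa_check(known_hosts, client_host, challenge, sig):
    # server side: look up the client's *public* host key, then verify
    pub = known_hosts.get(client_host)
    if pub is None:
        return "denied: no host key for %s in known_hosts" % client_host
    if not verify(pub, challenge, sig):
        return "denied: signature does not match stored host key"
    return "ok: %s proved possession of its host key" % client_host
# constructed hosts: alpha's public key was shipped to the server, beta's
# was generated at boot and never distributed
ALPHA_PUB, ALPHA_PRIV = rsa_keypair(1000003, 999983)
BETA_PUB, BETA_PRIV = rsa_keypair(1000033, 999979)
KNOWN_HOSTS = "# constructed /etc/ssh_known_hosts\nalpha.example.com 40 65537 %d\n" % ALPHA_PUB[0]
CHALLENGE = b"constructed session challenge"

def demo():
    hosts = parse_known_hosts(KNOWN_HOSTS)
    return {
        "alpha": rhosts_rsa_check(hosts, "alpha.example.com", CHALLENGE, sign(ALPHA_PRIV, CHALLENGE)),
        "beta": rhosts_rsa_check(hosts, "beta.example.com", CHALLENGE, sign(BETA_PRIV, CHALLENGE)),
        "stale": rhosts_rsa_check(hosts, "alpha.example.com", CHALLENGE, sign(BETA_PRIV, CHALLENGE)),
    }
```

The "stale" case is the other failure mode worth knowing: an entry that exists but no longer matches the client's current key is refused too, so a regenerated host key must be redistributed, not just generated.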