On 01/03/15 17:43, NdK wrote: > while I was talking of remote user auth (so using openpgp card instead of > ~/.ssh/id_* keys -- something that's already doable).
No, I'm talking about that as well. And I don't think the fingerprint of the host is part of the signed data or the signature. Why do you think the fingerprint of the host is part of that? By /host/ authentication I mean that you verify that the host your are connecting to is in fact the host you wanted to connect to; and /that/ is through the public key of the host, of which you can verify the fingerprint. Let's call this keypair A. After you've verified the fingerprint, a copy of the hosts' public key, A, is stored in ~/.ssh/known_hosts on your client machine. But when the host is authenticating that you are in fact the user you are claiming to be, you sign a challenge that only you could sign because you have the private key, let's call it B. That is /user/ authentication. The host checks that your public key B is in ~/.ssh/authorized_keys on the server machine; if so, you're authenticated. Peter. -- I use the GNU Privacy Guard (GnuPG) in combination with Enigmail. You can send me encrypted mail if you want some privacy. My key is available at <http://digitalbrains.com/2012/openpgp-key-peter> _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
