Hi,
Beware, this is a bit long!
I have downloaded and installed openssh (and openssl as required by
openssh). It is my intention to completely remove the r-services
(rlogin, etc.).
As such, I believe that I should go for the third alternative within the
ssh documentation: to let all users create their own key pair. (This
requires all users to be 'aware' which I naively thought would not be
necessary with the ssh solution. Or am I missing something?)
I have read the ssh documentation back and forth many times by now, and
even though I'm very familiar with the concepts of pgp, the ssh package
seems strange. I guess I'd need some introduction document to read,
because I'm really confused.
Any 'RTFM for beginners' I should do?
For instance, a user '[EMAIL PROTECTED]' creates a private/public key
pair. The public key is now given to '[EMAIL PROTECTED]' so that the user
can securely ssh login from pcA to pcB.
Now pcB uses this public key, stored in pcB, to encrypt a random number
and send this back to pcA as a challenge. pcA is the only one having the
private key and the only one that can decrypt the challenge and send it
back to pcB for authentication.
Question: Doesn't this imply that the public key from pcA must be given
to pcB on a secure channel?
AFAIK, there is no tool to verify key fingerprints as we do before we
trust a public pgp/gpg key. Or am I missing something here?
And how do the host keys fit in? After installation of the rpms on two
PCs at home, I found the private and public host keys already generated
in /etc/ssh on both machines. Correct?
So, I took the /etc/ssh/ssh_host_key.pub from pcB and stored it as
/etc/ssh_known_hosts in pcA. (The /etc/ssh_known_hosts file didn't exist
before in pcA.)
Then I tried as an ordinary user at pcA to 'ssh -l user pcB' to login as
user 'user' on pcB. The first response is that ssh tells me that "the
authenticity of pcB can't be established, key fingerprint is bla,bla. Do
you want to continue?".
Again, what tools do I have as root to verify the authenticity of the
public host key from pcB? And as an ordinary user? Am I missing
something fundamental here?
Best regards
Gustav (confused (more than usual))
--
pgp = Pretty Good Privacy.
To get my public pgp key, send an e-mail to: [EMAIL PROTECTED]
Visit my web site at http://www.schaffter.com
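
Added example, not part of the original message: one way to do the fingerprint check the message asks about, by computing a public key's fingerprint locally and comparing it with a value obtained out of band (for instance read on the console of pcB). It assumes OpenSSH protocol 2 style key lines ("type base64 comment"), not the older protocol 1 format of ssh_host_key.pub; the function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Length-prefixed field as used inside an SSH public key blob."""
    return struct.pack(">I", len(data)) + data

# Constructed sample blob (type, exponent, modulus); not a real host key.
SAMPLE_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
               + ssh_string(b"\x00" + b"\xc3" * 128))
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode() + " root@pcB"

def parse_pubkey_line(line: str):
    """Return (key_type, blob) from a 'type base64 [comment]' line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    # The type named on the line must match the type embedded in the blob.
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type does not match key blob")
    return key_type, blob

def fingerprints(blob: bytes):
    """Return (MD5 colon-hex, SHA256 base64) fingerprints of a key blob."""
    md5 = hashlib.md5(blob).hexdigest()
    md5_fp = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return md5_fp, "SHA256:" + sha

def matches_trusted(line: str, trusted_fp: str) -> bool:
    """True only if the key on `line` has the fingerprint obtained out of band."""
    _, blob = parse_pubkey_line(line)
    return trusted_fp.strip() in fingerprints(blob)

if __name__ == "__main__":
    md5_fp, sha_fp = fingerprints(parse_pubkey_line(SAMPLE_LINE)[1])
    print(md5_fp)
    print(sha_fp)
    print(matches_trusted(SAMPLE_LINE, md5_fp))
```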