Solved

How does it work? ssh2 negotiation

Posted on 2005-04-09
Medium Priority
384 Views
Last Modified: 2010-04-11
Hi experts,

I have a client who wants to transfer his data from his laptop to his desktop at the branch office, all using ssh (he used ssh-keygen -t rsa, so I am assuming--maybe wrongly--that it was ssh2). One of my colleagues helped him set everything up, but could not get the transfer automated without removing the password on his ssh key. I told him that he was required to use a password because the transfer occurs across the public internet, but I wasn't able to explain *why* in a convincing way. My understanding is that anyone who obtains the public key would have login privileges (indeed, the private key as well) as that person and could impersonate him anywhere that key was used. But, how would someone obtain that public key? I thought the ssh2 negotiation itself was temporarily encrypted.

Is it safe to use a passwordless public key across the Internet? Can it be made safe?

Thanks in advance,

Sean
Question by: sow56091
3 Comments
 
LVL 5

Accepted Solution

by: Genexen (earned 1600 total points)
ID: 13743811
SSH uses certificates, much in the same way that secure websites use SSL:  All data sent between two hosts is encrypted.  This means that cleartext is never transmitted over the internet.

I **think** the purpose of having a password protect the local key in your scenario is to authenticate the USER, instead of the EQUIPMENT. Using a passwordless key leaves the system open to breach if the physical security is compromised: If I steal the computer the key is stored on, there is nothing preventing me from accessing the remote system via your SSH setup.

Here's a whole load of info on SSH:  http://www.openssh.com/manual.html
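Genexen's point, that the passphrase is what stands between a stolen laptop and the remote account, comes down to one concrete property: whether the private key file on disk is encrypted. The script below is an added example, not code from the thread or its posters; it inspects a private key file and reports whether it needs a passphrase, without ever asking for one. It handles the PEM format ssh-keygen wrote at the time of the thread (encryption is signalled by "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" headers), PKCS#8, and the openssh-key-v1 format current versions write, whose body names the cipher and KDF ("none" for both when there is no passphrase). The sample keys inside it are constructed placeholders, not real key material.

```python
"""Report whether an OpenSSH private key file is passphrase-protected.

Added example for this thread, not the posters' code.  It only inspects the
on-disk format and never needs the passphrase.  Handled formats: legacy PEM
(passphrase shown by "Proc-Type: 4,ENCRYPTED" / "DEK-Info:" headers), PKCS#8
("ENCRYPTED PRIVATE KEY" vs "PRIVATE KEY"), and openssh-key-v1, whose body
starts with the magic "openssh-key-v1\\0" followed by the cipher name and KDF
name as SSH wire strings ("none" for both when there is no passphrase).
The sample keys at the bottom are constructed placeholders, not real keys.
"""
import base64
import struct
import sys

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, pos):
    """Read one SSH wire-format string: big-endian uint32 length, then the bytes."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    end = pos + 4 + length
    if end > len(buf):
        raise ValueError("truncated openssh-key-v1 blob")
    return buf[pos + 4:end], end


def key_is_passphrase_protected(key_text):
    """True if the private key is encrypted and needs a passphrase, False if usable as-is."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key file")
    header, body = lines[0], lines[1:-1]

    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, pos = _read_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(blob, pos)
        # No passphrase: cipher "none", kdf "none".  With one: e.g. "aes256-ctr" and "bcrypt".
        return cipher != b"none" or kdf != b"none"

    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8, encrypted
        return True
    if header == "-----BEGIN PRIVATE KEY-----":             # PKCS#8, cleartext
        return False

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): RFC 1421 headers, a blank line, then base64.
    headers = {}
    for ln in body:
        if not ln:
            break
        name, sep, value = ln.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers.get("Proc-Type", "").endswith("ENCRYPTED") and "DEK-Info" in headers


def check_file(path):
    """Read a private key file from disk and classify it."""
    with open(path, "r", encoding="ascii") as fh:
        return key_is_passphrase_protected(fh.read())


def constructed_openssh_key(cipher, kdf):
    """Build a minimal openssh-key-v1 file holding only the header fields (test input)."""
    blob = OPENSSH_MAGIC
    for field in (cipher, kdf, b""):        # ciphername, kdfname, kdfoptions
        blob += struct.pack(">I", len(field)) + field
    blob += struct.pack(">I", 1)             # number of keys; the key data itself is omitted
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy-format samples; the base64 body is a placeholder, not a key.
ENCRYPTED_PEM_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
cGxhY2Vob2xkZXIsIG5vdCBhIHJlYWwga2V5
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            print(path, "passphrase-protected" if check_file(path) else "NOT protected: usable as-is")
    else:
        print("legacy PEM, encrypted:", key_is_passphrase_protected(ENCRYPTED_PEM_SAMPLE))
        print("legacy PEM, plain:", key_is_passphrase_protected(PLAIN_PEM_SAMPLE))
        print("openssh-key-v1, plain:", key_is_passphrase_protected(constructed_openssh_key(b"none", b"none")))
        print("openssh-key-v1, bcrypt:", key_is_passphrase_protected(constructed_openssh_key(b"aes256-ctr", b"bcrypt")))
```

Run it with one or more key paths (for example the client's ~/.ssh/id_rsa) to see which keys on a machine are usable by anyone who copies the file; run it with no arguments to see the four constructed cases classified. A result of "NOT protected" is exactly the situation the thread describes: the file itself is the credential.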
 
LVL 51

Assisted Solution

by: ahoffmann (earned 400 total points)
ID: 13744301
The public key is stored on the remote server; everyone can have this key, it's public!
The corresponding secret (private) key needs to be protected, 'cause anyone having this key can indeed impersonate the owner.
That's what ssh's password (key phrase) is for: if you want to use the secret you have to give the pass phrase. That makes it hard to use a stolen key.

Regarding your password problem: I assume that you have not added the public key to the remote server's authorized_keys in the user's .ssh directory. Then you need to tell the ssh daemon also to allow RSA authentication.

And as Genexen said, the traffic is encrypted; it doesn't matter whether you log in using a key, a password, or no password.
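ahoffmann points at authorized_keys as the place where the public key is installed, and the thread stops there. That file is also where a passphrase-less automation key can be contained, which goes beyond what the thread says but answers Sean's "can it be made safe": sshd lets each entry carry options that pin the key to a source address (from=), force a single command (command=) and switch off pty allocation and port, agent and X11 forwarding, so a key lifted from a stolen laptop buys the thief only that one command from that one address. The script below is an added example, not code from the thread or its posters. It audits an authorized_keys file for entries that lack those restrictions and builds a restricted entry from a bare public key line as ssh-keygen writes it. The sample file, the scp -t forced command and the "must have from= and command=" policy are constructed assumptions of the example; the key bodies are placeholders.

```python
"""Audit and harden OpenSSH authorized_keys entries for unattended transfer keys.

Added example for this thread, not the posters' code.  Entry grammar follows
sshd(8): optional comma-separated options (values may be double-quoted and may
contain commas), then key type, base64 key and comment.  The sample file and the
scp -t forced command are constructed assumptions; key bodies are placeholders.
"""
import sys

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Capabilities a stolen automation key must not have.  Newer sshd also accepts the
# single option "restrict", which switches all of these off at once.
NO_OPTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding", "no-pty")


def split_options(line):
    """Split one entry into (list of option strings, key part).

    Options end at the first whitespace outside double quotes, so values such as
    from="10.0.0.1,10.0.0.2" or command="scp -t /srv/backup" stay intact.
    """
    line = line.strip()
    if not line:
        raise ValueError("empty line")
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line                              # entry has no options field
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            quoted = not quoted
        elif ch == "\\" and quoted and i + 1 < len(line):
            cur.append(ch)                           # keep the escape and the escaped char
            i += 1
            ch = line[i]
        elif ch == "," and not quoted:
            opts.append("".join(cur))
            cur, i = [], i + 1
            continue
        elif ch in " \t" and not quoted:
            opts.append("".join(cur))
            return opts, line[i:].lstrip()
        cur.append(ch)
        i += 1
    raise ValueError("options present but no key material follows them")


def parse_options(opts):
    """Map option name (lower-cased) to its value with surrounding quotes removed."""
    parsed = {}
    for opt in opts:
        name, _, value = opt.partition("=")
        parsed[name.strip().lower()] = value.strip().strip('"')
    return parsed


def audit_line(line):
    """Return the problems with one entry (empty list = passes).

    Policy (this example's assumption): a key without a passphrase must be pinned to
    a source address and one command, with shell, pty and all forwarding disabled.
    """
    opts, key = split_options(line)
    if key.split(None, 1)[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised key type in: {key[:40]}")
    o = parse_options(opts)
    problems = []
    if "from" not in o:
        problems.append("no from= restriction: usable from any source address")
    if "command" not in o:
        problems.append("no command= forced command: gives an interactive shell")
    if "restrict" not in o:
        problems.extend(f"{opt[3:]} not disabled" for opt in NO_OPTIONS if opt.lower() not in o)
    return problems


def audit_file(text):
    """Audit a whole authorized_keys file: {line_number: [problems]} for failing entries."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            problems = audit_line(line)
            if problems:
                report[number] = problems
    return report


def harden_entry(pubkey_line, source, command):
    """Turn a bare public key line (as in id_rsa.pub) into a restricted entry.

    `source` is a from= pattern (address, CIDR or host pattern); `command` is the only
    program the key may run.  Explicit no-* options are used rather than "restrict" so
    older sshd versions accept the entry too.
    """
    opts, key = split_options(pubkey_line)
    if opts:
        raise ValueError("expected a bare public key line without options")
    if '"' in source or '"' in command:
        raise ValueError("from= and command= values cannot contain a double quote")
    return f'from="{source}",command="{command}",' + ",".join(NO_OPTIONS) + " " + key


# Constructed sample: of the three entries only the second is acceptable for a passphrase-less key.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample file; key bodies are placeholders, not real keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder1 sean@laptop
from="203.0.113.7",command="/usr/bin/scp -t /srv/backup",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder2 backup@laptop
from="10.0.0.1,10.0.0.2" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder3 admin@desktop
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHORIZED_KEYS
    for number, problems in sorted(audit_file(text).items()):
        print(f"line {number}: " + "; ".join(problems))
    print(harden_entry("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCplaceholder1 sean@laptop",
                       "203.0.113.7", "/usr/bin/scp -t /srv/backup"))
```

Run it with the path of the desktop's ~/.ssh/authorized_keys to list every entry a stolen key could abuse as a full shell, or with no arguments to see the constructed sample audited and a hardened entry printed. The design choice worth noting: the key used for the unattended job should be a separate key generated for that job alone, installed only with the restricted entry, so the client's interactive key can keep its passphrase.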
 
LVL 3

Author Comment

by:sow56091
ID: 13749069
Thank you both for the clarification. I understand that better now.

Sean