How does it work? ssh2 negotiation

Posted on 2005-04-09
Last Modified: 2010-04-11
Hi experts,

I have a client who wants to transfer his data from his laptop to his desktop at the branch office, all using ssh (he used ssh-keygen -t rsa, so I am assuming--maybe wrongly--that it was ssh2). One of my colleagues helped him set everything up, but could not get the transfer automated without removing the password on his ssh key. I told him that he was required to use a password because the transfer occurs across the public internet, but I wasn't able to explain *why* in a convincing way. My understanding is that anyone who obtains the public key would have login privileges (indeed, the private key as well) as that person and could impersonate him anywhere that key was used. But, how would someone obtain that public key? I thought the ssh2 negotiation itself was temporarily encrypted.

Is it safe to use a passwordless public key across the Internet? Can it be made safe?

Thanks in advance,

Question by:sow56091

    Accepted Solution

    SSH uses certificates, much in the same way that secure websites use SSL:  All data sent between two hosts is encrypted.  This means that cleartext is never transmitted over the internet.

    I **think** the purpose of having a password protect the local key in your scenario is to authenticate the USER, instead of the EQUIPMENT.  Using a passwordless key leaves the system open to breach if the physical security is compromised:  If I steal the computer the key is stored on, there is nothing preventing me from accessing the remote system via your SSH setup.

    Here's a whole load of info on SSH:

    Assisted Solution

    The public key is stored on the remote server; everyone can have this key, it's public!
    The corresponding secret (private) key needs to be protected, because everyone having this key can indeed impersonate the owner.
    That's what ssh's password (passphrase) is for: if you want to use the secret key you have to give the passphrase. That makes it hard to use a stolen key.

    Regarding your password problem: I assume that you have not added the public key to the remote server's authorized_keys in the user's .ssh directory. Then you also need to tell the ssh daemon to allow RSA authentication.

    And as Genexen said, the traffic is encrypted; it doesn't matter if you log in using a key or a password or no password.
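    As an added example (not code from either answer), here is a small defender-side check for the point both answers make: a private key stored without a passphrase is usable by whoever copies the file. The script reads only the key file's own headers to tell whether it was encrypted with a passphrase, covering both the legacy PEM layout that ssh-keygen -t rsa wrote at the time of this post and the newer "OPENSSH PRIVATE KEY" container; the sample keys are constructed stubs, not real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the newer OpenSSH container format

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length prefix + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(key_text):
    """True if the private key is encrypted with a passphrase, False if it is
    stored in the clear, None if the format is not recognised."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN "):
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(MAGIC):
            return None
        cipher, off = _read_string(body, len(MAGIC))   # "none" when no passphrase
        kdf, _ = _read_string(body, off)                # "bcrypt" when a passphrase was set
        return cipher != b"none" and kdf != b"none"
    # Legacy PEM: encryption shows up as RFC 1421 headers between the BEGIN line
    # and the base64 body (base64 never contains ':', so the loop stops there).
    headers = {}
    for ln in lines[1:]:
        if ":" not in ln:
            break
        name, value = ln.split(":", 1)
        headers[name.strip()] = value.strip()
    return headers.get("Proc-Type", "").endswith("ENCRYPTED") and "DEK-Info" in headers

def _fake_openssh_container(cipher, kdf):
    """Constructed sample: only the header fields of an openssh-key-v1 blob, no key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples; the base64 bodies are placeholders, not real keys.
SAMPLES = {
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nQUJDREVGR0g=\n-----END RSA PRIVATE KEY-----\n",
    "legacy_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                         "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJDREVGR0g=\n"
                         "-----END RSA PRIVATE KEY-----\n"),
    "openssh_plain": _fake_openssh_container(b"none", b"none"),
    "openssh_encrypted": _fake_openssh_container(b"aes256-ctr", b"bcrypt"),
}

def audit(samples=SAMPLES):
    """Map each key name to True/False/None; False is the risky passwordless case."""
    return {name: key_is_passphrase_protected(text) for name, text in samples.items()}

if __name__ == "__main__":
    for name, protected in audit().items():
        print(f"{name}: {'passphrase-protected' if protected else 'STORED IN THE CLEAR'}")
```

    Point it at real ~/.ssh/id_* files (reading each with open().read()) to find keys that were generated without a passphrase.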

    Author Comment

    Thank you both for the clarification. I understand that better now.
