How does it work? ssh2 negotiation

Hi experts,

I have a client who wants to transfer his data from his laptop to his desktop at the branch office, all using ssh (he used ssh-keygen -t rsa, so I am assuming--maybe wrongly--that it was ssh2). One of my colleagues helped him set everything up, but could not get the transfer automated without removing the password on his ssh key. I told him that he was required to use a password because the transfer occurs across the public internet, but I wasn't able to explain *why* in a convincing way. My understanding is that anyone who obtains the public key would have login privileges (indeed, the private key as well) as that person and could impersonate him anywhere that key was used. But how would someone obtain that public key? I thought the ssh2 negotiation itself was temporarily encrypted.

Is it safe to use a passwordless public key across the Internet? Can it be made safe?

Thanks in advance,

Sean
sow56091 Asked:

Genexen Commented:
SSH uses certificates, much in the same way that secure websites use SSL: All data sent between two hosts is encrypted. This means that cleartext is never transmitted over the internet.

I **think** the purpose of having a password protect the local key in your scenario is to authenticate the USER, instead of the EQUIPMENT. Using a passwordless key leaves the system open to breach if the physical security is compromised: If I steal the computer the key is stored on, there is nothing preventing me from accessing the remote system via your SSH setup.

Here's a whole load of info on SSH: http://www.openssh.com/manual.html
ahoffmann Commented:
The public key is stored on the remote server; everyone can have this key, it's public!
The corresponding secret (private) key needs to be protected, 'cause everyone having this key can indeed impersonate the owner.
That's what ssh's password (key phrase) is for: if you want to use the secret you have to give the pass phrase. That makes it hard to use a stolen key.

Regarding your password problem: I assume that you have not added the public key to the remote server's authorized_keys in the user's .ssh directory. Then you also need to tell the ssh daemon to allow RSA authentication.

And as Genexen said, the traffic is encrypted; it doesn't matter if you logged in using a key, a password, or no password.
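ahoffmann's point is that the exposure lies in an unprotected private key, not in the encrypted traffic. The following Python check is an added example, not code from the thread: it reads a private key file and reports whether it is passphrase-encrypted, using the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys and the cipher name that sits in the clear at the front of the newer openssh-key-v1 format. The sample keys are constructed headers with no real key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _read_string(blob: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length, then bytes)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def key_protection(key_text: str) -> dict:
    """Report whether a PEM-framed private key file is encrypted with a passphrase."""
    lines = [line.strip() for line in key_text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed private key")
    if "OPENSSH PRIVATE KEY" in lines[0]:
        # New OpenSSH format: cipher and KDF names are stored unencrypted at the front
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _read_string(body, len(OPENSSH_MAGIC))
        kdf, _ = _read_string(body, offset)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-key-v1", "cipher": cipher, "kdf": kdf,
                "passphrase": cipher != "none"}
    # Legacy PEM (e.g. "RSA PRIVATE KEY"): encryption is announced by a header line
    encrypted = any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in lines[1:])
    return {"format": "pem", "passphrase": encrypted}

def _openssh_sample(cipher: str, kdf: str) -> str:
    """Constructed sample: a minimal openssh-key-v1 header only, no real key material."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    body = OPENSSH_MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_UNPROTECTED = _openssh_sample("none", "none")        # what ssh-keygen -N "" produces
SAMPLE_PROTECTED = _openssh_sample("aes256-ctr", "bcrypt")  # key created with a passphrase
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""  # constructed: real headers, dummy base64 body

if __name__ == "__main__":
    for name, sample in [("unprotected", SAMPLE_UNPROTECTED), ("protected", SAMPLE_PROTECTED),
                         ("legacy", SAMPLE_LEGACY_ENCRYPTED)]:
        info = key_protection(sample)
        print(f"{name}: {'passphrase set' if info['passphrase'] else 'NO PASSPHRASE'} {info}")
```

Run it over `~/.ssh/id_*` files to find keys that would let a thief of the laptop log in without any further secret.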
sow56091 (Author) Commented:
Thank you both for the clarification. I understand that better now.

Sean