Slashdot Mirror


OpenSSH Management - Understanding RSA/DSA Authent

Paul writes "I found this useful article, over at developerWorks Linux Zone that clearly explains RSA/DSA authentication. It covers what you need to get passwordless authentication implemented using RSA and DSA authentication protocols."

8 of 95 comments

  1. Using RSA authentication without a password by Dr.+Sp0ng · · Score: 4

    Reading over the comments here, it seems that people don't seem to understand the benefits of using a passphrase to unlock your key over simply using a password. Well, as long as you trust that nobody but you is going to be using your workstation (from the console - other people logged in remotely is fine) until you log out, you can put something like this in your .xinitrc file:

    exec ssh-agent sh -c 'ssh-add < /dev/null & sleep 5 ; exec wmaker'

    This pops up a window which asks for your passphrase, then ssh-agent stays resident with your unlocked secret key. After 5 seconds, it spawns windowmaker (obviously, replace this with your wm of choice).

    It sets an environment variable (SSH_AGENT_PID) with the process ID of ssh-agent and another one (SSH_AUTH_SOCK) which is the socket to use to communicate with ssh-agent. So when you try to ssh to somewhere, ssh checks for these variables and gets your unlocked key from ssh-agent transparently, and you ssh with no password. But without your passphrase to unlock it at the beginning of your X session, nobody else can use it (don't forget to xlock if you go anywhere :) And since it works through environment variables, which are passed on to children but not to other processes, the only processes which will have access to the ssh-agent are wmaker (or whatever window manager you're using) and its children - namely, anything you're running in X. It's fairly secure.
    --
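
An added example, not part of the original comment: the agent is reached through the Unix-domain socket named in SSH_AUTH_SOCK, so checking that socket's ownership and permissions shows which local accounts can talk to the unlocked key. The function names and finding strings are assumptions made for this sketch.

```python
import os
import stat


def audit_agent_socket(path, uid=None):
    """Return findings for the agent socket at `path`; an empty list means OK."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    findings = []
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a socket")
    if st.st_uid != uid:
        findings.append("socket owned by another uid")
    # Connecting to a Unix-domain socket needs write permission on it (Linux).
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("socket writable by group/other")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_uid != uid:
        findings.append("parent directory owned by another uid")
    if parent.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("parent directory accessible to group/other")
    return findings


def audit_environment(environ=os.environ):
    """Audit the agent this process inherited through its environment."""
    sock = environ.get("SSH_AUTH_SOCK")
    if not sock:
        return ["SSH_AUTH_SOCK not set: no agent inherited by this process"]
    return audit_agent_socket(sock)


if __name__ == "__main__":
    for line in audit_environment() or ["agent socket is private to this user"]:
        print(line)
```

Run it from a terminal started inside the X session; a shell that did not inherit the variables reports that no agent is set.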

  2. Re:passwordless authentication by Bullschmidt · · Score: 3

    No.. see, the random number sent to you is encrypted... it can only be decrypted by your private key. By the time you send it back to the server, it's of no use to the sniffer. The next time there will be a different number encrypted and sent, which they can't decrypt since they don't have your private key.

    --
    "Of all days, the day on which one has not laughed is the most surely the one wasted." -Sebastian Roch Nicol
  3. I wonder if /. editors read the links... by pongo000 · · Score: 4
    It covers what you need to get passwordless authentication implemented using RSA and DSA authentication protocols."
    Well, not exactly...passphraseless authentication is in part 2, which doesn't appear to have been published yet.
  4. Re:passwordless authentication by hillct · · Score: 4

    No. Public Key authentication is exactly that. The authentication is done using a public and private key set.

    The text - or mouse movement - you (probably) entered when the key was generated was intended as a source of unique input, hopefully containing enough entropic characteristics to create a secure non-pattern based key set.

    You then probably had the option to encrypt the key using a passphrase which you'd then have to use when authenticating using that key set.

    The main difference here is that the passphrase is not a required part of a key set, and it is not the main cryptographic mechanism of the authentication process.

    --CTH

    --

    --Got Lists? | Top 95 Star Wars Line
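
The challenge-response exchange described in comments 2 and 4, as an added example that is not part of the original thread: the server encrypts a fresh random number to the public key, only the private-key holder can answer, and a recorded answer fails at the next login. Assumptions of this sketch: a toy unpadded RSA key, a response computed as SHA-256 over the decrypted number and a session id, and the names `Server`, `client_respond` and `demo`.

```python
import hashlib
import hmac
import secrets

# Toy key pair from two known Mersenne primes, constructed for this example.
# Unpadded "textbook" RSA with a ~150-bit modulus: illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, never leaves the client


def _digest(challenge, session_id):
    return hashlib.sha256(challenge.to_bytes(32, "big") + session_id).digest()


class Server:
    """Holds only the public key (N, E), like an authorized_keys entry."""

    def __init__(self):
        self._challenge = None

    def new_login(self):
        self.session_id = secrets.token_bytes(16)
        self._challenge = secrets.randbelow(N - 2) + 2      # fresh every login
        return self.session_id, pow(self._challenge, E, N)  # visible on the wire

    def verify(self, response):
        if self._challenge is None:
            return False
        expected = _digest(self._challenge, self.session_id)
        self._challenge = None                              # single use
        return hmac.compare_digest(expected, response)


def client_respond(session_id, encrypted, private_exp=D):
    challenge = pow(encrypted, private_exp, N)   # needs the private exponent
    return _digest(challenge, session_id)


def demo():
    server = Server()
    sid, enc = server.new_login()
    recorded = client_respond(sid, enc)          # what a sniffer could capture
    first = server.verify(recorded)
    server.new_login()                           # next login, new challenge
    replayed = server.verify(recorded)
    return first, replayed
```

No passphrase appears anywhere in the exchange; it would only protect the file holding `D` on the client's disk.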
  5. Re:Question by plcurechax · · Score: 3
    article treats RSA and DSA as one entity

    RSA and DSA are two algorithms which are used in a similar (interchangeable for our purposes) fashion.

    The article says that SSH1 used the patented RSA key

    The RSA patent in the US (# 4,405,829) expired in September 2000.

    How is it that SSH2 can use a signature algorithm to do real encryption?

    The actual transport encryption is done via a symmetric cipher algorithm such as Triple-DES (3DES), Blowfish, or IDEA (patented in US, Europe) which are much faster (~ 1000-1500 times) than public key algorithms. The RSA or DSA is used to negotiate the key to be used by the symmetric cipher (which uses the same key to encrypt and decrypt, hence "symmetric").

  6. There's another good article... by Lobsang · · Score: 4
    This article on Linux-Gazette is also very good, focusing on the usage of ssh-agent.

    Have phun.

  7. lucky for you foreigners ... by beanerspace · · Score: 4
    Good thing the U.S. modified its policy on exporting encryption technologies (a.k.a. munitions).

    Otherwise we'd have to ask those of you reading the featured article to apply some mental floss and forget what you've just read, shred any hard-copies you took to the bathroom with you, and format your hard drive just to ensure that you haven't accidentally cached it somewhere.

  8. Re:Cryptography awareness by jeffy124 · · Score: 3
    SSH and PGP are but small examples of what can be done.

    I thought of something regarding PGP earlier today in response to the file sharing story this morning:

    Develop a file-sharing network where data is encrypted using PGP's style of encryption. Remote user generates a temporary symmetric key based on keystrokes, mouse movements, etc, encrypts the file you want using that temp key, then encrypts the temp using your public key, then transmit the pair to you. Decrypt the temp key using your private key, then decrypt the shared file. Use a similar scheme of things when searching for files and other data transmissions. Naturally we want all this to be transparent to the user and happen automatically. Only problem with this is it is processor intensive and may slow things down because of all the math work involved in encryption/decryption process.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.