Date: 2002-01-16
From: Jay Sulzberger
Subject: Re: Typo in last Re: [hangout] ssh
On Tue, 15 Jan 2002, Ruben Safir wrote:
> Where is the Pubic key!
On this machine:
root-at-coignbox:~# ls -l /etc/ssh
total 124
-rw-r--r--    1 root     root        88039 Dec  3 13:38 moduli
-rw-r--r--    1 root     root         1050 Dec  3 13:38 ssh_config
-rw-------    1 root     root          668 Dec 29 12:39 ssh_host_dsa_key
-rw-r--r--    1 root     root          603 Dec 29 12:39 ssh_host_dsa_key.pub
-rw-------    1 root     root          528 Jan 13 18:56 ssh_host_key
-rw-r--r--    1 root     root          332 Dec 28 22:08 ssh_host_key.pub
-rw-------    1 root     root          883 Dec 29 12:39 ssh_host_rsa_key
-rw-r--r--    1 root     root          223 Dec 29 12:39 ssh_host_rsa_key.pub
-rw-r--r--    1 root     root         1208 Feb 11  2001 sshd_config
There are three /etc/ssh/*key.pub files. These three are readable by the world. These three files contain the public keys, which are meant to be available to the world. You may and should publish these three files.
Do not publish any other files in /etc/ssh .
(There may also be a directory /etc/ssh2 similar to /etc/ssh . The rules for /etc/ssh also apply to /etc/ssh2, up to some difference in the names of the files which hold public and private secret keys and config files.)
In your home directory (yours, as a regular user) there is likely at least one directory, .ssh, and perhaps a .ssh2. In .ssh there may be a file called
known_hosts
In .ssh2 there may be a directory
hostkeys
known_hosts and hostkeys are used to help secure connections run over ssh. In all cases, to protect against man-in-the-middle attacks, the contents of known_hosts/hostkeys must have been gotten, by you, via a channel other than the one ssh, at either end, uses. One should use a channel that does not ride the net at all.
Here are two lines from my known_hosts file
panix2.panix.com,166.84.1.2 1023 41 83287176946146245799893984364725043649167202527866288936333864291205787161331001228416534858072119485820781336051911508811716598643027504383616016391984386506056950060796459959854143513671892369869989477633108664849175233014937237943179541582956520041702305498734719320439266809502241241506842744068623249699
zork.net,64.81.65.8 1024 37 1260501790638221777789644877344077562208388962260333343285209715831492404761172361789918027743393793849060315032241227899997552064401957246328368391112096633573526803151336580085161538245850281172948399639839757546775621831339325857798420202880312487095933083569111170640190019487623714286039558083322629700019
These are two public keys from the famous computers panix2.panix.com and zork.net .
When ssh is run to log into, say, zork.net, the public key for zork.net, stored on my computer, under my control (in the case where I have been careful and have not been 0wned by hostile forces), is used to help check that the computer I connect to is indeed zork.net and not some cunning impostor's computer.
There is a bit more to be said about this, and, as far as I can see, the man pages fail to say it. I'll attempt to read them again and, in any case, I will post the necessary few extra words.
oo--JS.
____________________________
New Yorker Linux Users Scene
Fair Use - because it's either fair use or useless....
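The message says the contents of known_hosts must have been obtained over a channel other than ssh; in practice one compares the fingerprint of the stored key with a fingerprint written down from the console or read over the phone. The following is an added example, not code from the original post or from OpenSSH. It parses both the legacy SSH1 known_hosts line format quoted above ("host[,ip] bits exponent modulus") and the OpenSSH format ("host[,ip] keytype base64blob"), computes the fingerprint that ssh-keygen -l prints for each, and checks it against an out-of-band record. The host names and key values are constructed toy data, not real keys, and the helper names are this example's own.

```python
"""Check known_hosts entries against fingerprints obtained out of band.

Added example; not from the original post or from OpenSSH. Standard
library only. The hosts and keys at the bottom are constructed.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass


@dataclass
class HostKey:
    hosts: list      # names and addresses the entry applies to
    keytype: str     # "ssh-rsa", "ssh-ed25519", ... or "rsa1" for legacy entries
    blob: bytes      # the bytes the fingerprint is computed over


def _bn2bin(n: int) -> bytes:
    """Big-endian bytes of n without leading zero bytes (like BN_bn2bin)."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint: a leading 0x00 is added if the top bit is set."""
    b = _bn2bin(n)
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def parse_known_hosts_line(line: str) -> HostKey:
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("|1|"):
        raise ValueError("not a plain known_hosts entry (hashed entries unsupported)")
    hosts = fields[0].split(",")
    if fields[1].isdigit():
        # Legacy protocol-1 entry: bits, public exponent, modulus, all decimal.
        bits, exponent, modulus = int(fields[1]), int(fields[2]), int(fields[3])
        if modulus.bit_length() != bits:
            raise ValueError(f"declared {bits} bits, modulus has {modulus.bit_length()}")
        # ssh-keygen fingerprints an RSA1 key over the raw modulus then exponent.
        return HostKey(hosts, "rsa1", _bn2bin(modulus) + _bn2bin(exponent))
    # Protocol-2 entry: key type and the base64 of the wire-format key blob.
    keytype, blob = fields[1], base64.b64decode(fields[2], validate=True)
    (tlen,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + tlen] != keytype.encode():
        raise ValueError("key type field disagrees with the key blob")
    return HostKey(hosts, keytype, blob)


def fingerprint_sha256(key: HostKey) -> str:
    """Same form as 'ssh-keygen -l': SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(key.blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(key: HostKey) -> str:
    """Same form as 'ssh-keygen -l -E md5': colon-separated hex."""
    hexd = hashlib.md5(key.blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def check_against_oob(line: str, oob: dict) -> dict:
    """Compare every host named in the entry with the out-of-band record.

    oob maps hostname or address -> fingerprint string ("SHA256:..." or
    "MD5:...") written down from the console, read over the phone, etc.
    Returns host -> "ok", "MISMATCH" or "unrecorded".
    """
    key = parse_known_hosts_line(line)
    computed = {fingerprint_sha256(key), fingerprint_md5(key)}
    verdict = {}
    for host in key.hosts:
        if host not in oob:
            verdict[host] = "unrecorded"
        elif oob[host] in computed:
            verdict[host] = "ok"
        else:
            verdict[host] = "MISMATCH"
    return verdict


# Constructed sample entries (toy numbers, not real host keys).
LEGACY_ENTRY = "panix2.example,192.0.2.10 1023 41 " + str((1 << 1022) | 12345)
_toy_blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 99991)
V2_ENTRY = "zork.example ssh-rsa " + base64.b64encode(_toy_blob).decode()

if __name__ == "__main__":
    # Pretend the admin wrote down the real fingerprint for one host only.
    recorded = {"panix2.example": fingerprint_sha256(parse_known_hosts_line(LEGACY_ENTRY))}
    print(check_against_oob(LEGACY_ENTRY, recorded))
    print(check_against_oob(V2_ENTRY, {"zork.example": "SHA256:" + "A" * 43}))
```

An address listed in the entry but absent from the out-of-band record is reported as "unrecorded" rather than "ok", since a name that was never verified gives no protection against an impostor; hashed entries (HashKnownHosts yes) are deliberately refused rather than silently skipped.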