View Single Post
  #3   (View Single Post)  
Old 4th July 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,999

General guideline for using public keys for authentication:

These are actually "key pairs" -- there are two halves which must be combined. Think of a lock that has two keyholes, where two different keys must be inserted and turned in order to open the lock.

There are two types of keys that make up a "key pair" -- a public key, and a private key. The public key is perfectly safe to send in-the-clear; via e-mail, posted on a web page, whatever. The private key should be kept private.

In actual practice with SSH between two people who wish to be client and server via SSH, and who are using public communication -- perhaps e-mail or instant messaging or text messages by cell phone, or shipping a diskette / CD / memory stick -- the person who will operate the client generates a key pair and sends the public "half" to the server administrator. No private information needs ever be sent via public methods at any time.

(If there is a private method for transferring private keys, then the key pair may be generated at the server or on an unrelated system.)

During authentication, the private key is used to generate an encrypted signature which can only be confirmed by decrypting with the public key. It proves that the sending station used the private key.

OpenSSH servers generate their own key pairs (on OpenBSD, in /etc/ssh) that are used to create a "fingerprint" which is used to confirm the server to clients. This fingerprint is stored in ~/.ssh/known_hosts for OpenSSH clients.
Reply With Quote