Re: OSX encryption with a difference.



Mark Conrad wrote:
> In article <tomstiller-0EA4FD.10155910102005@xxxxxxxxxxxxxxxxxxxxxxxx>,
> Tom Stiller <tomstiller@xxxxxxxxxxx> wrote:
>
>> Yeah, but you said the owner was system, rather than the user to whom
>> you wanted to connect.
>
> Yes, I thought it was wise to leave the default owner of the .ssh
> directory as "system" alone, being that owner "system" is assigned by
> running ssh-keygen. Did I goof there?

I think the point Tom was making was that you should have run
ssh-keygen as a regular user (not as root and not using sudo to
get uid 0). Then the .ssh directory it created would have been
owned by "markc" or whatever, not "system".

>> As I said above, the weaker form of authentication is still enabled.
>
> I thought SSH was SSH, I was not aware that there were "weak" versions
> of SSH - - - live and learn

It is a question of terminology.

When you talk about "ssh" you are referring to ssh using password
authentication, which Tom is referring to as weak authentication.
When you talk about "ssh + PKA" you are referring to ssh using keys,
which is in some senses a stronger form of authentication; it is
also referred to as "passphrase authentication" since ssh will ask
for a passphrase to unlock your private key rather than a password.
"PKA" is not a separate thing, it is just a method of authentication
supported by ssh. There is also confusion about what you mean by
"running ssh". When you turn on "allow remote login" on your Mac
it starts up sshd - it is then in a sense "running ssh", and it
will accept ssh connections from clients.

If you would just follow the advice you have been given all along
you could have worked all this out. Run sshd on one machine and
connect using "ssh -v -v -v" from another machine. It will tell
you exactly what it is doing as it connects (which forms of
authentication are available, which ones it tries, which keys it
is using, etc.).

Forget about TB2 (of which I know nothing) until you have learned
the basics of ssh (including both password and public key
authentication). You could even progress to port forwarding and
learn how to set up secure tunnels which can then be used by
other applications to communicate between machines without those
applications having to "know" anything about ssh.

Ian

--
Ian Gregory
http://www.zenatode.org.uk/ian/
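
The "ssh -v -v -v" check suggested in the post above can be summarised with a short script. This is an added example, not part of the original post: it reads a saved client debug log and reports which authentication methods the server offered, which ones the client tried, which key files it used, and whether password login is still enabled. The function names and the embedded sample log are constructed for illustration, and the line formats assume the OpenSSH client's debug output, which varies slightly between versions.

```shell
#!/bin/sh
# Added example. Capture a log with: ssh -v -v -v user@host 2> ssh-debug.log (placeholder host)
# The sample below is constructed, not from a real session; the fingerprint is a placeholder.
sample_log() {
cat <<'EOF'
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/markc/.ssh/id_rsa RSA SHA256:PLACEHOLDER
debug1: Trying private key: /Users/markc/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}
# Methods the server advertises: taken from the first "can continue" line.
offered_methods() {
    awk -F': ' '/^debug1: Authentications that can continue: /{print $3; exit}'
}
# Methods the client actually attempted, in order, comma-separated.
tried_methods() {
    awk -F': ' '/^debug1: Next authentication method: /{printf "%s%s", s, $3; s=","} END{print ""}'
}
# Key files the client offered or tried (paths containing spaces are not handled).
keys_tried() {
    awk '/^debug1: (Offering .*public key|Trying private key): /{
        sub(/^debug1: [^:]*: /, ""); printf "%s%s", s, $1; s="," } END{print ""}'
}
# Method that finally succeeded; empty if none did.
succeeded_method() {
    sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p'
}
# True while a typed password is still accepted (keyboard-interactive often carries one).
password_login_possible() {
    case ",$(offered_methods)," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}
summarise() {
    log=$(cat)
    for f in offered_methods tried_methods keys_tried succeeded_method; do
        printf '%-18s %s\n' "$f:" "$(printf '%s\n' "$log" | $f)"
    done
    if printf '%s\n' "$log" | password_login_possible; then echo "password login still enabled"; fi
}
if [ -n "${1:-}" ]; then summarise < "$1"; else sample_log | summarise; fi
```

Run it with a log file name as the only argument to summarise a real session; with no argument it summarises the constructed sample.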