Re: ssh pubkey validation

On 2008-03-11, Tony Houghton <h@xxxxxxxxxxx> wrote:

If it has the same public key as I've given out to repo.or.cz
there's a potential security breach. Does sshd ensure that a public
key is only accepted if the client can validate it with the
corresponding private key?

A public key is totally public, and is worthless to an attacker, so no
there is no security issue. The security issue only arises if the
private key is released.

The way the public/private key system works is that anything encoded
with the public key can only be decoded by the corresponding (but not
identical) private key, when you make an SSH connection, a session key
is encrypted by the remote end with your public key, and send back to
you. You are only able to decrypt that session key if you have the
corresponding private key. If you can decrypt that session key then
the encrypted connection succeeds and the session key is used to
encrypt the traffic on the SSH session. Once the session key has been
exchanged the public/private key are not used again until a new
session key is needed, at which point a new session key is encrypted
with your public key and sent to you again and the cycle repeats.

This means that an SSH connection can only use your public key
successfully if you are initiating that connection from a machine that
has the corresponding private key. Putting your public key into the
authorized_keys file on a machine does not permit anyone with your
public key from also accessing that machine, it can only be accessed
by someone with the corresponding private key.

--
Blast off and strike the evil Bydo empire!
http://youtube.com/user/tarcus69
http://www.flickr.com/photos/tarcus/
.

Relevant Pages

  • RE: Encryption question
    ... > sender's private key at the message hash. ... >>Alice encrypts her email to Bob using his public key. ... > Security Linux, the comprehensive security solution that combines six ... Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership. ...
    (Security-Basics)
  • RE: PGP scripting...
    ... cryptosystems, ... In these systems divulging your private key compromises the public ... Here is a quick over view of the public key encryption routines (the ...
    (SecProg)
  • Re: Private & Public Key storage location
    ... with that you complete the 'certificate' to have both public and private key ... To view the complete cert, you access the cert mmc, ... its end & send only the public key to the CA along with the other websites ... The CA never know the private key of the website. ...
    (microsoft.public.inetserver.iis.security)
  • CryptImportKey NTE_BAD_KEY error.
    ... of the private key is just fine but when I try to import the public key I ... // This Asymetric key set will be used to create the Autherization Code. ... delete psBuffer; ...
    (microsoft.public.security)
  • Re: Private & Public Key storage location
    ... client use the public key to ... corresponds to this certiticate' when you view the cert. ... it will has the private key as well. ... installed for your website, it will be sent to all the clients who connect ...
    (microsoft.public.inetserver.iis.security)
Loading