Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Dev
RSA question
js1 at js1
Jan 20, 2000, 9:22 PM
Post #1 of 3 (629 views)
Permalink
This may be a FAQ, but wouldn't SSH be more secure if the user can only
log in if the server has the client's ssh_host_key.pub in its
ssh_known_hosts file AND the user has his identity.pub from his
client computer in the authorized_keys on the server? This
would require two keys to be able to log in. I thought this
was ssh would work with the following sshd_config file:


--- BEGIN FILE ---
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
CheckMail no
UseLogin no
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication yes
IgnoreRhosts yes
RhostsAuthentication no
IgnoreUserKnownHosts yes
RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
---- END FILE ---

But, it turns out, that as long as authorized_keys on my server has
the identity.pub file from my client computer, I'm allowed in regardless
if the public key of the client is in the ssh_known_hosts on the server.

It seems like requiring two keys would be preferrable, but if
I've misconfigured something, please let me know. Thanks for any help.

Jiann-Ming Su
js1@js1.org
Re: RSA question [ In reply to ]
markus.friedl at informatik
Jan 21, 2000, 2:11 AM
Post #2 of 3 (618 views)
Permalink
On Fri, Jan 21, 2000 at 12:22:48AM -0500, Jiann-Ming Su wrote:
> This may be a FAQ, but wouldn't SSH be more secure if the user can only
> log in if the server has the client's ssh_host_key.pub in its
> ssh_known_hosts file AND the user has his identity.pub from his
> client computer in the authorized_keys on the server? This
> would require two keys to be able to log in. I thought this

no, this is not possible with SSH, it's not defined in the protocol,
you cannot do both. -markus
Re: RSA question [ In reply to ]
js1 at js1
Jan 21, 2000, 7:17 AM
Post #3 of 3 (615 views)
Permalink
On Fri, 21 Jan 2000, Markus Friedl wrote:

> On Fri, Jan 21, 2000 at 12:22:48AM -0500, Jiann-Ming Su wrote:
> > This may be a FAQ, but wouldn't SSH be more secure if the user can only
> > log in if the server has the client's ssh_host_key.pub in its
> > ssh_known_hosts file AND the user has his identity.pub from his
> > client computer in the authorized_keys on the server? This
> > would require two keys to be able to log in. I thought this
>
> no, this is not possible with SSH, it's not defined in the protocol,
> you cannot do both. -markus
>

Ok, then I ask, would it not be desireable to be able to do both?

Jiann-Ming Su
js1@js1.org

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal