[techtalk] how ssh works/setting up openssh (kind of long)
Brian Engle
bengle at fti-net.com
Wed Jan 19 13:51:21 EST 2000
These are some direct links to the OpenSSH man pages. I know you said you
read the man pages; the first one is how the whole connection setup works.
This will let you know what sort of stuff you need to have available on the
server and remote machines as far as public and private keys go. I'm
pretty sure with TTermPro you actually get a text box to enter the key
into, but it's been a few months since I played with it, so I can't be
positive; it may just be a text file that you point it to so it knows where
to look when the server requests the key.
http://www.openbsd.org/cgi-bin/man.cgi?query=sshd&sektion=8
DESCRIPTION

sshd (Secure Shell Daemon) is the daemon program for ssh(1). Together
these programs replace rlogin and rsh programs, and provide secure
encrypted communications between two untrusted hosts over an insecure
network. The programs are intended to be as easy to install and use as
possible.

sshd is the daemon that listens for connections from clients. It is
normally started at boot from /etc/rc. It forks a new daemon for each
incoming connection. The forked daemons handle key exchange, encryption,
authentication, command execution, and data exchange.

sshd works as follows. Each host has a host-specific RSA key (normally
1024 bits) used to identify the host. Additionally, when the daemon
starts, it generates a server RSA key (normally 768 bits). This key is
normally regenerated every hour if it has been used, and is never stored
on disk.

Whenever a client connects to the daemon, the daemon sends its host and
server public keys to the client. The client compares the host key
against its own database to verify that it has not changed. The client
then generates a 256 bit random number. It encrypts this random number
using both the host key and the server key, and sends the encrypted
number to the server. Both sides then start to use this random number as
a session key which is used to encrypt all further communications in the
session. The rest of the session is encrypted using a conventional
cipher, currently Blowfish and 3DES, with 3DES being used by default.
The client selects the encryption algorithm to use from those offered by
the server.

Next, the server and the client enter an authentication dialog. The
client tries to authenticate itself using .rhosts authentication, .rhosts
authentication combined with RSA host authentication, RSA
challenge-response authentication, or password based authentication.

Rhosts authentication is normally disabled because it is fundamentally
insecure, but can be enabled in the server configuration file if desired.
System security is not improved unless rshd(8), rlogind(8), rexecd(8),
and rexd(8) are disabled (thus completely disabling rlogin(1) and rsh(1)
into that machine).

If the client successfully authenticates itself, a dialog for preparing
the session is entered. At this time the client may request things like
allocating a pseudo-tty, forwarding X11 connections, forwarding TCP/IP
connections, or forwarding the authentication agent connection over the
secure channel.

Finally, the client either requests a shell or execution of a command.
The sides then enter session mode. In this mode, either side may send
data at any time, and such data is forwarded to/from the shell or command
on the server side, and the user terminal in the client side.
Now as for the ssh_host_key problem, I have a feeling this might be an
appropriate link:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1
This just goes over the keygen program; however, I think the description
section might give some info as to where the host key, etc. need to be on
the server.
DESCRIPTION

ssh-keygen generates and manages authentication keys for ssh(1). Normally
each user wishing to use SSH with RSA authentication runs this once to
create the authentication key in $HOME/.ssh/identity. Additionally, the
system administrator may use this to generate host keys.

Normally this program generates the key and asks for a file in which to
store the private key. The public key is stored in a file with the same
name but ``.pub'' appended. The program also asks for a passphrase. The
passphrase may be empty to indicate no passphrase (host keys must have
empty passphrase), or it may be a string of arbitrary length. Good
passphrases are 10-30 characters long and are not simple sentences or
otherwise easily guessable (English prose has only 1-2 bits of entropy
per word, and provides very bad passphrases). The passphrase can be
changed later by using the -p option.

There is no way to recover a lost passphrase. If the passphrase is lost
or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.

There is also a comment field in the key file that is only for
convenience to the user to help identify the key. The comment can tell
what the key is for, or whatever is useful. The comment is initialized to
``user at host'' when the key is created, but can be changed using the -c
option.
I have a feeling this may be part of the problem with
/usr/local/etc/ssh_host_key not being found. Like it says, when you run the
keygen, it makes a host key and a server public key; you tell it the
filename to save to, and also a passphrase if you so desire. The host key
doesn't have a passphrase at all ("The passphrase may be empty to indicate
no passphrase (host keys must have empty passphrase)"), but the public key
may have a passphrase. It's the public key that is copied to the host
machines ("There is no way to recover a lost passphrase. If the passphrase
is lost or forgotten, you will have to generate a new key and copy the
corresponding public key to other machines.")
There's more in terms of what the host does at
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh&sektion=1; however, that's
mostly localized to the OpenSSH client, and I don't know how much of it is
standardized from client to client.
you might also check out the online man pages for ssh-agent and ssh-add:
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-agent&sektion=1
http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-add&sektion=1
Sorry I can't give much more help than that; it's been a while since I
played with any of the configuration stuff. I might be able to find some
more links if none of these are of any help.
Brian
> -----Original Message-----
> From: Subba Rao [mailto:subb3 at attglobal.net]
> Sent: Wednesday, January 19, 2000 12:06 PM
> To: Linux Ladies
> Subject: [techtalk] Re: ssh setup
>
>
>
> I have downloaded the OpenSSH and OpenSSL (prerequisite for OpenSSH).
> The installation went fine.
>
> I have several questions about the public/private keys. When
> I used the ssh-keygen,
> the keys were generated. I am assuming you use one of these
> keys with the ssh client.
> The clients I will use are on Win95/NT and OS/2.
>
> Do I copy these keys and put them in the ssh clients directory?
>
> When I tried to start sshd, I got the following message.
>
> error: Could not load host key: /usr/local/etc/ssh_host_key:
> No such file or directory
>
> I did not see any info about ssh_host_key in the ssh or sshd
> man pages. What
> is this key and how do I fix it?
>
>
> Subba Rao
> subb3 at attglobal.net
> http://pws.prserv.net/truemax/
>
> => Time is relative. Here is a new way to look at time. <=
> http://www.smcinnovations.com
>
> ************
> techtalk at linuxchix.org http://www.linuxchix.org
>
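The connection setup quoted from sshd(8) above (host key plus short-lived server key, the client's check of the host key against its own database, and the 256-bit session key encrypted with both keys), worked through as an added example. This is not OpenSSH code and not part of the original thread. It assumes textbook RSA with no padding on primes generated at run time, far smaller than the real 1024/768-bit keys, a Python dict standing in for the client's known-hosts database, and a hypothetical hostname; nothing in it is usable as a real cipher or protocol, only the message flow and the checks are faithful to the man page.

```python
"""Toy model of the SSH1 connection setup described in sshd(8).
Added example, not OpenSSH code.  Textbook RSA on small runtime-generated
primes; a dict stands in for the client's known-hosts file."""
import hashlib
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # top bit set for the intended size, low bit set so it is odd
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keypair(bits):
    """Return ((n, e), (n, d)) for a modulus of about `bits` bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def fingerprint(pub):
    """Short identifier of a public key, what a known-hosts entry records here."""
    n, e = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]

class HostKeyChanged(Exception):
    """The host's key differs from the one recorded at first contact."""

class Server:
    def __init__(self, host_bits=512, server_bits=384):
        # Long-lived host key identifies the machine (sshd reads it from disk,
        # e.g. ssh_host_key).  Server key is regenerated periodically, never stored.
        self.host_pub, self.host_priv = rsa_keypair(host_bits)
        self.regenerate_server_key(server_bits)
        self.session_key = None

    def regenerate_server_key(self, bits=384):
        self.server_pub, self.server_priv = rsa_keypair(bits)

    def receive_session_key(self, blob):
        """Client -> server message: strip the two RSA layers, larger modulus first."""
        outer, inner = sorted((self.host_priv, self.server_priv),
                              key=lambda k: k[0], reverse=True)
        self.session_key = pow(pow(blob, outer[1], outer[0]), inner[1], inner[0])
        return self.session_key

class Client:
    def __init__(self, known_hosts=None):
        self.known_hosts = {} if known_hosts is None else known_hosts  # host -> fp

    def connect(self, hostname, server):
        host_pub, server_pub = server.host_pub, server.server_pub  # server -> client
        fp = fingerprint(host_pub)
        known = self.known_hosts.get(hostname)
        if known is None:
            self.known_hosts[hostname] = fp  # first contact: record the host key
        elif known != fp:
            raise HostKeyChanged(f"{hostname}: recorded {known}, offered {fp}")
        # 256-bit session key, wrapped with the smaller modulus first so the
        # intermediate value always fits under the larger one.
        key = secrets.randbits(256)
        inner, outer = sorted((host_pub, server_pub), key=lambda k: k[0])
        blob = pow(pow(key, inner[1], inner[0]), outer[1], outer[0])
        server.receive_session_key(blob)
        return key

def demo():
    """Honest connect succeeds; a second machine with a different host key
    answering to the same (hypothetical) hostname is rejected."""
    server, client = Server(), Client()
    assert client.connect("shell.example.test", server) == server.session_key
    try:
        client.connect("shell.example.test", Server())
    except HostKeyChanged:
        return True
    return False
```

The order of the two RSA layers is the detail worth noticing: the inner ciphertext is reduced modulo the smaller key, so it is always below the larger modulus and the outer encryption loses nothing; wrapping in the other order would corrupt the session key whenever the intermediate exceeded the smaller modulus. The known-hosts comparison is the only thing in this flow that ties the session to a particular machine, which is why the client must refuse on a mismatch rather than silently re-record the key.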