25/10/2006, 22h32   #6
Darren Dunham
Re: Tectia SSH and use with a CA

rhino007_us@yahoo.com <rhino007_us@yahoo.com> wrote:
> I was in a discussion with someone yesterday about SSH and how
> certification works with a
> Certificate Authority. A couple of points could use a little
> clarification.


> When a new SSH client sends a request to transmit data to the SSH
> Server for the first time


Rather than 'transmit data' I would phrase that as 'connect'.

> does its request include its (the SSH
> client's) certificate which includes its own
> public key inside, and the CA's digital signature as proof of who it
> is? Or does the SSH Server ask the CA to validate the client?


Neither. In normal SSH usage there is no CA.

In the initial SSH connection, the server's private host key is used to
verify the server's identity against the server's public host key which
is stored in a local database on the client. If this is the initial
connection and the administrator has not pre-populated the database,
then it usually allows you to accept the server's key initially. There
is no verification on this acceptance and no CA aids you.

After the SSH connection is up, the client user authenticates to the
server, possibly using a public key stored on the server to authenticate
the user's private key. (Several other authentication schemes are
possible.)

> Someone suggested that the SSH Server would not need to talk to the CA
> at all, and that it would simply respond to the SSH client directly.
> I know that without a CA someone would have had to put the clients
> public key on the server and vice versa, and away we go. His point is
> beginning to make sense to me, as it would save a lot of overhead.


Correct (except for the vice versa part). The server generally does not
care about the client's identity for the SSH connection.

> With a CA I had thought the SSH server would need to check with the CA
> and the CA would validate the client, and send the SSH Servers public
> key to the client along with its own digital signature proving it is
> the valid CA to the client.


There's no CA for ssh keys. SSH is not SSL.

--
Darren Dunham ddunham@taos.com
Senior Technical Consultant TAOS http://www.taos.com/
Got some Dr Pepper? San Francisco, CA bay area
< This line left intentionally blank to confuse you. >
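As an added illustration (not code from this post, from Tectia or from OpenSSH), here is the host-key check the reply describes, modelled in Python: the client keeps a local database of host keys, compares the key the server presents against it, and on first contact has nothing to compare with, so acceptance at that point is unverified. The key bytes and the known_hosts contents are constructed placeholders, not real key material; OpenSSH's hashed-hostname and certificate line forms are not handled.

```python
"""
Model of SSH host-key verification with no CA involved: the client's
local database (OpenSSH calls it known_hosts) is the only source of truth.
  - key stored and equal     -> trusted
  - host not in the database -> unknown   (first contact: user is prompted)
  - key stored but different -> mismatch  (possible MITM or re-keyed server)
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_key: bytes) -> str:
    """Base64 public-key blob for an ssh-ed25519 key built from 32 raw bytes."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return base64.b64encode(blob).decode()


# Constructed placeholder keys (NOT real key pairs): the genuine server key
# and a different key an impostor might present.
SERVER_KEY = ed25519_blob(bytes(range(32)))
IMPOSTOR_KEY = ed25519_blob(bytes(range(32, 64)))

# Constructed known_hosts contents, as the client would hold them after one
# accepted connection to the server under two names.
SAMPLE_KNOWN_HOSTS = f"""
# host(s)                   key type     base64 key blob
example.internal,10.0.0.5  ssh-ed25519  {SERVER_KEY}
"""


def fingerprint(pubkey_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint (unpadded base64) of a key blob."""
    digest = hashlib.sha256(base64.b64decode(pubkey_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict:
    """Parse plain (unhashed) known_hosts lines into {(host, keytype): key_b64}."""
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line: ignored rather than trusted
        hosts, keytype, key = fields[0], fields[1], fields[2]
        for host in hosts.split(","):
            db[(host, keytype)] = key
    return db


def check_host_key(db: dict, host: str, keytype: str, presented_key: str) -> str:
    """Decide what the client does with the key the server just presented."""
    stored = db.get((host, keytype))
    if stored is None:
        return "unknown"
    if stored == presented_key:
        return "trusted"
    return "mismatch"


def accept_first_use(db: dict, host: str, keytype: str, presented_key: str) -> None:
    """Record a key the user accepted on first contact. Nothing verifies it;
    this is exactly the step the reply says no CA helps with."""
    db[(host, keytype)] = presented_key


if __name__ == "__main__":
    db = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, key in [("example.internal", SERVER_KEY),
                      ("example.internal", IMPOSTOR_KEY),
                      ("new-host.internal", SERVER_KEY)]:
        print(host, fingerprint(key), check_host_key(db, host, "ssh-ed25519", key))
```

The mismatch branch is the one worth alerting on operationally: a stored key that suddenly differs is either a legitimate re-key the administrator should be able to confirm, or an interposed host, and the client has no third party to ask, which is why pre-populating the database before first contact is the only way to close the first-connection gap.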