开发者

How do two machines authenticate over an SSH connection?

开发者 https://www.devze.com 2022-12-15 04:22 出处:网络
I always use ssh in putty to connect a remote ser开发者_如何学Gover. As I know, ssh is based on public/private key mechanism, is it?

I always use ssh in putty to connect a remote ser开发者_如何学Gover. As I know, ssh is based on public/private key mechanism, is it?

Does that mean the client will receive a public key first time when it connects to the server and then use the public key to continue with following communication?

Thanks.


Do you mean for authentication, or for encryption?

For authentication, Section 5.5.1 here covers it: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch05_05.htm#ch05-46136.html

In general, you create the key pair and get them there through other means.

If you mean for the encryption, try section 3.9.1.3 here: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_09.htm#ch03-65213.html


There are two parts where public/private key come into play -- session initialization and (optionally) user authentication.

In session initialization, the host public and private keys are used to set up the encrypted connection, but are not used to encrypt the connection itself. Instead, the initial set up is used to securely generate a unique session key that is used to encrypt the connection. The host public/private keys are generated and installed on the server.

While connecting, your ssh client (PuTTY in this case) will verify that the host key is what it remembers from the last time you connected. (If they are different, then somebody might be snooping on your connection!) This is why PuTTY asks you to confirm the hash of the host key the first time you connect -- it doesn't have a record of what the key is supposed to be, so it asks you to verify. If you tell PuTTY to confirm and save, then PuTTY will save the hash of the host key in the registry for future connections.

In user authentication, the user public and private keys are used to allow access to the server. The public key is installed for the user on the server. The server can then use that key to issue a challenge to the client that can only be answered correctly by using the user's private key. The user generates the public/private keys him/herself (e.g. with ssh-keygen).

For PuTTY, you can generate your own public and private key using the PuTTYgen utility (this is the PuTTY equivalent to ssh-keygen). It's up to you how you want to get the public key installed on the server. Then, run Pageant (a little app that sits in your notification area) and add your private key. If you set a passphrase on your private key, then Pageant will prompt you to enter it. Pageant, while running, will then work with PuTTY (or pscp, psftp, etc.) to make use of your private key.

This is a gross simplification of the processes involved; see James' answer for links to details.

0

精彩评论

暂无评论...
验证码 换一张
取 消