[svlug] deny ssh

Bill Jonas bill at billjonas.com
Wed Nov 28 01:08:02 PST 2001


On Wed, Nov 28, 2001 at 02:01:07AM -0500, step1b at cyberspace.org wrote:
> I have some questions about the working of ssh.

I'll take a crack at a couple.

> What is this server public key for?  Maybe the client also verifies
> if it is the correct server that is responding.  Am I right?

Two purposes:

1.) Yes.  The client stores the server's public key and compares it to
what's offered by the server.  If there's a difference, the client
software will alert you to this and give you the option of continuing or
aborting the connection, generally.  This is to guard against
man-in-the-middle attacks, one of the problems of telnet.

2.) The SSH protocol actually uses a symmetric-key algorithm for the
session, like Blowfish or 3DES.  However, the problem with symmetric-key
encryption is exchanging the key(s) securely in the first place.
Public-key cryptography takes care of that; the keys are encrypted with
public-key encryption so that they can't be discovered by third parties.
(Why not just use public-key cryptography to encrypt the entire session?
Because it's slow and CPU-intensive.)  (Side note: This is similar to
how PGP/GPG encryption works.  An email that you send is encrypted with
a different algorithm, and the key for that algorithm is encrypted with
the recipient's public key.  Speed isn't so much of an issue here, but
if you send an encrypted email to more than one recipient, the size of
the encrypted message only increases by a little for each additional
recipient, since only the message key needs to be re-encrypted for each
new recipient.)

> The verbose mode doesn't show anything about the challenge, why?

Are you using key-based authentication?  If not, then there's no key
with which to encrypt a challenge.  This is used so that you don't need
to type a password to connect.  Basically, key-based (as opposed to
password-based) authentication works as follows: You create a
public-private ssh key pair and store the public key on the remote
server.  Then when you try to log in, the server attempts to validate
that you are who you say you are by sending the challenge.  If you
successfully answer the challenge, then you're authenticated and login
proceeds.  If you're unsuccessful, the server may fall back to standard
password-based authentication (or it may not, depending on how it's
configured).

> other times I do not get anything about the remote protocol.  Does
> this mean the client implementation is different?  or it is optional
> for the server (remote host) to identify its protocol version?
...
> does it mean I am being denied login from this client machine?  or can
> it also mean something else ?

I'll defer these questions to someone else since I'm not sure.

-- 
Bill Jonas    *    bill at billjonas.com    *    http://www.billjonas.com/

Developer/SysAdmin for hire!   See http://www.billjonas.com/resume.html
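
The host key comparison described in point 1 of the reply above, as an added example that is not part of the original message and not any SSH client's own code. It assumes plain (unhashed) known_hosts lines; the host names, key blobs and function names are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample data: these blobs are made-up bytes, not real host keys.
KEY_A = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-B").decode()
KNOWN_HOSTS = (
    "# constructed known_hosts content\n"
    "shell.example.org,192.0.2.10 ssh-rsa " + KEY_A + "\n"
)

def parse_known_hosts(text):
    """Map each host name or address to the set of (key type, base64 blob) stored for it."""
    stored = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue  # comments, markers and hashed host names are out of scope here
        hosts, key_type, blob = fields[:3]
        for host in hosts.split(","):
            stored.setdefault(host, set()).add((key_type, blob))
    return stored

def fingerprint(blob_b64):
    """SHA256 fingerprint of a key blob: unpadded base64 of the digest."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def check_host_key(stored, host, key_type, blob_b64):
    """Compare the key a server offers with the stored one; return (status, fingerprint)."""
    fp = fingerprint(blob_b64)
    entries = stored.get(host, set())
    if (key_type, blob_b64) in entries:
        return "match", fp
    if any(t == key_type for t, _ in entries):
        return "changed", fp  # stored key differs: alert the user before continuing
    return "unknown", fp      # first contact: nothing stored to compare against

if __name__ == "__main__":
    stored = parse_known_hosts(KNOWN_HOSTS)
    for host, blob in [("shell.example.org", KEY_A), ("192.0.2.10", KEY_B),
                       ("other.example.org", KEY_A)]:
        print(host, *check_host_key(stored, host, "ssh-rsa", blob))
```
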