Tool-BarfreeBSD ArticlesSearch Our SiteHOMEfreeBSD LinksContribute to FreeBSD HelpFreeBSD FilesFreeBSD Script Corner

Written by: David Supuran

  Verification in SSHD with RSA vs. passwords.

RSA is an encryption scheme using a public/private key system. A public key is used to encrypt data, and a private key is used to decrypt data. Each key can only be used for the one specified crypt which makes it a worthy encryption scheme compared to single key algorithms which enable you to encrypt/decrypt data with one key in certain circumstances. I will explain this later on.

As passwords are a widely used verification system. You may enter a password and send it over the internet. When it travels over the internet it passes through multiple routers/computers at any given time which is why any important data should be well encrypted that travels over the internet. If SSHD is allowing plain text passwords to be sent (and it is set so on generally every box I've seen in production) over the internet there is a risk your password might be viewed by a 3rd party. This is where the public/private key encryption scheme of RSA comes into play. A user will generate their RSA key pair by running ssh-keygen(1) storing the private key in ~/.ssh/identity and the public key in ~/.ssh/ where ~ is the user's home directory.  The private key (~/.ssh/identity) will be needed on the user's account he wishes to login from, then the public key (~/.ssh/ is placed on the remote account in ~/.ssh/authorized_keys. Only one public key can be placed per line in ~/.ssh/authorized_keys, so please make sure you do not wrap the lines. At this time a user will be able to login from the account with the private key to the account with the public key without being prompted for a password.

This all sounds nice, but I still don't understand how RSA is more secure
than passwords. With RSA your private key is never transmitted over the
internet, or used in an insecure manner. SSHD will check to see if a authorized_key belongs to you by using the public key to encrypt a random string, then asking the client to decrypt this encrypted string with it's private key and send back the plain text. With this way of verification no password is sent over the internet making it more secure.

If you wish to read more on the subjects I suggest ssh(1), ssh-agent(1), sshd(8), and the readme files included with the SSHD.


© 1997 - 20013 Defcon1, , Copyrights for all materials on this web site are held by the individual authors, artists, photographers or creators. Materials may not be reproduced or otherwise distributed without permission of and the content's original author.

Tool-Bar-2Defcon1  Webmail