[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FAS and public Key auth



On Thu, 22 May 2008, Till Maas wrote:

> On Thu May 22 2008, Mike McGrath wrote:
>
> > Client tries to ssh to Server A
> >
> > Server A generates a random number, encrypts it with pub, sends it to the
> > client
> >
> > The client decrypts this number with private key and sends it back to A.
> >
> > Bam!  Shell.
>
>
> The public key authentication does not work this way.
>
> > The guys in #openssh are saying this isn't possible but I wasn't convinced
> > with their reason (basically that server B doesn't have server A's
> > host keys).  Can someone else explain why the above isn't possible?
>
> To authenticate, the client needs to sign a session identifier (and some other
> information) with his private key and send the signature to the server. The
> session identifier is a hash of several data that includes the host key.
>

So what you're saying is it is impossible to do a man in the middle attack
with OpenSSH (assuming the host keys of the server haven't been
compromised) ?

	-Mike


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]