GNU/Linux Desktop Survival Guide by Graham Williams
Desktop Survival Project Home Preface Advocacy History Distributions Installation Basic Survival Wajig Audio AbiWord APM Backup Bash Booting Cameras CD Chinese ChRoot Clock Commercial Conference Management Configuration CRON CVS Databases DIA Directories Disks Documentation DVD Email Eye of Gnome Evolution File Systems Firewalls Floppy Disks Fonts Ghemical GIMP Glade Gnome GnuCash Gnumeric GQView Graphics Groups HTML Editors ImageMagick Initialisations on Booting Java KDE Kernels Keyboard Konqueror KVM Switch LaTeX Log System Login Magellan Mathematics Memory Modems Mounting Devices MS/Windows Music MySQL Nautilus Networks NFS NT File System OpenOffice.org Oracle Packages Partitions Passwords PDF Photos PPP Presentations Printing Python R Remote Desktops Rsync Samba Scanning Science Security SH File System Sketch Spell SPlus Spruce SSH SUDO Subversion Swap Themes USB Video Virtualization Web Word X XML Sample Installations Troubleshooting Index

Public and Private Keys

Through devious means a Trojan remote host might be pretending to be the remote host you are attempting to connect to (using IP spoofing, DNS spoofing or routing spoofing) and thus might intercept your communications and obtain your password. A more secure approach using ssh employs a public-key mechanism. Here, you create your own key (essentially just a sequence of bits) that consists of a public part and a private part. You copy the public key on to your account on the remote host and the private part never leaves your local host. The remote host can use the public key to encrypt a message such that only with your private key can you decrypt the message.

You can generate a private/public key pair with the ssh-keygen command, storing the private key in /home/kayon/.ssh/identity and the public key in /home/kayon/.ssh/identity.pub. A passphrase will be asked for to encrypt your private key within your file system (otherwise the root user, for example, could obtain your private key). Your passphrase will be used to `unlock' your private key whenever you need to use it. The public key needs to be communicated to your remote host. The steps are simple:

  $ ssh-keygen -t dsa
  $ cd .ssh
  $ scp id_dsa.pub [email protected]:.ssh/id_dsa.pub.modern

  $ ssh alpine
  $ cd .ssh
  $ cat id_dsa.pub.modern >> authorized_keys
  $ exit

The remote host may already have an authorised keys file in /home/kayon/.ssh/authorized_keys. Don't copy over it, but append the contents of your local /home/kayon/.ssh/identity.pub to it. Multiple keys can appear in the one file.

Now, when you connect to the remote host using ssh your public key on that host will be used to send an encrypted message (a random number in fact) back to your local host. The local host decrypts the message using the private key stored only on the local host and decrypted using the passphrase. The decrypted message is returned to the remote host for verification.

This method, using public keys, does not send passwords (or passphrases) over the network. A passphrase is used on the local host only to unlock the local private key.