Subject: Re: ssh-agent and keys

Re: ssh-agent and keys

From: Peter Krempa <pkrempa_at_redhat.com>
Date: Mon, 05 Dec 2011 01:46:50 +0100

Dňa 5.12.2011 1:13, Ben Kibbey wrote / napísal(a):
> Hello folks,
>
> I have a question about how to implement ssh-agent support in my
> program. Am I supposed to iterate over libssh2_agent_get_identity() and
> libssh2_agent_userauth() until a valid/correct key is found from the
> agent?
Yes, that's probably the correct approach. I'm going to implement
agent-based auth soon, so if you don't figure it out by yourself, then
ask again in some time :)

It seems insecure if the remote host was somehow compromised
> since the SSH server may collect private keys for others hosts from the
> client.

The private SSH keys are _NOT_ sent to the server in any case. The
authenitcation is done in a following way (simplified):

1) The server creates a random message.
2) The server encrypts the message using the client's public key
3) The server sends the encrypted challenge to the client
4) The client decrypts the message using his private key and replies to
the server using plaintext of the message
5) The server verifies, that the client is in posession of the private
key, as he was able to decrypt the message. (In ideal world) Only the
rightful owner is in posession of the private key and thus able to
decrypt the message.
6) Authentication succeeds.

The private key is named private, as you never ever tell it anyone.
This is the beauty of asymetric cryptography.

> Or maybe there is a way to obtain the public portion of the key from the
> agent's private key and compare it with the remotes public key identity
> before sending any private key data?
Private key is NEVER sent :). You have to add your public key to
"authorised_keys" to tell the server, that it should try this key, as
you hold the private part to it. This cannot be determined on the fly,
as an attacker could specify, his own public key, he has a private key
for. (The keys always come in pairs: public-private.).
>
> Thanks for any help,
>

I hope this clarified it somewhat.

Regards,

Peter

_______________________________________________
libssh2-devel http://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
Received on 2011-12-05