ssh clarification needed

Nifty Fedora Mitch niftyfedora at niftyegg.com
Mon Jan 5 04:03:19 UTC 2009


On Sun, Jan 04, 2009 at 03:32:24AM -0800, Mike Cloaked wrote:
> Anne Wilson-4 wrote:
> > 
> > 
> > Is a ssh key specific to a computer, or to a user?  That is, does my key 
> > pertain to any box on the lan, as long as I'm the user?  Or is it machine 
> > 
> > 
> 
> ssh keys are specific to the user - they are in the users .ssh directory in
> their home user directory. Root also has its own .ssh
> 
> On the server side you can choose who to allow to connect and also whether
> to allow password connections and many other options in /etc/ssh/sshd_config 
> and you can find more in "man sshd_config"

In part the answer is both.  Note that ssh keys can be setup by the administrator 
to allow access at a global system level and also individual users have the
ability to set (within limits) ssh keys and features for their own account.

Looking at the sshd man page finds:
     "The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
     public keys for all known hosts.  The global file should be prepared by
     the administrator (optional), and the per-user file is maintained auto-
     matically: whenever the user connects from an unknown host, its key is
     added to the per-user file."

Also each host has a key specific to itself that is used in the initial setup
and serves as a fingerprint for subsequent connections.
   http://suso.org/docs/shell/ssh.sdf
   http://www.openssh.org/

Like individual user keys individual host keys can be 'replicated' in
strategic ways that make hosts equivalent in a number of interesting and useful
way.  However there is a bit of exchanging security for ease of use
sort of like a campus master key or master key ring.

I did a bit of googling for interesting ssh tricks and was convinced that
most of the interesting things are not documented because they are obvious
to those that understand key system design.   But multiple key system design is
not in itself simple....


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?




More information about the users mailing list