Re: ssh clarification needed

On Sun, Jan 04, 2009 at 03:32:24AM -0800, Mike Cloaked wrote:
> Anne Wilson-4 wrote:
> > 
> > 
> > Is a ssh key specific to a computer, or to a user?  That is, does my key 
> > pertain to any box on the lan, as long as I'm the user?  Or is it machine 
> > 
> > 
> 
> ssh keys are specific to the user - they are in the user's .ssh directory in
> their home user directory. Root also has its own .ssh
> 
> On the server side you can choose who to allow to connect and also whether
> to allow password connections and many other options in /etc/ssh/sshd_config 
> and you can find more in "man sshd_config"

In part the answer is both.  Note that ssh keys can be set up by the administrator 
to allow access at a global system level and also individual users have the
ability to set (within limits) ssh keys and features for their own account.

Looking at the sshd man page finds:
     "The /etc/ssh/ssh_known_hosts and ~/.ssh/known_hosts files contain host
     public keys for all known hosts.  The global file should be prepared by
     the administrator (optional), and the per-user file is maintained
     automatically: whenever the user connects from an unknown host, its key
     is added to the per-user file."

Also each host has a key specific to itself that is used in the initial setup
and serves as a fingerprint for subsequent connections.
   http://suso.org/docs/shell/ssh.sdf
   http://www.openssh.org/

Like individual user keys, individual host keys can be 'replicated' in
strategic ways that make hosts equivalent in a number of interesting and useful
ways.  However, there is a bit of exchanging security for ease of use,
sort of like a campus master key or master key ring.

I did a bit of googling for interesting ssh tricks and was convinced that
most of the interesting things are not documented because they are obvious
to those that understand key system design.  But multiple key system design is
not in itself simple....


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
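
An added example, not part of the original message and not OpenSSH code: a Python sketch that parses known_hosts-style entries and reports host keys that appear under more than one host entry, which is the 'replicated' host key situation described above. The host names and keys are constructed sample data, and make_blob, parse_known_hosts and shared_host_keys are hypothetical helper names.

```python
import base64
import hashlib
import struct
from collections import defaultdict

def make_blob(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 public key blob (sample data, not a real key)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(hashlib.sha256(seed).digest())).decode()

# Constructed known_hosts content: alpha and beta share one host key.
SAMPLE = "\n".join([
    "# constructed example entries",
    f"alpha.lan,192.168.1.10 ssh-ed25519 {make_blob(b'shared')}",
    f"beta.lan ssh-ed25519 {make_blob(b'shared')} cloned-image",
    f"gamma.lan ssh-ed25519 {make_blob(b'unique')}",
    f"@cert-authority *.lan ssh-ed25519 {make_blob(b'ca')}",
    f"|1|c2FsdA==|aGFzaA== ssh-ed25519 {make_blob(b'hashed-name')}",
])

def fingerprint(b64key: str) -> str:
    """SHA256 fingerprint in the form OpenSSH prints (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (marker, host_field, keytype, fingerprint) for each entry."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3:
            continue  # malformed entry: need hosts, key type, key
        yield marker, fields[0], fields[1], fingerprint(fields[2])

def shared_host_keys(text):
    """Map fingerprint -> host entries, for plain host keys listed more than once."""
    seen = defaultdict(set)
    for marker, hosts, _keytype, fp in parse_known_hosts(text):
        if marker is None:  # ignore @cert-authority and @revoked lines
            seen[fp].add(hosts)  # one entry may carry several names for one host
    return {fp: sorted(h) for fp, h in seen.items() if len(h) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE).items():
        print(fp, "is presented by:", ", ".join(hosts))
```

Hosts that share a fingerprint cannot be told apart by the client, so each group in the output is one trust decision covering every machine in it.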