John, I think you have missed the point for ssh... It is just a terminal you use in connecting remotely to a box just like telnet, the difference is that the traffic between the remote location and your box is encrypted... hence it is this encryption that the keys are used for. Hence to get access to the box you would still require the account that was created for you to log on with. This is where PAM comes in... to authenticate who you are...

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of m.roth2006@xxxxxxx
Sent: Wednesday, March 28, 2007 5:08 PM
To: General Red Hat Linux discussion list
Subject: Re: ssh and keys

John,

>Date: Wed, 28 Mar 2007 16:00:00 +0100 (BST)
>From: "John O'Loughlin" <j.oloughlin@xxxxxxxxxx>
>
>I'm not sure what you mean by parallel, but there is no relationship
>between your standard password and the key pair you generate.
>
>password aging does not affect your keys.
>

Okay... so I'm a bit lost - how can you log onto a box without using your real password, the one that you're prompted for if you don't use the ssh key pair? Does PAM's sshd authentication, which points to system-auth, not get pulled in for validation?

mark

>John
>
>On Wed, 28 Mar 2007, m.roth2006@xxxxxxx wrote:
>
>> So, here's one for the assembled knowledge base here:
>> if I use ssh-keygen to create a key pair, and put the public key on the remote box, so that I can ssh in without being prompted for a password, this leaves me confused about a couple of things:
>> 1) is the ssh key pair in parallel to the real password
>> for the account? That is, if I create a keypair and
>> use either no passphrase, or some password other
>> than my actual password for the account, does ssh
>> go *around* the standard authentication?
>> 2) since the remote box ages passwords, does PAM know
>> that I'm using an ssh key pair, and age *them*,
>> or do I merely have to change my real password in
>> a timely manner, but don't have to regen a new
>> ssh key pair?
>>
>> Thanks in advance.
>>
>> mark
>>
>> --
>> redhat-list mailing list
>> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
>> https://www.redhat.com/mailman/listinfo/redhat-list
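
A review that follows from John's point that password aging and key pairs are tracked separately, added here as an example that is not part of the thread: it lists accounts whose password is past its maximum age in /etc/shadow but that still have a public key installed. The shadow lines, the set of key-holding users and the function names are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

# Constructed /etc/shadow lines (not from the thread); fields are
# name:hash:lastchg:min:max:warn:inactive:expire, dates in days since 1970-01-01.
SAMPLE_SHADOW = """\
mark:$6$constructed$hash:13500:0:90:7:::
john:$6$constructed$hash:13590:0:90:7:::
svc:!!:13000:0:99999:7:::
newhire:$6$constructed$hash:0:0:90:7:::
"""
# Constructed: accounts assumed to have a non-empty ~/.ssh/authorized_keys.
SAMPLE_KEY_USERS = {"mark", "svc", "newhire"}


def days_overdue(lastchg, maxdays, today_day):
    """Days past password expiry, 0 if a change is forced, None if not expired."""
    if lastchg == "" or maxdays == "":
        return None                      # aging disabled for this account
    if int(lastchg) == 0:
        return 0                         # shadow(5): change required at next login
    overdue = today_day - (int(lastchg) + int(maxdays))
    return overdue if overdue > 0 else None


def key_users_with_expired_password(shadow_text, key_users, today):
    """Return sorted (user, days_overdue) for key-holding accounts past max age."""
    today_day = (today - EPOCH).days
    flagged = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5 or fields[0] not in key_users:
            continue                     # malformed line or no key installed
        overdue = days_overdue(fields[2], fields[4], today_day)
        if overdue is not None:
            flagged.append((fields[0], overdue))
    return sorted(flagged)


if __name__ == "__main__":
    for user, overdue in key_users_with_expired_password(
            SAMPLE_SHADOW, SAMPLE_KEY_USERS, date(2007, 3, 28)):
        print(f"{user}: key installed, password {overdue} day(s) past max age")
```

On a real host the two inputs would come from reading /etc/shadow as root and checking each home directory for an authorized_keys file.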