“main” (Installation and Administration) 2004/6/25 13:29 page 655 #681
26 Security in the Network
Version 2 of the SSH protocol is used by default. Override this to use version 1 of the protocol with the -1 switch; protocol 1 has known weaknesses and should only be used for legacy servers that support nothing else. The client stores the public host key of every server it has contacted in ~/.ssh/known_hosts. Once a key is recorded, this protects later connections against man-in-the-middle attacks, that is, attempts by foreign SSH servers to pose as the remote host by spoofing its name or IP address. Such an attack is detected either because the presented host key does not match the one recorded in ~/.ssh/known_hosts, or because the impostor cannot prove during key exchange that it possesses the private key belonging to the recorded public key. The first contact with a host is not protected in this way: the client can only display the fingerprint of the new key, which should be compared with one obtained from the server administrator by another channel before the key is accepted.
It is recommended to back up the private and public host keys stored in /etc/ssh/ in a secure, external location. In this way, unauthorized key modifications can be detected, and the old keys can be restored after a reinstallation so that clients do not see a changed host key. This spares users any unsettling warnings. If a warning does appear and it is verified that, despite the warning, it is indeed the correct SSH server (for example by comparing the fingerprint shown with the output of ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the server, obtained by a trusted channel), the existing entry for this system must be removed from ~/.ssh/known_hosts before the new key can be accepted. Do not remove the entry without such verification: the warning is exactly the signal this mechanism exists to give.
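The host key check described above, as an added example that is not part of the original manual: a Python emulation of how an SSH client consults ~/.ssh/known_hosts, including hashed host entries (written with HashKnownHosts yes), comma-separated aliases and negated patterns, and @revoked markers, together with the SHA256 fingerprint it displays for a key. The known_hosts text and the key blobs are constructed here; the blobs are well-formed OpenSSH public key encodings but contain no real key material.

```python
import base64
import fnmatch
import hashlib
import hmac


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_blob(keytype: str, *fields: bytes) -> bytes:
    """Build a public key blob in OpenSSH wire format (type string, then key fields).
    Only used here to construct sample data; the fields are NOT real key material."""
    blob = ssh_string(keytype.encode())
    for f in fields:
        blob += ssh_string(f)
    return blob


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(hostname: str, salt: bytes) -> str:
    """Hashed host column as written by HashKnownHosts yes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))|"""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s|" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def host_field_matches(field: str, hostname: str) -> bool:
    """Match the first known_hosts column (hashed, or a comma list of patterns) against a host."""
    hostname = hostname.lower()
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64, _ = field.split("|")
        except ValueError:
            return False
        salt = base64.b64decode(salt_b64)
        actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(base64.b64decode(mac_b64), actual)
    patterns = field.lower().split(",")
    # a negated pattern that matches excludes the entry regardless of position
    if any(p.startswith("!") and fnmatch.fnmatchcase(hostname, p[1:]) for p in patterns):
        return False
    return any(not p.startswith("!") and fnmatch.fnmatchcase(hostname, p) for p in patterns)


def check_host(known_hosts: str, hostname: str, keytype: str, blob: bytes) -> str:
    """Emulate the client's host key check. Returns one of:
    'match'   - exactly this key is recorded for the host (normal connection)
    'changed' - a different key of the same type is recorded (the MITM / reinstall warning)
    'revoked' - this key is listed with the @revoked marker
    'unknown' - no key of this type is recorded (first contact; client asks to trust)"""
    result = "unknown"
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        marker = fields.pop(0) if fields[0].startswith("@") else None
        if len(fields) < 3 or fields[1] != keytype or marker == "@cert-authority":
            continue  # CA entries certify certificates, not raw host keys
        if not host_field_matches(fields[0], hostname):
            continue
        try:
            recorded = base64.b64decode(fields[2], validate=True)
        except Exception:
            continue  # unparsable line; ssh would also skip it
        if recorded == blob:
            return "revoked" if marker == "@revoked" else "match"
        if marker is None:
            result = "changed"
    return result


# Constructed sample data: syntactically valid blobs, fixed salt, no real keys.
SERVER_KEY = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 64)
BACKUP_KEY = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xcd" * 64)
IMPOSTOR_KEY = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xef" * 64)
SALT = bytes(range(20))

SAMPLE_KNOWN_HOSTS = "\n".join([
    "# plain entry with an alias, as ssh writes it on first contact",
    "server.example.com,10.0.0.5 ssh-rsa " + base64.b64encode(SERVER_KEY).decode(),
    "# hashed entry, as written with HashKnownHosts yes",
    hash_hostname("backup.example.com", SALT) + " ssh-rsa " + base64.b64encode(BACKUP_KEY).decode(),
    "# a key explicitly revoked after a compromise",
    "@revoked old.example.com ssh-rsa " + base64.b64encode(IMPOSTOR_KEY).decode(),
])

if __name__ == "__main__":
    for host, key in [("server.example.com", SERVER_KEY), ("server.example.com", IMPOSTOR_KEY),
                      ("backup.example.com", BACKUP_KEY), ("new.example.com", SERVER_KEY)]:
        print("%-20s %s %s" % (host, fingerprint(key), check_host(SAMPLE_KNOWN_HOSTS, host, "ssh-rsa", key)))
```

The "changed" outcome is what produces the REMOTE HOST IDENTIFICATION HAS CHANGED warning after a server reinstallation without restored host keys; the "unknown" outcome is the first-contact case in which only an out-of-band fingerprint comparison gives any assurance.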
26.4.6 SSH Authentication Mechanisms
Now the actual authentication takes place, which, in its simplest form, consists of entering a password as mentioned above. The goal of SSH was to introduce secure software that is also easy to use. As it is meant to replace rsh and rlogin, SSH must also be able to provide an authentication method appropriate for daily use. SSH accomplishes this by way of another key pair, which is generated by the user. The SSH package provides a helper program for this: ssh-keygen. After entering ssh-keygen -t rsa or ssh-keygen -t dsa, the key pair is generated and you are prompted for the base file name in which to store the keys. (DSA keys are no longer accepted by default in current OpenSSH versions; prefer RSA.)
Confirm the default setting and answer the request for a passphrase. Even if the software suggests an empty passphrase, a passphrase of ten to thirty characters is recommended for the procedure described here, because it is the only thing protecting the private key if the file is copied or the machine is compromised. Do not use short and simple words or phrases. Confirm by repeating the passphrase. Subsequently, you will see where the private and public keys are stored, in this example, the files id_rsa and id_rsa.pub.
Use ssh-keygen -p -t rsa or ssh-keygen -p -t dsa to change the passphrase of an existing key (ssh-keygen -p prompts for the key file if -f is not given). Copy the public key component (id_rsa.pub in the example) to the remote machine and append it as one line to ~/.ssh/authorized_keys there; the private key never leaves your machine. You will be asked for your passphrase, instead of the account password, the next time you establish a connection. If this does not occur, verify the location and contents of these files, and make sure that ~/.ssh and authorized_keys on the remote machine are writable only by their owner: with StrictModes (the default), sshd silently ignores them otherwise.
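As an added example of the last step, not part of the original manual: a Python checker for ~/.ssh/authorized_keys that catches the usual reasons a freshly copied key is silently ignored, namely a key wrapped across two lines by the terminal it was pasted through, a key blob that does not match its declared type, a legacy ssh-dss key, and a file mode that StrictModes rejects. The sample file is constructed here, the key blobs carry no real key material, and the rsync command in the options field only illustrates a restricted key.

```python
import base64
import stat

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def make_blob(keytype: str, *fields: bytes) -> bytes:
    """Build a public key blob in OpenSSH wire format. Sample data only, not real keys."""
    blob = ssh_string(keytype.encode())
    for f in fields:
        blob += ssh_string(f)
    return blob


def split_authorized_line(line: str):
    """Split one authorized_keys line into (options, keytype, b64, comment).
    Options such as from="..." or command="..." may contain quoted spaces,
    so a plain str.split() is not enough."""
    tokens, cur, quoted = [], "", False
    for ch in line.strip():
        if ch == '"':
            quoted = not quoted
            cur += ch
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
                cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    if not tokens:
        return None
    options = tokens.pop(0) if tokens[0] not in KEY_TYPES else None
    if len(tokens) < 2:
        return None  # no "keytype base64" pair left: malformed line
    return options, tokens[0], tokens[1], " ".join(tokens[2:])


def parse_blob(blob: bytes):
    """Walk the SSH wire-format strings in a key blob and return them; raise ValueError
    when the embedded lengths do not line up with the blob (truncated or corrupted)."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("dangling length prefix")
        n = int.from_bytes(blob[pos:pos + 4], "big")
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    if not fields:
        raise ValueError("empty blob")
    return fields


def check_authorized_keys(text: str):
    """Return (line_no, status, detail) for every non-comment line of an authorized_keys file."""
    report = []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parsed = split_authorized_line(line)
        if parsed is None:
            report.append((no, "malformed", "cannot find key type and key data"))
            continue
        options, keytype, b64, _comment = parsed
        try:
            fields = parse_blob(base64.b64decode(b64, validate=True))
        except Exception as exc:  # binascii.Error or ValueError
            report.append((no, "malformed", "key data does not decode: %s" % exc))
            continue
        embedded = fields[0].decode("ascii", "replace")
        if embedded != keytype:
            report.append((no, "malformed", "declared %s but blob says %s" % (keytype, embedded)))
        elif keytype == "ssh-dss":
            report.append((no, "weak", "ssh-dss is disabled by default since OpenSSH 7.0"))
        else:
            detail = keytype + (" (restricted: %s)" % options if options else "")
            report.append((no, "ok", detail))
    return report


def strict_modes_ok(mode: int) -> bool:
    """With StrictModes yes (the default) sshd ignores authorized_keys, ~/.ssh and the home
    directory when any of them is writable by group or others."""
    return (mode & (stat.S_IWGRP | stat.S_IWOTH)) == 0


# Constructed sample file: well-formed blobs, no real key material.
RSA_BLOB = make_blob("ssh-rsa", b"\x01\x00\x01", b"\x00" + b"\xab" * 64)
DSS_BLOB = make_blob("ssh-dss", b"\x00" + b"\x11" * 32, b"\x00" + b"\x22" * 20,
                     b"\x00" + b"\x33" * 32, b"\x00" + b"\x44" * 32)
RSA_B64 = base64.b64encode(RSA_BLOB).decode()

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    "ssh-rsa %s user@laptop" % RSA_B64,
    'from="10.0.0.0/8",no-pty,command="/usr/bin/rsync --server --sender ." ssh-rsa %s backup' % RSA_B64,
    "ssh-rsa " + RSA_B64[:40],          # the same key pasted through a wrapping terminal:
    RSA_B64[40:] + " user@laptop",      # two lines, neither of which sshd will accept
    "ssh-dss %s legacy@host" % base64.b64encode(DSS_BLOB).decode(),
    "ssh-ed25519 %s mislabelled" % RSA_B64,
])

if __name__ == "__main__":
    for no, status, detail in check_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print("line %d: %-9s %s" % (no, status, detail))
    print("mode 0600 acceptable:", strict_modes_ok(0o600), "mode 0664 acceptable:", strict_modes_ok(0o664))
```

Run against a real file with check_authorized_keys(open(path).read()) and strict_modes_ok(os.stat(path).st_mode); a "malformed" result on the line you just appended is almost always the wrapped-paste problem the sample reproduces.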
SUSE LINUX Enterprise Server