September 22, 2003, 5:14 pm
- Richard E. Silverman
September 22, 2003, 9:12 pm
Re: ssh public key exchange
hdu> I'm using redhat 8 and the sshd will automatically exchange the
hdu> public key in the initial stage. However, I prefer the public key
hdu> exchanged in another, more secure channel. So, I want to prohibit
hdu> the public key exchange during ssh session initialization. Does anyone
hdu> know how to do it?
You can't; the key exchange is a fixed part of the SSH protocol.
The issue is not the server giving out the key; it is public and should be
available to any potential client. The issue is the client establishing
trust in the key, i.e. the binding between the key and the server's
identity. And that is a one-sided policy issue which cannot be enforced
by the server in any way. Simply not giving out the key would not do it,
since the user could obtain the key by some other means and still not
verify it. And this would be a bad decision anyway, since in general the
client may have other more convenient means of verifying a key, such as
via a PKI; not every SSH implementation uses the common, simplistic
known-hosts files approach.
The most you can do is configure your client software to require a
known-hosts entry by default and refuse to connect otherwise, with
stricthostkeychecking=yes in the ssh_config file.
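As an added illustration (not part of the thread or of OpenSSH itself) of the client-side step the reply describes, the following code parses a known_hosts entry, computes the OpenSSH-style SHA256 fingerprint of the key blob, compares it with a fingerprint obtained out of band, and reads the StrictHostKeyChecking setting from ssh_config text. The host key and hostnames are constructed sample data, not a real server's key.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + payload)."""
    return struct.pack(">I", len(data)) + data


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint of a raw public-key blob: SHA256, base64 without padding."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str):
    """Yield (hostnames, key_type, key_blob) for each plain (unhashed) known_hosts line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, key_type, b64 = line.split()[:3]
        yield hosts.split(","), key_type, base64.b64decode(b64)


def host_key_trusted(known_hosts: str, host: str, oob_fingerprint: str) -> bool:
    """True only if known_hosts has an entry for host whose fingerprint equals the one
    obtained over a trusted channel; this binding is what the server cannot do for you."""
    for hosts, _key_type, blob in parse_known_hosts(known_hosts):
        if host in hosts and fingerprint(blob) == oob_fingerprint:
            return True
    return False


def strict_host_key_checking(ssh_config: str) -> str:
    """Effective StrictHostKeyChecking value from ssh_config text (Host blocks ignored here).
    Keywords are case-insensitive, '=' or whitespace separates the value, the first
    occurrence wins, and OpenSSH's default when unset is 'ask'."""
    for line in ssh_config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _sep, value = line.replace("=", " ", 1).partition(" ")
        if key.lower() == "stricthostkeychecking":
            return value.strip().lower()
    return "ask"


# Constructed sample: a fake ssh-ed25519 blob (type string + 32 arbitrary key bytes).
FAKE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KNOWN_HOSTS = ("server.example.com,192.0.2.10 ssh-ed25519 "
                      + base64.b64encode(FAKE_KEY_BLOB).decode() + "\n")
```

With `strict_host_key_checking` returning "yes", the client refuses any host whose key is not already in known_hosts, which is exactly the policy the reply recommends.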