- Posted on
July 22, 2003, 3:56 pm
Someone says it is not safe to give passphrase and should leave it
empty. The reason is when a user enters a passphrase (or a password)
in a network environment, anyone who controls either the client
or the server machine will get it. Does this mean passphrase is
sent by pure text since RSA or DSA authorization has not finished? Am
I right?
Another question is what's the use of rsa or dsa key for the host.
When I use openssh, it generates a pair of public and private key for
the host. Is it used for RhostsRSA, which is a delegation of user
authentication from the server to the client host. Client saves the
private key, and sends the public key to server as known host. Is it
true? Is it used only for client host to let server know it is from
the right client in ssh environment?
- Richard E. Silverman
July 22, 2003, 4:40 pm
Re: What's the use of passphrase used in generated RSA or DSA key?
hh> It is only used to encrypt identity file (which is the private
hh> key). Someone says it is not safe to give passphrase and should
hh> leave it empty. The reason is when a user enters a passphrase (or a
hh> password) in a network environment, anyone who controls either the
hh> client machine or the server machine will get it. Does this
hh> mean passphrase is sent by pure text since RSA or DSA
hh> authorization has not finished? Am I right?
The passphrase is not "sent" by SSH at all. As you observe, it is used to
decrypt the user's private key, which is done on the client host. So, it
is subject to whatever security properties apply to the client/user
situation at the time. If you're sitting at the console of the client
host, presumably this is fine -- unless your box has been hacked in some
way, but then everything you type is in peril. If your access to the
client host is via the network from yet another host, then of course you
must take precautions that your passphrase is not revealed on its way to
the SSH client (or better yet, use SSH with agent forwarding for that
connection too, so that your keys are *always* loaded on a local, trusted
hh> Another question is what's the use of rsa or dsa key for the host...
The primary use of the host key is server authentication. It allows the
client to verify the identity of the server; that is, to gain assurance
that the client is connecting to the entity it intends to reach. This is
to resist spoofing and man-in-the-middle attacks.
Secondarily, it is also used in the other direction for trusted-host
(RhostsRSA, hostbased) user authentication.