EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Confused about SSH Server Public-Key and User Verification

#9578
Posted: 04/06/2009 21:34:17
by John Toops (Standard support level)
Joined: 04/06/2009
Posts: 2

I've been looking at the forum and the .NET version of the example SSHServer. So my understanding is that you create a public/private key combination for both the server and client (i.e. individual user). The ssh server is to be pre-populated with the client's public key. The ssh client should be pre-populated with the server's public key. Using public key authorization, the client gives the server its public key. The server looks up the known user's public key by user name. From the example, it looks like the server just compares a SHA1 hash of the given and pre-known public keys. How does this actually verify that the user is who they say they are? It is a public key, which I assume can be known by any server that the client talks to. As far as I can tell, the server doesn't require or have functionality to make the client prove that it knows the client's private key.

Sorry if I am misunderstanding stuff. If someone can clarify, that would be greatly appreciated. Thanks, John
#9579
Posted: 04/06/2009 23:42:14
by Eugene Mayevski (EldoS Corp.)

Quote
John Toops wrote:
The ssh client should be pre-populated with the server's public key. Using public key authorization, the client gives the server its public key.


The client needs to have the keypair. Then the client uses the private key in key exchange (KEX) procedure. The server doesn't receive the private key of the client, but this private key still needs to be present and used.


Sincerely yours
Eugene Mayevski
#9582
Posted: 04/07/2009 03:18:07
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

And, in addition: the client uses its private key for signature generation during KEX, and the validity of this signature (this validation requires the client public key to be present on the server side) proves that the client is the private key owner.
#9597
Posted: 04/07/2009 10:23:20
by John Toops (Standard support level)
Joined: 04/06/2009
Posts: 2

Thank you for the clarification. So behind the scenes, the client will create a signature using its private key. This signature and the client's public key are given to the server. The server will then use the client's public key to validate the signature. The same public key, either before or after, is passed to the event system (and uses custom code) to verify that the user is associated with the public key. I assume SecureBlackbox's ssh client code uses the same procedure to verify the server's identity. By any chance, is a failed event triggered on signature validation failure? Again, thanks for all your explanation. John
#9598
Posted: 04/07/2009 10:34:46
by Mykola Olshevsky (Basic support level)
Joined: 07/07/2005
Posts: 450

Yes, you are right. The server's identity is verified in the same way, except that the client should know a priori the validity of the server's key. (You should have noticed that all SSH clients ask about trust in the server key, showing its fingerprint, when connecting to the server for the first time. That's it.)
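The two-step check described in the replies above (the signature proves possession of the private key; the public key lookup proves the key belongs to the user), as an added example that is not part of the thread or of the SecureBlackbox code. It assumes Ed25519 keys in place of the product's key object, and a constructed `authorized` map of user names to key fingerprints standing in for the custom lookup a server does in its public-key authentication event.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
)

// sshString encodes a byte string with the uint32 length prefix SSH uses.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// signedData is what the client signs for the "publickey" method (RFC 4252 section 7):
// session id, SSH_MSG_USERAUTH_REQUEST (50), user, service, method, TRUE, algorithm, key blob.
// Binding the session id means a captured signature cannot be replayed in another session.
func signedData(sessionID []byte, user string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(50)
	for _, s := range []string{user, "ssh-connection", "publickey"} {
		buf.Write(sshString([]byte(s)))
	}
	buf.WriteByte(1)
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(pub))
	return buf.Bytes()
}

// fingerprint is a SHA-256 fingerprint of the key: a short handle for comparing against the stored key.
func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// authorize is the server side. Step 1 proves the client holds the private key;
// step 2 (the lookup a server does in its public-key auth event) proves that key belongs to this user.
func authorize(authorized map[string]map[string]bool, sessionID []byte, user string,
	pub ed25519.PublicKey, sig []byte) bool {
	if !ed25519.Verify(pub, signedData(sessionID, user, pub), sig) {
		return false // step 1 failed: client could not prove it holds the private key
	}
	return authorized[user][fingerprint(pub)] // step 2: is this key registered for this user?
}
```

A valid signature over data that omitted the session id would pass step 1 in any session, which is why the real protocol includes it.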
#10641
Posted: 07/24/2009 03:49:44
by Stefan Mittel (Basic support level)
Joined: 07/24/2009
Posts: 2

Hi,
My question on this point is: where can I check the client fingerprint in the server? I only found the point of checking the user public key and, on the client, the fingerprint of the server, but I could not find any function or property to get the client fingerprint to check it.

Can you help me?

Thanks Stefan.
#10642
Posted: 07/24/2009 04:02:12
by Ken Ivanov (EldoS Corp.)

Please use FingerprintMD5 and FingerprintSHA1 properties of the key object passed to TElSSHServer.OnAuthPublicKey event.
#10643
Posted: 07/24/2009 04:13:13
by Stefan Mittel (Basic support level)
Joined: 07/24/2009
Posts: 2

Thanks a lot. It works fine.