info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Are ssh keys tied to a user or the originating machine?
1,531 views
Skip to first unread message
JimR
Nov 21, 2015, 1:10:09 PM11/21/15
to
I'm trying to better understand ssh.
User foo on machine bar generates a keypair, and provides the public key
to remote user dokes on machine shme . foo connects to dokes account
at shme, and everything is happy.
Then user foo also has an account on machine baz. He takes the private
key he generated on machine bar, and copies it to machine baz. Can he
connect to dokes on shme? My limited testing suggests that it works.
Is that a universal truth?
Next, foo passes his private key to unrelated user thud on machine
grunt. thud installs the private key owned by foo. Can thud now
connect to user dokes on machine shme?
Next, replace the above ssh keys with PGP keys. Do the same answers apply?
Thanks,
JimR
User foo on machine bar generates a keypair, and provides the public key
to remote user dokes on machine shme . foo connects to dokes account
at shme, and everything is happy.
Then user foo also has an account on machine baz. He takes the private
key he generated on machine bar, and copies it to machine baz. Can he
connect to dokes on shme? My limited testing suggests that it works.
Is that a universal truth?
Next, foo passes his private key to unrelated user thud on machine
grunt. thud installs the private key owned by foo. Can thud now
connect to user dokes on machine shme?
Next, replace the above ssh keys with PGP keys. Do the same answers apply?
Thanks,
JimR
William Unruh
Nov 21, 2015, 1:15:53 PM11/21/15
to
On 2015-11-21, JimR <NotR...@yahoo.com> wrote:
> I'm trying to better understand ssh.
>
> User foo on machine bar generates a keypair, and provides the public key
> to remote user dokes on machine shme . foo connects to dokes account
> at shme, and everything is happy.
>
> Then user foo also has an account on machine baz. He takes the private
> key he generated on machine bar, and copies it to machine baz. Can he
> connect to dokes on shme? My limited testing suggests that it works.
> Is that a universal truth?
Yes
> I'm trying to better understand ssh.
>
> User foo on machine bar generates a keypair, and provides the public key
> to remote user dokes on machine shme . foo connects to dokes account
> at shme, and everything is happy.
>
> Then user foo also has an account on machine baz. He takes the private
> key he generated on machine bar, and copies it to machine baz. Can he
> connect to dokes on shme? My limited testing suggests that it works.
> Is that a universal truth?
>
> Next, foo passes his private key to unrelated user thud on machine
> grunt. thud installs the private key owned by foo. Can thud now
> connect to user dokes on machine shme?
>
Yes-- but a really really bad idea.
> Next, foo passes his private key to unrelated user thud on machine
> grunt. thud installs the private key owned by foo. Can thud now
> connect to user dokes on machine shme?
>
> Next, replace the above ssh keys with PGP keys. Do the same answers apply?
world wound anything know who is using the key?
>
> Thanks,
> JimR
Richard Kettlewell
Nov 22, 2015, 9:09:15 AM11/22/15
to
JimR <NotR...@yahoo.com> writes:
> I'm trying to better understand ssh.
>
> User foo on machine bar generates a keypair, and provides the public
> key to remote user dokes on machine shme . foo connects to dokes
> account at shme, and everything is happy.
>
> Then user foo also has an account on machine baz. He takes the
> private key he generated on machine bar, and copies it to machine baz.
> Can he connect to dokes on shme? My limited testing suggests that it
> works. Is that a universal truth?
>
> Next, foo passes his private key to unrelated user thud on machine
> grunt. thud installs the private key owned by foo. Can thud now
> connect to user dokes on machine shme?
The keys are not ‘tied’ to anything. When you permit access to a public
> I'm trying to better understand ssh.
>
> User foo on machine bar generates a keypair, and provides the public
> key to remote user dokes on machine shme . foo connects to dokes
> account at shme, and everything is happy.
>
> Then user foo also has an account on machine baz. He takes the
> private key he generated on machine bar, and copies it to machine baz.
> Can he connect to dokes on shme? My limited testing suggests that it
> works. Is that a universal truth?
>
> Next, foo passes his private key to unrelated user thud on machine
> grunt. thud installs the private key owned by foo. Can thud now
> connect to user dokes on machine shme?
key (in .ssh/authorized_keys), any holder of the corresponding private
key can authenticate.
Copying private keys around is not a great strategy. Consider what
happens when one of the accounts holding the private key is compromised.
Your response to this situation is to remove the corresponding key from
all .ssh/authorized_keys files; i.e. to revoke all access from that key
to anything. If you have the same private key on multiple machines then
the effect is to revoke access from all those machines, even if only one
of them was compromised.
I’d suggest that the only good reason to do this is if there is some
difficulty with having multiple entries in (the equivalent of)
.ssh/authorized_keys.
In short although the keys are not physically connected to user or host,
it’s probably best to treat them as if they were.
> Next, replace the above ssh keys with PGP keys. Do the same answers
> apply?
signatures or decrypt received messages (assuming it is a
signature-capable or decryption-capable key, respectively).
--
http://www.greenend.org.uk/rjk/
jc09...@gmail.com
Jun 3, 2018, 10:25:25 PM6/3/18
to
Hopefully someone else responded to this crap, coz I'm ticked off with the extra work deciphering your questions
William Unruh
Jun 4, 2018, 4:40:42 AM6/4/18
to
On 2018-06-04, jc09...@gmail.com <jc09...@gmail.com> wrote:
> On Saturday, November 21, 2015 at 1:10:09 PM UTC-5, JimR wrote:
>> I'm trying to better understand ssh.
>>
>> User foo on machine bar generates a keypair, and provides the public key
>> to remote user dokes on machine shme . foo connects to dokes account
>> at shme, and everything is happy.
>>
>> Then user foo also has an account on machine baz. He takes the private
>> key he generated on machine bar, and copies it to machine baz. Can he
>> connect to dokes on shme? My limited testing suggests that it works.
>> Is that a universal truth?
Yes.
> On Saturday, November 21, 2015 at 1:10:09 PM UTC-5, JimR wrote:
>> I'm trying to better understand ssh.
>>
>> User foo on machine bar generates a keypair, and provides the public key
>> to remote user dokes on machine shme . foo connects to dokes account
>> at shme, and everything is happy.
>>
>> Then user foo also has an account on machine baz. He takes the private
>> key he generated on machine bar, and copies it to machine baz. Can he
>> connect to dokes on shme? My limited testing suggests that it works.
>> Is that a universal truth?
Note that there are two keys, a machine key pair, and a personal key pair. The
machine keys are to ensure that you actually connect to the machine you claim
to be connecting to. (the public keys of those machines are stored in
your local machine. It you have never connected to it before, it asks if you
ae sure that you are connecting to the right machine, and if you assure the program you
are it stores the other side's public key on your machine, so you do not have
to give that assurance again) The personal private key is used for the other side to make sure that it
is actually you loggin in (your machine uses the private key to sign a message
which the other side decodes to make sure it is you).
>>
>> Next, foo passes his private key to unrelated user thud on machine
>> grunt. thud installs the private key owned by foo. Can thud now
>> connect to user dokes on machine shme?
Very very stupid move.
>> Next, foo passes his private key to unrelated user thud on machine
>> grunt. thud installs the private key owned by foo. Can thud now
>> connect to user dokes on machine shme?
>>
>> Next, replace the above ssh keys with PGP keys. Do the same answers apply?
What has PGP to do here? It is not used for connecting to machines. But yes,
>> Next, replace the above ssh keys with PGP keys. Do the same answers apply?
your key pair is yours, and if anyone else gets ahold of it, then can reay any
mail you have or ever will encrypt with that key pair. Again a totally stupid
thing to do to let anyone get your private key. Anyone, including your
wife/lover/boss/National security agency.
Carlos E.R.
Jun 4, 2018, 5:36:09 AM6/4/18
to
You are replying to a post from 2015. There is no point on asking or
saying anything now.
--
Cheers, Carlos.
Aragorn
Jun 4, 2018, 6:24:14 AM6/4/18
to
On Monday 04 June 2018 11:35, Carlos E.R. conveyed the following to
comp.os.linux.security...
> On 2018-06-04 04:25, jc09...@gmail.com wrote:
>
>> On Saturday, November 21, 2015 at 1:10:09 PM UTC-5, JimR wrote:
>>
>>> I'm trying to better understand ssh.
>>>
>>> [...]
interface to Usenet. It is one of the reasons ─ albeit not the only
reason ─ why I've decided to start filtering out anything coming in
through Google Groups. ;)
--
With respect,
= Aragorn =
comp.os.linux.security...
> On 2018-06-04 04:25, jc09...@gmail.com wrote:
>
>> On Saturday, November 21, 2015 at 1:10:09 PM UTC-5, JimR wrote:
>>
>>> I'm trying to better understand ssh.
>>>
>>
>> I just read your post. How about some appropriate names so we all
>> don't have to keep track of whether "shit" refers to a machine or
>> user. Hopefully someone else responded to this crap, coz I'm ticked
>> off with the extra work deciphering your questions
>
> Who cares?
>
> You are replying to a post from 2015. There is no point on asking or
> saying anything now.
That seems to happen quite a lot with people who use Google Groups as an
>> I just read your post. How about some appropriate names so we all
>> don't have to keep track of whether "shit" refers to a machine or
>> user. Hopefully someone else responded to this crap, coz I'm ticked
>> off with the extra work deciphering your questions
>
> Who cares?
>
> You are replying to a post from 2015. There is no point on asking or
> saying anything now.
interface to Usenet. It is one of the reasons ─ albeit not the only
reason ─ why I've decided to start filtering out anything coming in
through Google Groups. ;)
--
With respect,
= Aragorn =
Carlos E.R.
Jun 4, 2018, 7:16:09 AM6/4/18
to
--
Cheers, Carlos.
0 new messages