Security at the expense of usability comes at the expense of security.

Public key authentication is confusing, even for “professionals”. Part of the confusion is that base64-encoded public keys and private keys are just huge globs of meaningless letters and numbers. Even the hashed fingerprints of these keys are just slightly smaller meaningless globs of letters and numbers.

> It is a known fact in psychology that people are slow and unreliable at processing or memorizing meaningless strings.
> – Hash Visualization: a New Technique to improve Real-World Security

Ensuring that two keys are the same means comparing key hashes, i.e. fingerprints. When using the md5 hash algorithm, comparing a key fingerprint means comparing 16, 16-bit numbers (and for the uninitiated that means blankly staring at 32 meaningless letters and numbers). In practice, that usually means not comparing 32 meaningless letters and numbers except when strictly necessary: Security at the expense of usability comes at the expense of security.

I spend a lot of time looking at the authlog and comparing keys. I’ve learned some fun tricks that I use constantly:

| Task | Man page | Command |
| --- | --- | --- |
| Get fingerprint from public key | ssh-keygen(1) | `ssh-keygen -l -f` |
| Generate a public key given a private key | ssh-keygen(1) | `ssh-keygen -y -f` |
| Automatically add server key to known_hosts file | ssh-keyscan(1) | `ssh-keyscan -H > ~/.ssh/known_hosts` |
| List key fingerprints in ssh-agent | ssh-agent(1) | `ssh-add -l` |

When I get the message `Permission denied (publickey)`, I have a protocol:

1. Find the fingerprint of the key being used by the authenticating host. This will either be in ssh-agent or I may have to use `ssh-keygen -l -E md5 -f` on the authenticating host.
2. Find the authorized_keys file on the target machine: `grep 'AuthorizedKeysFile' /etc/ssh/sshd_config`.
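As an added example (not the author's code), the fingerprint comparison that the protocol above does by hand, in Python: it derives the same MD5 and SHA256 fingerprints that `ssh-keygen -l` prints from a public-key line, then looks the client's key up in an authorized_keys text by fingerprint, ignoring option prefixes and comment fields. All keys are constructed sample material and the helper names are my own.

```python
import base64
import hashlib
import struct

# Constructed sample keys (fake key material, not real keys): an ssh-ed25519 wire
# blob is the length-prefixed type string followed by the 32-byte public key.
def make_ed25519_blob(seed: int) -> bytes:
    ktype = b"ssh-ed25519"
    raw = bytes((seed * 7 + i) % 256 for i in range(32))
    return struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + raw
def make_pubkey_line(seed: int, comment: str) -> str:
    return f"ssh-ed25519 {base64.b64encode(make_ed25519_blob(seed)).decode()} {comment}"

CLIENT_PUBKEY = make_pubkey_line(1, "alice@laptop")  # the key the client offers
AUTHORIZED_KEYS = "\n".join([                        # what the server's authorized_keys holds
    "# constructed authorized_keys for the example",
    make_pubkey_line(2, "bob@desktop"),
    'from="10.0.0.0/8" ' + make_pubkey_line(1, "alice@old-comment"),  # same key, option + other comment
    make_pubkey_line(3, "carol@phone"),
])
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-", "sk-")

def key_blob(line: str):
    """Decode the key blob from a public-key or authorized_keys line; None if absent or invalid."""
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):  # options like from= or command= precede the type token
        if tok.startswith(KEY_TYPES):
            try:
                return base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:  # binascii.Error: malformed base64
                return None
    return None

def fingerprint_md5(blob: bytes) -> str:
    # Legacy form printed by `ssh-keygen -l -E md5`: 16 colon-separated hex bytes
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

def fingerprint_sha256(blob: bytes) -> str:
    # Modern OpenSSH default: base64 of the SHA-256 digest with '=' padding dropped
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def find_authorized(client_line: str, authorized_keys: str, algo=fingerprint_sha256):
    """1-based line of the authorized_keys entry whose fingerprint equals the client key's, else None."""
    target = key_blob(client_line)
    want = algo(target) if target is not None else None
    for lineno, line in enumerate(authorized_keys.splitlines(), 1):
        blob = None if line.lstrip().startswith("#") else key_blob(line)
        if blob is not None and algo(blob) == want:  # compare fingerprints, not base64 text
            return lineno
    return None
```

Matching by fingerprint rather than by the raw base64 line is what makes the comparison robust to a differing comment or a `from=`/`command=` option on the server side.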