Introduction to Keys
» Table of Contents |  |  | » Glossary | | | » Index | | |
| | |
| ||
| ||
SSH uses public-key cryptography to verify the identity of hosts as well as the identity of individual users. Public-key cryptography uses a pair of mathematically related keys. One key is public and is distributed to anyone who wants it; the other key is private and is known only to the owner. When a message is encrypted with a certain public key, it can only be decrypted by using the associated private key.
The SSH host public and private keys are asymmetric keys that distinguish and identify hosts. Specifically:
The server host provides its public key to connecting clients so that they can verify the identity of the server.
The client host provides its public key to the server so that the server can verify the identity of the client host during host-based authentication.
Host keys are created either during TCP/IP configuration by the TCPIP$CONFIG.COM command procedure, or manually by a system manager, using the SSH_KEYGEN utility, as described in Chapter 7.
| |
| |
| |
 | NOTE: SSH for OpenVMS is configured with a single SSH service listening port (22) and a single host key. All incarnations of the SSH server process use the same host key. |
| |
| |
| |
Public key authentication requires that a user also have a public-private key pair. The public key is published and distributed, or copied, to all the SSH servers with which the user communicates. The private key is kept on the local SSH client and must not be revealed to anyone except the key's owner. The user creates the public-private key pair by using the SSH_KEYGEN key generation utility (described in Chapter 7). The user's keys are used during public-key authentication. For information about the public-key authentication method, see Chapter 3.
Key are generated by using the SSH_KEYGEN utility, as described in Chapter 7. SSH_KEYGEN generates both user's keys and host keys. For each key, the SSH_KEYGEN utility generates a pair of files: one with a public key and one with a private key. These files are used by cryptographic algorithms.
A user might need several, even hundreds of keys. For example, you might use one key for each remote server to which you connect, or one key for each account on a remote server. The following utilities are available to help manage multiple keys:
SSH_ADD helps you add private keys to the authentication agent.
For more information about these utilities, see Chapter 7.