It's not opening the pub file at all, so it must be extracting the public key from the private key. openat(AT_FDCWD, "/home/sweh/.ssh/id_rsa", O_RDONLY|O_CLOEXEC) = 8 Let's create a simple rclone test config: Īnd what do we see with this one? $ strace -ff rclone lsd sftptest: 2>&1 | grep id_rsa Open("/home/sweh/.ssh/id_rsa-cert.pub", O_RDONLY) = -1 ENOENT (No such file or directory) Open("/home/sweh/.ssh/id_rsa-cert", O_RDONLY) = -1 ENOENT (No such file or directory) Open("/home/sweh/.ssh/id_rsa.pub", O_RDONLY) = 4 Open("/home/sweh/.ssh/id_rsa", O_RDONLY) = 4 Now we can see an example of OpenSSH and the files it opens: $ strace -ff ssh uname -a 2>&1 | grep ^open.*id_rsa
So let's unencrypt the private key (to make this easier, going forward) with ssh-keygen -p and add it to the authorized_keys file. This gets important if there's a lot of possible keys (why unlock those that can't be used, anyway?) By having a separate public key file it means we can send the public key to the server and then only need to unlock the one(s) being used to authenticate. pub file? Well, if you looked carefully I needed to enter the passphrase to unlock the encrypted private key file. So why, if the public key is in the private key file do we need a.
Ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDScBL2j0mwz7swpHBLzE4HjaJ6OpC96sg50aB1LRPbfdojKjiyuc9fC8VSCCCAHdovFihheLsbPyWKGq/tMM4e8JXp0YD2AG63k8FZ98WjAgC5g6UAK+MitmtRxCyjF52JoLioM1R9iACN+8guV0oZ9sSD7DNW2UTZrlgDavrM0QZ17tWu3QEz6U+l1bQwdisZxNpomED5quYI6pZypAdzBKi8HJw7BJDtmoEirPZzTP+T1Iw6pH/7tMDNQ8atk8OAH2VCAYIurXjxXG8+XNoPaqBtU2dF+8gK4TsLU0gqgYRlnE0UIu0aXQb+YSWNV5Xk7oo86F5cMF0WCGCGJ0l9 can see the key is the same, just missing the comment at the end. Ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDScBL2j0mwz7swpHBLzE4HjaJ6OpC96sg50aB1LRPbfdojKjiyuc9fC8VSCCCAHdovFihheLsbPyWKGq/tMM4e8JXp0YD2AG63k8FZ98WjAgC5g6UAK+MitmtRxCyjF52JoLioM1R9iACN+8guV0oZ9sSD7DNW2UTZrlgDavrM0QZ17tWu3QEz6U+l1bQwdisZxNpomED5quYI6pZypAdzBKi8HJw7BJDtmoEirPZzTP+T1Iw6pH/7tMDNQ8atk8OAH2VCAYIurXjxXG8+XNoPaqBtU2dF+8gK4TsLU0gqgYRlnE0UIu0aXQb+YSWNV5Xk7oo86F5cMF0WCGCGJ0l9 The private key contains a copy of it! We can see this with ssh-keygen -y. Now one of things hidden, here, is that you don't actually need the pub file to do this. The "complicated math" is where signing happens the client signs a message using the private key, and the server validates it using the public key. It matches what's in the authorized_keys file. Server says "Hey, I like the look of this.Sends key to server (kinda detail not important).But I'm not too sure.Ī simple ssh key based authentication goes something like. I don't think so I think that "signer" is part of signing the challenge as part of the authentication process.
0 kommentar(er)
