SSH uses public-key cryptography to verify the identity of hosts as well as the identity of individual users. Public-key cryptography uses a pair of mathematically related keys. One key is public and is distributed to anyone who wants it; the other key is private and is known only to the owner. When a message is encrypted with a certain public key, it can only be decrypted by using the associated private key.
Host Keys
The SSH host public and private keys are asymmetric keys that distinguish and identify hosts. Specifically:
- The server host provides its public key to connecting clients so that they can verify the identity of the server.
- The client host provides its public key to the server so that the server can verify the identity of the client host during host-based authentication.
Host keys are created either during TCP/IP configuration by the TCPIP$CONFIG.COM command procedure, or manually by a system manager, using the SSH_KEYGEN utility, as described in Chapter 7.
NOTE: SSH for OpenVMS is configured with a single SSH service listening port (22) and a single host key. All incarnations of the SSH server process use the same host key.
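The server-identity check described above, as an added example that is not part of this manual: a client compares the host public key a server presents with the fingerprint it recorded on an earlier, verified contact. It assumes the one-line "ssh-ed25519 <base64 blob> comment" public-key format and a simple host-to-fingerprint mapping as the trust store; the key bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data

def parse_public_key(line: str) -> tuple:
    """Return (key type, raw key blob) from a one-line public-key entry.

    The blob's first field repeats the key type; a mismatch means the entry is
    corrupt or tampered with and must not be trusted.
    """
    key_type, b64, *_comment = line.split()
    blob = base64.b64decode(b64, validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, blob

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint of the key blob, base64 without padding (OpenSSH style)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def check_host_key(host: str, presented: str, known_hosts: dict) -> str:
    """Compare the key a server presents with the fingerprint stored for that host.

    "trusted": stored fingerprint matches.  "unknown": first contact, so the user
    must confirm the fingerprint out of band before it is stored.  "MISMATCH":
    the host key changed or another machine is answering; refuse to connect.
    """
    _, blob = parse_public_key(presented)
    stored = known_hosts.get(host)
    if stored is None:
        return "unknown"
    return "trusted" if stored == fingerprint(blob) else "MISMATCH"

def make_sample_key(fill: int) -> str:
    """Constructed ssh-ed25519 entry with 32 placeholder key bytes (not a real key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " sample-host"

GENUINE_KEY = make_sample_key(1)   # the key the real server holds
ROGUE_KEY = make_sample_key(2)     # a different key presented by some other machine
# Trust store: fingerprint recorded on first, verified contact with the server.
KNOWN_HOSTS = {"vms1.example.com": fingerprint(parse_public_key(GENUINE_KEY)[1])}
```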
User Keys
Public key authentication requires that a user also have a public-private key pair. The public key is published and distributed, or copied, to all the SSH servers with which the user communicates. The private key is kept on the local SSH client and must not be revealed to anyone except the key's owner.
The user creates the public-private key pair by using the SSH_KEYGEN key generation utility (described in Chapter 7). The user's keys are used during public-key authentication. For information about the public-key authentication method, see Chapter 3.
Generating Keys
Keys are generated by using the SSH_KEYGEN utility, as described in Chapter 7. SSH_KEYGEN generates both user keys and host keys. For each key, the SSH_KEYGEN utility generates a pair of files: one with a public key and one with a private key. These files are used by cryptographic algorithms.
Managing User Keys
A user might need several, even hundreds of keys. For example, you might use one key for each remote server to which you connect, or one key for each account on a remote server. The following utilities are available to help manage multiple keys:
- SSH_AGENT helps you manage and use keys.
- SSH_ADD helps you add private keys to the authentication agent.
For more information about these utilities, see Chapter 7.