SSH and GPG Keys
James Wilkinson
ubuntu at westexe.demon.co.uk
Wed Jun 1 12:37:21 UTC 2005

Stephen R Laniel wrote:
> The SSH private key is just as secure as the GPG key. The
> only reason I can think of that it *wouldn't* be as secure
> is if a lot of people had signed your GPG key. Then when
> signing into a remote host, the host could check the
> signature. It's a decent idea, but I've never seen it
> implemented.

Actually, it can be *more* secure.

Ideally, you should be able to generate a server host key on one
machine, take a copy of the public key from
/etc/sshd/ssh_host_*_key.pub, carry it on something like a floppy disk,
and put it into the ~/.ssh/known_hosts file on the other computer. Then
you don't have to worry about the "degrees of trust" of a GPG key: you
*know* that the key was generated on the computer you were interested
in. So if SSH (or PuTTY) connects to it without complaint, you *know*
you're connecting to the right computer. [1]

You can do something similar with personal keys.

What's important is to work out what the security is giving you. For
SSH, what's important is that the remote machine is the one you think it
is (and that the user is the one the server thinks he or she is). [2]

It's practical to do something like this for SSH, because most people
only SSH into a few computers.

It would be possible to do something like this for GPG if you only ever
e-mailed a few people. Since that isn't normally the case, the Next Best
Thing is to establish a "web of trust" so you can be *pretty* sure that
the person who e-mailed you is who they say they are, even if you've
never met them.

James.

[1] Barring Trojan binaries or stolen keys, at any rate.

[2] SSH sessions are encrypted anyway, with strong cryptography that
isn't based on your username, password, passphrase, or key (once the
connection has been set up). All you have to worry about is "man in the
middle" attacks, where you're connecting to the wrong computer. That's
what all the host key business is about.

--
E-mail address: james | Cardinal Fang: you are hereby charged that you are
@westexe.demon.co.uk | crunchy and good with ketchup.
| -- The megahal program, trained on my quote file.
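The out-of-band host key pinning James describes (copy the server's public key, put it in known_hosts, then the client only accepts that exact key), as an added example that is not part of the original post. The key bytes, hostname and comment are constructed for illustration; the fingerprint format follows what ssh-keygen -l prints, and known_hosts parsing is simplified to plain, unhashed, single hostnames.

```python
import base64
import hashlib
import struct


def build_ed25519_pubkey_line(raw32: bytes, comment: str) -> str:
    """Encode a raw 32-byte Ed25519 public key as an OpenSSH 'ssh-ed25519 <b64> <comment>' line.
    The blob is SSH wire format: two length-prefixed strings (type name, key bytes)."""
    blob = b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", raw32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line: str) -> tuple[str, bytes]:
    """Return (key type, raw blob); reject a blob whose embedded type disagrees with the text."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("declared key type does not match the key blob")
    return keytype, blob


def fingerprint(line: str) -> str:
    """OpenSSH-style fingerprint: SHA-256 of the blob, base64 without '=' padding."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def known_hosts_entry(hostname: str, pubkey_line: str) -> str:
    """The line to append to ~/.ssh/known_hosts for the key carried over from the server."""
    keytype, blob = parse_pubkey_line(pubkey_line)
    return f"{hostname} {keytype} {base64.b64encode(blob).decode()}"


def host_key_matches(known_hosts: str, hostname: str, presented_line: str) -> bool:
    """Client-side check: the key the server presents must equal the pinned one byte for byte."""
    keytype, blob = parse_pubkey_line(presented_line)
    for entry in known_hosts.splitlines():
        parts = entry.split()
        if len(parts) >= 3 and parts[0] == hostname and parts[1] == keytype:
            if base64.b64decode(parts[2]) == blob:
                return True
    return False


# Constructed sample keys (not real hosts): the genuine server key and a different
# key that a machine in the middle would have to present instead.
GENUINE_LINE = build_ed25519_pubkey_line(bytes(range(32)), "root@files.example")
IMPOSTOR_LINE = build_ed25519_pubkey_line(bytes(range(1, 33)), "root@files.example")
KNOWN_HOSTS = known_hosts_entry("files.example", GENUINE_LINE) + "\n"
```

Comparing fingerprint(GENUINE_LINE) against what ssh-keygen -l reports on the server is the manual version of the same check; the client-side comparison is what makes a connection "without complaint" meaningful.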