Capture the public key using tcpdump? - SSH



Thread: Capture the public key using tcpdump?

  1. Capture the public key using tcpdump?

    Hi, here's an odd question:

    Suppose I lose the authorized_keys file for public key authentication
    because of a disk failure. I have a few remote clients that are a hassle
    to get to, which connect via ssh to perform network backups.

    Is there a way to get the public key as these clients connect? I've done
    a quick tcpdump, but I don't see anything that looked like the public
    key from the client.

    Thanks.



  2. Re: Capture the public key using tcpdump?

    postmaster@cjc.org wrote:
    > Hi, here's an odd question:
    >
    > Suppose I lose the authorized_keys file for public key authentication
    > because of a disk failure. I have a few remote clients that are a hassle
    > to get to, which connect via ssh to perform network backups.
    >
    > Is there a way to get the public key as these clients connect? I've done
    > a quick tcpdump, but I don't see anything that looked like the public
    > key from the client.
    >
    > Thanks.
    >
    >


    No. Neither the public or private key is broadcast when authenticating.

  3. Re: Capture the public key using tcpdump?

    >>>>> "Chuck" == Chuck writes:

    Chuck> postmaster@cjc.org wrote:
    >> Hi, here's an odd question:
    >>
    >> Suppose I lose the authorized_keys file for public key
    >> authentication because of a disk failure. I have a few remote
    >> clients that are a hassle to get to, which connect via ssh to
    >> perform network backups.
    >>
    >> Is there a way to get the public key as these clients connect?
    >> I've done a quick tcpdump, but I don't see anything that looked
    >> like the public key from the client.
    >>
    >> Thanks.
    >>
    >>


    Chuck> No. Neither the public or private key is broadcast when
    Chuck> authenticating.

    This is false; the client sends the public key as part of the "publickey"
    authentication request, so the SSH server can select which of the
    possibly several authorized keys to check. I don't know, however, any
    tool that will easily extract this for you. Your best bet may be to hack
    sshd to write it out for you.

    --
    Richard Silverman
    res@qoxp.net


  4. Re: Capture the public key using tcpdump?

    In article <12q4v5d1jmjtf11@news.supernews.com>, wrote:
    >
    >Is there a way to get the public key as these clients connect? I've done
    >a quick tcpdump, but I don't see anything that looked like the public
    >key from the client.


    How about this, then? Can I allow rsh-style host-based authentication
    without having the public key of the remote machine, i.e., just by IP
    address? I'll live with the risk of a man-in-the-middle attack until
    I can get to the remote machines for a quick reconfiguration.

    Thanks.


  5. Re: Capture the public key using tcpdump?

    Richard E. Silverman wrote:

    >
    > Chuck> No. Neither the public or private key is broadcast when
    > Chuck> authenticating.
    >
    > This is false; the client sends the public key as part of the "publickey"
    > authentication request, so the SSH server can select which of the
    > possibly several authorized keys to check. I don't know, however, any
    > tool that will easily extract this for you. Your best bet may be to hack
    > sshd to write it out for you.
    >


    Doesn't that depend on what authentication method is used? If using
    pubkey, the server already has the public key in the authorized_keys
    file. Why would the client need to send it again?

  6. Re: Capture the public key using tcpdump?

    In article <6wQoh.2739$%Q4.1752@trnddc06> Chuck
    writes:
    >Richard E. Silverman wrote:
    >
    >>
    >> Chuck> No. Neither the public or private key is broadcast when
    >> Chuck> authenticating.
    >>
    >> This is false; the client sends the public key as part of the "publickey"
    >> authentication request, so the SSH server can select which of the
    >> possibly several authorized keys to check. I don't know, however, any
    >> tool that will easily extract this for you. Your best bet may be to hack
    >> sshd to write it out for you.
    >>

    >
    >Doesn't that depend on what authentication method is used? If using
    >pubkey, the server already has the public key in the authorized_keys
    >file. Why would the client need to send it again?


    Maybe read Richard's text again?:-) Obviously, if the server just used
    the public key sent by the client without consulting authorized_keys,
    there would be a much bigger problem than the redundancy...

    --Per Hedeland
    per@hedeland.org
