jerry1
Super Advisor

Openssh check keys

How can I check/list the contents of the ssh key(s)? I did not set up ssh on the box(es) and do not know what has been done. There is a question of whether the key(s) have been set up with an expire time set. Currently our UNIX server connects to a Windows server running OpenSSH. The Windows server is set up with this sshd_config:

Protocol 2
PermitRootLogin yes
StrictModes no
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
IgnoreUserKnownHosts yes
PasswordAuthentication yes
UsePrivilegeSeparation no
MaxStartups 10:30:60
Banner /etc/banner.txt
Subsystem sftp /usr/sbin/sftp-server



I assume that the commands to check the keys would be the same on both platforms. I cannot find what I am looking for in the man pages. Currently we can connect to the Windows server as sshadmin@ without the sshd on the Windows server asking for a password.
spex
Honored Contributor
Solution

Re: Openssh check keys

Jerry,

$ cat ~/.ssh/authorized_keys

I know a key can be made to expire via 'ssh-add -t '. However, I'm not sure how you would check the expiry after-the-fact.

PCS
Matti_Kurkela
Honored Contributor

Re: Openssh check keys

The SSH key format does not contain any expiration times.

The "lifetime" that can be set with ssh-add does not affect the key on the disk, just the non-persistent copy of the key in the ssh-agent's memory (at the host running the SSH client).

Apparently the intention is to provide a sudo-like behavior: if you need to use your SSH key several times in a row, you need to enter your passphrase only once... but after not using the key for a while, you'll need to enter the passphrase again. (Interesting, and maybe very useful; I hadn't noticed this option before.)

As far as I know, the SSH software has no way to implement an expire time on SSH keys, as the users can generate the keys for themselves with any parameters they wish.

(Everyone should generate his/her own keys, instead of letting someone else do it: this way one can be sure nobody else has ever seen the private key.)

The only way to force an expiration of keys on the server side would be to set up a scheduled job to examine the users' public keys (in authorized_keys files or the like) and store a copy/fingerprint/digest of them for future comparisons. On subsequent runs, if the user's key was first seen more than X days ago, do something to prevent the use of that key. You might also want to warn the user somehow when the user's key is almost X days old.
MK
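The scheduled-job approach described above, as an added example that is not from the thread and not part of OpenSSH: a Python job that fingerprints every key in an authorized_keys file the way ssh-keygen -lf does (SHA256 over the decoded key blob, base64 without padding), records the date each fingerprint was first seen, and comments out any key older than a cutoff. The inventory dict, the DISABLED_MARKER comment, the 90-day cutoff and the sample keys are all assumptions made for this example; the key blobs are constructed, not real keys.

```python
"""Retire authorized_keys entries by age (added example, not from the thread).
Assumed design: a JSON-able dict maps each key's SHA256 fingerprint to the
ISO date it was first seen; expired keys are commented out with a marker."""
import base64
import hashlib
from datetime import date

MAX_AGE_DAYS = 90
DISABLED_MARKER = "# EXPIRED-KEY "

# Key types sshd accepts in authorized_keys. The blob's own type field must
# match this token, as ssh-keygen -lf would also insist.
KEY_TYPES = (
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def fingerprint(line):
    """OpenSSH-style 'SHA256:...' fingerprint of one authorized_keys line, or
    None for blanks, comments and lines with no parsable key. Options such as
    from="..." or no-pty may precede the key type, so scan for the first field
    that is a key type (a quoted option containing such a token would fool
    this simple whitespace split)."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    for i, field in enumerate(fields[:-1]):
        if field not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        # Wire format: uint32 length, key-type string, then key material.
        n = int.from_bytes(blob[:4], "big")
        if blob[4:4 + n] != field.encode():
            return None
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def expire_keys(lines, inventory, today, max_age_days=MAX_AGE_DAYS):
    """Return (new_lines, new_inventory, disabled_fingerprints).
    `today` and inventory values are ISO dates. Unknown keys are recorded as
    first seen today; keys older than max_age_days are commented out. Lines
    that are already comments pass through, so re-running is harmless."""
    now = date.fromisoformat(today)
    inv = dict(inventory)
    out, disabled = [], []
    for line in lines:
        fp = fingerprint(line)
        if fp is None:
            out.append(line)
            continue
        first_seen = inv.setdefault(fp, today)
        age_days = (now - date.fromisoformat(first_seen)).days
        if age_days > max_age_days:
            out.append(DISABLED_MARKER + first_seen + " " + line)
            disabled.append(fp)
        else:
            out.append(line)
    return out, inv, disabled


def sample_key_line(keytype, keybytes, comment):
    """Constructed sample, NOT a real key: a wire-format blob of keytype
    wrapping keybytes, base64-encoded the way ssh-keygen writes it."""
    blob = (len(keytype).to_bytes(4, "big") + keytype.encode()
            + len(keybytes).to_bytes(4, "big") + keybytes)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


# Constructed authorized_keys content for the demo (fake 32-byte keys).
SAMPLE_AUTHORIZED_KEYS = [
    "# sshadmin keys (constructed sample)",
    sample_key_line("ssh-ed25519", bytes(range(32)), "old-laptop"),
    'from="10.0.0.0/8",no-pty '
    + sample_key_line("ssh-ed25519", bytes(range(32, 64)), "batch-job"),
]


def demo(today="2024-06-01"):
    """Pretend the first key was first seen on 2024-01-15; the second is new."""
    inventory = {fingerprint(SAMPLE_AUTHORIZED_KEYS[1]): "2024-01-15"}
    return expire_keys(SAMPLE_AUTHORIZED_KEYS, inventory, today)
```

A cron wrapper would read each user's authorized_keys, call expire_keys with the saved inventory, and write both back (rewrite the file atomically, since sshd reads it on every login); a warning at, say, 80 days can be derived from the same inventory. Two caveats for anyone building this: recent OpenSSH releases accept an expiry-time="YYYYMMDD" option in authorized_keys, and SSH certificates carry a validity interval, so where those are available sshd enforces the cutoff without an external job; and the sshd_config posted in the question has StrictModes no, meaning sshd will not refuse an authorized_keys file that other users can write, so a job like this should also check the file's ownership and mode before trusting its contents.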
Senthil Prabu.S_1
Trusted Contributor

Re: Openssh check keys

Hi,
I am not sure whether my reply will solve your problem.

You can check the public keys you have generated using the ssh-keyscan command.

HTH,
Prabu.S
One man's "magic" is another man's engineering. "Supernatural" is a null word.