Wishlist for next-gen card

Peter Lebbing peter at digitalbrains.com
Sun Mar 1 21:54:18 CET 2015


On 01/03/15 17:43, NdK wrote:
> while I was talking of remote user auth (so using openpgp card instead of
> ~/.ssh/id_* keys -- something that's already doable).

No, I'm talking about that as well. And I don't think the fingerprint of
the host is part of the signed data or the signature. Why do you think the
fingerprint of the host is part of that?

By /host/ authentication I mean that you verify that the host you are
connecting to is in fact the host you wanted to connect to; and /that/ is
through the public key of the host, of which you can verify the fingerprint.
Let's call this keypair A.

After you've verified the fingerprint, a copy of the host's public key, A, is
stored in ~/.ssh/known_hosts on your client machine.

But when the host is authenticating that you are in fact the user you are
claiming to be, you sign a challenge that only you could sign because you have
the private key, let's call it B. That is /user/ authentication.

The host checks that your public key B is in ~/.ssh/authorized_keys on the
server machine; if so, you're authenticated.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
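
The two lookups described in this message, as an added example that is not part of the original post: the client-side check of host key A against known_hosts and the server-side check of user key B against authorized_keys. The key material, host name and file contents are constructed; only plain (unhashed, marker-free) known_hosts entries and authorized_keys options without quoted spaces are handled, and the challenge signature itself is not modelled.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def ed25519_blob(raw32: bytes) -> bytes:
    """SSH wire encoding of an ed25519 public key: string type, string key."""
    name = b"ssh-ed25519"
    return struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -l` prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def key_blobs(text: str, host=None):
    """Yield decoded key blobs; with `host`, only known_hosts lines naming it."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if host is not None:
            if host not in fields[0].split(","):
                continue
            fields = fields[1:]
        # Skip any leading authorized_keys options until the key type field.
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                yield base64.b64decode(fields[i + 1])
                break

def host_key_known(known_hosts: str, host: str, offered: bytes) -> bool:
    """Host authentication, client side: is key A pinned for this host?"""
    return any(b == offered for b in key_blobs(known_hosts, host))

def user_key_authorized(authorized_keys: str, offered: bytes) -> bool:
    """User authentication, server side: is key B listed for the account?"""
    return any(b == offered for b in key_blobs(authorized_keys))

# Constructed sample keys and files (not real key material).
HOST_A = ed25519_blob(bytes(range(32)))
USER_B = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = f"server.example ssh-ed25519 {base64.b64encode(HOST_A).decode()}\n"
AUTHORIZED_KEYS = f"# constructed\nssh-ed25519 {base64.b64encode(USER_B).decode()} user@client\n"

if __name__ == "__main__":
    print("host A", fingerprint(HOST_A), host_key_known(KNOWN_HOSTS, "server.example", HOST_A))
    print("user B", fingerprint(USER_B), user_key_authorized(AUTHORIZED_KEYS, USER_B))
```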


