What is the difference between /etc/ssh/ and ~/.ssh?


Solution 1

/etc/ssh provides configuration for the system: default configuration for users (/etc/ssh/ssh_config), and configuration for the daemon (/etc/ssh/sshd_config). The various host files in /etc/ssh are used by the daemon: they contain the host keys, which are used to identify the server — in the same way that users are identified by key pairs (stored in their home directory), servers are also identified by key pairs. Multiple key pairs are used because servers typically offer multiple types of keys: RSA, ECDSA, and Ed25519 in your case. (Users can also have multiple keys.)

The various key files are used as follows:

  • your private key, if any, is used to identify you to any server you’re connecting to (it must then match the public key stored in the server’s authorized keys for the account you’re trying to connect to);
  • the server’s private key is used by the client to identify the server; such identities are stored in ~/.ssh/known_hosts, and if a server’s key changes, SSH will complain about it and disable certain features to mitigate man-in-the-middle attacks;
  • your public key file stores the string you need to copy to remote servers (in ~/.ssh/authorized_keys); it isn’t used directly;
  • the server’s public key files store strings you can copy to your known hosts list to pre-populate it; it also isn’t used directly.

The last part isn’t used all that often; the default SSH model is known as “TOFU” (trust on first use): a connection is trusted by default the first time it’s used, and SSH only cares about unexpected changes. In some cases though it’s useful to be able to trust the first connection too: a server’s operator can communicate the server’s public keys, and users can add these to their known hosts before the first connection.

See the ssh_config and sshd_config manpages for details (man ssh_config and man sshd_config on your system). The format used for known hosts is described in the sshd manpage.
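The known_hosts mechanics described above (pre-populating entries from a server's ssh_host_*_key.pub files, hashed hostnames as written by HashKnownHosts, and the three outcomes a client can reach: key already known, host never seen before, or a changed key that signals a possible man-in-the-middle) are worked through in the following added example. It is illustrative code, not part of either answer and not OpenSSH's own implementation: the key bytes, hostnames and known_hosts contents are constructed for the demo, the Ed25519 "public key" is just 32 placeholder bytes, and the checker deliberately ignores @cert-authority/@revoked markers and wildcard host patterns.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Optional


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def build_pubkey_line(key_type: str, raw_key: bytes, comment: str) -> str:
    """One line in the layout of ssh_host_*_key.pub / id_*.pub:
    '<type> <base64 blob> <comment>'. For ssh-ed25519 the blob is
    string(type) || string(32-byte key)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(raw_key)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pub_line: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64
    of SHA-256 over the decoded key blob)."""
    _, b64 = pub_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_entry(hosts: str, pub_line: str, hashed: bool = False,
                      salt: Optional[bytes] = None) -> str:
    """Turn a host public key line into a known_hosts line. With hashed=True
    the hostname is stored as HashKnownHosts writes it:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname))
    A hashed entry covers a single hostname, not a comma-separated list."""
    key_type, b64 = pub_line.split()[:2]
    if hashed:
        salt = salt if salt is not None else os.urandom(20)
        mac = hmac.new(salt, hosts.encode(), hashlib.sha1).digest()
        host_field = "|1|%s|%s" % (base64.b64encode(salt).decode(),
                                   base64.b64encode(mac).decode())
    else:
        host_field = hosts
    return f"{host_field} {key_type} {b64}"


def _host_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (plain list or |1| hashed) against host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(actual, expected)
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, presented_pub_line: str) -> str:
    """Classify the key a server presents for `host` against known_hosts:
    'match'    - same key recorded: connect silently
    'unknown'  - no key of that type recorded for host: the TOFU prompt
    'mismatch' - a different key of the same type recorded: refuse (possible MITM)
    Simplified: marker lines (@cert-authority, @revoked) and wildcards are skipped."""
    key_type, b64 = presented_pub_line.split()[:2]
    same_type_seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue
        host_field, ktype, kb64 = parts[:3]
        if ktype != key_type or not _host_matches(host_field, host):
            continue
        if kb64 == b64:
            return "match"
        same_type_seen = True
    return "mismatch" if same_type_seen else "unknown"


# Constructed demo key material (NOT real keys): 32 placeholder bytes each.
SERVER_KEY = build_pubkey_line("ssh-ed25519", bytes(range(32)), "root@server")
ROGUE_KEY = build_pubkey_line("ssh-ed25519", bytes(32), "root@mitm")

# Constructed ~/.ssh/known_hosts, pre-populated from the server operator's
# ssh_host_ed25519_key.pub: one plain entry (name and IP), one hashed entry.
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for the demo",
    known_hosts_entry("server.example.com,203.0.113.10", SERVER_KEY),
    known_hosts_entry("backup.example.net", SERVER_KEY, hashed=True),
])


def demo() -> dict:
    """Run the checker through the three outcomes plus the hashed-entry case."""
    return {
        "fingerprint": fingerprint(SERVER_KEY),
        "by_name": check_host_key(KNOWN_HOSTS, "server.example.com", SERVER_KEY),
        "by_ip": check_host_key(KNOWN_HOSTS, "203.0.113.10", SERVER_KEY),
        "hashed": check_host_key(KNOWN_HOSTS, "backup.example.net", SERVER_KEY),
        "first_use": check_host_key(KNOWN_HOSTS, "new.example.org", SERVER_KEY),
        "changed": check_host_key(KNOWN_HOSTS, "server.example.com", ROGUE_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} {result}")
```

In practice the same checks are done for you: `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the server prints the SHA256 fingerprint an operator can publish, and `ssh-keygen -F hostname` on the client shows which known_hosts lines (plain or hashed) match a name. The "changed" outcome is the one behind the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, which is why a pre-populated entry is worth more than trust on first use.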

Solution 2

/etc/ssh holds the private and public key pairs for the host (the computer/operating system)

~/.ssh holds the key pairs for its owner user

Research a little on how symmetric keys and PKI work. You'll find out that, in most situations, both the sender and the receiver need their own pair of private/public keys.


Author: Kavish Gour

Updated on September 18, 2022

Comments

  • Kavish Gour
    Kavish Gour over 1 year

    I’m having fun with OpenSSH, and I know the /etc/ssh directory is for the ssh daemon and the ~/.ssh directory is for a particular user.

    Both directories contain private and public keys:

    Directories Contents

    But what is the difference between those keys? I’m confused because the ones I use as a user is in my home directory, and what are the roles of the keys found in /etc/ssh?

  • Kavish Gour
    Kavish Gour about 6 years
    Let's say a user is trying to establish a connection with my public key; this is just between me and the user (I assume), so why does the daemon have to identify itself? How do the daemon host files come into play?
  • Stephen Kitt
    Stephen Kitt about 6 years
    When you connect to an SSH server, you identify yourself to the server (using either your login and password, or a key), and the server identifies itself to you, using its host key. This is typically transparent, but it is important: it avoids man-in-the-middle attacks after the first connection. Known host keys are stored in ~/.ssh/known_hosts, and SSH verifies server host keys against those to check that it’s connecting to the right server.
  • Kavish Gour
    Kavish Gour about 6 years
    I did some research based on your answer: /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub. These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. Their contents should match the respective private parts. "These files are not really used for anything; they are provided for the convenience of the user so their contents can be copied to known hosts files." I don't understand the last sentence inside the quotes. Can you please elaborate on it for me (my English is not that good)?
  • Stephen Kitt
    Stephen Kitt about 6 years
    See my updated answer.
  • Gilles 'SO- stop being evil'
    Gilles 'SO- stop being evil' about 6 years
    @dr01 Are you suggesting to remove it in favor of “always” or “sometimes”? It's true that in most scenarios, each side has its own private key. But there's a very widespread scenario where only one side has a private key, and you used it to post your comment: web browsing over HTTPS, and more generally TLS without TLS client authentication (on the web, user authentication is usually done with a password, not with a private key).