Security Power Tools

Errata for Security Power Tools

Submit your own errata for this product.

The errata list is a list of errors and their corrections that were found after the product was released. If the error was corrected in a later version or reprint the date of the correction will be displayed in the column titled "Date Corrected".

The following errata were submitted by our customers and approved as valid errors by the author or editor.

Color Key: Serious Technical Mistake Minor Technical Mistake Language or formatting error Typo Question Note Update

Version Location Description Submitted By Date Submitted Date Corrected
Printed, PDF, Safari Books Online, Other Digital Version
Page 15.1.2

Section 15.1.2 appears to be seriously flawed in Points 3 and 4 (see also RFC 4252). Please check. Signatures are usually not created using the PUBLIC key as otherwise any could provide the signature as the key is public. Usually, the private key is used. Likewise the the checking is not performed by computing the same value with the public key but by decrypting the message with the public key, i.e. inverting the encryption.

Note from the Author or Editor:
In section 15.1.2: Original text: 1. The SSH client requests authentication of a given user to the server. 2. If there is a public key on the server in that userís home directory, the server replies with a challenge (random string) encrypted with the clientís public key. 3. The client decrypts the message with its private key, signs the challenge with its public key, and sends the signature back to the server. 4. The server computes the same signature with the userís public key and compares it to the signature sent by the client. If they match, the user is authenticated. Proposed correction: 1. The SSH client requests authentication of a given user to the server, this request includes the user's public key. 2. If a matching public key is on the server in that user's home directory, the server replies with a request for public key authentication accepted message. 3. The client sends back a signed message to the server where the signature is generated using the user's private key. 4. The server decrypts the signature using the user's public key and verifies that it's content is correct. If so, then the user is authenticated.

Anonymous  Sep 21, 2010