Ssh – “Permanently added the RSA host key” what does it mean

ssh, ssh-agent

I'm very new to Unix and things around it, particularly for this question is SSH and authentication.

I know that I can create identities (create a pair of public/private key), put it into ssh-agent and copy the public key to the remote host so that I can SSH to the remote host without entering password. Correct me if I'm wrong, but to list all registered identities in my local system, I can just run ssh-add -l.

When I tried to connect via SSH (specifically, I was trying to connect to bitbucket via SSH so that I don't have to type in my password over and over again), I get this warning:

Warning: Permanently added the RSA host key for IP address 'xxx.xxx.xxx.xxx' to the list of known hosts.

After I gave in and proceeded with the so-called 'permanently added the RSA host key', I ran ssh-add -l and noticed that my previously created pair of public/private key was not registered, but instead a new identity seems to be created. Perplexed, I checked the contents of ~/.ssh/ but I didn't see any other public/private key files other than the one I created earlier.

I tried to remove the identity by running ssh-add -D but to no avail: it still shows up when I run ssh-add -l.

My questions are:

  • What is going on? Did I just create a new identity when my Unix prompted for my local password?
  • Where can I find the public and private keys for the identity listed by ssh-add -l? Why can't I delete the identity by ssh-add -D?
  • Why did I successfully connect to Bitbucket, while I haven't added the public key in the account manager, other than the one I created earlier on by ssh-keygen?
  • I noticed that this may have something to do with the ~/.ssh/known_hosts file, but I have no clue as to what purpose the file serves, and how it relates to this entire SSH business?

I have looked around on the internet for some explanation on how SSH works, and how Unix manages public/private keys and identities, and how does known_hosts file come into play, but I cannot find any. Any explanation or references to external articles would be greatly appreciated!

A little more context:
Previously, I had created a new pair of public/private keys and added it to the ssh-agent (and copied the public key to Bitbucket, as per the instructions from Bitbucket). Then I shut down the computer, and opened it up again the next day. When I tried to do git fetch, I was prompted to enter my local user password, and the aforementioned warning showed up. And then came my questions and confusion.

Best Answer

Keyword there is host key. The first time you connect to a host, you are presented with a fingerprint of that host's public key. The server itself has a keypair just like users do.

The idea is that you can verify the fingerprint with what you know that server's fingerprint to be, to ensure you are not being MITMed.

Once you accept the host key, it gets saved in your known_hosts file, which your client uses to verify all subsequent connections.

If the host key changes unexpectedly, your client will notice and will display a nasty error message, suggesting that something may be awry and that you should check things out.
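To make the answer's three outcomes concrete (first contact, matching key, changed key), here is an added example that is not part of the original answer: a small emulation of the client-side known_hosts lookup. The host names, IP, key blobs and salt are constructed placeholders, and the ssh-rsa blob is built from tiny dummy numbers rather than a real key.

```python
import base64, hashlib, hmac, struct

def ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(b)) + b

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH prints it (base64 without '=' padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_entry(host: str, salt: bytes) -> str:
    """Build the |1|salt|hmac host field ssh writes when HashKnownHosts is on (HMAC-SHA1, key = salt)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(pattern: str, host: str) -> bool:
    """Match a known_hosts host field: a comma-separated list of names/IPs, or a hashed entry."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, mac_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in pattern.split(",")

def check_host_key(known_hosts: str, host: str, keytype: str, blob: bytes) -> str:
    """Emulate the client's decision for a presented key: 'new', 'match' or 'MISMATCH'."""
    seen = False
    for line in known_hosts.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):          # @cert-authority / @revoked markers not handled here
            fields = fields[1:]
        if len(fields) < 3:
            continue
        hosts, ktype, key_b64 = fields[:3]
        if not host_matches(hosts, host) or ktype != keytype:
            continue
        seen = True                            # host known with this key type
        if hmac.compare_digest(base64.b64decode(key_b64), blob):
            return "match"                     # silent success on later connections
    return "MISMATCH" if seen else "new"       # MISMATCH = the "nasty error"; new = prompt / "Permanently added"

# Constructed sample data (not real keys or hosts): ssh-rsa blob = "ssh-rsa", e, n in wire format.
SAMPLE_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x51")
OTHER_BLOB = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00\xc3\x53")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample known_hosts",
    "bitbucket.example,203.0.113.10 ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode(),
    hashed_entry("git.example", b"01234567890123456789") + " ssh-rsa " + base64.b64encode(SAMPLE_BLOB).decode(),
])

if __name__ == "__main__":
    print("server fingerprint:", fingerprint(SAMPLE_BLOB))
    for host, blob in [("bitbucket.example", SAMPLE_BLOB), ("git.example", SAMPLE_BLOB),
                       ("bitbucket.example", OTHER_BLOB), ("203.0.113.99", SAMPLE_BLOB)]:
        print(host, "->", check_host_key(SAMPLE_KNOWN_HOSTS, host, "ssh-rsa", blob))
```

OpenSSH also looks up the connection's IP address as its own entry (the CheckHostIP option), which is why the warning in the question names an IP address rather than a hostname.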
