The recommended method is using agent forwarding at this time, according to
http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt

I agree that this is not the best solution, but it's no worse than keeping the
private key on the machine, because the private key is on the filesystem for
extended periods of time, while your agent is only forwarded for the duration
of your shell session (which with most ISPs is cut at a certain point).

Darren VanBuren
==================
http://theoks.net/

On Tue, Oct 4, 2011 at 00:27, Jan-Frode Myklebust <janfrode@xxxxxxxxx> wrote:
> I'm also guilty of putting private keys on bastion, but not a private
> key that gives access to anything else. I didn't want to do agent
> forwarding (and thereby giving root@bastion access to jump around to
> other systems I'm admining), and AFAIR I needed pubkey logins to jump
> to puppet01. So I created a set of keys for usage within the fedora
> infrastructure. Maybe not optimal security-wise for fedora, but I didn't
> quite see how I would be able to do this securely for all ("ssh-add -c"
> being too cumbersome).
>
> IMHO there's something lacking in the infrastructure policy. How are
> people supposed to do authentication between f.ex. bastion and
> puppet01? If we can't use passwords and can't have private keys on
> bastion -- do you require agent forwarding? I think agent forwarding is
> worse than keeping a private key on bastion, since it means a security
> breach within fedora can easily spread to other systems I manage.
>
> Time to implement kerberos/IPA or ssh host-authentication?
>
>
> -jf
> _______________________________________________
> infrastructure mailing list
> infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/infrastructure
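Editor's added example, not part of either message above: both options the posters weigh (a private key stored on bastion, or an agent forwarded to it) leave some credential material usable by root@bastion. A third option that avoids both is to use bastion purely as a TCP relay with ProxyCommand and `ssh -W` (available since OpenSSH 5.4), so the ssh client on your workstation authenticates end to end to puppet01 and neither a private key nor an agent socket ever exists on bastion. The FQDNs, login name and key file below are placeholders assumed for the example; the thread only names the hosts "bastion" and "puppet01".

```sshconfig
# Added example (editor's, not from the thread). Hostnames, user and
# key path are placeholders. This goes in ~/.ssh/config on the
# workstation, never on bastion.

Host bastion
    HostName bastion.example.org        # assumed FQDN
    User dvanburen                      # assumed login
    ForwardAgent no                     # root@bastion must not see your agent socket

# Internal hosts are reached *through* bastion, which only relays TCP.
# The inner ssh authenticates directly from the workstation to puppet01,
# so no private key and no forwarded agent is ever present on bastion.
Host puppet01
    HostName puppet01.example.org       # assumed FQDN
    User dvanburen                      # assumed login
    ProxyCommand ssh -W %h:%p bastion   # OpenSSH 5.4+; "ProxyJump bastion" on 7.3+
    ForwardAgent no
    IdentityFile ~/.ssh/id_fedora       # assumed: a key used only for this infrastructure
    IdentitiesOnly yes                  # do not offer every key in the agent to every host
```

With this in place, `ssh puppet01` opens the bastion session and the tunnelled puppet01 session both from the workstation; puppet01 must authorize the workstation's public key and accept connections arriving from bastion's address. If some workflow still requires agent forwarding, `ssh-add -c ~/.ssh/id_fedora` loads the key in confirm-on-use mode, so every signature request arriving through a forwarded socket triggers a local prompt (an ssh-askpass program must be available); that is the mitigation Jan-Frode describes as too cumbersome.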