On 07/07/2016 06:07 PM, bruce wrote:
> What do I need to add to the local box, or to box1 / box2 to permit me to hop from box1 to box2 without having to add a key from/between box1 and box2?
You need to install the public key on all five systems.
> if ssh forwarding is the soln, what has to be added to which files, on which boxes?
SSH agent forwarding requires that you have an agent. If your workstation is running GNOME, then you have an SSH agent. Otherwise, you might need to set one up, and that process depends on what your desktop is.
An SSH agent loads your private keys and performs SSH key authentication on behalf of your SSH clients. If you use "ssh -A" to connect to a system (for example, box1), then your shell session on that system will also have a socket that is connected (forwarded) to the SSH agent on your workstation. When you make another connection (for example, from the session on box1 to the host box2), the key authentication traffic is passed between the new host and your workstation.
Forwarding, then, avoids copying your private key to systems other than your workstation, reducing the opportunity for theft of the private key. Forwarding is still vulnerable to misuse if you forward the socket to a system that has been compromised, but only for as long as you have an open SSH connection to that system. Your keys should be generated on your workstation, and your private key should never be copied to any other system.
So, make sure your public key is installed on all of the systems you want to use as SSH servers, make sure your workstation has an SSH agent running, and use "ssh -A" to connect when you are going to hop to another system.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
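The three steps in the reply above (public key on every server, an agent on the workstation, "ssh -A" for the hop), written out as an added shell example. This is not code from the thread or from the Fedora project; the host names box1 and box2, the key path, and the choice of an ed25519 key are assumptions made for illustration. It also shows the check and the caveat a practitioner would want: reading the agent state from ssh-add's exit status, and scoping ForwardAgent to the hop host instead of every host, since the reply notes that a forwarded socket can be misused by a compromised server.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumed names: box1 is the
# hop host, box2 the final target, and the key lives at ~/.ssh/id_ed25519.

KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"

# Keys are generated on the workstation; only the .pub file ever leaves it.
make_key() {
    [ -f "$KEY" ] || ssh-keygen -t ed25519 -f "$KEY" -N "" -C "workstation"
}

# Step 1: put the public key into ~/.ssh/authorized_keys on every server
# you will log in to, the hop host included.
install_pubkey() {
    for host in "$@"; do
        ssh-copy-id -i "$KEY.pub" "$host"
    done
}

# Report the agent's state from ssh-add's exit status:
#   0 = agent reachable and holding keys   -> loaded
#   1 = agent reachable but empty          -> empty
#   2 = no agent reachable                 -> none
# "missing" means ssh-add itself is not installed on this machine.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo missing; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# Step 2: make sure an agent is running and holds the key. GNOME already
# provides one; elsewhere this starts one for the current shell. The -c
# flag makes the agent ask for confirmation on every use of the key, which
# limits what a compromised hop host can do with the forwarded socket.
ensure_agent() {
    if [ "$(agent_state)" = none ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    if [ "$(agent_state)" != loaded ]; then
        ssh-add -c "$KEY"
    fi
}

# Step 3: forward the agent only to the hop host. A bare
# "ForwardAgent yes" under "Host *" would hand the agent socket to every
# server you ever connect to; the explicit "no" under "Host *" is the
# safer default. Output is meant to be appended to ~/.ssh/config.
forward_config() {
    printf 'Host %s\n    ForwardAgent yes\n\nHost *\n    ForwardAgent no\n' "$1"
}

# With the config above, "ssh box1" behaves like "ssh -A box1". On box1,
# "ssh box2" then authenticates through the socket in $SSH_AUTH_SOCK
# without any private key existing on box1.
hop() {
    ssh -A -t "$1" "ssh $2"
}
```

To use it on the workstation: `make_key`, then `install_pubkey box1 box2`, then `ensure_agent`, then `forward_config box1 >> ~/.ssh/config` and `hop box1 box2`. Once on box1, `ssh-add -l` listing the workstation's key is the confirmation that the forwarding worked.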