Re: ssh again..

On 07/12/2016 10:44 AM, Go Canes wrote:

    No, they don't.  Private keys belong on your closest system, on an
    encrypted volume.  Often, you will only need one.


If the OP uses ssh to go from system1:user1 to system2:user2, and then wants to use ssh to go from system2:user2 to system3:user3, are you saying that only system1:user requires a public key, and that system2:user2 can ssh out without having *any* public key?


No, I said "private key".

If you are user1@system1 and you use ssh to log in to user2@system2, and if you also have an ssh agent on system1 and instruct ssh to forward a connection to the user2@system2 session, then you don't need a private key in the user2@system2 home directory to connect to user3@system3. You only need to have the public key which corresponds to the private key available to user1@system1 installed for user3@system3. system3 will request ssh authentication from user2@system2, and that request will be forwarded back to the agent at user1@system1, which will answer it.

Using agent forwarding, you only need private keys on your workstation, which you presumably have encrypted and otherwise made very secure against an attacker obtaining your key files (which should, themselves, be encrypted key files within the encrypted filesystem).
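
The claim above, that with agent forwarding no private key has to exist in the user2@system2 home directory, can be checked on the intermediate host. The following is an added example, not part of the original message; the function names are hypothetical and the default directory `~/.ssh` is an assumption.

```shell
#!/bin/sh
# Added example: run as user2 on system2 (the intermediate host).

# Print every file under DIR whose first line is a PEM/OpenSSH private-key
# header (OPENSSH, RSA, EC, DSA, ENCRYPTED or plain PKCS#8).
list_private_keys() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" -type f | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null |
            grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Succeeds when this session has an agent socket to talk to. In a session
# opened with agent forwarding, sshd points SSH_AUTH_SOCK at a socket that
# relays signing requests back to the agent on the originating machine.
agent_socket_present() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Returns 1 if private key material is stored on this host, 0 otherwise.
audit_intermediate_host() {
    dir=${1:-$HOME/.ssh}
    keys=$(list_private_keys "$dir")
    if [ -n "$keys" ]; then
        printf 'private key material found on this host:\n%s\n' "$keys"
        return 1
    fi
    if agent_socket_present; then
        echo "no private keys in $dir; agent socket: $SSH_AUTH_SOCK"
    else
        echo "no private keys in $dir; no agent socket (was the session started with ssh -A?)"
    fi
    return 0
}

# Run the audit only when asked to, e.g.:  sh audit.sh --audit ~/.ssh
if [ "${1:-}" = "--audit" ]; then
    audit_intermediate_host "${2:-}"
fi
```

A clean result on system2 together with a present agent socket matches the setup described: the only private key stays on system1, and system3 only needs the matching public key installed for user3.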