On 07/12/2016 02:32 PM, bruce wrote:
> So on box1 I have the priv key, on box1 I have ssh-agent; on box1, in the config file, do I need to have box2
You *can* specify agent forwarding in the configuration file, but I have to disagree with users who recommended doing so. My opinion is that you should use "ssh -A" to forward your agent specifically in sessions where you intend to establish additional connections from the session you are creating.
If you log in to a host that is compromised, and forward your agent, the attacker could use your ssh agent to establish additional connections. This is better than the situation of having a private key on the same compromised host, because the key itself cannot be stolen and the agent is only usable while you are connected. However, the cautious practice is to reduce the threat further by not forwarding the agent when it is not going to be used.
> On box2 I don't need to have the pub key from box1, but I do have to have what???
box2 does need to have the public key installed, as usual. It just doesn't need a private key. Authentication requests will be proxied (forwarded) back to your workstation, where the private key is available.
> And then whatever I have on box2 gets replicated on the other boxes in the "chain"
All of the hosts in the chain require the public key, just as they would if you were connecting to them directly.
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options: https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
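The reply above recommends `ssh -A` for the one session that needs it rather than a standing `ForwardAgent yes` in the config file. A detail that makes a config-file setting riskier than it looks is that OpenSSH keeps the first value it obtains for each option, so a `ForwardAgent yes` placed at the top of `~/.ssh/config` applies to every host and cannot be overridden by a later per-host `ForwardAgent no`. The following added example (not code from the thread or from the Fedora project) audits a client config for that pattern: it reproduces the first-value-wins rule for `ForwardAgent`, lists which `Host` stanzas end up forwarding the agent, and contrasts a config with the blanket setting against one that leaves forwarding off and relies on `ssh -A` per session. The two config files, the host names `box2`/`box3`, and the restriction to exact host names and the `*` pattern are all constructed assumptions for the example.

```shell
#!/bin/sh
# Added example: audit which Host stanzas in an ssh_config end up with agent
# forwarding enabled, using OpenSSH's rule that the FIRST value obtained for an
# option wins. Only exact Host names and the "*" pattern are handled (assumption).

# Constructed sample 1: a blanket ForwardAgent at the top of the file.
BAD_CFG="${TMPDIR:-/tmp}/agent_audit_bad_$$"
cat > "$BAD_CFG" <<'EOF'
ForwardAgent yes          # top-level value: obtained first, so it wins everywhere

Host box2
    HostName box2.example.internal

Host box3
    HostName box3.example.internal
    ForwardAgent no       # too late: the top-level "yes" was already obtained
EOF

# Constructed sample 2: forwarding left off; use "ssh -A box2" only when the
# session on box2 will itself open further connections.
GOOD_CFG="${TMPDIR:-/tmp}/agent_audit_good_$$"
cat > "$GOOD_CFG" <<'EOF'
Host box2
    HostName box2.example.internal
    User bruce

Host box3
    HostName box3.example.internal

# defaults last, so the per-host stanzas above are consulted first
Host *
    ForwardAgent no
EOF

# effective_forward_agent FILE HOST -> "yes" or "no"
# Walks the file in order; the first ForwardAgent line in a block that applies
# to HOST (lines before any Host, "Host *", or "Host HOST") is the effective one.
effective_forward_agent() {
    awk -v target="$2" '
        BEGIN { pat = "*" }                          # lines before any Host apply to all
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next } # skip comments and blank lines
        { sub(/[[:space:]]*#.*$/, "") }              # strip trailing comments
        tolower($1) == "host" { pat = $2; next }
        tolower($1) == "forwardagent" && !found && (pat == "*" || pat == target) {
            found = 1; print tolower($2)
        }
        END { if (!found) print "no" }               # OpenSSH default is "no"
    ' "$1"
}

# list_hosts FILE -> names from Host stanzas, excluding the "*" default block
list_hosts() {
    awk 'tolower($1) == "host" && $2 != "*" { print $2 }' "$1"
}

# hosts_forwarding FILE -> one line per host whose effective ForwardAgent is yes
hosts_forwarding() {
    for h in $(list_hosts "$1"); do
        [ "$(effective_forward_agent "$1" "$h")" = "yes" ] && printf '%s\n' "$h"
    done
    return 0
}

echo "hosts forwarding the agent under the blanket config:"
hosts_forwarding "$BAD_CFG"
echo "hosts forwarding the agent under the per-session config:"
hosts_forwarding "$GOOD_CFG"
# With GOOD_CFG in place, forwarding for a single session is explicit:
#   ssh -A box2
```

Under the first config both `box2` and `box3` report `yes`, even though `box3` tries to opt out, which is exactly the silent exposure the reply warns about: every host you log in to can use the agent for as long as you are connected. Under the second config nothing forwards by default, and the `-A` flag on the command line enables it for that one session only.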