Re: ssh again..

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 12Jul2016 17:32, bruce <badouglas@xxxxxxxxx> wrote:
so on the box1
i have the priv key
on box1 i have have ssh-agent on box1

With your private key loaded. "ssh-add -l" will tell you if it is.

on box1, in the config file, do i need to have box2

To easily connect, perhaps. To connect with special options by default, yes. But as long as it is in DNS, it can be reached by name. And if it isn't, it can be reached by IP.

on box2 I don't need to have the pub key from box1, but i do have to have
what???

On box2 you need the public key from box1 in the authorized_keys for whatever user you will be coming in as on box2.

The private key: local to box1, used to prove you are who you say you are.

The public key: in the authorized_keys file on every target box, used to define who may connect.

and then whatever I have on box2, gets replicated on the other boxes in the
"chain"

Every "target" box needs the _public_ half of the keypair in the .ssh/authorized_keys file for whatever user you come in as.

If you have ssh-agent forwarding on, your ssh-agent service will be propagated through every ssh connection. Do this by putting:

 Host *
   ForwardAgent yes

in the "*" Host clause at the _bottom_ of your .ssh/config file. Assuming you want this on by default, which is a common choice for interactive users. It is off by default, and you can imagine why you might not want to on _by default_ in many circumstances. So that is a security policy decision for you. You might make this decision per host, and only forward the agent to hosts you decide to trust with it.

Note also that you need to enable ssh-agent forwarding in the .ssh/config on every host which will expect to forward the agent to the next box. It is consulted by the _local_ "ssh" command to decide these things.

Cheers,
Cameron Simpson <cs@xxxxxxxxxx>

I think I'm seeing part of this...



On Tue, Jul 12, 2016 at 4:13 PM, Gordon Messmer <gordon.messmer@xxxxxxxxx>
wrote:

On 07/12/2016 10:44 AM, Go Canes wrote:


    No, they don't.  Private keys belong on your closest system, on an
    encrypted volume.  Often, you will only need one.


If the OP uses ssh to go from system1:user1 to system2:user2, and then
wants to use ssh to go from system2:user2 to system3:user3, are you saying
that only system1:user requires a public key, and that system2:user2 can
ssh out without having *any* public key?



No, I said "private key".

If you are user1@system1 and you use ssh to log in to user2@system2, and
if you also have an ssh agent on system1 and instruct ssh to forward a
connection to the user2@system2 session, then you don't need a private
key in the user2@system2 home directory to connect to user3@system3.  You
only need to have the public key which corresponds to the private key
available to user1@system1 installed for user3@system3.  system3 will
request ssh authentication from user2@system2, and that request will be
forwarded back to the agent at user1@system1, which will answer it.

Using agent forwarding, you only need private keys on your workstation,
which you presumably have encrypted and otherwise made very secure against
an attacker obtaining your key files (which should, themselves, be
encrypted key files within the encrypted filesystem).

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org


--
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org



[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux