On 12Jul2016 17:32, bruce <badouglas@xxxxxxxxx> wrote:
> so on the box1
> I have the priv key
> on box1 I have ssh-agent on box1
With your private key loaded. "ssh-add -l" will tell you if it is.
> on box1, in the config file, do I need to have box2
To easily connect, perhaps. To connect with special options by default, yes.
But as long as it is in DNS, it can be reached by name. And if it isn't, it can
be reached by IP.
> on box2 I don't need to have the pub key from box1, but I do have to have
> what???
On box2 you need the public key from box1 in the authorized_keys for whatever
user you will be coming in as on box2.
The private key: local to box1, used to prove you are who you say you are.
The public key: in the authorized_keys file on every target box, used to define
who may connect.
> and then whatever I have on box2, gets replicated on the other boxes in the
> "chain"
Every "target" box needs the _public_ half of the keypair in the
.ssh/authorized_keys file for whatever user you come in as.
If you have ssh-agent forwarding on, your ssh-agent service will be propagated
through every ssh connection. Do this by putting:
Host *
    ForwardAgent yes
in the "*" Host clause at the _bottom_ of your .ssh/config file. Assuming you
want this on by default, which is a common choice for interactive users. It is
off by default, and you can imagine why you might not want this on _by default_
in many circumstances. So that is a security policy decision for you. You might
make this decision per host, and only forward the agent to hosts you decide to
trust with it.
Note also that you need to enable ssh-agent forwarding in the .ssh/config on
every host which will expect to forward the agent to the next box. It is
consulted by the _local_ "ssh" command to decide these things.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
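An added example, not from Cameron's mail or from OpenSSH, to show the point about putting the "Host *" clause at the bottom: the local ssh takes the first value it finds for an option, so a catch-all at the top silences every per-host decision below it. The script below is a deliberately small model of that first-match rule for ForwardAgent only (glob Host patterns, no Match blocks, no "!" negation, no Key=Value syntax); the two config texts and the host names are constructed. On a real box, `ssh -G hostname | grep -i forwardagent` prints the value ssh would actually use.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: a small model of
# how ssh_config chooses a value for ForwardAgent. ssh reads the file top to
# bottom and the FIRST matching value for an option wins, which is why a
# catch-all "Host *" clause has to sit at the bottom if per-host decisions
# above it are to take effect. Only the ForwardAgent keyword and plain glob
# Host patterns are modelled. The authoritative check on a real system is:
#   ssh -G <host> | grep -i forwardagent

# Constructed config in the recommended shape: explicit per-host decisions
# first, the default for everything else last.
CONFIG_GOOD='
# forward the agent only to the bastion we trust with it
Host bastion.example.net
    ForwardAgent yes

Host untrusted-*.example.net
    ForwardAgent no

Host *
    ForwardAgent no
'

# Constructed config with the catch-all at the TOP: "Host *" matches every
# host, so its ForwardAgent value is found first and wins everywhere.
CONFIG_BAD='
Host *
    ForwardAgent yes

Host untrusted-*.example.net
    ForwardAgent no
'

# effective_forward_agent CONFIG HOSTNAME -> prints "yes" or "no"
# (OpenSSH's built-in default for ForwardAgent is "no").
effective_forward_agent() {
    config=$1
    host=$2
    result=
    matching=1   # options before the first Host line apply to every host
    while read -r line; do          # default IFS trims surrounding whitespace
        case $line in
            '' | '#'*) continue ;;  # blank or comment line
        esac
        # split into keyword and arguments; set -f keeps "*" from globbing
        set -f
        set -- $line
        set +f
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        shift
        case $key in
            host)
                # a Host line opens a new block; it applies if any of its
                # patterns matches (unquoted $pat makes case glob-match)
                matching=0
                for pat in "$@"; do
                    case "$host" in
                        $pat) matching=1 ;;
                    esac
                done
                ;;
            forwardagent)
                # first obtained value wins: keep only the first match
                if [ "$matching" -eq 1 ] && [ -z "$result" ]; then
                    result=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
                fi
                ;;
        esac
    done <<EOF
$config
EOF
    printf '%s\n' "${result:-no}"
}

# Demonstration: the same hosts get different answers depending only on
# where "Host *" sits in the file.
for h in bastion.example.net untrusted-1.example.net other.example.org; do
    printf 'good config: %-26s ForwardAgent %s\n' "$h" "$(effective_forward_agent "$CONFIG_GOOD" "$h")"
    printf 'bad  config: %-26s ForwardAgent %s\n' "$h" "$(effective_forward_agent "$CONFIG_BAD" "$h")"
done
```

With the good config the untrusted host and the unknown host both get "no" and only the bastion gets "yes"; with the catch-all moved to the top, every host gets "yes", including the one the file explicitly tried to exclude.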
I think I'm seeing part of this...
On Tue, Jul 12, 2016 at 4:13 PM, Gordon Messmer <gordon.messmer@xxxxxxxxx> wrote:
> On 07/12/2016 10:44 AM, Go Canes wrote:
>> No, they don't. Private keys belong on your closest system, on an
>> encrypted volume. Often, you will only need one.
> If the OP uses ssh to go from system1:user1 to system2:user2, and then
> wants to use ssh to go from system2:user2 to system3:user3, are you saying
> that only system1:user1 requires a public key, and that system2:user2 can
> ssh out without having *any* public key?
No, I said "private key".
If you are user1@system1 and you use ssh to log in to user2@system2, and
if you also have an ssh agent on system1 and instruct ssh to forward a
connection to the user2@system2 session, then you don't need a private
key in the user2@system2 home directory to connect to user3@system3. You
only need to have the public key which corresponds to the private key
available to user1@system1 installed for user3@system3. system3 will
request ssh authentication from user2@system2, and that request will be
forwarded back to the agent at user1@system1, which will answer it.
Using agent forwarding, you only need private keys on your workstation,
which you presumably have encrypted and otherwise made very secure against
an attacker obtaining your key files (which should, themselves, be
encrypted key files within the encrypted filesystem).
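An added example, not Gordon's code or OpenSSH's, for the one thing the target system needs in this arrangement: the public half of the workstation's key in the target user's authorized_keys. The shell below compares a public key against an authorized_keys file on key type and base64 blob, ignoring the comment field and any leading options, so it still finds the key when the admin installed it with `from=` restrictions under a different comment, and it counts how many identities the file admits at all. The key blobs, user names and hosts are constructed and are not valid keys; on a real system you would compare fingerprints with `ssh-keygen -lf` instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH. It checks that
# the PUBLIC key belonging to the private key held by user1@system1's agent
# is present in the target user's authorized_keys. Entries are compared on
# key type plus base64 blob only, so differing comments and leading options
# (from=, command=, no-agent-forwarding, ...) do not matter.

# Constructed ~/.ssh/id_ed25519.pub as it would sit on box1 (the blob is
# made up and is NOT a valid key; nothing here decodes it).
BOX1_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOB0000000000000000000000000 user1@system1'

# Constructed key that must NOT be accepted.
OTHER_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOB1111111111111111111111111 someone@elsewhere'

# Constructed authorized_keys for user3 on box3: a comment line, an
# unrelated RSA key, and box1's key installed with restrictive options and
# a different comment.
BOX3_AUTHORIZED_KEYS='# keys allowed to log in as user3@system3
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDRSA000000000000000000000000 backup@system9
from="10.0.0.0/8",no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDBLOB0000000000000000000000000 laptop'

# key_type_blob LINE -> prints "<type> <blob>" from a public-key or
# authorized_keys line, or exits 1 if no key type is found. Runs in a
# subshell so "set -f" (no pathname expansion while splitting) stays local.
key_type_blob() (
    set -f
    prev=
    for tok in $1; do
        # the token after a known key type is the base64 blob
        case $prev in
            ssh-ed25519 | ssh-rsa | ecdsa-sha2-nistp256 | ecdsa-sha2-nistp384 | ecdsa-sha2-nistp521 | sk-ssh-ed25519@openssh.com | sk-ecdsa-sha2-nistp256@openssh.com)
                printf '%s %s\n' "$prev" "$tok"
                exit 0 ;;
        esac
        prev=$tok
    done
    exit 1
)

# key_authorized AUTHORIZED_KEYS PUBKEY -> 0 if PUBKEY's type+blob appears
# on some non-comment line, 1 otherwise, 2 if PUBKEY itself is unparseable.
key_authorized() {
    authkeys=$1
    want=$(key_type_blob "$2") || return 2
    while IFS= read -r line; do
        case $line in
            '' | '#'*) continue ;;
        esac
        have=$(key_type_blob "$line") || continue
        if [ "$have" = "$want" ]; then
            return 0
        fi
    done <<EOF
$authkeys
EOF
    return 1
}

# authorized_key_count AUTHORIZED_KEYS -> number of parseable key entries,
# i.e. how many identities may log in as this user.
authorized_key_count() {
    n=0
    while IFS= read -r line; do
        if key_type_blob "$line" >/dev/null; then
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    printf '%s\n' "$n"
}

# Demonstration against the constructed data.
if key_authorized "$BOX3_AUTHORIZED_KEYS" "$BOX1_PUBKEY"; then
    echo "box1 key is authorized for user3@system3"
else
    echo "box1 key is NOT authorized for user3@system3"
fi
echo "entries that may log in as user3: $(authorized_key_count "$BOX3_AUTHORIZED_KEYS")"
```

Because the comparison deliberately ignores the options prefix, the count is the number of keys that can get in, not the number of unrestricted ones; a line that begins with `no-agent-forwarding` still counts as an identity the box accepts.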
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org