On 16Jul2017 08:26, Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote:
> In my host system I have copied my id_rsa.pub into the authorized_keys file.
> I then tar up my .ssh directory and sftp it to my VM when I create them. I then
> untar the file on the VM. From then on I can sftp/ssh to/from any system.
This is actually rather hazard-prone. Your _private_ key is also in the .ssh
directory (eg id_rsa, the private companion to the public id_rsa.pub). You should
usually not want to copy your private key to other systems.
It is better to copy exactly what you need to (just the authorized_keys file,
or even cut/paste the local id_rsa.pub contents into the remote authorized_keys
file).
Normally you would start a local ssh-agent and add your local key to it. Then
ssh to the target host. If you have forwarded your ssh-agent then your home
machine's key is available for use to ssh again to some further host. This is
very much a desirable thing to do because the protocol does _not_ provide the
private key to the intermediate machine: it just orchestrates the proof to the
far machine that you have access to the private key. The private key content
remains only on the original machine.
To recap:
Don't copy all of your .ssh directory; copy just what is required.
Use an ssh-agent to forward authentication over your ssh connections; that lets
you use your private key _without_ copying it to any machine beyond your
original (eg your personal laptop).
Use the authorized_keys file to express _your_ policy about who can connect to
a host. The public keys recorded here may log in. You can have different keys
(your laptop, your work machine, special keys for special needs) and put _just_
the corresponding public keys on the appropriate hosts.
Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
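As an added example (mine, not from either poster), a small POSIX sh helper that does the "copy just what is required" step the message recommends: it installs a single public key line into an authorized_keys file the way ssh-copy-id does, idempotently and with the usual permissions, and refuses anything that looks like private key material. The function name, paths and key blob are constructed for the demo.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE   (hypothetical helper)
# Appends one public key line to the authorized_keys file unless the same
# key (type + base64 blob) is already present. Returns 1 and changes nothing
# if PUBKEY_FILE looks like a private key, which must stay on the laptop.
install_pubkey() {
    pub="$1"; auth="$2"
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub looks like a private key" >&2
        return 1
    fi
    # A public key line is "<type> <base64> [comment]"; match on type+blob only,
    # so a differing comment does not cause a duplicate entry.
    keyline=$(head -n 1 "$pub")
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1" "$2}')
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"          # sshd refuses group/world-writable ~/.ssh
    touch "$auth"
    chmod 600 "$auth"
    if awk '{print $1" "$2}' "$auth" | grep -qxF "$keyid"; then
        return 0              # already authorized; nothing to do
    fi
    printf '%s\n' "$keyline" >> "$auth"
}

# The agent-forwarding flow the message describes (not run here; needs real
# hosts). The private key is only ever read by the agent on the laptop:
#   eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_rsa   # key loaded locally
#   ssh -A user@vm                                    # forward the agent
#   (on vm) ssh user@further-host                     # proof is relayed to laptop
```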