On 07/15/2017 07:05 PM, Cameron Simpson wrote: > On 16Jul2017 08:26, Ed Greshko <ed.greshko@xxxxxxxxxxx> wrote: >> In my host system I have copied my id_rsa.pub into the authorized_keys >> file. I then >> tar up my .ssh directory and sftp it to my VM when I create them. I >> then untar the >> file on the VM. From then on I can sftp/ssh to/from any system. > > This is actually rather hazard prone. Your _private_ key is also in the > .ssh directory (eg id_rsa, private companion to the public id_rsa.pub). > You should usually not want to copy your private key to other systems. > > It is better to copy exactly what you need to (just the authorized_keys > file, or even cut/paste the local id_rsa.pub contents into the remote > authorized_keys file). > > Normally you would start a local ssh-agent and add your local key to it. > Then ssh to the target host. If you have forwarded you ssh-agent then > your home machine's key is available for use to ssh again to some > further host. This is very much a desirable thing to do because the > protocol does _not_ provide the private key to the intermediate machine: > it just orchestrates the proof to the far machine that you have access > to the private key. The private key content remain only on the original > machine. > > To recap. > > Don't copy all of your .ssh directory; copy just what is required. > > Use an ssh-agent to forward authentication over your ssh connections; > that lets you use your private key _without_ copying it to any machine > beyond your original (eg your personal laptop). > > Use the authorized_keys file to express _your_ policy about who can > connect to a host. The public keys recorded here may log in. You can > have different keys (your laptop, your work machine, special keys for > special needs) and put _just_ the corresponding public keys on the > appropriate hosts. Or use ssh-copy-id to copy the .pub files to the ~/.ssh/authorized_keys files on the target machines (which is the "official" way to do it). ---------------------------------------------------------------------- - Rick Stevens, Systems Engineer, AllDigital ricks@xxxxxxxxxxxxxx - - AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 - - - - Time WAS on my side. Now it's behind me and pushing real hard! - ---------------------------------------------------------------------- _______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
