Re: Key Selection with agent

Hi guys,

Yes, I was referring to providing the key via the agent.

First, placing the key on a remote system might be insecure. Your workstation can be assumed to be a trusted environment.

Second, you can have multiple keys in use and obsolete one system (system group).

Third, you will not have failed logins due to wrong keys.

It will be usable for a wider range of people.

So the question is: must this be done on the remote system, or can the agent have the rule?

On the other hand, when using GSSAPI and Kerberos, can we forward the TGT or the request back to the workstation?

As we assume the workstation is a trusted source.

----

Patrick Marc Preuss Mobil: 0172/7411263 | Email: patrick.preuss@xxxxxx

> Am 10.10.2014 um 21:50 schrieb Iain Morgan <imorgan@xxxxxxxxxxxx>:
> 
>> On Mon, Oct 06, 2014 at 11:50:21 +1100, Damien Miller wrote:
>>> On Sat, 4 Oct 2014, Patrick Marc Preuss wrote:
>>> 
>>> Hi All
>>> 
>>> is it possible to select the presented key based on the hash?
>> 
>> I don't know what hash you are talking about.
>> 
>>> The situation is the following:
>>> 
>>> Workstation is running the agent with some keys.
>>> Need to use a jump host to connect to other hosts.
>> 
>> You can use something like the following in your ~/.ssh/config
>> 
>> Host foo
>>    IdentitiesOnly yes
>>    IdentityFile ~/.ssh/id_foo.pub
>> 
>> Host bar
>>    IdentitiesOnly yes
>>    IdentityFile ~/.ssh/id_bar.pub
>> 
>> ssh will use the specified key from the agent, even if it offers others.
>> 
>> Unfortunately there is no way to select/filter keys when an agent is
>> forwarded yet. It would be a nice feature though.
>> 
>> -d
> 
> If you place a copy of the public key on a remote system, and add
> appropriate entries for IdentitiesOnly and IdentityFile into the
> ~/.ssh/config on that system, you can control which key is used when
> connecting to other systems.
> 
> What would be nice is if you could specify a key fingerprint with
> IdentityFile rather than having to provide the actual public key. This
> may have been what Patrick was referring to.
> 
> -- 
> Iain Morgan
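Added example, not code from the thread or from OpenSSH: because IdentityFile takes a .pub file rather than a fingerprint, this script does the fingerprint lookup over `ssh-add -L` output itself and emits the IdentitiesOnly stanza Damien describes, so the key is pinned by hash without ever copying a private key. The key bytes and the agent listing are constructed demo data and the function names are hypothetical.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_pubkey_line(fill: int, comment: str) -> str:
    """Construct a syntactically valid ssh-ed25519 line as `ssh-add -L` prints it.

    The 32 key bytes are constructed demo data, not a real key."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw key blob, base64, no padding.

    This is what `ssh-keygen -lf key.pub` prints for a real key."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def select_key(agent_listing: str, wanted_fp: str):
    """Return the `ssh-add -L` line whose fingerprint matches, or None."""
    for line in agent_listing.splitlines():
        if line.strip() and fingerprint(line) == wanted_fp:
            return line.strip()
    return None


def pin_host_to_fingerprint(agent_listing: str, host: str, wanted_fp: str,
                            ssh_dir: str = "~/.ssh"):
    """Return (pub_path, pub_contents, config_stanza) for the selected key.

    Writing pub_contents to pub_path and appending the stanza to ~/.ssh/config
    makes ssh offer only that agent key to `host` (IdentitiesOnly + .pub file)."""
    line = select_key(agent_listing, wanted_fp)
    if line is None:
        raise LookupError(f"agent holds no key with fingerprint {wanted_fp}")
    pub_path = f"{ssh_dir}/id_{host}.pub"
    stanza = f"Host {host}\n    IdentitiesOnly yes\n    IdentityFile {pub_path}\n"
    return pub_path, line + "\n", stanza
```

Only the public key is written to disk, so the same stanza can be placed on the jump host (Iain's variant) without the private key leaving the workstation.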
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev