Re: Is there any solution, or even work on, limiting which keys get forwarded where?

On Thu, Oct 15, 2015 at 07:02:58PM -0400, Nico Kadel-Garcia wrote:
> On Thu, Oct 15, 2015 at 10:34 AM, hubert depesz lubaczewski
> <depesz@xxxxxxxxxx> wrote:
> > Hi,
> >
> > I'm in a situation where I'm using multiple SSH keys, each to connect to
> > different set of servers.
> >
> > I can't load/unload keys on demand, as I usually am connected to at
> > least 2 of such sets.
> 
> I *just* went through some of this, to distinguish between github SSH
> "deploykeys" and my personal key when connected to a remote server for
> which I may wish to publish updates to github.
> 
> I personally now set up a .ssh/config with "Host" entries specified
> for different services and different "IdentityFile" services, to
> ensure use of one local key or the other for a particular "Host" as
> designated in .ssh/config. This does not require a real CNAME or valid
> DNS for the target host, and lends itself well to automated services
> where one upstream git repo requires a different SSH key than another.
> 
> This does mean a private key on the server, which is its own risk. But
> for automated, unattended git deployment, you make tradeoffs.

So it's unacceptable for me: I have to have access to production
servers; access to them, without a password, from the jump host, shouldn't be
possible, but we can use the ssh agent, which solves the problem.

But the flip side is that using the agent opens access to all keys in it
from any connected host :(

depesz
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
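The two mitigations discussed in this thread, one key per "Host" entry with "IdentityFile" and agent forwarding only to the jump host, can be checked without connecting anywhere: `ssh -G host` prints the options ssh would apply. The script below is an added example, not code posted in the thread; the host names and key paths in it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: a per-host ssh_config that pins one
# IdentityFile per service and enables ForwardAgent only for the jump host,
# verified with `ssh -G` (resolved options, no connection made).
# Host names and key paths are constructed for the demo.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/config"

# Write the demo client config. ssh_config keeps the FIRST value obtained for
# each option, so the host-specific blocks come first and "Host *" comes last.
write_demo_config() {
    cat > "$CFG" <<EOF
# Deploy-key alias: no DNS entry needed, HostName does the mapping.
Host github-deploy
    HostName github.com
    User git
    IdentityFile $WORK/deploy_key

# Same real host, different key, when used interactively.
Host github.com
    User git
    IdentityFile $WORK/personal_key

# The only host allowed to see the agent. Production hosts behind it
# authenticate via the forwarded agent, so no private key is stored there.
Host jump.example.com
    ForwardAgent yes
    IdentityFile $WORK/jump_key

# Defaults: never forward the agent, and only offer the key named for the
# host rather than every key the agent happens to hold.
Host *
    ForwardAgent no
    IdentitiesOnly yes
EOF
}

# True when an ssh client is present and able to resolve a config.
ssh_usable() {
    command -v ssh >/dev/null 2>&1 && ssh -G localhost >/dev/null 2>&1
}

# resolved_option HOST OPTION: the value ssh would apply for HOST.
# Option names in `ssh -G` output are lower-case (identityfile, forwardagent).
resolved_option() {
    ssh -G -F "$CFG" "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

write_demo_config

if ssh_usable; then
    for h in github-deploy github.com jump.example.com prod.example.com; do
        printf '%-20s key=%s forwardagent=%s\n' "$h" \
            "$(resolved_option "$h" identityfile)" \
            "$(resolved_option "$h" forwardagent)"
    done
else
    echo "no usable ssh client found; config written to $CFG"
fi
```

"IdentitiesOnly yes" addresses the first half of the complaint (ssh offering every agent key to every host it talks to); it does not limit what a forwarded agent can sign, which is the second half. For that, keys can be loaded with `ssh-add -c` so each signing request from a forwarded connection needs local confirmation, and OpenSSH 8.9 and later add destination constraints (`ssh-add -h`) that restrict a key to a named chain of hosts.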