Hi Brandon,

SSH doesn't work that way. There is not an ability to be a "witness". SSH keys are independent of the local user account. All that's necessary is for a particular user to have the public key in its authorized keys file and then SSH will use public key authentication vs password based authentication.

Check out /var/log/secure to see how you are logging in. Look at /home/*/.ssh/authorized_keys to see who has what keys.

Cheers,
Harry

On 05/14/2013 12:38 PM, Lucas, Brandon wrote:
> Hi all -
>
> I have a question about SSH that I can't seem to figure out. Here is the situation:
>
> 4 servers on RHEL 6.3
>
> One server has a local account ("teddy"). SSH key pairs have been set up between this "teddy" account and the other 3 servers on a different local account common to the other 3 servers ("bear"), but not present on the "teddy" server. These 3 servers do not have a "teddy" account.
>
> Now, I am able to ssh without password between the 3 "bear" servers using the "bear" account without a password. This behavior is undesired as it bypasses some key controls.
>
> I figure what must be happening here is that since the 3 "bear" servers have the same public key that points to the "teddy" server, they must be using that fourth server as some type of "witness" to verify the identity of the user making the ssh connection, bypassing the password for the "bear" account. I have disabled AgentForwarding on all 4 servers in question, as well as X11Forwarding. This has not helped.
>
> What is going on here and how do I avoid it?
>
> Brandon
>

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
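
Added example (not part of the original thread): a Python sketch of the two checks suggested in the reply, grouping authorized_keys entries by fingerprint to see which accounts accept which key, and pulling the authentication method out of sshd "Accepted" lines as found in /var/log/secure. The function names, hostnames, key blobs and log lines are constructed for illustration.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key type names
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def parse_authorized_keys(text):
    """Yield (fingerprint, comment) per key line; assumes option values have no spaces."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                try:
                    blob = base64.b64decode(fields[i + 1], validate=True)
                except ValueError:
                    break  # malformed entry, ignore it
                # Unpadded base64 of SHA-256, the form current ssh-keygen -l prints.
                digest = hashlib.sha256(blob).digest()
                fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
                yield fp, " ".join(fields[i + 2:])
                break

def accounts_by_key(files):
    """Map each fingerprint to the sorted (host, user) accounts that accept it."""
    trust = defaultdict(set)
    for account, text in files.items():
        for fp, _comment in parse_authorized_keys(text):
            trust[fp].add(account)
    return {fp: sorted(accts) for fp, accts in trust.items()}

def login_methods(log_text):
    """Return (method, user, source) for every successful sshd login line."""
    return [m.groups() for m in map(ACCEPTED.search, log_text.splitlines()) if m]

# Constructed sample data: the key blobs, hosts and log lines are made up.
KEY_A = base64.b64encode(b"constructed-key-A").decode()
KEY_B = base64.b64encode(b"constructed-key-B").decode()
SAMPLE_FILES = {
    ("bear1", "bear"): f"ssh-rsa {KEY_A} teddy@teddyhost\nssh-rsa {KEY_B} bear@bear2\n",
    ("bear2", "bear"): f'# audited\nfrom="192.0.2.10" ssh-rsa {KEY_A} teddy@teddyhost\n',
    ("bear3", "bear"): f"ssh-rsa {KEY_A} teddy@teddyhost\nssh-rsa {KEY_B} bear@bear2\n",
}
SAMPLE_LOG = """\
May 14 12:01:07 bear1 sshd[2211]: Accepted publickey for bear from 192.0.2.12 port 40112 ssh2
May 14 12:03:44 bear1 sshd[2290]: Accepted password for bear from 192.0.2.50 port 40290 ssh2
May 14 12:04:01 bear1 sshd[2301]: Failed password for bear from 192.0.2.50 port 40291 ssh2
"""
```

On a real host, pass in the contents of each /home/*/.ssh/authorized_keys file and of /var/log/secure instead of the sample values; any fingerprint listed for an account is a key that account accepts without a password.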