Wayne Davison wrote:
On Thu, Oct 20, 2005 at 01:15:54AM +0100, Manuel López-Ibáñez wrote:

For example, isn't it possible for the root of middle (or some
attacker) to get my keys and use them?


No, that's not how ssh keys work at all.  Firstly, you only need to put
the *public key* on the middle host and the destination host, not your
private key (which only needs to be on your local system).  Secondly,
you should have encrypted your private key on your own host, so that it
must be decrypted with a pass phrase.  This makes everything work
securely.  As long as ssh is configured to forward the ssh-agent data,
the remote systems will allow a chain of ssh accesses that originates
from your local system (which will have prompted you for the key's pass
phrase only at the first use of the key).  This is a much better way to
configure ssh than to try to do multiple hops using passwords.

..wayne..


OK. Then, should I carry my (encrypted) private key everywhere? Could it be possible to leave the private (encrypted) key in middle and still forward the passphrase? This way I won't need to carry the private key everywhere; the key in middle would be encrypted and the passphrase prompt would be forwarded as before without confusing rsync.

I found a nice document [1] about securing rsync connections through ssh using keys; however, it doesn't explain anything about ssh-agent forwarding or passphrase-protected keys.

[1] http://www.jdmz.net/ssh/
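An added example, written for this page and not part of Wayne's or Manuel's messages, showing the layout Wayne describes (private key only on the local host, passphrase-protected, agent forwarded to the middle host) next to a layout that answers Manuel's follow-up by keeping neither key nor agent socket on the middle host at all, plus two checks a practitioner would run on the local key file. Host names `middle` and `dest`, the rsync paths and the sample key files are constructed placeholders; `ProxyJump` (OpenSSH 7.3 and later) postdates this 2005 thread but is the current way to hop through a host without exposing the agent to it.

```shell
#!/bin/sh
# Added example (not from the thread). Host names "middle" and "dest", the file
# paths and the sample key files below are constructed placeholders.

# Layout A, as Wayne describes: the private key lives only on the local host,
# passphrase-protected, and ssh-agent is forwarded to middle so that middle's
# own ssh to dest is authenticated by the local agent. While the session is
# open, root on middle can use the forwarded socket (it can never read the
# key itself), so forward the agent only on the hop that needs it.
ssh_config_agent_forward() {
  cat <<'EOF'
Host middle
    ForwardAgent yes
Host dest
    ForwardAgent no
EOF
}

# Layout B: no key and no agent socket on middle at all. The local client
# tunnels through middle with ProxyJump (OpenSSH 7.3+) and authenticates to
# dest directly; middle only relays ciphertext. Middle then needs nothing
# but your public key in its authorized_keys.
ssh_config_proxyjump() {
  cat <<'EOF'
Host dest
    ProxyJump middle
    ForwardAgent no
EOF
}

# One rsync invocation from the local host using layout B (-J is the
# command-line form of ProxyJump).
rsync_via_jump_cmd() {
  printf '%s\n' "rsync -av -e 'ssh -J middle' ./data/ dest:backup/"
}

# Check 1: is the private key actually passphrase-protected?
# Legacy PEM keys carry a "Proc-Type: 4,ENCRYPTED" header when encrypted;
# openssh-key-v1 files encode the cipher name right after the magic string,
# and a cipher of "none" means the key is stored in the clear.
is_key_encrypted() {
  f=$1
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
    return 0
  fi
  if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
    cipher=$(sed '/^-----/d' "$f" | base64 -d 2>/dev/null \
             | tr -c '[:alnum:]-' ' ' | awk '{print $2}')
    if [ -n "$cipher" ] && [ "$cipher" != none ]; then
      return 0
    fi
  fi
  return 1
}

# Check 2: the key file must not be readable by anyone else (ssh refuses it
# otherwise). The mode is read from ls -l so this works on GNU and BSD systems.
check_key_perms() {
  mode=$(ls -ld "$1" | cut -c2-10)
  [ "$mode" = "rw-------" ] || [ "$mode" = "r--------" ]
}

# Constructed sample files: only the format headers, not real key material.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PLAIN="$SAMPLE_DIR/id_plain"      # openssh-key-v1, cipher "none"
SAMPLE_ENC="$SAMPLE_DIR/id_enc"          # openssh-key-v1, aes256-ctr + bcrypt
SAMPLE_PEM_ENC="$SAMPLE_DIR/id_pem_enc"  # legacy PEM with Proc-Type header
{
  echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'
} > "$SAMPLE_PLAIN"
{
  echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'
} > "$SAMPLE_ENC"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: AES-128-CBC,00000000000000000000000000000000' \
  '-----END RSA PRIVATE KEY-----' > "$SAMPLE_PEM_ENC"
chmod 600 "$SAMPLE_ENC" "$SAMPLE_PEM_ENC"
chmod 644 "$SAMPLE_PLAIN"

# Report on the constructed samples; run the same two checks on ~/.ssh/id_*.
for k in "$SAMPLE_PLAIN" "$SAMPLE_ENC" "$SAMPLE_PEM_ENC"; do
  if is_key_encrypted "$k"; then enc=encrypted; else enc=CLEARTEXT; fi
  if check_key_perms "$k"; then perm=ok; else perm=TOO-OPEN; fi
  echo "$(basename "$k"): $enc, permissions $perm"
done
```

Both layouts leave the private key on the local host only, which is the point of Wayne's reply; layout B additionally means that nothing on `middle` (root included) ever sees an agent socket, so the question of leaving a key or forwarding a passphrase to `middle` does not arise.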
