On 07/12/2016 02:32 PM, bruce wrote:
> so on box1
> I have the priv key
> on box1 I have ssh-agent
> on box1, in the config file, do I need to have box2
You *can* specify agent forwarding in the configuration file, but I have
to disagree with users who recommended doing so. My opinion is that you
should use "ssh -A" to forward your agent specifically in sessions where
you intend to establish additional connections from the session you are
creating.
If you log in to a host that is compromised, and forward your agent, the
attacker could use your ssh agent to establish additional connections.
This is better than the situation of having a private key on the same
compromised host, because the key itself cannot be stolen and the agent
is only usable while you are connected. However, the cautious practice
is to reduce the threat further by not forwarding the agent when it is
not going to be used.
> on box2 I don't need to have the pub key from box1, but I do have to
> have what???
box2 does need to have the public key installed, as usual. It just
doesn't need a private key. Authentication requests will be proxied
(forwarded) back to your workstation, where the private key is available.
> and then whatever I have on box2 gets replicated on the other boxes
> in the "chain"
All of the hosts in the chain require the public key, just as they would
if you were connecting to them directly.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
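The per-session forwarding the reply recommends, plus a check for configs that forward permanently, as an added example that is not part of the original thread. It assumes OpenSSH's ssh_config syntax, a POSIX shell with awk, and uses the hostnames box1 and box2 from the question; the sample config it audits is constructed here.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts. Assumes
# OpenSSH ssh_config syntax and a POSIX shell with awk; box1/box2 are the
# hostnames from the question.

# 1. Per-session forwarding, as the reply recommends: -A forwards the agent
#    only for this login, and "ssh box2" typed inside box1 then authenticates
#    with the key held on the workstation. Neither host needs the private
#    key; each needs the public key in its ~/.ssh/authorized_keys.
#
#    workstation$ ssh -A box1
#    box1$ ssh box2          # signature request proxied back to the workstation agent

# 2. Audit an ssh_config for blocks that turn ForwardAgent on permanently.
#    Prints the Host (or Match) pattern of every block that sets
#    "ForwardAgent yes"; a setting before any Host line applies to all hosts
#    and is printed as "*". Keywords are case-insensitive as in ssh(1); only
#    the "keyword value" form is parsed, not "keyword=value".
forwarded_hosts() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "host" || tolower($1) == "match" {
            pattern = $2
            for (i = 3; i <= NF; i++) pattern = pattern " " $i
            next
        }
        tolower($1) == "forwardagent" && tolower($2) == "yes" {
            print (pattern == "" ? "*" : pattern)
        }
    ' "$1"
}

# 3. On the remote side, tell whether an agent was actually forwarded into
#    this session: the socket exists and ssh-add can list keys. Returns 0 if
#    so, 1 otherwise, so a script on box1 can refuse to hop onward without it.
agent_forwarded() {
    [ -S "${SSH_AUTH_SOCK:-}" ] && ssh-add -l >/dev/null 2>&1
}

# Constructed sample ~/.ssh/config, written to the path given as $1, used to
# exercise forwarded_hosts offline.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample ~/.ssh/config
Host box1
    HostName box1.example.org
    ForwardAgent yes

Host box2 box2-admin
    HostName box2.example.org
    forwardagent Yes

Host *
    ForwardAgent no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
echo "Hosts with permanent agent forwarding:"
forwarded_hosts "$sample"     # prints "box1" then "box2 box2-admin"
rm -f "$sample"
```

Anything the audit lists is a host where a compromise exposes your agent on every login, not just the sessions where you chose to hop onward; the fix in the reply's terms is to drop that line and type `ssh -A` when you need it.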