passwordless SSH Rsync [Was : DiskLayout/PartitioningPractices]

Ow Mun Heng ow.mun.heng at wdc.com
Thu Jan 29 12:16:14 UTC 2004


> -----Original Message-----
> From: Rui Miguel Seabra [mailto:rms at 1407.org]
> Sent: Thursday, January 29, 2004 7:59 PM
> To: fedora-list at redhat.com
> Subject: RE: passwordless SSH Rsync [Was :
> DiskLayout/PartitioningPractices]
> 
> 
> On Thu, 2004-01-29 at 11:55, Ow Mun Heng wrote:
> > I do not want to have My Private key in all the servers. Only in Server1 and
> > get the other servers to request that from server1 using ssh-agent.
> 
> If you want to have RSA based authentication (even if without a
> passphrase), then you have to do that.
> 
> You need to have the public key in all servers to be accessed, and the
> private key in all clients that access.
> 
One more stab.. This is taken from the book O'Reilly Linux Server Hacks

===================
Practically, this means that with an agent running (and with properly
configured ssh clients), it is possible to ssh to multiple machines without
requiring a copy of your private key on each intervening machine (or typing
in your password on every connection). 

Assume we already have an authorized ssh key (see [Hack #66]) installed on
each of homer, bart, and lisa. If you ssh to each machine from your local
machine, there's no problem: 

rob at caligula:~$ ssh homer
rob at homer:~$ exit
logout
Connection to homer.oreillynet.com closed.
rob at caligula:~$ ssh bart
rob at bart:~$ exit
logout
Connection to bart.oreillynet.com closed.
rob at caligula:~$ ssh lisa
rob at lisa:~$ exit

But what happens when we try to ssh from homer directly to bart? 

rob at caligula:~$ ssh homer
rob at homer:~$ ssh bart
rob at bart's password:

This is where ssh-agent comes in handy. Rather than expose your private key
to unnecessary risk by placing a copy on all of your servers, simply start
the agent on your local machine like this: 

rob at caligula:~$ eval `ssh-agent`
Agent pid 8450

Then add your default ssh keys with the ssh-add command: 

rob at caligula:~$ ssh-add
Identity added: /home/rob/.ssh/id_rsa (/home/rob/.ssh/id_rsa)
Identity added: /home/rob/.ssh/id_dsa (/home/rob/.ssh/id_dsa)
Identity added: /home/rob/.ssh/identity (rob at caligula)

You'll also need to check that homer, bart, and lisa are configured to
forward agent requests along. This is usually denied by default, but is
controlled with a line like this: 

ForwardAgent yes

in your ~/.ssh/config or /usr/local/etc/ssh_config file. You can also
specify it from the command line with the -A switch. 

Now, when you ssh from homer directly to bart, homer will first ask your
agent for any available credentials. Likewise, sshing from bart to lisa will
first cause bart to check with homer, who will forward the request back to
your agent again. This makes it easy to skate from machine to machine very
quickly: 

rob at caligula:~$ ssh homer
rob at homer:~$ ssh bart
rob at bart:~$ ssh lisa
rob at lisa:~$
==============

That's what I want to achieve..

Yes.. No..?? Or is only DSA supported?? (I have no idea what the
difference between RSA and DSA is.)

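The hop-through-homer setup from the excerpt, as an added example that is not from the book or from anyone in this thread, written as a POSIX shell script. It generates a key pair once on the workstation, loads it into an agent, and shows that only the .pub half is what goes into authorized_keys on homer, bart and lisa. It then prints the rsync you would run on homer with a forwarded agent, and an alternative using ssh -J (ProxyJump, OpenSSH 7.3 or later) that reaches bart and lisa through homer from the workstation without ever handing the agent to homer. Assumptions, none of which come from the page: the hostnames and user rob are reused from the excerpt; the key is a throwaway ed25519 key in a temp directory (the same flow works for RSA or DSA keys, which is what the ssh-add output in the excerpt shows loaded); the /srv/data paths and the per-host config file are invented; nothing here actually connects to another machine.

```shell
#!/bin/sh
# Added example, not from the O'Reilly book or the fedora-list post.
# One agent on the workstation (caligula); no private key on any server.
set -eu

for tool in ssh-keygen ssh-agent ssh-add; do
    command -v "$tool" >/dev/null 2>&1 || {
        echo "$tool not found; install the OpenSSH client to run this" >&2
        exit 0
    }
done

WORKDIR=$(mktemp -d)
KEY="$WORKDIR/id_ed25519"   # assumption: throwaway key, not a real identity

cleanup() { ssh-agent -k >/dev/null 2>&1 || true; rm -rf "$WORKDIR"; }
trap cleanup EXIT

# 1. Generate the key pair. The private half never leaves this directory.
ssh-keygen -q -t ed25519 -N '' -f "$KEY" -C 'rob@caligula (example)'

# 2. Start an agent for this shell and load the key; `ssh-agent -s` prints
#    Bourne-style exports for SSH_AUTH_SOCK / SSH_AGENT_PID.
eval "$(ssh-agent -s)" >/dev/null
ssh-add "$KEY" 2>/dev/null

# The only thing that is copied to homer, bart and lisa: one line for
# ~rob/.ssh/authorized_keys on each of them.
public_key_for_servers() {
    cat "$KEY.pub"
}

# True if the agent holds the key. This is what ssh on caligula, and any hop
# with a forwarded agent, finds when a server asks for a signature.
agent_has_key() {
    fp=$(ssh-keygen -lf "$KEY.pub" | awk '{print $2}')
    ssh-add -l 2>/dev/null | grep -qF "$fp"
}

# Client-side config (assumed layout). Forward the agent only to the one hop
# that must initiate further connections, not to every host.
write_ssh_config() {
    cat > "$WORKDIR/config" <<EOF
Host homer
    HostName homer.oreillynet.com
    User rob
    ForwardAgent yes
Host bart lisa
    User rob
    ForwardAgent no
EOF
    echo "$WORKDIR/config"
}

# Command to run on homer after `ssh -A homer` (or with the config above):
# rsync over ssh to the next server, signed by the key that stayed on caligula.
rsync_from_hop() {
    printf 'rsync -az -e ssh /srv/data/ rob@%s:/srv/data/\n' "$1"
}

# Alternative run from caligula itself: ssh tunnels through homer with
# ProxyJump, so homer relays TCP only and never sees the agent socket.
rsync_via_jump() {
    printf 'rsync -az -e "ssh -J rob@homer" /srv/data/ rob@%s:/srv/data/\n' "$1"
}

echo "authorized_keys line for the servers:"; public_key_for_servers
agent_has_key && echo "agent holds the key"
echo "ssh config written to $(write_ssh_config)"
echo "on homer, with a forwarded agent:"; rsync_from_hop bart
echo "or from caligula, without forwarding:"; rsync_via_jump lisa
```

The two rsync lines answer the original question in two different ways. With ForwardAgent, homer never holds the private key, but while you are connected anyone with root on homer can talk to the forwarded socket and get signatures with it, so forward only to hosts you trust and only for as long as the session lasts. The ProxyJump form has no such exposure because homer only relays the TCP connection; it is the better choice when caligula can drive the rsync itself.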