On Sun, Feb 23, 2003 at 11:00:34AM +0100, dick hoogendijk wrote:
> On 22 Feb Matthew Seaman wrote:
> > Generate an ssh key in the usual way:
> > 
> >     # ssh-keygen -b 1024 -t rsa 
> > 
> > which will prompt you for a passphrase. Enter one. The command will
> > create two files:
> > 
> >     id_rsa (the private key) and 
> > 
> >     id_rsa.pub (the public key)
> > 
> > Move 'id_rsa' in /root/.ssh and make sure it has the right ownership
> [cut the rest of the info]
> It works great! Very simple if you know how to act ;)
> I understand that I have to copy my public key to all machines I want to
> have a remote login-to. So far so good..
> But what do I do ON another machine (in my intranet)? Do I use *another*
> private key there or can I just use the one I have on my "main" machine?
> Thanks for all your help. Keeping copies of them :-))

For a root-owned key pair like I described, you should probably use a
distinct key pair on each of your machines.  Remember this root owned
ssh key pair is practically identical to the root password in terms of
what it will allow you to do to a machine.  Keep it secure.  Don't create
one unless you actually need to use it.

For general use by your own UID however, yes, copying the private key
around the place can be useful.  You may not need to do that though --
if you keep your account's private key on the machine on your desktop
and use ssh exclusively for remote access you only need to run one
copy of the ssh-agent there, and you can arrange for "agent
forwarding" by ssh so that even if you hop from machine to machine
several layers deep, everything eventually refers back to the
ssh-agent on your desktop for authorization.  See the paragraph about
"ForwardAgent" in the ssh_config(5) man page.

Of course, for this scheme to work effectively, you've got to
distribute the public key to all of the machines you might be
interested in logging into and add it to the appropriate
authorized_keys file on those machines.  Remember, the authorized_keys
file can belong to a completely different account on the remote
machine, and there can be as many keys as you like in the
authorized_keys file.  That's actually quite a good way of providing
shared access to a login account without having to share a single
password between everyone.



Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
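As an added illustration of the last paragraph (this is example code, not
anything posted in the thread), the script below installs a public key into
an account's authorized_keys the way the reply describes: several people's
keys in one file, the file possibly belonging to a different account than the
key's owner, with the directory and file permissions sshd expects (with the
default StrictModes it ignores the file if anything but the owner can write
it), a check that the line looks like a public key at all, and no duplicate
entry when the same key is installed twice.  The function names, the
temporary home directory and the key material are constructed for the demo;
agent forwarding is not shown.

```shell
#!/bin/sh
# Added example, not code from the original thread. Installs a public key
# into an account's authorized_keys, refusing malformed lines, avoiding
# duplicates, and setting the permissions sshd's StrictModes checks.
# All paths and key material below are constructed for the demo.

# install_authorized_key <home_dir> "<public key line>"
# Appends the line to <home_dir>/.ssh/authorized_keys unless that key is
# already present. Returns 0 on success (including "already there"),
# 1 on a malformed line.
install_authorized_key() {
    home_dir=$1
    pubkey_line=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only "<keytype> <base64> [comment]" with a key type sshd knows.
    case $pubkey_line in
        ssh-rsa\ [A-Za-z0-9+/]*|ssh-ed25519\ [A-Za-z0-9+/]*|ecdsa-sha2-nistp*\ [A-Za-z0-9+/]*) ;;
        *) echo "refusing to install malformed key line" >&2; return 1 ;;
    esac

    # sshd (StrictModes yes, the default) ignores authorized_keys if the
    # directory or the file is writable by anyone but the owner.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare on "<keytype> <base64>" only, so re-running with a different
    # trailing comment does not add a second copy of the same key.
    key_body=$(printf '%s\n' "$pubkey_line" | awk '{print $1 " " $2}')
    if awk -v body="$key_body" '($1 " " $2) == body {found = 1} END {exit !found}' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey_line" >> "$auth_file"
}

# count_authorized_keys <home_dir>
# Number of key lines in the account's authorized_keys (comment and blank
# lines ignored); prints 0 if the file does not exist yet.
count_authorized_keys() {
    f="$1/.ssh/authorized_keys"
    [ -f "$f" ] || { echo 0; return; }
    awk 'NF && $1 !~ /^#/ { n++ } END { print n + 0 }' "$f"
}

# Demo: two people's constructed keys installed into one temporary "home",
# the first of them twice with a different comment.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAconstructedKeyOne alice@desktop'
install_authorized_key "$demo_home" 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedKeyTwo bob@laptop'
install_authorized_key "$demo_home" 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAconstructedKeyOne alice@again'
echo "keys authorised: $(count_authorized_keys "$demo_home")"   # 2
rm -rf "$demo_home"
```

Run it as the account that should own the file (or as root with the home
directory of the target account); the matching on key type plus key material
rather than the whole line is what keeps the file from filling up with
near-duplicates when people re-send their key with a new comment.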
