neysx 05/10/21 10:39:42 Modified: xml/htdocs/doc/en/articles openssh-key-management-p3.xml Log: #110008 Removed duplicate text
Revision Changes Path 1.4 +3 -60 xml/htdocs/doc/en/articles/openssh-key-management-p3.xml file : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml?rev=1.4&content-type=text/x-cvsweb-markup&cvsroot=gentoo plain: http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml?rev=1.4&content-type=text/plain&cvsroot=gentoo diff : http://www.gentoo.org/cgi-bin/viewcvs.cgi/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml.diff?r1=1.3&r2=1.4&cvsroot=gentoo Index: openssh-key-management-p3.xml =================================================================== RCS file: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- openssh-key-management-p3.xml 9 Oct 2005 17:13:23 -0000 1.3 +++ openssh-key-management-p3.xml 21 Oct 2005 10:39:42 -0000 1.4 @@ -1,5 +1,5 @@ <?xml version='1.0' encoding="UTF-8"?> -<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml,v 1.3 2005/10/09 17:13:23 rane Exp $ --> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/articles/openssh-key-management-p3.xml,v 1.4 2005/10/21 10:39:42 neysx Exp $ --> <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> <guide link="/doc/en/articles/openssh-key-management-p3.xml" disclaimer="articles"> @@ -20,8 +20,8 @@ document is an updated version of the original article, and contains various improvements made by the Gentoo Linux Documentation team --> -<version>1.1</version> -<date>2005-10-09</date> +<version>1.2</version> +<date>2005-10-21</date> <chapter> <title>Agent forwarding and keychain improvements</title> 
@@ -182,63 +182,6 @@ above: </p> -<figure link="/images/docs/l-ssh-4.jpg" caption="ssh-agent running only on lappy; a more secure configuration"/> - -<p> -Of course, the problem with this approach is that drobbins can now only -establish passwordless connections from lappy. Let's see how to enable -authentication forwarding and get around this problem. -</p> - -<p> -Assuming that all machines are running recent versions of OpenSSH, we can get -around this problem by using authentication forwarding. Authentication -forwarding allows remote ssh processes to contact the ssh-agent that is running -on your local trusted machine -- rather than requiring a version of ssh-agent -to be running on the same machine that you are sshing out from. This usually -allows you to run ssh-agent (and keychain) on a single machine, and means that -all ssh connections that originate (either directly or indirectly) from this -machine will use your local ssh-agent. -</p> - -<p> -To enable authentication forwarding, we add the following line to lappy and -trustbox's <path>/etc/ssh/ssh_config</path>. Note that this is the config file -for ssh (<path>ssh_config</path>), not the ssh daemon sshd -(<path>sshd_config</path>): -</p> - -<pre caption="Add this line to your /etc/ssh/ssh_config"> -ForwardAgent Yes -</pre> - -<p> -Now, to take advantage of authentication forwarding, drobbins can connect from -lappy to trustbox, and then from trustbox to notrust1 without supplying -passphrases for any of the connections. Both ssh processes "tap in" to the -ssh-agent running on lappy: -</p> - -<pre caption="Tapping lappy"> -$ <i>ssh [EMAIL PROTECTED]</i> -Last login: Wed Sep 26 13:42:08 2001 from lappy - -Welcome to trustbox! -$ <i>ssh [EMAIL PROTECTED]</i> -Last login: Tue Sep 25 12:03:40 2001 from trustbox - -Welcome to notrust1! 
-$ -</pre> - -<p> -If you try a similar configuration and find that agent forwarding isn't -working, try using <c>ssh -A</c> instead of plain old ssh to explicitly enable -authentication forwarding. Here's a diagram of what went on behind the scenes -when we logged in to trustbox and notrust1 using authentication forwarding, -above: -</p> - <figure link="/images/docs/l-ssh-5.jpg" caption="Agent forwarding in action"/> <p> -- [email protected] mailing list
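Review bot: in the @@ -182,63 +182,6 @@ hunk the removed block starts at the `l-ssh-4.jpg` figure and ends with the paragraph closing "...using authentication forwarding, above:", so after the removal the unchanged context `above: </p>` is followed straight by `<figure link="/images/docs/l-ssh-5.jpg" caption="Agent forwarding in action"/>`. That pairing is only correct if the paragraph just before the hunk (outside the visible context) is the retained copy of the "Here's a diagram of what went on behind the scenes" text, and if the retained copy still carries the l-ssh-4 figure, the `ForwardAgent Yes` instructions and the `ssh -A` troubleshooting sentence that are deleted here; the diff window does not show the kept text, so please confirm in the rendered page that each figure still follows its own introducing paragraph. If the retained copy repeats the removed advice to put `ForwardAgent Yes` in the system-wide /etc/ssh/ssh_config, consider narrowing it there to a `Host` block for the trusted hops the article names (lappy and trustbox) rather than enabling agent forwarding to every host the user connects to.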
