On Fri, Feb 24, 2017 at 11:33 PM, King Beowulf <[email protected]> wrote:

> On 02/24/2017 06:41 PM, Erik Lane wrote:
> ----snip-----
> >
> > Is there any reason why the public and private keys need to be different on
> > the different computers? (Purely out of curiosity about the technical
> > implementation.) It seems like you could create them on one computer and
> > copy paste to the relevant files to make them both the same. I don't see
> > any benefit to doing this, and some possible security risks, depending on
> > the situation, but I'm just curious.
>
> Best practice is to have each host have its own key pair. If ssh stays
> on your internal network and is not connected to the internet, you can
> get by with a common set. With a unique set you can track logs to see
> if anyone tries to get in...
>

Yeah, those are good points. Like I said, I see no benefit at all, only downsides, but I wondered if it was possible. Though I guess if you had a lot of machines then you would still only have to have one entry in the authorized_keys file on each one. So I managed to come up with one benefit! :)

No, it's not something I'll ever do, I was just curious if there was something that would confuse the system if the keys matched that way.

> >
> > I have had a couple instances where I actually needed to create the keys as
> > root as well. I was using rsync with sudo, (and the files were owned by a
> > different user for Owncloud) so I had to have root create the keys, since
> > that was what would be running the ssh transfer. Well, there might have
> > been other options, I really don't know, but setting it up that way took
> > care of it for me. Once I got it working I stopped looking for other ways
> > to do it. :)
> >
>
> having root do anything on the "cloud" (esp the way some distros
> configure sudo) is absolutely insane. Nuts. Bonkers.
>

At first I was confused, but then I remembered that I mentioned 'owncloud'...

I don't have anything going out to any cloud services, well other than that we do use Gmail and Google's various other cloud stuff. I had Owncloud running on a Raspberry Pi, just for fun, and only exposed to my own LAN. It's firewalled from the internet. In fact I haven't used it for months - I was thinking of trying to get it up and running well enough to get away from doing Google drive type stuff, but then didn't spend enough time and effort to actually get it into good enough shape to really be useful. I don't know if it's mature enough to provide enough incentive to make my wife want to change.

Thanks,
Erik
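
The point raised in the thread, that a unique key pair per host lets you trace logins in the logs, as an added example that is not part of the original messages: it fingerprints each `authorized_keys` entry and matches it against sshd "Accepted publickey" log lines. The key blobs, user and host names, addresses and log lines are constructed placeholders, and the log line layout is assumed to be the one OpenSSH's sshd writes with SHA256 fingerprints.

```python
import base64, hashlib, re

def fingerprint(b64_blob):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_authorized_keys(text):
    """Map fingerprint -> comment for each 'type blob comment' line."""
    keys = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        # Assumption: no options prefix (e.g. from="...") before the key type.
        keys[fingerprint(parts[1])] = parts[2] if len(parts) > 2 else "(no comment)"
    return keys

ACCEPTED = re.compile(
    r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def attribute_logins(log_text, keys):
    """Return (user, source_ip, key_label) for each accepted publickey login."""
    return [(user, ip, keys.get(fp, "UNKNOWN KEY"))
            for user, ip, fp in ACCEPTED.findall(log_text)]

# Constructed sample data: the blobs are placeholder bytes, not real keys.
def _blob(seed):
    return base64.b64encode(seed.encode() * 4).decode()

def _log(ip, seed):
    return ("Feb 24 23:40:01 host sshd[1234]: Accepted publickey for user "
            "from %s port 50022 ssh2: ED25519 %s" % (ip, fingerprint(_blob(seed))))

AUTHORIZED_KEYS = "\n".join([
    "# constructed entries",
    "ssh-ed25519 %s user@laptop" % _blob("laptop-key"),
    "ssh-ed25519 %s root@backup-pi" % _blob("backup-key"),
])
SAMPLE_LOG = "\n".join([
    _log("192.168.1.10", "laptop-key"),
    _log("192.168.1.20", "backup-key"),
    _log("192.168.1.30", "laptop-key"),  # same key copied to a second machine
    _log("192.168.1.99", "other-key"),   # key not in this file (e.g. since removed)
])

if __name__ == "__main__":
    for row in attribute_logins(SAMPLE_LOG, load_authorized_keys(AUTHORIZED_KEYS)):
        print(row)
```

The third sample line shows the cost of a shared key pair: the login from 192.168.1.30 carries the same label as the laptop, so the log can no longer tell the two machines apart.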
