Good afternoon, Mike and all,

On Sun, 27 Feb 2000, Mike A. Harris wrote:

> On Tue, 22 Feb 2000, Carl J. Nobile wrote:
> >You need to add the ~/.ssh/identity.pub to ~/.ssh/authorized_keys on the
> >other machine and vice versa.
> >
> >Read the man pages; it's all in there.
> 
> Vice versa is not necessary.  Once you've copied user on HOST A's
> identity.pub into user on HOST B's authorized_keys file, then
> user on A can connect without password to HOST B.
> 
> You only need to copy vice versa if you wish HOST B to be able to
> do the same in reverse.

        100% agreed.

> Also, when generating the keys with ssh-keygen, enter a blank RSA
> passphrase by just hitting enter, otherwise you won't be asked
> for a password, but you'll be asked for an RSA passphrase every
> time which is equally annoying.

        There's an easier way, and it's quite elegant.  Here's what I do.
        On my main workstation, I log in as myself and run:
ssh-agent >~/agent      #Start the ssh-agent
. ~/agent               #tell this shell and all subshells how to find it
ssh-add                 #Type in my passphrase once
startx                  #Go onto X

        Now, in all the subshells I start under X, I only need to type:
ssh the_remote_machine  #Assuming it has my key in ~/.ssh/authorized_keys
        or
scp -p a_file the_remote_machine
        and I'm in; no additional passphrase needed.
        Is this truly more useful than just having no passphrase at all?  
Yes, actually.  First, if someone got access to the private key file, they
wouldn't be able to use it without my passphrase.  Secondly, I can ssh to
one machine that has my public key, and from that machine ssh to _another_
machine that also has my public key; the middle machine can use the
ssh-agent on the original workstation to authenticate itself to the final
target machine.
        If I log into other terminals or X servers that aren't spawned
from that original shell, all I need to type is
. ~/agent
and I have the same access to the ssh-agent.
        Pretty nifty idea; thanks, Tatu!
        Cheers,
        - Bill

---------------------------------------------------------------------------
        "As a computer I find your faith in technology amusing."
(Courtesy of Gerhard Mack <[EMAIL PROTECTED]>)
--------------------------------------------------------------------------
William Stearns ([EMAIL PROTECTED]).  Mason, Buildkernel, named2hosts, 
and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns/
--------------------------------------------------------------------------
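
The `. ~/agent` step in the message above runs whatever the file contains and assumes the agent it names is still alive. As an added example (not part of the original message), this sketch reuses the file only when it is a regular file owned by the current user and not writable by anyone else, and starts a fresh agent when the file is missing, untrusted or stale. The names `AGENT_FILE`, `agent_file_trusted`, `agent_state` and `use_agent` are hypothetical.

```shell
# Added example. AGENT_FILE is the file the message writes with `ssh-agent >~/agent`.
AGENT_FILE="${AGENT_FILE:-$HOME/agent}"

# Return 0 only for a regular file (not a symlink) owned by us that neither
# group nor others can write. Sourcing a file someone else can edit would run
# their commands with our privileges.
agent_file_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$(id -u)" \
            ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# Report the state of the agent named in the file, using ssh-add -l exit codes:
# 0 = reachable and holding keys, 1 = reachable but empty, 2 = unreachable.
# The function body is a subshell, so sourcing here leaves the caller untouched.
agent_state() (
    . "$1" >/dev/null 2>&1 || exit 2
    [ -S "${SSH_AUTH_SOCK:-}" ] || exit 2   # socket gone: file is stale
    ssh-add -l >/dev/null 2>&1
)

# Attach this shell to a usable agent, creating one if needed.
use_agent() {
    state=2
    if agent_file_trusted "$AGENT_FILE"; then
        state=0
        agent_state "$AGENT_FILE" || state=$?
    fi
    if [ "$state" -ge 2 ]; then
        # Missing, untrusted or stale: replace it, private from creation on.
        rm -f "$AGENT_FILE"
        ( umask 077; ssh-agent >"$AGENT_FILE" ) || return 1
        state=1
    fi
    . "$AGENT_FILE" >/dev/null
    # Ask for the passphrase only when the agent holds no keys yet.
    [ "$state" -eq 0 ] || ssh-add
}
```

Calling `use_agent` from a login shell replaces both the initial `ssh-agent >~/agent` sequence and the later `. ~/agent` in other terminals.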
