m.seaman at infracaninophile.co.uk
Fri Jan 8 16:13:46 UTC 2010
> On Fri, 08 Jan 2010 10:13:52 -0500 Lowell Gilbert <freebsd-questions-local at be-well.ilk.org> articulated:
>> Carmel <carmel_ny at hotmail.com> writes:
>>> On Fri, 8 Jan 2010 14:58:23 +0100 Pieter de Goeje <pieter at service2media.com> articulated:
>>>> You might want to take a look at ssh-agent. I think PuTTY has an equivalent.
>>>> It lets you do remote logins without putting your key(s) everywhere. I've not
>>>> yet tried this myself, but I plan on testing it sometime.
>>> I use agent. All that agent does is cache your password so you do not
>>> have to re-enter it each time you make a connection.
>> The agent can be forwarded with the connection.
>> In your case, it would remove the need for a second key on the second machine.
> I was not aware of that. I will have to read up on how to accomplish it.
You just put the public key from Computer 1 in ~/.ssh/authorized_keys on
both the machines (Computer 2, Computer 3) where you want access. You'll
have to use 'ssh-keygen -i -f filename' to convert the pubkey from the SSH2
format Putty uses to the OpenSSH format FreeBSD uses, and you need to be
careful to make the authorized_keys file writable only by the account UID. You
can prepend the line in the authorized_keys files with from="hostname" to only
permit access from a specific host if you like. See the section
'AUTHORIZED_KEYS FILE FORMAT' in sshd(8) for details. You don't need to
install any private keys on Computer 2 or Computer 3.
Then when you load the key into the agent, be sure and check the 'Forward
the Agent' tickbox. Similarly, when you connect from computer 2 to computer
3 just add '-A' to the ssh command line, as in: 'ssh -A computer3' -- this
achieves the same agent forwarding under OpenSSH. Computer 3 will ask
computer 2 for authentication, and computer 2 will relay this request back to
computer 1 where there is access to your private key. You can hop through a
large number of machines this way, and so long as you keep forwarding the agent
it should all work.
Note that pageant, or ssh-agent (which is the FreeBSD equivalent) doesn't
cache the passphrase. It stores a decrypted copy of your private key in
memory. Don't leave the agent running on an unattended machine that anyone
else can access.
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 259 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20100108/b9e55822/signature.pgp
More information about the freebsd-questions