Date: Sun, 23 Feb 2003 10:33:48 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: fbsd backup 2 remote
Message-ID: <20030223103347.GC12731@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030223100034.GA10205@nagual.st>
References: <20030222145404.GA251@pooh.nagual.st> <20030222160437.GA5430@happy-idiot-talk.infracaninophi> <20030222210343.GA18760@nagual.st> <20030222214628.GB7546@happy-idiot-talk.infracaninophi> <20030223100034.GA10205@nagual.st>
On Sun, Feb 23, 2003 at 11:00:34AM +0100, dick hoogendijk wrote:
> On 22 Feb Matthew Seaman wrote:
> > Generate an ssh key in the usual way:
> >
> >     # ssh-keygen -b 1024 -t rsa
> >
> > which will prompt you for a passphrase. Enter one. The command will
> > create two files:
> >
> >     id_rsa (the private key) and
> >
> >     id_rsa.pub (the public key)
> >
> > Move 'id_rsa' in /root/.ssh and make sure it has the right ownership
> > [cut the rest of the info]
>
> It works great! Very simple if you know how to act ;)
>
> I understand that I have to copy my public key to all machines I want to
> have a remote login-to. So far so good..
> But what do I do ON another machine (in my intranet)? Do I use *another*
> private key there or can I just use the one I have on my "main" machine?
>
> Thanks for all your help. Keeping copies of them :-))

For a root-owned key pair like I described, you should probably use a
distinct key pair on each of your machines. Remember this root owned
ssh key pair is practically identical to the root password in terms of
what it will allow you to do to a machine. Keep it secure. Don't create
one unless you actually need to use it.

For general use by your own UID however, yes, copying the private key
around the place can be useful. You may not need to do that though --
if you keep your account's private key on the machine on your desktop
and use ssh exclusively for remote access you only need to run one copy
of the ssh-agent there, and you can arrange for "agent forwarding" by
ssh so that even if you hop from machine to machine several layers
deep, everything eventually refers back to the ssh-agent on your
desktop for authorization. See the paragraph about "ForwardAgent" in
the ssh_config(5) man page.

Of course, for this scheme to work effectively, you've got to
distribute the public key to all of the machines you might be
interested in logging into and add it to the appropriate
authorized_keys file on those machines.

Remember, the authorized_keys file can belong to a completely different
account on the remote machine, and there can be as many keys as you
like in the authorized_keys file. That's actually quite a good way of
providing shared access to a login account without having to share a
single password between everyone.

	Cheers,

	Matthew

--
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
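As an added example that is not part of Matthew's post or the thread: once several people's keys share one authorized_keys file on a login account, the admin of that account wants to see at a glance which keys are there and which of them are pinned down with `from=` or `command=` options. The script below is a POSIX sh/awk summary of an authorized_keys file in the standard sshd format (it also recognises key types newer than the 2003 post); the sample file and its key material are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an sshd authorized_keys file.
# Each line is "[options] keytype base64-key [comment]"; keys carrying from=
# or command= options are tagged "restricted", all others "UNRESTRICTED".
# Needs only POSIX sh and awk.

audit_authorized_keys() {
    # $1 = path of an authorized_keys file
    awk '
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    {
        # The key type marks where the optional options field ends.
        if (!match($0, /(^|[ \t])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[^ \t]+)[ \t]/)) {
            printf "MALFORMED line %d\n", NR; next
        }
        opts = substr($0, 1, RSTART - 1)    # everything before the key type
        rest = substr($0, RSTART)           # keytype base64-key [comment]
        sub(/^[ \t]+/, "", rest)
        n = split(rest, f, "[ \t]+")
        comment = (n >= 3) ? f[3] : "(none)"
        for (i = 4; i <= n; i++) comment = comment " " f[i]
        tag = (opts ~ /(^|,)(from=|command=)/) ? "restricted" : "UNRESTRICTED"
        printf "%s %s %s\n", tag, f[1], comment
    }' "$1"
}

# Number of keys carrying neither from= nor command=; these are the ones to
# review first on a root account or a shared login account.
unrestricted_key_count() {
    audit_authorized_keys "$1" | awk '/^UNRESTRICTED/ { n++ } END { print n + 0 }'
}

# Constructed sample file; the key material is placeholder text, not real keys.
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
# backup account: several people's keys, as the post describes
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDER0== alice@desktop
from="10.0.0.5",command="/usr/local/bin/run-backup.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC1PLACEHOLDER1== root@backup-client
no-agent-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER2 bob@laptop
EOF

audit_authorized_keys "$SAMPLE_KEYS"
```

Run it against the real file (`audit_authorized_keys ~backup/.ssh/authorized_keys`) to list every key granting access to that account; a `no-agent-forwarding` or `no-port-forwarding` option alone still leaves a key tagged UNRESTRICTED because it does not limit where the key may come from or what it may run.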