> -----Original Message-----
> From: Rui Miguel Seabra [mailto:rms@xxxxxxxx]
> Sent: Thursday, January 29, 2004 7:59 PM
> To: fedora-list@xxxxxxxxxx
> Subject: RE: passwordless SSH Rsync [Was : DiskLayout/PartitioningPractices]
>
> On Thu, 2004-01-29 at 11:55, Ow Mun Heng wrote:
> > I do not want to have My Private key in all the servers. Only in Server1 and
> > get the other servers to request that from server1 using ssh-agent.
>
> If you want to have RSA based authentication (even if without a
> passphrase), then you have to do that.
>
> You need to have the public key in all servers to be accessed, and the
> private key in all clients that access.

One More Stab.. This is taken from the Book O'Reilly Linux Server Hacks
===================

Practically, this means that with an agent running (and with properly
configured ssh clients), it is possible to ssh to multiple machines without
requiring a copy of your private key on each intervening machine (or typing
in your password on every connection).

Assume we already have an authorized ssh key (see [Hack #66]) installed on
each of homer, bart, and lisa. If you ssh to each machine from your local
machine, there's no problem:

    rob@caligula:~$ ssh homer
    rob@homer:~$ exit
    logout
    Connection to homer.oreillynet.com closed.
    rob@caligula:~$ ssh bart
    rob@bart:~$ exit
    logout
    Connection to bart.oreillynet.com closed.
    rob@caligula:~$ ssh lisa
    rob@lisa:~$ exit

But what happens when we try to ssh from homer directly to bart?

    rob@caligula:~$ ssh homer
    rob@homer:~$ ssh bart
    rob@bart's password:

This is where ssh-agent comes in handy.
Rather than expose your private key to unnecessary risk by placing a copy on
all of your servers, simply start the agent on your local machine like this:

    rob@caligula:~$ eval `ssh-agent`
    Agent pid 8450

Then add your default ssh keys with the ssh-add command:

    rob@caligula:~$ ssh-add
    Identity added: /home/rob/.ssh/id_rsa (/home/rob/.ssh/id_rsa)
    Identity added: /home/rob/.ssh/id_dsa (/home/rob/.ssh/id_dsa)
    Identity added: /home/rob/.ssh/identity (rob@caligula)

You'll also need to check that homer, bart, and lisa are configured to
forward agent requests along. This is usually denied by default, but is
controlled with a line like this:

    ForwardAgent yes

in your ~/.ssh/config or /usr/local/etc/ssh_config file. You can also
specify it from the command line with the -A switch.

Now, when you ssh from homer directly to bart, homer will first ask your
agent for any available credentials. Likewise, sshing from bart to lisa will
first cause bart to check with homer, who will forward the request back to
your agent again. This makes it easy to skate from machine to machine very
quickly:

    rob@caligula:~$ ssh homer
    rob@homer:~$ ssh bart
    rob@bart:~$ ssh lisa
    rob@lisa:~$

==============

That's what I want to achieve.. Yes.. No..?? Or is only DSA supported??
(I have no idea what's the diff between RSA and DSA.)
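An added example, not from the list post or the book: the excerpt turns ForwardAgent on with a bare line, which applies to every host you connect to, and any root on a host you forward to can use your agent while you are logged in. The functions below check that the agent is actually reachable before hopping and write a config that forwards only to the named hops (homer, bart, lisa from the excerpt) while keeping it off everywhere else; the config path and host list are parameters I chose, and `ssh -G` (OpenSSH 6.8 or later) is used to read back the effective setting.

```shell
#!/bin/sh
# Added example (not from the post or the book): scope agent forwarding to
# the hop hosts instead of enabling it globally, and verify the agent first.

# Return 0 if SSH_AUTH_SOCK names a live agent socket, 1 otherwise.
# Without this, ssh on the first hop silently falls back to asking for
# a password, which is the symptom shown in the excerpt.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Write an ssh_config that forwards the agent only to the given hosts.
# $1 = config file to write (e.g. ~/.ssh/config), remaining args = hosts
# that are allowed to forward. The trailing "Host *" block makes "no" the
# default for every other host, so a new server never gets the agent by
# accident.
write_forward_config() {
    cfg=$1
    shift
    {
        printf 'Host %s\n' "$*"
        printf '    ForwardAgent yes\n'
        printf '\n'
        printf 'Host *\n'
        printf '    ForwardAgent no\n'
    } > "$cfg"
}

# Print the ForwardAgent value ssh itself will use for host $2 when reading
# config file $1 (ssh -G prints the resolved options in lowercase).
effective_forward_agent() {
    ssh -G -F "$1" "$2" | awk '$1 == "forwardagent" { print $2 }'
}

# Typical use (not run here so the file stays safe to source):
#   agent_reachable || eval `ssh-agent` && ssh-add
#   write_forward_config "$HOME/.ssh/config" homer bart lisa
#   effective_forward_agent "$HOME/.ssh/config" homer   # prints: yes
#   effective_forward_agent "$HOME/.ssh/config" other   # prints: no
```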