From: Matthew Seaman
To: freebsd-questions
Subject: Re: fbsd backup 2 remote
Date: Sun, 23 Feb 2003 10:33:48 +0000
Message-ID: <20030223103347.GC12731@happy-idiot-talk.infracaninophi>
In-Reply-To: <20030223100034.GA10205@nagual.st>

On Sun, Feb 23, 2003 at 11:00:34AM +0100, dick hoogendijk wrote:
> On 22 Feb Matthew Seaman wrote:
> > Generate an ssh key in the usual way:
> >
> >     # ssh-keygen -b 1024 -t rsa
> >
> > which will prompt you for a passphrase. Enter one. The command will
> > create two files:
> >
> >     id_rsa     (the private key) and
> >     id_rsa.pub (the public key)
> >
> > Move 'id_rsa' in /root/.ssh and make sure it has the right ownership
> [cut the rest of the info]
>
> It works great! Very simple if you know how to act ;)
>
> I understand that I have to copy my public key to all machines I want to
> have a remote login to. So far so good..
> But what do I do ON another machine (in my intranet)? Do I use *another*
> private key there or can I just use the one I have on my "main" machine?
>
> Thanks for all your help. Keeping copies of them :-))

For a root-owned key pair like I described, you should probably use a
distinct key pair on each of your machines. Remember this root-owned ssh
key pair is practically identical to the root password in terms of what
it will allow you to do to a machine. Keep it secure. Don't create one
unless you actually need to use it.

For general use by your own UID however, yes, copying the private key
around the place can be useful. You may not need to do that though -- if
you keep your account's private key on the machine on your desktop and
use ssh exclusively for remote access, you only need to run one copy of
the ssh-agent there, and you can arrange for "agent forwarding" by ssh
so that even if you hop from machine to machine several layers deep,
everything eventually refers back to the ssh-agent on your desktop for
authorization. See the paragraph about "ForwardAgent" in the
ssh_config(5) man page.

Of course, for this scheme to work effectively, you've got to distribute
the public key to all of the machines you might be interested in logging
into and add it to the appropriate authorized_keys file on those
machines. Remember, the authorized_keys file can belong to a completely
different account on the remote machine, and there can be as many keys
as you like in the authorized_keys file. That's actually quite a good
way of providing shared access to a login account without having to
share a single password between everyone.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
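The two mechanical parts of Matthew's advice, putting a public key into an account's authorized_keys (one file, as many keys as you like, with the ownership and permissions sshd's StrictModes insists on) and turning on ForwardAgent in the client config, as an added POSIX shell example. This is editor-added code, not from the original mail or from OpenSSH; the host names, home directory and the key lines are constructed placeholders, and the function names are my own. The config writer enables ForwardAgent only for named hosts and leaves it off for `Host *`, because ssh_config(5) itself warns that anyone with root on a host you forward to can use your agent while you are logged in, so forwarding belongs on hosts you trust, not everywhere.

```shell
#!/bin/sh
# Added example, not code from the original mail. All paths, hosts and key
# material below are constructed placeholders.
set -eu

# install_authorized_key PUBKEY_LINE HOMEDIR
# Append a "type base64 comment" public-key line to HOMEDIR/.ssh/authorized_keys
# unless that key is already there. Creates the directory/file with the modes
# sshd (StrictModes yes) requires: ~/.ssh 0700, authorized_keys 0600.
# Assumes plain key lines without a leading options field (no from="..." etc).
install_authorized_key() {
    pubkey=$1
    home=$2
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Identify a key by type + blob only, so the same key with a changed
    # comment is not added a second time.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$authfile" | grep -qxF -- "$keyid"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
}

# count_authorized_keys HOMEDIR
# Number of key lines in the account's authorized_keys (blank/comment lines skipped).
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" || true
}

# write_ssh_config CONFIGFILE TRUSTED_HOST...
# Client config: ForwardAgent yes only for the listed hosts, no for everything
# else. ssh applies the first value it finds for a host, so the specific
# blocks must come before the catch-all "Host *".
write_ssh_config() {
    cfg=$1
    shift
    {
        for h in "$@"; do
            printf 'Host %s\n    ForwardAgent yes\n\n' "$h"
        done
        printf 'Host *\n    ForwardAgent no\n'
    } > "$cfg"
    chmod 600 "$cfg"
}

# forward_agent_for CONFIGFILE HOST
# Print the ForwardAgent value ssh would use for HOST: first match wins,
# matching only exact host names and the "*" catch-all (no wildcard patterns).
forward_agent_for() {
    awk -v host="$2" '
        $1 == "Host"                      { inblock = ($2 == host || $2 == "*"); next }
        inblock && $1 == "ForwardAgent"   { print $2; exit }
    ' "$1"
}

# Usage, run on the machine whose account should accept the key:
#   install_authorized_key "$(cat ~dick/.ssh/id_rsa.pub)" /home/shared
# and on the desktop that runs the single ssh-agent:
#   write_ssh_config ~/.ssh/config jump.example.net
```

Running `install_authorized_key` once per person's public key against the same home directory is the "shared account without a shared password" arrangement from the mail; revoking one person later is deleting one line.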