From: Lowell Gilbert <lowell@world.std.com>
To: cjclark@home.com, freebsd-questions@freebsd.org
Subject: Re: Using ssh on Multiple Machines
Date: 09 Apr 1999 09:59:12 -0400
In-Reply-To: "Crist J. Clark"'s message of Thu, 8 Apr 1999 22:05:14 -0400 (EDT)
References: <199904090205.WAA06262@cc942873-a.ewndsr1.nj.home.com>

"Crist J. Clark" writes:

> I have had some trouble trying to figure out how to get SSH set up
> the way I would like. I am fairly sure that the problem lies with the
> fact that I am using a home directory containing my .ssh directory
> that is NFS mounted across several machines. I am not having a lot of
> success trying to decipher the ssh manpages. They throw around 'log
> in' and do not always make it clear when logging in means getting a
> secure connection without entering any passcodes, entering the ssh
> passphrase, or entering the user's password on the remote machine.
>
> What I would like to do is be able to remotely log in to a set of
> different machines using ssh without needing any passwords or
> passphrases. This set of machines however, all have the same home
> directory for the user I will log in as. How can I set something like
> this up?

Just for the record, I think the ssh man pages are *great.* Very
clear, and still fairly concise given the huge amount of material they
cover.

The basic trick is that you create a .ssh/authorized_keys file
containing the ssh keys you want to accept. In your situation with NFS
distributed home directories, this will probably be a copy of the
identity.pub file in the same directory.

You then want to run all of your shells or remote commands under the
ssh-agent (which has its own man page), and once you've given the agent
the keyphrase to the private key they'll all be able to access the
other machines invisibly. The agent forwards automatically by default,
so you'll still have the authentication agent available on the other
machines you've logged into (this is a potential security hole on a
non-trusted machine, so make sure you configure your ssh to *not*
forward the agent out of your NFS domain).

How you run things under the agent depends on the rest of your
environment. Personally, I load it under X, and my .xsession/.xinitrc
file calls another startup file through the ssh-agent (i.e., there's a
line "ssh-agent ~/.xsession.apps" in the .xsession) and the secondary
startup file starts everything I want to have access to the agent --
most notably, the window manager.

I hope this helps, but please don't use these hints to avoid
understanding the man pages. It's really easy to break security by
doing something unwise (e.g., don't ever set your DISPLAY variable if
you're using ssh).

Be well.
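The setup Lowell describes, as an added example that is not part of the original mail or of any FreeBSD or ssh documentation: one script that prepares an NFS-shared home directory so the same .ssh/authorized_keys and .ssh/config serve every host that mounts it. It assumes OpenSSH conventions rather than the SSH 1.x ones in the 1999 thread (the public key is whatever file you pass in, e.g. ~/.ssh/id_ed25519.pub instead of identity.pub, and OpenSSH's ForwardAgent already defaults to "no", so the catch-all "Host *" block below makes that explicit rather than changing the default). The function names, the $SSH_HOME/$PUBKEY_FILE variables and the host pattern "*.internal.example" are all hypothetical; the public key used in the test is a constructed string, not a real key.

```shell
#!/bin/sh
# Added example (not code from the original mailing-list post). Prepares an
# NFS-shared home directory for passwordless ssh between the hosts that mount
# it: one authorized_keys entry, StrictModes-safe permissions, and an ssh
# config that forwards the agent only to hosts you trust.
# Hypothetical names: SSH_HOME (the shared home), PUBKEY_FILE (your public
# key), TRUSTED_HOSTS (an ssh Host pattern for machines allowed to see the agent).
set -u

# Idempotently add one public key line to $home/.ssh/authorized_keys and set
# the permissions sshd's StrictModes insists on (dir 700, file 600).
# Only the key type and base64 blob are compared, so the same key with a
# different trailing comment (e.g. user@host-a vs user@host-b) is not added twice.
install_authorized_key() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')
    if awk -v k="$keyid" '($1" "$2) == k {found=1} END {exit !found}' \
            "$home/.ssh/authorized_keys"; then
        return 0            # already present on this shared home
    fi
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
}

# Number of entries in the shared authorized_keys (handy for a sanity check).
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# True if the given path is group- or world-writable (what StrictModes rejects).
is_world_or_group_writable() {
    [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]
}

# Return 0 only if home, .ssh and authorized_keys would pass sshd's StrictModes.
# On NFS this matters on every host at once: one loose chmod and key auth
# silently falls back to password prompts everywhere.
check_strictmodes() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if is_world_or_group_writable "$p"; then
            echo "insecure permissions: $p" >&2
            return 1
        fi
    done
    return 0
}

# Write a per-user ssh config that forwards the agent only to $trusted.
# ssh takes the FIRST matching value for each option, so the trusted Host
# block must come before the "Host *" catch-all that switches forwarding off.
write_ssh_config() {
    home="$1"; trusted="$2"
    cfg="$home/.ssh/config"
    {
        printf 'Host %s\n' "$trusted"
        printf '    ForwardAgent yes\n'
        printf '\n'
        printf 'Host *\n'
        printf '    ForwardAgent no\n'
        printf '    ForwardX11 no\n'
    } > "$cfg"
    chmod 600 "$cfg"
}

# One-shot setup: install the key, write the config, verify permissions.
setup_shared_home() {
    home="$1"; pubkey_file="$2"; trusted="$3"
    install_authorized_key "$home" "$(cat "$pubkey_file")" || return 1
    write_ssh_config "$home" "$trusted" || return 1
    check_strictmodes "$home"
}
```

Typical use is `setup_shared_home "$HOME" ~/.ssh/id_ed25519.pub '*.internal.example'` run once from any host that mounts the home; because the directory is shared, every other host sees the same authorized_keys immediately. To confirm what ssh will actually do for a given destination, `ssh -G somehost | grep forwardagent` prints the effective value after all Host blocks are applied. For the agent itself, the equivalent of Lowell's `ssh-agent ~/.xsession.apps` line for a plain login shell is `eval "$(ssh-agent -s)"` followed by `ssh-add`, after which every process started from that shell inherits SSH_AUTH_SOCK.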