On Fri, 27 May 2011 15:27:55 -0500 (CDT)
Mike McGrath <mmcgrath(a)redhat.com> wrote:
On Fri, 27 May 2011, Ricky Zhou wrote:
> Hey, just a note to let everybody know, we just switched all of our
> machines to disallow SSH password authentication, so if you were
> previously using passwords to login anywhere, you'll need to use key
> auth now.
>
Also a good time to remind people of ssh -A and the ProxyCommand
options.
Absolutely.
I would suggest NOT using agent forwarding by default, and only
enabling it when you absolutely need it (copying files between two
machines for example).
Host *
ForwardAgent no
You can override this with '-A' on your command line if you wish to
forward an agent for that session.
To get to internal machines, you can use ~/.ssh/config entries like:
Host puppet01 puppet1
puppet01.fedoraproject.org
Hostname %h
ProxyCommand ssh -q %r(a)bastion.fedoraproject.org /usr/bin/nc %h 22
This will ssh you to bastion and then in turn run nc (netcat) there
allowing you to directly get to an internal machine. You can also setup
wildcards in the Host line (see 'man ssh_config').
kevin