The recommended method at this time is agent forwarding,
according to http://infrastructure.fedoraproject.org/infra/docs/sshaccess.txt
I agree that this is not the best solution, but it's no worse than
keeping the private key on the machine, because the private key is on
the filesystem for extended periods of time, while your agent is only
forwarded for the duration of your shell session (which with most ISPs
is cut at a certain point).
On Tue, Oct 4, 2011 at 00:27, Jan-Frode Myklebust <janfrode(a)tanso.net> wrote:
I'm also guilty of putting private keys on bastion, but not a
key that gives access to anything else. I didn't want to do agent
forwarding (and thereby giving root@bastion access to jump around to
other systems I'm admining), and AFAIR I needed pubkey logins to jump
to puppet01. So I created a set of keys for use within the Fedora
infrastructure. Maybe not optimal security-wise for fedora, but I didn't
quite see how I would be able to do this securely for all ("ssh-add -c"
being too cumbersome).
IMHO there's something lacking in the infrastructure policy. How are
people supposed to do authentication between e.g. bastion and
puppet01? If we can't use passwords and can't have private keys on
bastion -- do you require agent forwarding? I think agent forwarding is
worse than keeping a private key on bastion, since it means a security
breach within Fedora can easily spread to other systems I manage.
Time to implement Kerberos/IPA or SSH host-based authentication?
infrastructure mailing list
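The thread weighs two options, a private key stored on bastion versus an agent forwarded into bastion, and both hand a compromised bastion some way to reach puppet01. There is a third option that the posts above do not mention, shown here as an added example that is not Fedora infrastructure's own configuration or policy: an OpenSSH client config that reaches puppet01 through bastion with a ProxyCommand, so the key exchange for puppet01 is done end to end by your workstation and bastion only relays bytes. It assumes the client has OpenSSH 5.4 or later (for "ssh -W"), that bastion's sshd permits TCP forwarding (AllowTcpForwarding), and that the host names and user below are placeholders.

```sshconfig
# Added example, not the Fedora infrastructure's own ssh_config.
# Assumptions: "bastion" is the jump host, "puppet01" is reachable only from
# bastion, and the HostName/User values are placeholders to be replaced.
# Requires OpenSSH >= 5.4 on the client for "ssh -W" (netcat mode) and
# AllowTcpForwarding enabled on bastion's sshd.

# Direct connection to the jump host. The agent is not forwarded, so a
# compromised bastion cannot use your keys to reach other systems.
Host bastion
    HostName bastion.example.org    # assumption: replace with the real address
    User jdoe                        # assumption
    ForwardAgent no

# puppet01 is reached by tunnelling through bastion. The SSH session to
# puppet01 is authenticated by the key on the workstation; no private key
# and no agent socket ever exists on bastion.
Host puppet01
    HostName puppet01.example.org   # assumption
    User jdoe                        # assumption
    ProxyCommand ssh -W %h:%p bastion
    ForwardAgent no

# OpenSSH applies the first value obtained for each option, so this final
# wildcard stanza is the default for every host not matched above.
Host *
    ForwardAgent no
```

With this in place, "ssh puppet01" from the workstation prompts for the puppet01 host key and authenticates with the local key, while bastion sees only an opaque TCP stream. On OpenSSH 7.3 and later, "ProxyJump bastion" is the equivalent of the ProxyCommand line. If bastion's sshd disables TCP forwarding this approach does not work, and agent forwarding with "ssh-add -c" (confirm each use of the key) limited to the "Host bastion" stanza is the fallback the thread describes.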