On Tue, Jul 12, 2016 at 4:13 PM, Gordon Messmer <gordon.messmer@gmail.com> wrote:

On 07/12/2016 10:44 AM, Go Canes wrote:

No, they don't. Private keys belong on your closest system, on an
encrypted volume. Often, you will only need one.

If the OP uses ssh to go from system1:user1 to system2:user2, and then wants to use ssh to go from system2:user2 to system3:user3, are you saying that only system1:user requires a public key, and that system2:user2 can ssh out without having *any* public key?

No, I said "private key".

My bad - I *meant* private key, but obviously my fingers typed out "public" instead.

If you are user1@system1 and you use ssh to log in to user2@system2, and if you also have an ssh agent on system1 and instruct ssh to forward a connection to the user2@system2 session, then you don't need a private key in the user2@system2 home directory to connect to user3@system3. You only need to have the public key which corresponds to the private key available to user1@system1 installed for user3@system3. system3 will request ssh authentication from user2@system2, and that request will be forwarded back to the agent at user1@system1, which will answer it.

Using agent forwarding, you only need private keys on your workstation, which you presumably have encrypted and otherwise made very secure against an attacker obtaining your key files (which should, themselves, be encrypted key files within the encrypted filesystem).

I was not familiar with agent forwarding in this manner. Thank you for the explanation. Hopefully it will also be useful to the OP.