On Tue, Jul 12, 2016 at 4:13 PM, Gordon Messmer <gordon.messmer@gmail.com> wrote:

On 07/12/2016 10:44 AM, Go Canes wrote:

No, they don't. Private keys belong on your closest system, on an
encrypted volume. Often, you will only need one.

If the OP uses ssh to go from system1:user1 to system2:user2, and then wants to use ssh to go from system2:user2 to system3:user3, are you saying that only system1:user requires a public key, and that system2:user2 can ssh out without having *any* public key?

No, I said "private key".

If you are user1@system1 and you use ssh to log in to user2@system2, and if you also have an ssh agent on system1 and instruct ssh to forward a connection to the user2@system2 session, then you don't need a private key in the user2@system2 home directory to connect to user3@system3. You only need to have the public key which corresponds to the private key available to user1@system1 installed for user3@system3. system3 will request ssh authentication from user2@system2, and that request will be forwarded back to the agent at user1@system1, which will answer it.

Using agent forwarding, you only need private keys on your workstation, which you presumably have encrypted and otherwise made very secure against an attacker obtaining your key files (which should, themselves, be encrypted key files within the encrypted filesystem).

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://lists.fedoraproject.org/admin/lists/users@lists.fedoraproject.org
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org