Re: rsync through multiple ssh hops with password authentication

10-20-2005
Manuel López-Ibáñez

Wayne Davison wrote:
> On Thu, Oct 20, 2005 at 01:15:54AM +0100, Manuel López-Ibáñez wrote:
>
>>For example, isn't it possible for the root of middle (or some
>>attacker) to get my keys and use them?
>
> No, that's not how ssh keys work at all. Firstly, you only need to put
> the *public key* on the middle host and the destination host, not your
> private key (which only needs to be on your local system). Secondly,
> you should have encrypted your private key on your own host, so that it
> must be decrypted with a pass phrase. This makes everything work
> securely. As long as ssh is configured to forward the ssh-agent data,
> the remote systems will allow a chain of ssh accesses that originates
> from your local system (which will have prompted you for the key's pass
> phrase only at the first use of the key). This is a much better way to
> configure ssh than to try to do multiple hops using passwords.
>
> ..wayne..
>


OK. Then, should I carry my (encrypted) private key everywhere? Could
it be possible to leave the private (encrypted) key in middle and still
forward the passphrase? This way I won't need to carry the private key
everywhere, the key in middle would be encrypted and the passphrase
prompt would be forwarded as before without confusing rsync.

I found a nice document [1] about securing rsync connections through ssh
using keys, however, it doesn't explain anything about ssh-agent
forwarding or passphrase-protected keys.

[1] http://www.jdmz.net/ssh/
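An added example, not part of the original thread: the setup Wayne Davison describes (one passphrase-protected private key kept on the local machine, the public key on each host, agent forwarding through the hops) applied to rsync as a shell script. The host names `user@middle` and `user@dest`, the paths and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example. Hosts (user@middle, user@dest), paths and function names
# are placeholders, not taken from the thread.
#
# One-time setup on the local machine only; the private key never leaves it:
#   ssh-keygen -t ed25519      # choose a pass phrase when prompted
#   append ~/.ssh/id_ed25519.pub to ~/.ssh/authorized_keys on middle and dest
#   eval "$(ssh-agent -s)"
#   ssh-add -c -t 1h ~/.ssh/id_ed25519
# ssh-add asks for the pass phrase once. -c makes the agent ask for
# confirmation on every use and -t expires the key, which limits what a
# forwarded agent can be used for while the connection is open.

# Build the string for rsync -e from the intermediate hops, in order.
# rsync appends the destination host and its server command, so every hop
# runs ssh to the next host with agent forwarding (-A) switched on.
rsh_chain() {
    chain=""
    for hop in "$@"; do
        chain="${chain}ssh -A ${hop} "
    done
    printf '%s' "${chain}ssh"
}

# State of the local agent, from ssh-add's documented exit codes:
# 0 = identities loaded, 1 = agent running but empty, 2 = no agent reachable.
agent_state() {
    ssh-add -l >/dev/null 2>&1 && rc=0 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        *) echo unreachable ;;
    esac
}

# Print the rsync command line: rsync_cmd SRC DEST HOP...
rsync_cmd() {
    src=$1; dst=$2; shift 2
    printf 'rsync -av -e "%s" %s %s\n' "$(rsh_chain "$@")" "$src" "$dst"
}

if [ "$(agent_state)" = loaded ]; then
    rsync_cmd ./src/ user@dest:/backup/ user@middle
else
    echo "agent is $(agent_state): run ssh-add before starting rsync" >&2
fi
```

The script only prints the rsync command; with more than one intermediate host, pass the hops in the order they are traversed.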