I still have a need to "for s in $list_of_servers ssh -A $s '.' done" I've (admittedly, conceptual only) a couple problem with this approach I'd love to hear folks' thoughts about, with regards to "touch-to-use".ġ. If someone else has root, and you don't trust that person, then both are problematic (and which is worse is debatable). If you're the only one who has access to the remote server, neither option is problematic. But so does putting a private key on a remote server. SSH agent forwarding does have subtle security issues. Not sure what other use cases exist, but these two alone I think justify the existence of agent forwarding. There are obvious benefits to being able to transfer directly between these two instances, on the same private network, versus bringing the data to your local (where you might not even have sufficient disk space) and pushing it back up. Now suppose I want to copy a large database snapshot between two instances on EC2. If I'm pushing & pulling code from GitHub to/from this development instance I'm gonna need to either have a private key on that development instance or have agent forwarding back to my local. So I'm an engineer, and instead of developing on my local I do development on an EC2 instance in AWS (there are a variety of reasons this may be preferential or even required). that you run into trouble.Ĭonsider a remote development instance. It's when you want to use some other tool that tunnels over SSH - scp, git, sftp, rsync, etc. In general I'd say SSHing from a remote box to another remote box is a non-issue since you can always use some sort of tunneling/bastioning to make that work. I have an SSH key for each "thing", and each key is kept in a different keyring via, _precisely_ to avoid that problem.Īs an example, an attacker gaining root on my Oracle Cloud free server will not be able to clone all my Github repos with it: I only use that key to connect to that server, and while I may have the github key unlocked at the same time - that's on a different keyring which the server has no visibility of. My "github" key only grants access to my github repos, not to my bitbucket repos or to my DigitalOcean servers, or my Scaleway servers. Using a private key per system or set of systems means that such an attacker would only gain access to what that key grants them access to. If a bad guy gets root on one server you're currently connected via ssh with, and forwarding said key via, they can also access (unless otherwise firewalled) all systems that ssh key grants them access to. To tunnel vnc over ssh to a remote mac(I do this with mac) You can also use Host * at the beginning of your config to do this for all hosts If you always want to use a password to log into a machine, but want to be able to log in in other windows to the same machine without a password:ĬontrolPath will multiplex all activity to that host through one tcp connection IdentitiesOnly means it will only send that one identity for that one machine (otherwise it will try all of them, like a janitor trying to open a locker with a big keychain of identical keys) Or if your machine doesn't have ssh-copy-id (older macs) Ĭat ~/.ssh/id_x_ed25519.pub | ssh x "cat >. Use ssh-copy-id to copy the identity to the target machine so it lets you in: To do automatic login, I generate identities for some machines I give hosts short names so you can `ssh x` I always create and heavily use ~/.ssh/config
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |