Re: [PLUG] Setting up SSH public key on OSX

[Julien Vehent <julien@linuxwall.info>]

Try using ssh-agent
and in ~/.ssh/config
ForwardAgent yes

No need to copy your key over, just forward the agent state :)

On 2011-11-17 14:18, Eric at Lucii.org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I tend to have a single key pair on my workstation and just place that 
> public
> key on each remote server that I need to connect to.   Occasionally I have 
> the
> need to move something from server to server so I'll generate a key pair 
> and
> copy the public key over.  That's rare and I remove the key when I'm done.
> Typically this is for BIG files - smaller stuff I just pull to my 
> workstation
> and then push out to the other server.
>
> I also tend to keep the same key pair on my laptop that I have on my
> workstation.
> Probably not good...
>
> Eric
>
>
> On 11/17/2011 12:52 PM, Paul Walker wrote:
> > Finally revisited this and got it working. The problem is that I was 
> > generating the key on the remote side then copying it down. Once I flipped 
> > the script everything worked fine.
> >
> > Follow-up question:
> >
> > Is it necessary / important to use different keys for different hosts? (I 
> > guess if the host is compromised then the key is compromised.)
> >
> > On an osx box, where do I configure additional keys?
> >
> > Thanks for the help!
> >
> > Paul Walker
> > toomodernmedia.com <http://toomodernmedia.com>
> >
> > On Sat, Oct 22, 2011 at 12:53 PM, sean finney <seanius@seanius.net 
> > <mailto:seanius@seanius.net>> wrote:
> >
> >     Hiya,
> >
> >     On Thu, Oct 20, 2011 at 12:37:25PM -0400, Paul Walker wrote:
> >     > I'm trying to set up a public key to connect to SSH using public 
> > key
> >     > authentication to improve my Git workflow....
> >     >
> >     > The remote server is Ubuntu 10.0.4.
> >     > I generate the keys with the command:
> >     >
> >     > ssh-keygen -t rsa -C "root@mydomain.com <mailto:root@mydomain.com>"
> >     >
> >     >
> >     > press return three times, then am pasting the contents of  
> > id_rsa.pub into a
> >     > newly created authorized_keys file in ~/.ssh/ on my local machine 
> > running
> >     > OSX...
> >
> >     I'm going to say a thing or two because I haven't seen anyone else do 
> > it,
> >     and i think it's prudent...
> >
> >     first, put a passphrase on your private key. if you want passwordless
> >     ssh, learn how to set up ssh-agent (or some mac keyring equivalent).
> >     without a password, anyone who gets access to your machine instantly
> >     has full acccess to that key and thus the remote account.
> >
> >     second, given the comment you put with the key, i'm going to make the
> >     assumption that you're pushing stuff as root, which is also another
> >     big NO-NO.  Instead you should use either a personal account or 
> > better, a
> >     dedicated "git" account with no other special privileges, to own the 
> > gits.
> >
> >     Then for bonus points, there's a lot of other neat things you can do 
> > with
> >     your remote authorized_keys file, to *really* lock it down.  for 
> > example,
> >     forcing a specific command, only allowing certain host/network 
> > blocks,
> >     block port forwarding, pty allocation, etc.  This might go a bit into
> >     advanced territory, but it's possible to even set up keypairs that 
> > can
> >     *only* be used for git push/pull commands.
> >
> >     You might consider this overkill, I guess that's subjective, but it's
> >     definitely good practice to understand how the tools can be used 
> > safely.
> >     The difference in damage-control is pretty significant, anyway...
> >
> >            sean
> >     
> > ___________________________________________________________________________
> >     Philadelphia Linux Users Group         --        
> > http://www.phillylinux.org
> >     Announcements - 
> > http://lists.phillylinux.org/mailman/listinfo/plug-announce
> >     General Discussion  --   
> > http://lists.phillylinux.org/mailman/listinfo/plug
> >
> >
> >
> >
> >
> > ___________________________________________________________________________
> > Philadelphia Linux Users Group         --        
> > http://www.phillylinux.org
> > Announcements - 
> > http://lists.phillylinux.org/mailman/listinfo/plug-announce
> > General Discussion  --   
> > http://lists.phillylinux.org/mailman/listinfo/plug
>
> - --
> #  Eric Lucas
> #
> #                "Oh, I have slipped the surly bond of earth
> #                 And danced the skies on laughter-silvered wings...
> #                                        -- John Gillespie Magee Jr
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk7FXhcACgkQ2sGpvXQrZ/6/ZgCgh/3TA9Pfv85qZzUfJOIcHUnq
> j2IAniwJzoGeQGwKhWTige717q8D8lXo
> =WAEV
> -----END PGP SIGNATURE-----
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        
> http://www.phillylinux.org
> Announcements - 
> http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   
> http://lists.phillylinux.org/mailman/listinfo/plug

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug