This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Passwordless authentication between two domains.


Andrew, et al --

...and then Andrew DeFaria said...
% 
% On 11/28/2012 1:21 PM, anulav2 wrote:
% >Andrew,
% >Keys will "ALWAYS" be different irrespective if it is two servers on same 
% >or different domain.
% >That is the whole point of copying keys to remote servers authorized_keys 
% >file.
% I don't think so. I do know the following - here at my current client 
% there are two distinct domains that I deal with - Irvine and San Jose. 
% My Windows laptop is in the Irvine domain. My home directory is on a 
% filer and is shared between my Windows laptop and the various Linux 
% server machines in Irvine. I generate a key and put it in my 
% ~/.ssh/authorized_keys and I can ssh to localhost or any of the Linux 
% servers. Additionally I can ssh from Linux to my laptop, passwordlessly.

That makes sense; all of the machines in Irvine (including your laptop)
are using the same id_dsa & id_dsa.pub & authorized_keys (or perhaps
authorized_keys2 but we'll ignore that for the moment) files.


% 
...
% However if I generate a key in San Jose and put it in 
% ~/.ssh/authorized_keys in Irvine then I can ssh from San Jose -> Irvine 
% without a password. This tells me that generated ssh keys are unique per 
% domain. For bilateral ssh passwordless logins between the two domains 
% you should have at least 2 lines in your ~/.ssh/authorized_keys file, 
% one for each domain:
[snip]

Incorrect.  ssh doesn't care a bit what domain (if at all) or even what
OS you're using or where the key was generated.  This simply tells you
that the shared home directory in San Jose is not the same as the one in
Irvine.  If it were the same, then the very same id_dsa & id_dsa.pub &
authorized_keys files would work the very same way; since it is different
storage, however, you don't have the id_dsa key to match which would
allow San Jose -> Irvine access.

Try this in both Irvine & San Jose:

  cd ~/.ssh
  ls -ligo id_dsa* authorized_keys*

I predict that you will find the inodes to be the same all over Irvine
and the same all over San Jose *but* different between the two locations.
You may find df or mount to be illustrative as well.


HTH & Happy Holidays

:-D
-- 
David T-G
See http://justpickone.org/davidtg/email/
See http://justpickone.org/davidtg/tofu.txt
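As an added illustration of the point made in this reply (example code, not from the thread or from OpenSSH): what sshd matches is the key type plus the base64 key blob on a line of authorized_keys, so a San Jose key is accepted in Irvine only where a line carrying that exact blob exists, whatever domain or host generated it. The key lines below are constructed placeholders, and the authorized_keys parsing is a simplified reading of the OpenSSH format.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def ssh_string(data: bytes) -> bytes:
    # Length-prefixed string: the wire encoding used inside SSH key blobs.
    return len(data).to_bytes(4, "big") + data


def make_pubkey_line(keytype: str, material: bytes, comment: str) -> str:
    # Constructed "<type> <base64 blob> <comment>" line; placeholder material, not a real key.
    blob = ssh_string(keytype.encode()) + ssh_string(material)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def split_fields(line: str) -> list:
    # Whitespace split that honours double quotes, since an options field
    # such as from="a b" may legitimately contain spaces.
    fields, cur, quoted = [], "", False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                fields.append(cur)
            cur = ""
        else:
            cur += ch
    return fields + [cur] if cur else fields


def parse_authorized_keys(text: str):
    # Yields (options, keytype, blob) per key line; comments and blanks are skipped.
    for line in text.splitlines():
        fields = split_fields(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        options = "" if fields[0].startswith(KEY_TYPES) else fields.pop(0)
        if len(fields) >= 2:
            yield options, fields[0], fields[1]


def fingerprint(pubkey_line: str) -> str:
    # SHA256 fingerprint as `ssh-keygen -l` prints it: unpadded base64 of the blob digest.
    blob = base64.b64decode(split_fields(pubkey_line)[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def is_authorized(pubkey_line: str, authorized_keys: str) -> bool:
    # Only key type plus blob are compared; domain, host name and OS never enter into it.
    keytype, blob = split_fields(pubkey_line)[:2]
    return any(t == keytype and b == blob for _, t, b in parse_authorized_keys(authorized_keys))
```

Note that the comment field (typically user@host) does not affect the fingerprint or the match, which is why a key generated on a different domain works as soon as its line is present.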


