-4

Say you create an SSH key on host 1 and send the public part to host 2 so you can log in from host 1 to host 2 without a password. If you then want to log in from host 1 to a new host, say host 3, what do you do?

Do you create a new key on host one and send that to host 3? Or will that mess up the relationship between host 1 and host 2? Or do you send the same public key to host 3?

I can't find a tutorial that explains what is going on simply enough for my brain to understand.

Thanks

Nigel Alderton
  • 992
  • 3
  • 9
  • 19

2 Answers

1

If you then want to login from host 1 to a new host say host 3, what do you do?

If you want to:

  • establish a new SSH session from host 1 to host 3, you should add the public key of the user on host 1* to the authorized_keys file on host 3. Technically, it doesn't matter if it's the same key-pair as for host 2, or a different one.

  • connect from host 1 to host 2 and from within that session connect to host 3, you need to add the public key of the user on host 1 (the same one which you use to connect to host 2) to the authorized_keys file on host 3, enable SSH agent forwarding in the SSH daemon on host 2, and add an option to use SSH agent forwarding when establishing a session from host 1 to host 2.


* Strictly speaking "the public key of host 1" means the public key of the key-pair that host 1 will use when connecting to the target. It can be the one in the default location ~/.ssh/id_rsa or explicitly specified with -i when establishing a session, or specified in the configuration file.

techraf
  • 4,243
  • 8
  • 29
  • 44
  • So are you saying there can be multiple private keys per host? And that you can have several private keys on one host, and each key relates to specific remote hosts? – Nigel Alderton Nov 18 '16 at 02:07
  • Yes, you can do either. You may use the same key for several hosts, or different key-pairs for different hosts. There are no technical limitations. – techraf Nov 18 '16 at 02:09
  • Also, it's not really 100% correct to use the shortcut phrase "host key", because you are probably referring to the key-pair stored under the user's home directory, both on the source host and the target host. – techraf Nov 18 '16 at 02:11
  • But if you have more than one key pair on your local host when you try to login to a remote host, how do you specify which pair to login using? – Nigel Alderton Nov 18 '16 at 02:15
  • It's explained in the last paragraph of the answer, please read. – techraf Nov 18 '16 at 02:16
  • So there's a default key? – Nigel Alderton Nov 18 '16 at 02:17
  • I did not use a phrase **default key** anywhere. I don't understand your question. – techraf Nov 18 '16 at 02:19
  • If you try to connect without specifying which key to use, it will prefer a specific key? Maybe the first one created? If you connect without using `-i`. – Nigel Alderton Nov 18 '16 at 02:20
  • It will **be the one in the default location `~/.ssh/id_rsa`**. I have already written that in the answer. – techraf Nov 18 '16 at 02:21
  • Thank you. The key in the "default location" is the first one created yes? – Nigel Alderton Nov 18 '16 at 02:23
  • No, it is not. **The key in the default location** is **the key in the default location** regardless of how you create it, when you create it, or in which order. Default locations for keys are specified in the man page. – techraf Nov 18 '16 at 02:25
  • Oh ok. If there are no keys and you create the first key, does that go in the default location? – Nigel Alderton Nov 18 '16 at 02:40
  • @NigelAlderton If you generate a key-pair using `ssh-keygen`, it will ask you for the key location (and provide a hint where it will store the key if you just pressed Enter). And yes, if you press Enter without reading the message, it will be the default location. – techraf Nov 18 '16 at 02:53
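The per-host key layout described in this answer and its comments, as an added example (not techraf's own code): one key-pair per remote host on host 1, selected through `~/.ssh/config` instead of passing `-i` on every command line, plus a small check that reads back which key a given host resolves to. The host names, user name and key file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: per-host keys for host1 -> host2 and host1 -> host3.
# Names (host2.example.com, alice, id_ed25519_host*) are assumed, not from the page.

# Write a client config that maps each remote host to its own private key.
# IdentitiesOnly stops ssh from offering every key it can find (agent, default
# locations) before the right one; offering extra keys reveals which keys you
# hold and can hit the server's MaxAuthTries limit before the correct key is tried.
write_ssh_config() {
    cat > "$1" <<'EOF'
Host host2
    HostName host2.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_host2
    IdentitiesOnly yes
    # Only for the host1 -> host2 -> host3 case in the answer. It gives host2
    # a socket to your agent, so host2's admin can use your keys while you are
    # connected; ProxyJump host2 reaches host3 without exposing the agent.
    ForwardAgent yes

Host host3
    HostName host3.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_host3
    IdentitiesOnly yes
EOF
}

# Print the IdentityFile configured for host "$2" in config "$1" (empty if none).
# A minimal reader for the config written above; "ssh -G host" shows the same
# thing for a real ssh client, after all Host/Match blocks are applied.
key_for_host() {
    awk -v want="$2" '
        $1 == "Host" { cur = $2 }
        $1 == "IdentityFile" && cur == want { print $2; exit }
    ' "$1"
}

# Generate the two key-pairs the config refers to, if ssh-keygen is available.
# The comment names the target host, so the matching authorized_keys line on
# host3 can be found and revoked later without touching host2.
make_keys() {
    command -v ssh-keygen >/dev/null 2>&1 || return 0
    for h in host2 host3; do
        [ -f "$1/id_ed25519_$h" ] && continue
        ssh-keygen -t ed25519 -N '' -C "alice@host1 for $h" \
            -f "$1/id_ed25519_$h" >/dev/null
    done
}
```

With the keys in place, the public half for host 3 is installed into that host's authorized_keys (for example with `ssh-copy-id -i ~/.ssh/id_ed25519_host3.pub alice@host3.example.com`), and the existing host 2 entry is untouched.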
1

If you then want to login from host 1 to a new host say host 3, what do you do?

Do you create a new key on host one and send that to host 3?

No I don't

Or will that mess up the relationship between host 1 and host 2?

Yes it will

Or do you send the same public key to host 3?

Yes I do


Edit: a private key is used to identify a single host to ensure its identity.

However, of course:

How can multiple private keys be used with ssh?

What is the best practice: separate ssh-key per host and user VS one ssh-key for all hosts?

By the way, the common practice is one host = one key, so that you can revoke all at once if needed... For sure there is not a lot of room for granularity here, but it depends on your security concerns.

krisFR
  • 13,280
  • 4
  • 36
  • 42