Thanks for your responses!
Quote:
Originally Posted by smoker
Apart from anything else, accessing your private key over a network basically destroys the security of ssh. You should also only need 1 copy of the public key in authorized_keys.
Ok, I moved the key pair to a folder that is not exported (outside of the home directory for my user) and changed the IdentityFile property in the .ssh/config file to the needed location (call it someOtherLocation/id_rsa.pub). So now I have a pair of keys (id_rsa & id_rsa.pub) in someOtherLocation on host1 and a ~/.ssh/authorized_keys file that holds the public key and is shared between the hosts. And the result is the same - password-less host1 to host2 and a password prompt for host1 to host1.
Everything I do is:
ssh-keygen -q -f /someOtherLocation/id_rsa
ssh-copy-id -i /someOtherLocation/id_rsa.pub host1
So for host1 to host1 I expect this to work, but it does not. It works for host1 to host2, since they have the authorized_keys file shared in the exported directory.
That's the debug output for ssh on host1:
Code:
-bash-4.1$ ssh -v host1
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data ~/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to host1 [::1] port 22.
debug1: Connection established.
debug1: identity file /someOtherLocation/.ssh/id_rsa type 1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'host1' is known and matches the RSA host key.
debug1: Found key in ~/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_503' not found
debug1: Unspecified GSS failure. Minor code may provide more information
Credentials cache file '/tmp/krb5cc_503' not found
debug1: Unspecified GSS failure. Minor code may provide more information
debug1: Next authentication method: publickey
debug1: Offering public key: /someOtherLocation/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: password
This scenario works for another user that does not use a mounted directory as a home folder, but I need it this way.
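As an added example (not from this thread and not part of OpenSSH), here is a POSIX shell script that checks, on the server side, the two things sshd verifies before it accepts a key offered for publickey authentication: that the home directory, ~/.ssh and authorized_keys are not group- or world-writable (StrictModes, the default), and that the offered key's type and blob actually appear in authorized_keys. The fixture directory and the key string it builds are constructed for the demo and are not real keys.

```shell
#!/bin/sh
# Added example: local checks mirroring what sshd requires for publickey auth.

# Key type and base64 blob of a public key file, ignoring its trailing comment.
pubkey_fields() {
  awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# Succeeds when the key in $1 (a .pub file) appears in $2 (authorized_keys).
# Only type + blob are compared, so a different comment does not matter and
# option prefixes such as from="..." on the authorized_keys line are tolerated.
key_is_authorized() {
  set -- "$(pubkey_fields "$1")" "$2"
  awk -v want="$1" '
    /^[[:space:]]*#/ || NF == 0 { next }
    { for (i = 1; i < NF; i++) if (($i " " $(i+1)) == want) { hit = 1; exit } }
    END { exit hit ? 0 : 1 }' "$2"
}

# sshd with StrictModes (the default) rejects the key when the home directory,
# ~/.ssh or authorized_keys is writable by group or others; read the mode
# string from ls so this works on both GNU and BSD userlands.
not_group_or_world_writable() {
  case "$(ls -ld "$1" | cut -c1-10)" in
    ?????w*|????????w*) return 1 ;;
  esac
}

# Runs every check for one home directory ($1) and one public key file ($2);
# prints the first failing condition, or "ok".
check_publickey_setup() {
  for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    not_group_or_world_writable "$p" || { echo "group/world writable: $p"; return 1; }
  done
  key_is_authorized "$2" "$1/.ssh/authorized_keys" ||
    { echo "key from $2 is not in authorized_keys"; return 1; }
  echo "ok"
}

# Constructed fixture (the key string is fake): a home directory with one
# authorized key, as ssh-copy-id would leave it. Prints the fixture path.
make_fixture() {
  h=$(mktemp -d) && mkdir -m 700 "$h/.ssh" && chmod 755 "$h" || return 1
  echo "ssh-rsa AAAAB3FAKEKEYDATA== user@host1" > "$h/id_rsa.pub"
  echo "ssh-rsa AAAAB3FAKEKEYDATA== copied-by-ssh-copy-id" > "$h/.ssh/authorized_keys"
  chmod 600 "$h/.ssh/authorized_keys"
  echo "$h"
}
```

Run it against the real home directory and the key named in IdentityFile (`check_publickey_setup "$HOME" /someOtherLocation/id_rsa.pub`) on the host that prompts for a password; a permission failure here is the usual reason sshd silently ignores an offered key.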