Passwordless authentication between two domains.

Andrew DeFaria Andrew@DeFaria.com
Thu Nov 29 20:14:00 GMT 2012


On 11/29/2012 3:28 AM, David T-G wrote:
> Andrew, et al --
>
> ...and then Andrew DeFaria said...
> %
> % On 11/28/2012 1:21 PM, anulav2 wrote:
> % >Andrew,
> % >Keys will "ALWAYS" be different irrespective if it is two servers on same
> % >or different domain.
> % >That is the whole point of copying keys to remote servers authorized_keys
> % >file.
> % I don't think so. I do know the following - here at my current client
> % there are two distinct domains that I deal with - Irvine and San Jose.
> % My Windows laptop is in the Irvine domain. My home directory is on a
> % filer and is shared between my Windows laptop and the various Linux
> % server machines in Irvine. I generate a key and put it in my
> % ~/.ssh/authorized_keys and I can ssh to localhost or any of the Linux
> % servers. Additionally I can ssh from Linux to my laptop, passwordlessly.
>
> That makes sense; all of the machines in Irvine (including your laptop)
> are using the same id_dsa & id_dsa.pub & authorized_keys (or perhaps
> authorized_keys2 but we'll ignore that for the moment) files.
>
>
> %
> ...
> % However if I generate a key in San Jose and put it in
> % ~/.ssh/authorized_keys in Irvine then I can ssh from San Jose -> Irvine
> % without a password. This tells me that generated ssh keys are unique per
> % domain. For bilateral ssh passwordless logins between the two domains
> % you should have at least 2 lines in your ~/.ssh/authorized_keys file,
> % one for each domain:
> [snip]
>
> Incorrect.  ssh doesn't care a bit what domain (if at all) or even what
> OS you're using or where the key was generated.  This simply tells you
> that the shared home directory in San Jose is not the same as the one in
> Irvine.  If it were the same, then the very same id_dsa & id_dsa.pub &
> authorized_keys files would work the very same way; since it is different
> storage, however, you don't have the id_dsa key to match which would
> allow San Jose -> Irvine access.
>
> Try this in both Irvine & San Jose:
>
>    cd ~/.ssh
>    ls -ligo id_dsa* authorized_keys*
>
> I predict that you will find the inodes to be the same all over Irvine
> and the same all over San Jose *but* different between the two locations.
> You may find df or mount to be illustrative as well.
Oh I know I don't have the same home directory on both domains, in fact 
I stated that.

I think the part that was confusing me was that I didn't copy both the 
~/.ssh/id_dsa.pub and the ~/.ssh/id_dsa as a pair.

Thanks for the clarification and simplification.

So the OP's problem is still a mystery...
-- 
Andrew DeFaria <http://defaria.com>
Is God willing to prevent evil, but not able? Then he is not omnipotent. 
Is he able, but not willing? then he is malevolent. Is he both able and 
willing? Then whence cometh evil? Is he neither able nor willing? Then 
why call him God?


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
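The point David makes above is that sshd never looks at a domain or host name: a login in one direction succeeds only when the public half of the key pair in the source account's home directory is listed in the destination account's `authorized_keys`. The script below is an added example (not code from this thread or from Cygwin) that models the two separate home directories from the discussion as temporary directories, appends the San Jose public key to the Irvine `authorized_keys`, and then answers "would this direction authenticate?" the way sshd does, by matching the key type and base64 blob while ignoring comments and option prefixes. The key blobs, file names (`id_dsa`, `id_dsa.pub`) and directory names are constructed placeholders, not real keys. Note that the `ssh-dss` type used throughout the thread has been disabled by default in OpenSSH since 7.0; the matching logic is the same for `ssh-ed25519` or `ssh-rsa` entries.

```shell
#!/bin/sh
# Added example, not from the thread. Two separate home directories (San Jose
# and Irvine in the discussion) each hold their own key pair; a login in a
# given direction works only when the *public* half of the source's key pair
# appears in the *destination's* authorized_keys. Domains play no part.
# The key blobs below are constructed placeholders, not real keys.
set -eu

# normalize_line: read one id_*.pub or authorized_keys line on stdin and print
# "type base64", dropping leading options (from=, no-pty, ...) and the comment.
normalize_line() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$/) {
                print $i, $(i + 1)
                exit
            }
    }'
}

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS_FILE
# 0 if the key is listed, 1 if not, 2 if PUBKEY_FILE holds no recognisable key.
key_authorized() {
    want=$(normalize_line < "$1")
    [ -n "$want" ] || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(printf '%s\n' "$line" | normalize_line)" = "$want" ]; then
            return 0
        fi
    done < "$2"
    return 1
}

# can_login FROM_HOME TO_HOME: prints yes/no for a login FROM -> TO, decided
# the way sshd decides it (host names, domains and OS are irrelevant).
can_login() {
    if key_authorized "$1/.ssh/id_dsa.pub" "$2/.ssh/authorized_keys"; then
        echo yes
    else
        echo no
    fi
}

# make_home DIR BLOB: a fake home directory with its own (placeholder) key pair.
make_home() {
    mkdir -p "$1/.ssh"
    printf 'PLACEHOLDER PRIVATE KEY, not a real key\n' > "$1/.ssh/id_dsa"
    printf 'ssh-dss %s %s\n' "$2" "user@$(basename "$1")" > "$1/.ssh/id_dsa.pub"
    : > "$1/.ssh/authorized_keys"
    chmod 700 "$1/.ssh"
    chmod 600 "$1/.ssh/id_dsa" "$1/.ssh/authorized_keys"
}

ROOT=$(mktemp -d)
SJ="$ROOT/sanjose"
IRV="$ROOT/irvine"
make_home "$SJ"  "AAAAB3NzaC1kc3MAAACBAPLACEHOLDERSANJOSE="   # constructed blob
make_home "$IRV" "AAAAB3NzaC1kc3MAAACBAPLACEHOLDERIRVINE="   # constructed blob

# The step from the thread: San Jose's public key is appended to Irvine's
# authorized_keys (with an option prefix to show that options are tolerated).
{ printf 'no-agent-forwarding '; cat "$SJ/.ssh/id_dsa.pub"; } >> "$IRV/.ssh/authorized_keys"

echo "San Jose -> Irvine: $(can_login "$SJ" "$IRV")"   # yes
echo "Irvine -> San Jose: $(can_login "$IRV" "$SJ")"   # no: Irvine's public key is not in San Jose's file
```

The reverse direction starts working the moment Irvine's `id_dsa.pub` is appended to San Jose's `authorized_keys`, which is the "at least two lines, one per home directory" situation Andrew described. Copying only `id_dsa.pub` without its `id_dsa` does nothing for logins *from* that account, because sshd matches the destination's `authorized_keys` entry against the private key the client actually presents.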