X-Recipient: archive-cygwin AT delorie DOT com
X-SWARE-Spam-Status: No, hits=-3.3 required=5.0	tests=AWL,BAYES_00,KHOP_THREADED,RP_MATCHES_RCVD,SPF_HELO_PASS
X-Spam-Check-By: sourceware.org
To: cygwin AT cygwin DOT com
From: Andrew DeFaria <Andrew AT DeFaria DOT com>
Subject: Re: Passwordless authentication between two domains.
Date: Wed, 28 Nov 2012 15:59:55 -0800
Lines: 50
Message-ID: <k968hu$fll$1@ger.gmane.org>
References: <1353433612060-94427 DOT post AT n5 DOT nabble DOT com> <k8ghdb$kps$1 AT ger DOT gmane DOT org> <1354127875 DOT 88050 DOT YahooMailNeo AT web122106 DOT mail DOT ne1 DOT yahoo DOT com> <20121128200904 DOT M70718 AT ds DOT net> <1354134069143-94590 DOT post AT n5 DOT nabble DOT com> <k95si1$5a7$1 AT ger DOT gmane DOT org> <1354136009 DOT 21649 DOT YahooMailNeo AT web122105 DOT mail DOT ne1 DOT yahoo DOT com> <k95ujm$o61$1 AT ger DOT gmane DOT org> <1354137687 DOT 39813 DOT YahooMailNeo AT web122104 DOT mail DOT ne1 DOT yahoo DOT com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Thunderbird/17.0
In-Reply-To: <1354137687.39813.YahooMailNeo@web122104.mail.ne1.yahoo.com>
X-IsSubscribed: yes
Mailing-List: contact cygwin-help AT cygwin DOT com; run by ezmlm
Precedence: bulk
List-Id: <cygwin.cygwin.com>
List-Unsubscribe: <mailto:cygwin-unsubscribe-archive-cygwin=delorie DOT com AT cygwin DOT com>
List-Subscribe: <mailto:cygwin-subscribe AT cygwin DOT com>
List-Archive: <http://sourceware.org/ml/cygwin/>
List-Post: <mailto:cygwin AT cygwin DOT com>
List-Help: <mailto:cygwin-help AT cygwin DOT com>, <http://sourceware.org/ml/#faqs>
Sender: cygwin-owner AT cygwin DOT com
Mail-Followup-To: cygwin AT cygwin DOT com
Delivered-To: mailing list cygwin AT cygwin DOT com

On 11/28/2012 1:21 PM, anulav2 wrote:
> Andrew,
> Keys will "ALWAYS" be different irrespective if it is two servers on same or different domain.
> That is the whole point of copying keys to remote servers authorized_keys file.
I don't think so. I do know the following - here at my current client 
there are two distinct domains that I deal with - Irvine and San Jose. 
My Windows laptop is in the Irvine domain. My home directory is on a 
filer and is shared between my Windows laptop and the various Linux 
server machines in Irvine. I generate a key and put it in my 
~/.ssh/authorized_keys and I can ssh to localhost or any of the Linux 
servers. Additionally I can ssh from Linux to my laptop, passwordlessly.

If I take that key and put it into the ~/.ssh/authorized_keys in San 
Jose then this allows me to ssh into from Irvine to San Jose without a 
password. But I cannot ssh from San Jose -> Irvine without being 
prompted for a password.

However if I generate a key in San Jose and put it in 
~/.ssh/authorize_keys in Irvine then I can ssh from San Jose -> Irvine 
without a password. This tells me that generated ssh keys are unique per 
domain. For bilateral ssh passwordless logins between the two domains 
you should have at least 2 lines in your ~/.ssh/authorized_keys file, 
one for each domain:

ssh-dss 
AAAAB3NzaC1kc3MAAACBANIhaC5kcPP9paO1PgxbXmeoCTT/COtutXPQKcE85/ut6cvVCL4Ctwv0Uz04q+XdB75qvL+0pbfsg6kRkE6xSJpiOzNXe/ED+EXv1xnp5otlAi3AAAAFQD6ej4gmxyMdsn+Yf7E6TR7RsDfbQAAAIEAsQ5y+xF0fhjORxzivaFVZW2znN0eF5rRNONG7aN/2j9Fu3sTV8YRgjvOSL755Kg0r6a+fu3OMjWMaUFG4BGPTLH8jW3YlWJvTiYhq/3BR8nBh9by0NEiy3UTPyPYTZ8SZPaTABhDcfkQD1qum6TlIBDBlX5gI3Q/abtGGZoo3+AAAACBAIQyf+LdDWl2Pq32NJC6ijufpynK1aOiPlUnvDoFh9snrQ+4JpgWDUsj7dRjbNZbu19PnamGnYduo2xz1USAu6+ePAXiW16m9512SpjKGIRSlnrjXcN+Ys8wJGtdGK0uk0c5q4wyd2Yh/BLsyneV8mWCIKGsi7PZ7gHd1vAqYjNa 
adefaria AT Irvine
ssh-dss 
AAAAB3NzaC1kc3MAAACBGc2XQc9lkE4sacaUKWJBG+hIZFFGejIn4Q366boqkM+pSbx4k5j9UhLhke+nQO7L0lPDJ+TeBbzuSweOTzCN1DSOQEb9wQEeOIPR3WzhZSt7oEsoPDdWC2hUns4MoKKOtTO1Bje0E1c5LYd3hou7AAAAFQDCbH96A9u3EeJLe5OtlkItob2MhwAAAIEAoz4dtm9nqOH+YgNqxRmuyy3f46zSr/ALY747aOpRpxRnGcbZPO6bJHevkN7oomQwSzbHqJbsOzSMpjs9yrxQUAklGsdL7STC4HpheHUKyqGvZB1SP5pQ+thqPo4GQTIpEZxsmsrb5dRNOZstdWqeYQtsu0qYqvHOnxOSWsC5V3wAAACBALY5CD58gt12E4logCHko7p+k8KUS8eAapwbThhH6rsOWjnhBLEDqL4qWn3w8Lk+1vkGIkhZ5Iysbx81Tk6njhnklAFHHtp4MBxuuJbbqLGrM9SKMG1kQDfjFGowkZsLpf2jw37vy0fo/LfJ1NEGpVq6fI3U+O48PUcr2dEpO6UD 
adefaria AT San Jose

Note that the 3rd field is treated as a comment so I changed it to 
adefaria AT Irvine and adefaria AT San Jose. Note 2: The above keys have been 
modified to protect them.

Why don't you try what I suggest and then report back if it worked.
>   Else one could just "cat" its own key in its own authorized_keys file, right?
But one can just "cat" their own key to their own authorized_keys file. 
That's why permissions on ~/.ssh are of paramount importance to ssh - it 
needs to make sure that "Tom" didn't go into "Jane"'s 
~/.ssh/authorized_keys file and insert themselves.

It is true that if you run ssh-keygen on different machines in the same 
domain you'll get different keys, but within the context of that domain 
any one of those keys will work. That's why sharing your home directory 
is a good thing and that's why I always work to get my home directory 
shared between Windows and Linux systems.
-- 
Andrew DeFaria <http://defaria.com>
I'm a tagline virus, please copy me to your signature file


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple