rsync through multiple ssh hops with password authentication prompt

Manuel López-Ibáñez manuellopezibanez at
Thu Oct 20 18:02:46 GMT 2005

Wayne Davison wrote:
> On Thu, Oct 20, 2005 at 01:15:54AM +0100, Manuel L?pez-Ib??ez wrote:
>>For example, isn't it possible for the root of middle (or some
>>attacker) to get my keys and use them?
> No, that's not how ssh keys work at all.  Firstly, you only need to put
> the *public key* on the middle host and the destination host, not your
> private key (which only needs to be on your local system).  Secondly,
> you should have encrypted your private key on your own host, so that it
> must be decrypted with a pass phrase.  This makes everything work
> securely.  As long as ssh is configured to forward the ssh-agent data,
> the remote systems will allow a chain of ssh accesses that originates
> from your local system (which will have prompted you for the key's pass
> phrase only at the first use of the key).  This is a much better way to
> configure ssh than to try to do multiple hops using passwords.
> ..wayne..

OK. Then, should I carry my (encrypted) private key to everywhere? Could 
it be possible to leave the private (encrypted) key in middle and still 
forward the passphrase? This way I won't need to carry the private key 
everywhere, the key in middle would be encrypted and the passphrase 
prompt would be forwarded as before without confusing rsync.

I found a nice document [1] about securing rsync connections trough ssh 
using keys, however, it doesn't explain anything about ssh-agent 
forwarding or passphrase-protected keys.


Renovamos el Correo Yahoo! 
Nuevos servicios, más seguridad

More information about the rsync mailing list