On Sun, Aug 31, 2008 at 10:48:16PM +0100, Brett Parker wrote:
> > *Then* I tried logging in back from the remote system to my home system, it just asked for my password, no public key authentication happened at all. I.e. it's *only* from systems listed in my authorized_keys file that public key authentication will happen, otherwise (if it's allowed) you just get password authentication.
> *sigh* - right - had you added that machine's ~/.ssh/id_rsa.pub to your local authorized_keys? no. So I don't expect that to work. Also, it will only ask you for a password *if* the system you are logging in to has that authentication method (it's easily turned off so that you end up with key only auth). If password/pam/Keyboard Interactive are all turned off, it will not ask for a password. It's only from *KEYS* listed in your authorized_keys file that access is allowed. *KEYS* can be copied between systems. *KEYS* are not tied to a particular system. *KEYS* are generated with a default comment of user@host with user set to the user that generated them and host set to the host of the machine they were generated on. Host *KEYS* and user *KEYS* are separate, one identifies the remote system, one identifies the remote user. ALL of this is documented in the man pages.
OK, I was a bit confused but not *totally* confused. At work we use host-based authentication which *does* check that you are logging in from a known host, i.e. one with a host key that the remote server can verify. If you are using that then what I said was about true.
As you say though public key authentication identifies the *user* but doesn't care what machine he is connecting from.
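An added illustration of Brett's point (example code, not from any of the posters): sshd matches the key material in authorized_keys, not the user@host comment, so the same key line with a different comment, or copied from another machine, still matches. The POSIX sh functions below strip any leading options and the trailing comment and compare only the key type and base64 body; the key body is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Constructed placeholder standing in for the base64 body of a public key.
KEY_B64='AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholderNotARealKey'

# key_material LINE
# Prints "<type> <base64>" for an id_*.pub or authorized_keys line,
# discarding any leading options (from=, command=, ...) and the comment.
key_material() {
  line=$1
  set -f                  # no globbing while word-splitting the line
  set -- $line
  set +f
  # The key type is the first token that looks like an SSH key type;
  # anything before it is the optional options field.
  while [ $# -gt 0 ]; do
    case $1 in
      ssh-*|ecdsa-*|sk-*) printf '%s %s\n' "$1" "$2"; return 0 ;;
    esac
    shift
  done
  return 1                # no key found on this line
}

# key_authorized PUBKEY_LINE AUTHORIZED_KEYS_FILE
# Returns 0 if the key material of PUBKEY_LINE appears in the file,
# whatever comment either side carries and whichever host generated it.
key_authorized() {
  want=$(key_material "$1") || return 1
  while IFS= read -r l; do
    case $l in ''|'#'*) continue ;; esac   # skip blanks and comments
    have=$(key_material "$l") || continue
    [ "$have" = "$want" ] && return 0
  done < "$2"
  return 1
}

# Stand-alone demo: constructed authorized_keys with one key, then the
# same key presented with a different comment and a restricting option.
demo() {
  f=$(mktemp)
  printf 'ssh-rsa %s alice@laptop\n' "$KEY_B64" > "$f"
  if key_authorized "from=\"*.example.org\" ssh-rsa $KEY_B64 alice@work" "$f"
  then echo "same key, different comment: authorized"
  else echo "same key, different comment: rejected"; fi
  rm -f "$f"
}
```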