No, the user name of the user invoking ssh/sftp against the remote
server can be different.  For example, in my case my Windows machine
has for some reason a shortened version of my normal UNIX username, or in
this example using my account on pub400:

So if I run MS's own ssh client against pub400, the '.config' in
%%USER_profile%%\.ssh contains something like this:

---
Host pub400
    User ssd
    IdentityFile ~/.ssh/ssd@xxxxxxxxxx.ecdsa
---

Yes, I'm using elliptic curve keys.

Now I can simply dial pub400 from the Windows machine (but with a
password).

The next thing to do is copy ssd@xxxxxxxxxx.ecdsa.pub to pub400.com
and append the content to ~ssd/.ssh/authorized_keys at pub400.


You can't, for example, tell the ssh daemon on the peer to use a specific
authorized_keys when connecting (that could become a pretty nice
security hole), though the pub400 admin could decide that authorized_keys
in each user profile should be named 'geheime_schlussel'.

One security check done by sshd is that 'authorized_keys' has
restricted readability for other users and that it is owned by the
'called' account.

I have my system set up such that private keys are local to their system;
they aren't shared between systems.

For systems which I want to connect to using passwordless ssh, I send
over the chosen pubkey to them and then append it to
'authorized_keys' for that machine.

You could do the same deal for accounts on your own machine which need
to connect to biz@xxxxxxxxxxxxx, and not use the burner account (and
with that it is far easier to log WHO in your organization
connects to otherhost.com).

The authorized_keys file can contain 'comments' for each accepted key
so the remote authorized_keys could contain something like this:
-----
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5.....   Danbrown@consult....
ssh-ed25519 AAAAC3NzaC1I1NTE5zdi.....   bethbrown@consult....
-----

Suddenly it becomes possible to check who sshed in as someone on
Saturday night at 0310 (sshd logs which public key in authorized_keys
matched the info provided by the caller).

And I believe the file allows normal UNIX '#' comments.
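As an added example (not from the original post or the list), a small Python script that ties the last two points together: it derives, for each authorized_keys entry, the SHA256 fingerprint that sshd logs on an "Accepted publickey" line, and uses the per-key comments to attribute such a login to a person. The key material, the authorized_keys content and the log line are constructed; only the log line format is OpenSSH's.

```python
import base64
import hashlib
import re
def fake_ed25519_pubkey(seed: bytes) -> str:
    """Constructed stand-in: a syntactically valid OpenSSH ed25519 blob around fake bytes."""
    raw = hashlib.sha256(seed).digest()  # 32 bytes, not a real key
    blob = b"".join(len(x).to_bytes(4, "big") + x for x in (b"ssh-ed25519", raw))
    return base64.b64encode(blob).decode()

# Constructed authorized_keys content: per-key comments plus a '#' comment line.
AUTHORIZED_KEYS = "\n".join([
    "# consultants allowed into the shared account",
    f"ssh-ed25519 {fake_ed25519_pubkey(b'dan')} Danbrown@consult.example",
    f"ssh-ed25519 {fake_ed25519_pubkey(b'beth')} bethbrown@consult.example",
])

def sha256_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_key_comments(text: str) -> dict:
    """Map fingerprint -> comment; blank and '#' lines skipped, simple leading options tolerated."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        out[sha256_fingerprint(parts[idx + 1])] = " ".join(parts[idx + 2:])
    return out

# sshd (OpenSSH 6.8+) logs the fingerprint of the matched key on each public-key login.
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def attribute_logins(log_text: str, key_comments: dict) -> list:
    """Return (account, source address, key comment) per accepted public-key login."""
    hits = []
    for m in filter(None, map(LOG_RE.search, log_text.splitlines())):
        user, src, fp = m.groups()
        hits.append((user, src, key_comments.get(fp, "<key not in authorized_keys>")))
    return hits

def sample_log() -> str:
    """Constructed sshd log line (not captured output) for the fake 'beth' key."""
    return ("Sat 03:10:02 host sshd[4321]: Accepted publickey for ssd from 203.0.113.7 port "
            f"51234 ssh2: ED25519 {sha256_fingerprint(fake_ed25519_pubkey(b'beth'))}")
```

Running `attribute_logins(sample_log(), load_key_comments(AUTHORIZED_KEYS))` names the shared account, the source address and the comment of the key that matched, which is exactly the WHO question above.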
