[NTLUG:Discuss] ssh keys

Kevin Brannen kbrannen at pwhome.com
Thu Mar 3 19:14:07 CST 2005


Jack Snodgrass wrote:

>Say that I have a machine that I generate a ssh key on. 
>I'm using the latest openssh v2 software. 
>
>I take the .pub part of the key and I scp it to 20 servers 
>that I need ssh access to and put it in the authorized_keys2 
>file for each server. Now I can use my ssh key to get to any 
>of those 20 servers. 
>
>Now... I need to access 10 more servers, so I scp my pub 
>key to those 10 new servers and update their authorized_keys2 
>files too.
>
>Next... I decide that I want to use another account/machine
>in addition to the one I'm using now, so I have to make a new 
>ssh-key, and transfer that to each of the 30 servers and add that 
>key to their authorized_keys2 file. 
>
>Is there a better way to do this? Are there 'key' servers that 
>you can upload a key to and it's sent ( or accessed ) by the
>machines that you login to so you just add a key to one place
>and everything you use knows about it? 
>  
>

I'm not aware of a "key server" of that type.  It seems to me that would 
sort of defeat the security, as things could be spoofed or intercepted 
in the middle.  The only way to securely have a "key server" would be to 
encrypt the transmission; ssh would be a good mechanism but would 
require a key from each machine to authenticate and ... oh wait!  That's 
the problem you have now. :-)

The way I've avoided this in the past is to put the authorized_keys2 
file in place when the machine was built, i.e. it's part of the initial 
image I "ghost'd" (actually I used "dd" but same concept).  If that is 
done for root, you can automate all other additions (as root can do 
anything. :-)  From there you can do stuff like:

# one hostname per line in machine_list; the key to add is in new_ssh_id_key
while read -r mach
do
    # ssh reads the key file on its own stdin, so it cannot swallow
    # the rest of machine_list, which the loop reads from its stdin
    ssh "$mach" 'cat >> ~/.ssh/authorized_keys2' < new_ssh_id_key
done < machine_list

or any one of several variations with other vars, ids, etc. as your 
situation requires.

I did that sort of thing on my last job and it made administering all the 
machines quite easy.  If you're not using "keychain", check out that 
utility; it can make your ssh key management a bit easier (even painless).

HTH,
Kevin
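As an added example (not Kevin's script, and not part of the original
thread), here is a version of the same push loop that is safe to run more
than once: it appends a key only if that exact line is not already present,
and creates ~/.ssh and the key file with restrictive modes. The function
names (add_key_local, count_keys, push_key), the machine_list format (one
host per line) and the sample key line are this example's own assumptions;
it assumes OpenSSH on the remote side and a POSIX sh on both ends.

```shell
#!/bin/sh
# add_key_local: idempotently append one public-key line to an
# authorized_keys file, creating the directory and file with the modes
# sshd's StrictModes check expects (700 on ~/.ssh, 600 on the file).
# Returns 0 if the key was added, 1 if it was already there.
add_key_local() {
    akfile=$1
    keyline=$2
    akdir=$(dirname "$akfile")
    mkdir -p "$akdir" && chmod 700 "$akdir"
    touch "$akfile" && chmod 600 "$akfile"
    # -F: fixed string, -x: whole line.  A key that differs only in its
    # trailing comment is a different line and is still added.
    if grep -qFx -- "$keyline" "$akfile"; then
        return 1
    fi
    printf '%s\n' "$keyline" >> "$akfile"
}

# count_keys: number of non-blank, non-comment lines in an authorized_keys
# file, i.e. how many keys are currently accepted.
count_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]' || true
}

# push_key: run the same idempotent append on every host in a machine list.
# The key travels on ssh's stdin, so the loop's own stdin (the host list)
# is never consumed by ssh.  Requires that you can already reach each host,
# e.g. via the key that was baked into the base image.
push_key() {
    listfile=$1
    keyline=$2
    while read -r mach; do
        [ -z "$mach" ] && continue
        printf '%s\n' "$keyline" | ssh "$mach" '
            umask 077
            mkdir -p "$HOME/.ssh"
            f="$HOME/.ssh/authorized_keys2"
            k=$(cat)
            grep -qFx -- "$k" "$f" 2>/dev/null || printf "%s\n" "$k" >> "$f"
        '
    done < "$listfile"
}

# Constructed sample key line for local testing; not a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7example constructed-example-key'

# Example use (uncomment to run against real hosts):
# push_key machine_list "$(cat new_ssh_id_key)"
```

Because the append is a no-op when the line is already present, the
script can be re-run after adding hosts to machine_list without growing
every existing authorized_keys2 file by one duplicate each time.  Note that
authorized_keys2 is a legacy name; current OpenSSH reads it only because
the default AuthorizedKeysFile lists both .ssh/authorized_keys and
.ssh/authorized_keys2, so ~/.ssh/authorized_keys is the safer target on
newer systems.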