[NTLUG:Discuss] ssh keys
MadHat
madhat at unspecific.com
Thu Mar 3 20:36:17 CST 2005
On Mar 3, 2005, at 7:14 PM, Kevin Brannen wrote:
> Jack Snodgrass wrote:
>> Say that I have a machine that I generate a ssh key on. I'm using the
>> latest openssh v2 software.
>> I take the .pub part of the key and I scp it to 20 servers that I
>> need ssh access to and put it in the authorized_keys2 file for each
>> server. Now I can use my ssh key to get to any of those 20 servers.
>> Now... I need to access 10 more servers, so I scp my pub key to those
>> 10 new servers and update their authorized_keys2 files too.
>>
>> Next... I decide that I want to use another account/machine
>> in addition to the one I'm using now, so I have to make a new
>> ssh-key, and transfer that to each of the 30 servers and add that key
>> to their authorized_keys2 file.
>> Is there a better way to do this? Are there 'key' servers that you
>> can upload a key to and it's sent ( or accessed ) by the
>> machines that you login to so you just add a key to one place
>> and everything you use knows about it?
>
> I'm not aware of a "key server" of that type. It seems to me that
> would sort of defeat the security, as things could be spoofed or
> intercepted in the middle. The only way to securely have a "key
> server" would be to encrypt the transmission, ssh would be a good
> mechanism but would require a key from each machine to authenticate and
> ... oh wait! That's the problem you have now. :-)
>
> The way I've avoided this in the past is to put the authorized_keys2
> file in place when the machine was built, i.e. it's part of the
> initial image I "ghost'd" (actually I used "dd" but same concept). If
> that is done for root, you can automate all other additions (as root
> can do anything. :-) From there you can do stuff like:
ssh as root? That is bad. Have an automation account with limited
sudo access, specifically to run one or two commands. Then you have
that account already installed on the ghost image, or added as part of
the install process. The sudo access would be to add packages, for
instance, then you could have the user accounts as packages, like an
RPM. Only allow the automation account to run rpm passwordless via
sudo. Then when you run 'ssh host "sudo rpm -i
http://central.server/user.rpm"' the user's credentials and ssh keys
are installed.
I just don't like the idea of having ssh as root enabled anywhere. I
don't even know the root password on a machine or 2 I admin. No reason
to.
> # one hostname per line in machine_list; the key file is fed to ssh's stdin,
> # so the loop's own stdin (the machine list) is left untouched
> while read -r mach
> do
>     ssh "$mach" "cat - >> ~/.ssh/authorized_keys2" < new_ssh_id_key
> done < machine_list
>
> or any one of several variations with other vars, ids, etc. as your
> situation requires.
>
> I did that sort of thing on my last job and it made admining all the
> machines quite easy. If you're not using "keychain", check out that
> utility; it can make your ssh key management a bit easier (even
> painless).
>
> HTH,
> Kevin
>
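A worked version of the approach the thread converges on, added here as an example and not code posted by anyone in the thread: push one public key to a list of hosts over ssh as a non-root automation account, and append it only when it is not already present, so re-running the script never stacks duplicate entries in the file. The login name "automation", the one-hostname-per-line machine list, and the file names are assumptions; the remote side writes ~/.ssh/authorized_keys, which current OpenSSH reads by default (the thread's authorized_keys2 is also still honoured).

```shell
#!/bin/sh
# Added example, not code from the thread. Pushes one OpenSSH public key to a
# list of hosts without logging in as root, appending the key only if it is
# not already there, so the script is safe to re-run.
# Assumed names (not from the original post): remote login "automation",
# machine list with one hostname per line, key file given as first argument.

# add_key_once FILE KEYLINE
#   Append KEYLINE to FILE unless an identical line is already present.
#   Returns 0 when the key was added, 1 when it was already there.
#   The same logic is sent to each remote host in push_key below; it is also
#   a local function so it can be exercised without any network access.
add_key_once() {
    file=$1
    key=$2
    # subshell so the restrictive umask does not leak into the caller;
    # sshd refuses key files that are group- or world-writable
    ( umask 077; mkdir -p "$(dirname "$file")"; touch "$file" )
    if grep -qxF -- "$key" "$file"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$file"
    return 0
}

# count_key FILE KEYLINE: number of exact copies of KEYLINE in FILE (0 if no file)
count_key() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cxF -- "$2" "$1" || true
}

# push_key PUBFILE MACHINE_LIST
#   Run the append-once logic on every host in MACHINE_LIST over ssh.
#   BatchMode=yes makes ssh fail instead of prompting, so a host where the
#   automation account's own key is missing is reported rather than hanging.
push_key() {
    pub=$1
    list=$2
    key=$(cat "$pub")
    # refuse anything that is not a single public-key line (and anything
    # containing a quote, which would break the remote argument quoting)
    case "$key" in
        *\'*|*"$(printf '\n')"*)
            echo "unexpected characters in key file: $pub" >&2; return 2 ;;
        ssh-*|ecdsa-*|sk-*) ;;
        *)  echo "not an OpenSSH public key: $pub" >&2; return 2 ;;
    esac
    while read -r host; do
        [ -n "$host" ] || continue
        # the remote sh reads its script from the heredoc, so the loop's own
        # stdin (the machine list) is left untouched
        if ssh -o BatchMode=yes "automation@$host" "sh -s '$key'" <<'EOF'
key=$1
umask 077
mkdir -p "$HOME/.ssh"
touch "$HOME/.ssh/authorized_keys"
grep -qxF -- "$key" "$HOME/.ssh/authorized_keys" || printf '%s\n' "$key" >> "$HOME/.ssh/authorized_keys"
EOF
        then
            echo "ok: $host"
        else
            echo "FAILED: $host" >&2
        fi
    done < "$list"
}

# Usage when run as a script: ./push_key.sh id_ed25519.pub machine_list
if [ "$#" -eq 2 ]; then
    push_key "$1" "$2"
fi
```

The exact-line match (grep -xF) is what makes the push idempotent; a plain append, as in the loop quoted above, adds one more copy of the key every time the list is re-run. Reporting per-host failures on stderr instead of aborting the loop lets one unreachable machine be retried later without re-touching the others.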