regulating SSH keys between two machines

Posted on 2004-10-28
Last Modified: 2013-12-06
I have a situation where users log into a red hat advanced server machine.   They run an application which has a back end utility that must run on a separate server running SCO Unixware 7.1.  The utility must run as the particular user on the remote machine and to facilitate this I have generated public keys for all the users, moved them to the remote server and then added them to the users authorized_keys.  This is all working fine.  

What I am looking for are some suggestions on how to maintain these keys as new users are added.  Ideally I would like a routine that could be run from the appserver to create the key, copy the key over to the remote server and configure the .ssh directory, but I'm not sure this is such a good plan.

The one thought I had was to have keep a temporary generic identity on the application server and the matching generic public key on the remote server.  As new users are created, I would copy this identity into the application server's .ssh directory and the generic key into the remote users authorized_keys.  On the first login, a script could create a new identity and replace the authorized_keys on the remote server.

The other thought was to look at the pros, cons and configuration options with host based authentication.  I have had some difficulty trying this one out, so if anyone has a good how-to document, that information would be helpful.

Thanks for your help!

Question by:jjhalko
    LVL 2

    Assisted Solution

    I am going to make an assumption; you have ssh on the servers. I also realize this doesn't fully answer the question, but has helped my automation processes and can be tweaked for many purposes.
    ($ is a prompt)
    $ ssh-keygen -t dsa
    $ cat ~/.ssh/ | ssh SERVERB 'sh -c "cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'

    I have a backup server that obtains critical files and I use this method to replicate my public key without the multi-step dance that is typically key dissemination. You can also run remote commands using the part after the | and the output will echo to STDOUT. I use this to obtain mysql dumps and package list dumps by >file.backup.
    LVL 38

    Assisted Solution


       You might want to check the follwoing article which mentioned about authprogs, lets you control which machines can run authorized commands via SSH using SSH Identities.

    LVL 10

    Accepted Solution

    LVL 2

    Assisted Solution

    Be cautious about overwriting authorized_keys. Many tutorials concerning public keys will have you cat with a single > or cp/scp. It won't take but once of losing a major keys file to alter the strategy.

    Author Comment

    Ok,  I put a solution in place so I am going to close this question.  

    First Issue, we don't have right now a process to interact between the multiple servers.  Ie, if you are root or another system account, we don't have password-less keys to allow ssh by default to the remote servers.  Thus if you gain access into one system, you're not guarenteed to gain entry in another server, at least as a superuser.  
    Thus, because of this, we can't use ssh to copy over the keys to the remote directory until this is done.  We can replace keys this way, but not add new keys.

    Second, we have a scripting mechanims to create new users.  This helps since I can add a few lines to this script to make some changes.  What I chose to add was a line on the application server and the active server to create the .ssh directory with the correct permissions and create the necessary keys.  

    Now the only problem is getting the key to the remote server.  My current solution is to have the adduser process copy the key to a shared mounted drive when the key is created.  Then, to run a routine cron job on the remote server to review this directory and if there is a new key, to copy the key into the appropriate directory and set the proper permissions.  It's not real-time, but it will handle the syncing of the keys on our servers.  

    I appeciate all of your comments on this matter.  I'll share points for your participation.

    Best Regards.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone. Privacy Policy Terms of Use

    Featured Post

    Course: JavaScript Coding - Massive 12-Part Bundle

    Regardless of your programming skill level, you'll go from basics to advanced concepts in a vast array of JavaScript subjects including Sammy.js, Agility.js, Ember.js, Node.js, jQuery, AJAX, Extjs, AngularJS, Knockout.js, and JSON.

    If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
    Setting up Secure Ubuntu server on VMware 1.      Insert the Ubuntu Server distribution CD or attach the ISO of the CD which is in the “Datastore”. Note that it is important to install the x64 edition on servers, not the X86 editions. 2.      Power on th…
    Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
    Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

    860 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now