regulating SSH keys between two machines

Posted on 2004-10-28
Last Modified: 2013-12-06
I have a situation where users log into a Red Hat Advanced Server machine. They run an application which has a back end utility that must run on a separate server running SCO UnixWare 7.1. The utility must run as the particular user on the remote machine, and to facilitate this I have generated public keys for all the users, moved them to the remote server and then added them to the users' authorized_keys. This is all working fine.

What I am looking for are some suggestions on how to maintain these keys as new users are added.  Ideally I would like a routine that could be run from the appserver to create the key, copy the key over to the remote server and configure the .ssh directory, but I'm not sure this is such a good plan.

The one thought I had was to keep a temporary generic identity on the application server and the matching generic public key on the remote server. As new users are created, I would copy this identity into the application server's .ssh directory and the generic key into the remote user's authorized_keys. On the first login, a script could create a new identity and replace the authorized_keys on the remote server.

The other thought was to look at the pros, cons and configuration options with host based authentication.  I have had some difficulty trying this one out, so if anyone has a good how-to document, that information would be helpful.

Thanks for your help!

Question by: jjhalko

Assisted Solution

revantine earned 500 total points
ID: 12436164
I am going to make an assumption; you have ssh on the servers. I also realize this doesn't fully answer the question, but has helped my automation processes and can be tweaked for many purposes.
($ is a prompt)
$ ssh-keygen -t dsa
$ cat ~/.ssh/id_dsa.pub | ssh SERVERB 'sh -c "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'

I have a backup server that obtains critical files and I use this method to replicate my public key without the multi-step dance that is typically key dissemination. You can also run remote commands using the part after the | and the output will echo to STDOUT. I use this to obtain mysql dumps and package list dumps by >file.backup.

Assisted Solution

wesly_chen earned 250 total points
ID: 12436360

You might want to check the following article, which mentions authprogs. It lets you control which machines can run authorized commands via SSH using SSH identities.


Accepted Solution

Luxana earned 250 total points
ID: 12449649

Assisted Solution

revantine earned 500 total points
ID: 12450165
Be cautious about overwriting authorized_keys. Many tutorials concerning public keys will have you cat with a single > or cp/scp. It only takes losing a major keys file once to change your strategy.

Author Comment

ID: 12487185
OK, I put a solution in place, so I am going to close this question.

First issue: we don't have right now a process to interact between the multiple servers. I.e., if you are root or another system account, we don't have password-less keys to allow ssh by default to the remote servers. Thus if you gain access into one system, you're not guaranteed to gain entry in another server, at least as a superuser.
Thus, because of this, we can't use ssh to copy over the keys to the remote directory until this is done. We can replace keys this way, but not add new keys.

Second, we have a scripting mechanism to create new users. This helps since I can add a few lines to this script to make some changes. What I chose to add was a line on the application server and the active server to create the .ssh directory with the correct permissions and create the necessary keys.

Now the only problem is getting the key to the remote server.  My current solution is to have the adduser process copy the key to a shared mounted drive when the key is created.  Then, to run a routine cron job on the remote server to review this directory and if there is a new key, to copy the key into the appropriate directory and set the proper permissions.  It's not real-time, but it will handle the syncing of the keys on our servers.  

I appreciate all of your comments on this matter. I'll share points for your participation.

Best Regards.
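As an added example (not code from the thread or from any of its participants), here is a shell implementation of the flow the author settled on, written so that it also honours revantine's warning above about never overwriting authorized_keys: `provision_user_key` is the hook for the adduser script on the application server, and `import_keys` is the job cron runs on the remote server. The drop directory `/var/keydrop`, the `<user>.pub` file naming, the `/home` base directory and the ed25519 key type (the thread used DSA, which current OpenSSH no longer accepts by default) are all assumptions of this example.

```bash
#!/bin/sh
# Added example, not from the thread. Key-sync flow: the adduser hook on the
# application server writes each new user's public key to a shared drop
# directory; a cron job on the remote server installs whatever it finds there.
# Paths (/var/keydrop, /home) and the <user>.pub naming are assumptions.
set -eu

KEYDROP=${KEYDROP:-/var/keydrop}

# Accept exactly one well-formed OpenSSH public-key line: key type, base64 blob,
# optional comment. Rejecting anything else keeps option prefixes or garbage
# from a stray drop file out of authorized_keys.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,3}( [^[:cntrl:]]*)?$'
}

# Application-server side (run as root from the adduser script): create ~/.ssh
# with the right modes, generate a passphrase-less identity as in the thread,
# and publish the public half as <user>.pub in the drop directory.
provision_user_key() {
    user=$1 home=$2
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    ssh-keygen -q -t ed25519 -N '' -C "$user@$(hostname)" -f "$home/.ssh/id_ed25519"
    chown -R "$user" "$home/.ssh"
    # Write under a temporary name and rename, so cron never reads a half-written file.
    cp "$home/.ssh/id_ed25519.pub" "$KEYDROP/.$user.pub.tmp"
    mv "$KEYDROP/.$user.pub.tmp" "$KEYDROP/$user.pub"
}

# Remote-server side (run from cron): for every <user>.pub in the drop
# directory, append the key to that user's authorized_keys, never overwriting
# and never adding a duplicate, then delete the drop file so it is processed
# once. Files that fail validation are left in place for an admin to inspect.
# Prints the number of keys newly installed.
import_keys() {
    dropdir=$1 homebase=$2 installed=0
    for keyfile in "$dropdir"/*.pub; do
        [ -e "$keyfile" ] || continue            # glob matched nothing
        user=$(basename "$keyfile" .pub)
        # The file name decides which account gets the key, so it must look
        # like a plain login name (no "..", no odd characters).
        if ! printf '%s\n' "$user" | grep -Eq '^[a-z_][a-z0-9_-]*$'; then
            echo "skip $keyfile: bad user name" >&2; continue
        fi
        home="$homebase/$user"
        if [ ! -d "$home" ]; then
            echo "skip $keyfile: no home directory for $user" >&2; continue
        fi
        # Exactly one line, and that line must be a public key.
        key=$(head -n 1 "$keyfile")
        if [ "$(grep -c '' "$keyfile")" -ne 1 ] || ! valid_pubkey_line "$key"; then
            echo "skip $keyfile: not a single valid public key line" >&2; continue
        fi
        auth="$home/.ssh/authorized_keys"
        mkdir -p "$home/.ssh"
        chmod 700 "$home/.ssh"
        touch "$auth"
        chmod 600 "$auth"
        if grep -qxF -- "$key" "$auth"; then
            echo "$user: key already present" >&2
        else
            printf '%s\n' "$key" >> "$auth"      # '>>', never '>' (see above)
            installed=$((installed + 1))
        fi
        if [ "$(id -u)" -eq 0 ]; then            # ownership can only be fixed as root
            chown -R "$user" "$home/.ssh"
        fi
        rm -f "$keyfile"
    done
    echo "$installed"
}

# Entry points (assumed names). Crontab line on the remote server, e.g.:
#   */5 * * * * /usr/local/sbin/keysync.sh import
# and from the adduser script on the application server:
#   /usr/local/sbin/keysync.sh provision alice /home/alice
case "${1:-}" in
    import)    import_keys "$KEYDROP" /home ;;
    provision) provision_user_key "$2" "$3" ;;
esac
```

Two points worth noting about the design. The shared drop directory is the trust boundary of this scheme: whoever can write a `<user>.pub` file there can grant themselves login as that user on the remote server, so the mount should be writable only by the adduser process on the application server and the remote side validates both the file name and the key line before touching any home directory. And because the importer only ever appends and skips keys that are already present, re-running it (or running it against a stale drop file) is harmless, which is what you want from a job that fires every few minutes from cron.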

