regulating SSH keys between two machines

Posted on 2004-10-28
Medium Priority
Last Modified: 2013-12-06
I have a situation where users log into a Red Hat Advanced Server machine. They run an application which has a back-end utility that must run on a separate server running SCO UnixWare 7.1. The utility must run as the particular user on the remote machine and, to facilitate this, I have generated public keys for all the users, moved them to the remote server and then added them to the users' authorized_keys. This is all working fine.

What I am looking for are some suggestions on how to maintain these keys as new users are added.  Ideally I would like a routine that could be run from the appserver to create the key, copy the key over to the remote server and configure the .ssh directory, but I'm not sure this is such a good plan.

The one thought I had was to keep a temporary generic identity on the application server and the matching generic public key on the remote server. As new users are created, I would copy this identity into the application server's .ssh directory and the generic key into the remote user's authorized_keys. On the first login, a script could create a new identity and replace the authorized_keys on the remote server.

The other thought was to look at the pros, cons and configuration options with host based authentication.  I have had some difficulty trying this one out, so if anyone has a good how-to document, that information would be helpful.

Thanks for your help!

Question by:jjhalko
Assisted Solution

revantine earned 500 total points
ID: 12436164
I am going to make an assumption; you have ssh on the servers. I also realize this doesn't fully answer the question, but has helped my automation processes and can be tweaked for many purposes.
($ is a prompt; lines starting with # are comments)
# generate a DSA key pair for the current user
$ ssh-keygen -t dsa
# pipe the public key over ssh and append it (>>) to the remote authorized_keys;
# mkdir -p creates ~/.ssh first if the remote account does not have one yet
$ cat ~/.ssh/id_dsa.pub | ssh SERVERB 'sh -c "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'

I have a backup server that obtains critical files and I use this method to replicate my public key without the multi-step dance that is typically key dissemination. You can also run remote commands using the part after the | and the output will echo to STDOUT. I use this to obtain mysql dumps and package list dumps by >file.backup.

Assisted Solution

wesly_chen earned 250 total points
ID: 12436360

You might want to check the following article, which mentions authprogs; it lets you control which machines can run authorized commands via SSH using SSH identities.


Accepted Solution

Luxana earned 250 total points
ID: 12449649

Assisted Solution

revantine earned 500 total points
ID: 12450165
Be cautious about overwriting authorized_keys. Many tutorials concerning public keys will have you cat with a single > or cp/scp. It only takes losing a major keys file once to alter the strategy.

Author Comment

ID: 12487185
Ok, I put a solution in place so I am going to close this question.

First issue: we don't have right now a process to interact between the multiple servers. I.e., if you are root or another system account, we don't have password-less keys to allow ssh by default to the remote servers. Thus if you gain access into one system, you're not guaranteed to gain entry in another server, at least as a superuser.
Thus, because of this, we can't use ssh to copy over the keys to the remote directory until this is done. We can replace keys this way, but not add new keys.

Second, we have a scripting mechanism to create new users. This helps since I can add a few lines to this script to make some changes. What I chose to add was a line on the application server and the active server to create the .ssh directory with the correct permissions and create the necessary keys.

Now the only problem is getting the key to the remote server. My current solution is to have the adduser process copy the key to a shared mounted drive when the key is created. Then, to run a routine cron job on the remote server to review this directory and if there is a new key, to copy the key into the appropriate directory and set the proper permissions. It's not real-time, but it will handle the syncing of the keys on our servers.

I appreciate all of your comments on this matter. I'll share points for your participation.

Best Regards.
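The remote-side cron step the author describes (pick up new keys from the shared mount, install them with the right permissions), written to respect revantine's warning about never overwriting authorized_keys with a single >. This is an added example, not code from the thread; the drop-directory layout (one <user>.pub file per new user) and the home-directory root passed to sync_keys are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): merge public keys dropped on a shared
# mount into each user's authorized_keys. Keys are appended, never written
# with a single ">", and a key already present is skipped, so the cron job
# can run as often as you like. Paths passed in are placeholders for the site.

# import_key <home_dir> <pubkey_file>
# Creates ~/.ssh (0700) and authorized_keys (0600) if missing, appends each
# key line from pubkey_file that is not already present, prints count added.
import_key() {
    home="$1"; keyfile="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"        # create only if it does not exist
    chmod 600 "$auth"
    added=0
    # one key per line; ignore blank and comment lines; -xF = exact whole line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$keyfile"
    echo "$added"
}

# sync_keys <drop_dir> <home_root>
# For every <user>.pub in drop_dir whose home directory exists, import the
# key and remove the drop file. Files for unknown users are left in place
# for an admin to look at. Prints the total number of keys added.
sync_keys() {
    drop="$1"; homeroot="$2"; total=0
    for f in "$drop"/*.pub; do
        [ -f "$f" ] || continue
        user=$(basename "$f" .pub)
        home="$homeroot/$user"
        [ -d "$home" ] || continue
        n=$(import_key "$home" "$f")
        total=$((total + n))
        rm -f "$f"
    done
    echo "$total"
}

# Typical cron entry on the remote server (assumed paths):
# */5 * * * * /usr/local/sbin/sync_keys.sh /mnt/shared/newkeys /home
```

Run it as root on the remote server so the files it creates end up owned correctly; add a chown to import_key if the drop files carry the owner in their name.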

