regulating SSH keys between two machines

I have a situation where users log into a Red Hat Advanced Server machine. They run an application which has a back-end utility that must run on a separate server running SCO UnixWare 7.1. The utility must run as the particular user on the remote machine, and to facilitate this I have generated public keys for all the users, moved them to the remote server, and then added them to the users' authorized_keys. This is all working fine.

What I am looking for are some suggestions on how to maintain these keys as new users are added.  Ideally I would like a routine that could be run from the appserver to create the key, copy the key over to the remote server and configure the .ssh directory, but I'm not sure this is such a good plan.

The one thought I had was to keep a temporary generic identity on the application server and the matching generic public key on the remote server. As new users are created, I would copy this identity into the application server's .ssh directory and the generic key into the remote user's authorized_keys. On the first login, a script could create a new identity and replace the authorized_keys on the remote server.

The other thought was to look at the pros, cons and configuration options with host based authentication.  I have had some difficulty trying this one out, so if anyone has a good how-to document, that information would be helpful.

Thanks for your help!



Asked by jjhalko
revantine commented:
I am going to make an assumption: you have ssh on the servers. I also realize this doesn't fully answer the question, but it has helped my automation processes and can be tweaked for many purposes.
($ is a prompt)
$ ssh-keygen -t dsa
$ cat ~/.ssh/id_dsa.pub | ssh SERVERB 'sh -c "cat - >>~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"'

I have a backup server that obtains critical files, and I use this method to replicate my public key without the multi-step dance that key dissemination typically is. You can also run remote commands using the part after the | and the output will echo to STDOUT. I use this to obtain mysql dumps and package list dumps by >file.backup.
 
wesly_chen commented:
Hi,

   You might want to check the following article, which mentions authprogs; it lets you control which machines can run authorized commands via SSH using SSH identities.
http://www.hackinglinuxexposed.com/articles/20030115.html

Wesly
 
revantine commented:
Be cautious about overwriting authorized_keys. Many tutorials concerning public keys will have you cat with a single > or cp/scp. It only takes losing a major keys file once to change your strategy.
 
jjhalko (author) commented:
Ok, I put a solution in place, so I am going to close this question.

First issue: we don't currently have a process to interact between the multiple servers. I.e., if you are root or another system account, we don't have passwordless keys to allow ssh to the remote servers by default. Thus if you gain access to one system, you're not guaranteed to gain entry to another server, at least as a superuser.
Because of this, we can't use ssh to copy the keys over to the remote directory until this is done. We can replace keys this way, but not add new keys.

Second, we have a scripting mechanism to create new users. This helps since I can add a few lines to this script to make some changes. What I chose to add was a line on the application server and the active server to create the .ssh directory with the correct permissions and create the necessary keys.

Now the only problem is getting the key to the remote server. My current solution is to have the adduser process copy the key to a shared mounted drive when the key is created. Then, a routine cron job on the remote server reviews this directory and, if there is a new key, copies the key into the appropriate directory and sets the proper permissions. It's not real-time, but it will handle syncing the keys on our servers.

I appreciate all of your comments on this matter. I'll share points for your participation.

Best Regards.
