regulating SSH keys between two machines
Posted on 2004-10-28
I have a situation where users log into a Red Hat Advanced Server machine. They run an application which has a back-end utility that must run on a separate server running SCO UnixWare 7.1. The utility must run as the particular user on the remote machine, and to facilitate this I have generated public keys for all the users, moved them to the remote server and then added them to the users' authorized_keys. This is all working fine.
What I am looking for are some suggestions on how to maintain these keys as new users are added. Ideally I would like a routine that could be run from the appserver to create the key, copy the key over to the remote server and configure the .ssh directory, but I'm not sure this is such a good plan.
The one thought I had was to keep a temporary generic identity on the application server and the matching generic public key on the remote server. As new users are created, I would copy this identity into the application server's .ssh directory and the generic key into the remote user's authorized_keys. On the first login, a script could create a new identity and replace the authorized_keys on the remote server.
The other thought was to look at the pros, cons and configuration options of host-based authentication. I have had some difficulty trying this one out, so if anyone has a good how-to document, that information would be helpful.
Thanks for your help!
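The first-login routine the post asks about, written as an added shell example (not code from the original post): the install function is the idempotent append that runs on the UnixWare side, and the provisioning function runs as the new user on the appserver. It assumes OpenSSH on both hosts; the remote host name is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSH on both hosts;
# the remote host name passed to provision_self is a placeholder.

# Install one public key line into a user's authorized_keys, creating the
# .ssh directory with the modes sshd insists on (700 dir, 600 file) and
# skipping the append when the identical line is already present.
install_authorized_key() {
    home_dir="$1"        # the user's home directory
    pubkey="$2"          # one line such as "ssh-rsa AAAA... user@appserver"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    grep -qxF "$pubkey" "$auth_file" && return 0
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Number of key lines a user currently has (used to verify the result).
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# Run as the new user on the appserver at first login: create a
# passphrase-less key (the back-end utility runs unattended, so no agent
# is available), then push the public half to the same account on the
# remote host through the user's own password login, using the same
# idempotent append there. Nothing private ever leaves the appserver.
provision_self() {
    remote_host="$1"                 # placeholder for the UnixWare host
    key="$HOME/.ssh/id_rsa"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    [ -f "$key" ] || ssh-keygen -q -t rsa -N '' -f "$key"
    ssh "$remote_host" 'umask 077; mkdir -p ~/.ssh; k=$(cat);
        touch ~/.ssh/authorized_keys;
        grep -qxF "$k" ~/.ssh/authorized_keys ||
            printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "$key.pub"
}
```

Because the public key travels over the user's own login, no private key is shared between users; a generic identity installed for every new account lets whoever holds it log in as each of those accounts until it is replaced.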