Solved

RHEL5 and ssh key management

Posted on 2010-09-22
Last Modified: 2012-05-10
Right now we have about 15 RHEL5 boxes and we use keys with SSH. However, when someone leaves the organization or comes in, it would be handy to just put their key in one location and have it pushed out to the servers.

Is there a way to do this with RHEL so that there won't be as much work when keys need to be changed?
Question by:willlandymore
LVL 77

Expert Comment

by:arnold
ID: 33738194
You could maintain the authorized_keys and authorized_keys2 files in a central location.
When a user leaves, you can remove their keys from those files and push them out.

Make sure that each user has their own key.

Are the servers centrally managed i.e. using openldap for user management?

LVL 1

Author Comment

by:willlandymore
ID: 33738455
no, no openLDAP.

I don't mind paying for something if they have it off the shelf or putting in another solution, but I don't have a sweet clue as to how to set it up. :)
LVL 77

Expert Comment

by:arnold
ID: 33738790
It is not clear what you are looking for.

Presumably you have a central server that has access to all others.

Does each user have their own login on each server, or do you use the ssh rsa/dsa key to get the user access into a shared account?
LVL 1

Author Comment

by:willlandymore
ID: 33738820
each user has their own key and login on each box. I'm just looking for a way not to have to manage each host's keys and do it from one place and push it out to the rest of them, but I've never set something up like this so I'm a little fuzzy on where to start.
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 33740599
OK. Have each user provide you with their public keys (RSA1, RSA, DSA);
you would need to keep track of which is whose.

Then you would use those keys to create an authorized_keys and an authorized_keys2.
You would then use a simple shell script that goes through the list of hosts and scps these two files to user@host:/home/user/.ssh/:
    scp authorized_keys authorized_keys2 user@$host:/home/user/.ssh/

When a user leaves, you rebuild the two files by excluding that user's public keys, and push them out again.
LVL 77

Expert Comment

by:arnold
ID: 33743935
A similar process can be used to manage the local logins.
Note you should use cksum or md5sum as a mechanism to verify that the complete file made it through. Using NFS shares could also be an option, i.e. each server has a cron job running as root monitoring the NFS share for an update file.

Not sure, but you can also look at using Puppet, among other things, to perhaps manage the systems from a central point.
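The procedure described in the accepted answer (collect each user's public keys, rebuild the authorized_keys files, scp them to every host) and the follow-up suggestion to verify the copy with cksum, written out as one script. This is an added example, not code from the thread. It assumes a layout the thread does not specify: a central directory with one subdirectory of .pub files per login (`/srv/sshkeys/keys/<user>/*.pub`), a `departed` file listing logins to revoke, a `hosts` file with one server per line, and that the central box can ssh to each server as root (the thread pushes as the user instead; pushing as root avoids holding every user's private key on the central box). The paths and the `root@$host` target are hypothetical. Two things go beyond the answer's text: each key file is checked to be a single `ssh-rsa`/`ssh-dss` line before it is accepted (pasted private keys, CRLF line endings and stray text are rejected), and a departed user gets an empty authorized_keys rather than no file, so whatever copy is sitting on the hosts is overwritten instead of left behind. authorized_keys2 is a legacy name that the OpenSSH shipped with RHEL5 still reads by default, so the script writes both, as the answer does.

```shell
#!/bin/sh
# Added example: central build and push of per-user authorized_keys files.
# Assumed (hypothetical) layout:
#   $KEYDIR/<user>/*.pub            public keys handed in by each user, one per file
#   $DEPARTED                       one login per line for people who have left
#   $OUTDIR/<user>/authorized_keys  generated files, one directory per login
#   $HOSTS                          one server per line
# Pushing assumes the central box can ssh to every server as root.
set -eu

# build_authorized_keys KEYDIR DEPARTED OUTDIR
# Writes OUTDIR/<user>/authorized_keys for every user directory in KEYDIR.
# Departed users get an empty file so the push overwrites the copy on each host.
# Prints the number of keys accepted; returns 1 if any key file was rejected.
build_authorized_keys() {
    keydir=$1; departed=$2; outdir=$3
    accepted=0; bad=0
    for udir in "$keydir"/*/; do
        [ -d "$udir" ] || continue
        user=$(basename "$udir")
        mkdir -p "$outdir/$user"
        out="$outdir/$user/authorized_keys"
        : > "$out"
        chmod 600 "$out"
        if grep -qx "$user" "$departed" 2>/dev/null; then
            continue            # revoked: leave the file empty
        fi
        for pub in "$udir"*.pub; do
            [ -f "$pub" ] || continue
            # Accept exactly one line of the form "<type> <base64> [comment]" with
            # a type OpenSSH 4.x on RHEL5 understands; reject everything else
            # (private keys, CRLF endings, multiple lines, empty files).
            if ! awk 'NR > 1 || /\r/ || !/^ssh-(rsa|dss) [A-Za-z0-9+\/=]+( .*)?$/ { bad = 1 }
                      END { if (NR != 1) bad = 1; exit bad }' "$pub"; then
                echo "rejecting $pub: not a single ssh-rsa/ssh-dss line" >&2
                bad=$((bad + 1))
                continue
            fi
            awk '{ print }' "$pub" >> "$out"   # normalises the trailing newline
            accepted=$((accepted + 1))
        done
    done
    echo "$accepted"
    [ "$bad" -eq 0 ]
}

# push_authorized_keys OUTDIR HOSTS
# Copies each generated file to /home/<user>/.ssh/ on every host as root, writes
# the legacy authorized_keys2 copy, fixes owner and mode, then compares the
# remote cksum with the local one. Returns 1 if any host or checksum failed.
push_authorized_keys() {
    outdir=$1; hosts=$2; failed=0
    while read -r host; do
        [ -n "$host" ] || continue
        for udir in "$outdir"/*/; do
            [ -d "$udir" ] || continue
            user=$(basename "$udir")
            local_sum=$(cksum < "$udir/authorized_keys" | cut -d' ' -f1,2)
            if ! ssh "root@$host" "mkdir -p /home/$user/.ssh" ||
               ! scp -q "$udir/authorized_keys" "root@$host:/home/$user/.ssh/authorized_keys"; then
                echo "push to $user@$host failed" >&2; failed=1; continue
            fi
            remote_sum=$(ssh "root@$host" "cd /home/$user/.ssh &&
                cp authorized_keys authorized_keys2 &&
                chown $user: authorized_keys authorized_keys2 &&
                chmod 600 authorized_keys authorized_keys2 &&
                cksum < authorized_keys" | cut -d' ' -f1,2)
            if [ "$local_sum" != "$remote_sum" ]; then
                echo "checksum mismatch for $user on $host" >&2; failed=1
            fi
        done
    done < "$hosts"
    return $failed
}

# Usage: sh sync-keys.sh build | push   (paths below are hypothetical defaults)
case "${1:-}" in
    build) build_authorized_keys "${KEYDIR:-/srv/sshkeys/keys}" \
               "${DEPARTED:-/srv/sshkeys/departed}" "${OUTDIR:-/srv/sshkeys/out}" ;;
    push)  push_authorized_keys "${OUTDIR:-/srv/sshkeys/out}" "${HOSTS:-/srv/sshkeys/hosts}" ;;
esac
```

Run `build` first and fix any rejected key files before running `push`; a bad file otherwise silently leaves that user's list short. Emptying the authorized_keys of a departed user only revokes key-based access; since the logins here are local accounts on each box, lock the password as well (`passwd -l`) as part of the same offboarding step, or the same host list and ssh loop can carry that command too.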