Solved

migrate bulk users to have passwordless ssh setup

Posted on 2011-09-23
Last Modified: 2013-12-28
I have one question about passwordless setup.
Case 1:
Currently, for instance, many servers can do passwordless ssh to Server A.
Now we are migrating all the stuff from Server A to Server B.
All those servers which were connecting to Server A now need to connect to Server B.
Can I copy over the authorized_keys file from A to B, so all those servers can connect to Server B passwordlessly?
The idea is to avoid adding all those servers' keys to Server B's /etc/ssh/auth_keys/<username> file.

Does it matter if the platform is different (Solaris to Linux, or vice versa)?

2nd case:
Server A connects to other servers using ssh, which is passwordless. Server A will be replaced by Server B.
Do I need to send Server B's pub key to all those other servers and have them add Server B's pub key to their authorized key file?
Or, to avoid this, can I just copy over the pub key pair from Server A to Server B, so the other servers won't have to make any change on their side?

Please help.

Thank you
Question by:jayatallen
8 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 36596700
Sorry, you cannot migrate the ssh key for Server A to Server B; both ssh servers have different keys.

You need to manually set it up again.

Please have a look at the following instructions:
http://linuxproblem.org/art_9.html
and
http://www.cs.rpi.edu/research/groups/vision/doc/auto/ssh/ssh_public_key_authentication.html

Please make sure PAM is not used on your new server; it can cause you more trouble with passwordless ssh login setup.


 

Author Comment

by:jayatallen
ID: 36596874
Thanks yuzh for your reply.
I didn't ask my question clearly. For the 2nd case:
Server A connects to other servers using ssh, which is passwordless. Server A will be replaced by Server B.
Do I need to send Server B's pub key to all those other servers and have them add Server B's pub key to their authorized key file?
Or, to avoid this, can I just copy over the pub key pair from Server A to Server B, so the other servers won't have to make any change on their side?

Server B is the new server which will replace Server A. I haven't generated the keys on Server B. Can I copy over Server A's keys and use them for Server B?

The reason for this is that Server A connects to many other servers through passwordless ssh. So all those "other servers" have Server A's key in their authorized_keys file. So if it is possible to use the keys from Server A, will it avoid updating authorized_keys for all those "other servers"?

One more question:
Are keys host (server) specific? Or does a key pair make a unique combination which has nothing to do with the servers on which it is placed?

Please suggest.
 
LVL 38

Expert Comment

by:yuzh
ID: 36597048
The pub key pair from Server A will not work for Server B; you need to generate a key from the new server and copy it to the client.

Why not write some instructions and give them to your users, and let them fix it up? They only need to type in their password one more time for Server B.

>>are keys host(server) specific ?
Yes.

Author Comment

by:jayatallen
ID: 36618927
Thank you yuzh for your reply.
Basically we receive files (feeds) from other servers and then we load those files into the database using shell scripts. That's why we have automated this process.
Now at least I know one thing: if I'm receiving files then it's no big deal. I can copy over my authorized_keys to the new server,
but for sending files out from my server, I will have to ask the other servers to update their authorized_keys file with my new server's pub key.
 
LVL 4

Accepted Solution

by:
Anacreo earned 2000 total points
ID: 36712321
Server keys are portable; if you indeed have a new host you can definitely take its pub keys...

In fact in a clustered environment your known host file can look like this:

10.10.0.10,10.10.0.11,10.10.0.12,hosta ssh-rsa AAAAWmH2I6Ukeya=
10.10.0.20,10.10.0.21,10.10.0.22,hostb ssh-rsa AAAAWmH2I6Ukeyb=

So if you want to run two servers with the same key you can simply update the ssh server keys on both to be the same, then update the known_hosts file in /etc/ssh/ to have one amalgamated line:
10.10.0.10,10.10.0.11,10.10.0.12,hosta,10.10.0.20,10.10.0.21,10.10.0.22,hostb ssh-rsa AAAAWmH2I6Ukeyb=

This is the right way to run SSH on multi-homed and clustered environments...
 
LVL 4

Expert Comment

by:Anacreo
ID: 36712331
You'll need to ensure that you have removed any entries from your known_hosts file so there are no conflicts..

Also my previous post should have said private keys instead of pub keys in the first line.
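One way to audit a known_hosts file for the leftover entries mentioned above, as an added example that is not part of the original thread: it parses plain known_hosts lines (comma-separated names, key type, base64 key) and reports every name that is still listed with more than one key of the same type. The function names and the sample blobs are assumptions constructed for illustration; the blobs are placeholders, not real host keys.

```python
import base64
import hashlib
from collections import defaultdict

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Yield (hosts, keytype, blob) for plain entries; skip comments,
    @markers and hashed (|1|...) host fields, which cannot be compared by name."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@", "|")):
            continue
        yield fields[0].split(","), fields[1], fields[2]

def find_conflicts(text):
    """Return {(host, keytype): sorted fingerprints} for names listed with
    more than one distinct key of the same type."""
    seen = defaultdict(set)
    for hosts, keytype, blob in parse_known_hosts(text):
        for host in hosts:
            seen[(host, keytype)].add(fingerprint(blob))
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

# Constructed sample data: placeholder blobs, not real host keys.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()

# Stale state: hostb still has its old key listed beside the shared one.
STALE = f"""\
10.10.0.10,10.10.0.11,hosta ssh-rsa {KEY_A}
10.10.0.20,hostb ssh-rsa {KEY_B}
10.10.0.20,hostb ssh-rsa {KEY_A}
"""
# Cleaned state: one amalgamated line, one key for every name.
CLEAN = f"10.10.0.10,10.10.0.11,hosta,10.10.0.20,hostb ssh-rsa {KEY_A}\n"

if __name__ == "__main__":
    for (host, keytype), fps in find_conflicts(STALE).items():
        print(f"{host} ({keytype}) is listed with {len(fps)} keys: {fps}")
    print("conflicts in cleaned file:", find_conflicts(CLEAN))
```

A name reported here still has an old key on file next to the shared one; removing the stale line leaves the single amalgamated entry.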
 

Author Comment

by:jayatallen
ID: 36714553
Hi Anac,

Thank you very much for your answer. It works; just copying over the existing keys from the old server to the new server enabled the new server to have passwordless ssh connections to clients. (By clients I mean those destination servers which were accessible from the old server with passwordless ssh.)
Good to know that ssh keys work as a pair, independent of the host, and we can move a key pair from one server to another.

Thank you Anac very much

 
LVL 4

Expert Comment

by:Anacreo
ID: 36718144
Glad you were able to get this to work!

I wouldn't start stamping out tons of machines with the same ssh key as it weakens your security model, and may raise an eyebrow with a Sarbox auditor, but for a server migration or clustering go for it.