Solved

migrate bulk users to have passwordless ssh setup

Posted on 2011-09-23
Last Modified: 2013-12-28
I have one question about passwordless setup.
Case 1:
Currently, for instance, many servers can do passwordless ssh to Server A.
Now, we are migrating all the stuff from Server A to Server B.
All those servers which were connecting to Server A now need to connect to Server B.
Can I copy over the authorized_keys file from A to B, so all those servers can connect to Server B passwordlessly?
The idea is to avoid adding all those servers' keys to Server B's /etc/ssh/auth_keys/<username> file.

Does it matter if the platform (Solaris to Linux, or vice versa) is different?

2nd case:
Server A connects to other servers using ssh, which is passwordless. Server A will be replaced by Server B.
Do I need to send Server B's pub key to all those other servers and have them add Server B's pub key to their authorized key file?
Or, to avoid this, can I just copy over the pub key pair from Server A to Server B, so the other servers won't have to make any change on their side?

Please help.

Thank you






Question by:jayatallen
10 Comments
 

Expert Comment

by:yuzh
ID: 36596700
Sorry, you cannot migrate the ssh key for Server A to Server B; both ssh servers have different keys.

You need to manually set it up again.

Please have a look at the following instructions:
http://linuxproblem.org/art_9.html
and
http://www.cs.rpi.edu/research/groups/vision/doc/auto/ssh/ssh_public_key_authentication.html

Please make sure PAM is not used on your new server; it can cause you more trouble with passwordless ssh login setup.


0
 

Author Comment

by:jayatallen
ID: 36596874
Thanks Yuzh for your reply.
I didn't ask my question clearly. For the 2nd case:
Server A connects to other servers using ssh, which is passwordless. Server A will be replaced by Server B.
Do I need to send Server B's pub key to all those other servers and have them add Server B's pub key to their authorized key file?
Or, to avoid this, can I just copy over the pub key pair from Server A to Server B, so the other servers won't have to make any change on their side?

Server B is the new server which will replace Server A. I haven't generated the keys on Server B. Can I copy over Server A's keys and use them for Server B?

The reason for this is that Server A connects to many other servers through passwordless ssh. So all those "other servers" have Server A's key in their authorized_keys file. So if it is possible to use the keys from Server A, will it avoid having to update authorized_keys for all those "other servers"?

One more question:
Are keys host (server) specific? Or does a key pair make a unique combination which has nothing to do with the servers on which it is placed?

Please suggest.
0
 

Expert Comment

by:yuzh
ID: 36597048
The pub key pair from Server A will not work for Server B; you need to generate a key from the new server and copy it to the client.

Why not write some instructions and give them to your users, and let them fix it up? They only need to type in their password one more time for Server B.

>> are keys host (server) specific?
Yes.
0

 

Author Comment

by:jayatallen
ID: 36618927
Thank you yuzh for your reply.
Basically we receive files (feeds) from other servers and then we load those files into the database using shell scripts. That's why we have automated this process.
Now at least I know one thing: if I'm receiving files then it's no big deal. I can copy over my authorized_keys to the new server,
but for sending files out from my server, I will have to ask the other servers to update their authorized_keys file with my new server's pub key.
0
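An added example, not part of the thread: a check for Case 1 that compares the authorized_keys content carried over from Server A with what ended up on Server B, matching entries by key material so that comment differences do not matter. The file contents, key blobs and user names are constructed placeholders, and the option parsing assumes no option value contains a key-type string.

```python
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")

# Constructed samples: the blobs are placeholders, not real public keys.
OLD_SERVER_A = '''\
ssh-rsa QUFBQWZlZWQx feed1@sender1
from="10.10.0.5",no-pty ssh-rsa QUFBQWZlZWQy feed2@sender2
ssh-ed25519 QUFBQWZlZWQz feed3@sender3
'''
NEW_SERVER_B = '''\
ssh-rsa QUFBQWZlZWQx feed1@sender1
ssh-rsa QUFBQWZlZWQy feed2@sender2
ssh-rsa QUFBQWV4dHJh unknown@somewhere
'''

def entries(text):
    """Map key blob -> (options, keytype, comment) for each authorized_keys line."""
    found = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # Options, if present, come before the key type: find the first
        # token that looks like a key type and take the blob after it.
        for i, tok in enumerate(fields[:-1]):
            if tok.startswith(KEY_TYPES):
                found[fields[i + 1]] = (" ".join(fields[:i]), tok,
                                        " ".join(fields[i + 2:]))
                break
    return found

def compare(old_text, new_text):
    """Report keys lost, keys that appeared, and keys whose options changed."""
    old, new = entries(old_text), entries(new_text)
    both = old.keys() & new.keys()
    return {
        "missing": sorted(old[b][2] for b in old.keys() - new.keys()),
        "unexpected": sorted(new[b][2] for b in new.keys() - old.keys()),
        "options_changed": sorted(old[b][2] for b in both
                                  if old[b][0] != new[b][0]),
    }

if __name__ == "__main__":
    for finding, who in compare(OLD_SERVER_A, NEW_SERVER_B).items():
        print(finding, who)
```

A key listed under "unexpected" grants access that Server A never gave, and one under "options_changed" may have lost a restriction such as from= during the move.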
 

Accepted Solution

by:
Anacreo earned 500 total points
ID: 36712321
Server keys are portable; if you indeed have a new host you can definitely take its pub keys...

In fact, in a clustered environment your known host file can look like this:

10.10.0.10,10.10.0.11,10.10.0.12,hosta ssh-rsa AAAAWmH2I6Ukeya=
10.10.0.20,10.10.0.21,10.10.0.22,hostb ssh-rsa AAAAWmH2I6Ukeyb=

So if you want to run two servers with the same key you can simply update the ssh server keys on both to be the same, then update the known_hosts file in /etc/ssh/ to have one amalgamated line:
10.10.0.10,10.10.0.11,10.10.0.12,hosta,10.10.0.20,10.10.0.21,10.10.0.22,hostb ssh-rsa AAAAWmH2I6Ukeyb=

This is the right way to run SSH on multi-homed and clustered environments...
0
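An added example, not part of the answer above: it reads known_hosts entries (comma-separated host names, key type, key blob), reports which entries present the same host key, and builds the single amalgamated line per key that the answer describes. The host names, addresses and key blobs are constructed placeholders; hashed and marker (@...) entries are skipped.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample: hosta and hostb were given the same host key.
SAMPLE_KNOWN_HOSTS = """\
10.10.0.10,10.10.0.11,10.10.0.12,hosta ssh-rsa QUFBQWhvc3RrZXlh
10.10.0.20,10.10.0.21,hostb ssh-rsa QUFBQWhvc3RrZXlh
10.10.0.30,hostc ssh-rsa QUFBQWhvc3RrZXlj
# comment lines and blanks are skipped
"""

def fingerprint(blob_b64):
    """SHA256 fingerprint of a key blob, in the form ssh-keygen -l prints."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse(text):
    """Yield (host_names, keytype, blob) for each plain known_hosts entry."""
    for line in text.splitlines():
        fields = line.split()
        # Skip blanks, comments, @cert-authority/@revoked and hashed names.
        if len(fields) < 3 or fields[0][0] in "#@|":
            continue
        yield fields[0].split(","), fields[1], fields[2]

def shared_keys(text):
    """Return {fingerprint: [host lists]} for keys used by more than one entry."""
    seen = defaultdict(list)
    for hosts, _keytype, blob in parse(text):
        seen[fingerprint(blob)].append(hosts)
    return {fp: lists for fp, lists in seen.items() if len(lists) > 1}

def merged_lines(text):
    """Collapse entries that share a key into one known_hosts line per key."""
    merged = {}
    for hosts, keytype, blob in parse(text):
        names = merged.setdefault((keytype, blob), [])
        names.extend(h for h in hosts if h not in names)
    return [f"{','.join(n)} {kt} {blob}" for (kt, blob), n in merged.items()]

if __name__ == "__main__":
    for fp, lists in shared_keys(SAMPLE_KNOWN_HOSTS).items():
        print("key reused:", fp, lists)
    print("\n".join(merged_lines(SAMPLE_KNOWN_HOSTS)))
```

Every fingerprint that shared_keys returns is a host key present on more than one machine, which makes the same output usable as an inventory of deliberate key reuse after a migration or in a cluster.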
 

Expert Comment

by:Anacreo
ID: 36712331
You'll need to ensure that you have removed any entries from your known_hosts file so there are no conflicts..

Also my previous post should have said private keys instead of pub keys in the first line.
0
 

Author Comment

by:jayatallen
ID: 36714553
Hi Anac,

Thank you very much for your answer. It works: just copying over the existing keys from the old server to the new server enabled the new server to have passwordless ssh connections to clients. (By clients I mean those destination servers which were accessible from the old server with passwordless ssh.)
Good to know that ssh keys work in pairs, independent of the host, and that we can move a key pair around from one server to another.

Thank you Anac very much

0
 

Expert Comment

by:Anacreo
ID: 36718144
Glad you were able to get this to work!

I wouldn't start stamping out tons of machines with the same ssh key, as it weakens your security model and may raise an eyebrow with a Sarbox auditor, but for a server migration or clustering go for it.
0
