• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 643
  • Last Modified:

migrate bulk users to have passwordless ssh setup

have one question about passwordless setup.
Case 1:
currently,for instance, many servers can do passwordless ssh  to SERVER A
Now,we are migrating all the stuff from Server A to Server B.
all those servers which  were connecting to Server A,now  need to connect to Server B.
Can i copy over the authorized_keys file from A to B ,so all those servers can connect to server B passwordlessly.
The idea is to avoid all those servers keys addition to server B /etc/ssh/auth_keys/<username> file.

Does it matter if platform(solaris to linux,vice versa)is different?

2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

please help.

Thank you






0
jayatallen
Asked:
jayatallen
  • 3
  • 3
  • 2
1 Solution
 
yuzhCommented:
Sorry you can not migrate the ssh key for server A to Server B, both ssh server has different keys.

You need to manually set it up again.

Please have a look at the following instaructions:
http://linuxproblem.org/art_9.html
and
http://www.cs.rpi.edu/research/groups/vision/doc/auto/ssh/ssh_public_key_authentication.html

Please make sure pam is not use in your new server, it can caue you more trouble with passwordlees ssh login setup.


0
 
jayatallenAuthor Commented:
thanks Yuzh for your reply.
I didnt ask me question clearly. for the 2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

Server B is the new server which will replace server A. I havent generated the keys on Server B . Can i copy over Server's A keys and use them for server B?

The reason for this is as Server A connects to many other servers through passwordless ssh. So all those "other servers" have Server A's key in there authorized_keys file. So if it possible to use the keys from server A, it will avoid to update authorized_keys for all those "others Servers"?

One more question:
are keys host(server) specific ? or are keys pair makes a unique combination which has nothing to do with the servers on which they are placed?

Please suggest.
0
 
yuzhCommented:
The pub key pair from server A  will not work for Server B, you need to generate key from the new  server and copy it to the client.

Why not write some instructions and give it to your users, and let them fix it up? they only need to type in their password one more time for server B.

>>are keys host(server) specific ?
Yes.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
jayatallenAuthor Commented:
thank you yuzh for your reply.
basically we recevies files (feed) for other servers and then we load those files in database using sheel scripts.thts why we have automated this process,
now atleast i know one thing, if i'm receiving files then no big deal . I can copy over my authorized_keys to new server
but for sending files out from my server, i will have to ask other servers to update their authorized_key file with my new server pub  key.
0
 
AnacreoCommented:
Server keys are portable, if you indeed have a new host you can definitely takes it pub keys...

In fact in a clustered environment your known host file can look like this:

10.10.0.10 10.10.0.11 10.10.0.12 hosta  ssh-rsa AAAAWmH2I6Ukeya=
10.10.0.20 10.10.0.21 10.10.0.22 hostb  ssh-rsa AAAAWmH2I6Ukeyb=

So if you want to run two servers with the same key you can simply update the ssh server keys on both to be the same, then update the known_hosts file in /etc/ssh/ to have one amalgamated line:
10.10.0.10 10.10.0.11 10.10.0.12 hosta 10.10.0.20 10.10.0.21 10.10.0.22 hostb ssh-rsa AAAAWmH2I6Ukeyb=

This is the right way to run SSH on multi-homed and clustered environments...
0
 
AnacreoCommented:
You'll need to ensure that you have removed any entries from your known_hosts file so there are no conflicts..

Also my previous post should have said private keys instead of pub keys in the first line.
0
 
jayatallenAuthor Commented:
Hi Anac,

thank you very much for your answer. It works, just copying over existing keys from old server to new server enabled new server to have passwordless ssh connection to clients. (by clients  i mean those destination servers which were accessible from old server with passwordless ssh)
Good to know that ssh keys work in pair and independent of the host  and we move around key pair from one server to other.

Thank you Anac very much

0
 
AnacreoCommented:
Glad you were able to get this to work!

I wouldn't start stamping out tons of machines with the same ssh key as it weakens your security model, and may raise an eye brow with a Sarbox auditor, but for a server migration or clustering go for it.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Ruby Fundamentals

This course will introduce you to Ruby, as well as teach you about classes, methods, variables, data structures, loops, enumerable methods, and finishing touches.

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now