Solved

migrate bulk users to have passwordless ssh setup

Posted on 2011-09-23
10
627 Views
Last Modified: 2013-12-28
have one question about passwordless setup.
Case 1:
currently,for instance, many servers can do passwordless ssh  to SERVER A
Now,we are migrating all the stuff from Server A to Server B.
all those servers which  were connecting to Server A,now  need to connect to Server B.
Can i copy over the authorized_keys file from A to B ,so all those servers can connect to server B passwordlessly.
The idea is to avoid all those servers keys addition to server B /etc/ssh/auth_keys/<username> file.

Does it matter if platform(solaris to linux,vice versa)is different?

2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

please help.

Thank you






0
Comment
Question by:jayatallen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
10 Comments
 
LVL 38

Expert Comment

by:yuzh
ID: 36596700
Sorry you can not migrate the ssh key for server A to Server B, both ssh server has different keys.

You need to manually set it up again.

Please have a look at the following instaructions:
http://linuxproblem.org/art_9.html
and
http://www.cs.rpi.edu/research/groups/vision/doc/auto/ssh/ssh_public_key_authentication.html

Please make sure pam is not use in your new server, it can caue you more trouble with passwordlees ssh login setup.


0
 

Author Comment

by:jayatallen
ID: 36596874
thanks Yuzh for your reply.
I didnt ask me question clearly. for the 2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

Server B is the new server which will replace server A. I havent generated the keys on Server B . Can i copy over Server's A keys and use them for server B?

The reason for this is as Server A connects to many other servers through passwordless ssh. So all those "other servers" have Server A's key in there authorized_keys file. So if it possible to use the keys from server A, it will avoid to update authorized_keys for all those "others Servers"?

One more question:
are keys host(server) specific ? or are keys pair makes a unique combination which has nothing to do with the servers on which they are placed?

Please suggest.
0
 
LVL 38

Expert Comment

by:yuzh
ID: 36597048
The pub key pair from server A  will not work for Server B, you need to generate key from the new  server and copy it to the client.

Why not write some instructions and give it to your users, and let them fix it up? they only need to type in their password one more time for server B.

>>are keys host(server) specific ?
Yes.
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 

Author Comment

by:jayatallen
ID: 36618927
thank you yuzh for your reply.
basically we recevies files (feed) for other servers and then we load those files in database using sheel scripts.thts why we have automated this process,
now atleast i know one thing, if i'm receiving files then no big deal . I can copy over my authorized_keys to new server
but for sending files out from my server, i will have to ask other servers to update their authorized_key file with my new server pub  key.
0
 
LVL 4

Accepted Solution

by:
Anacreo earned 500 total points
ID: 36712321
Server keys are portable, if you indeed have a new host you can definitely takes it pub keys...

In fact in a clustered environment your known host file can look like this:

10.10.0.10 10.10.0.11 10.10.0.12 hosta  ssh-rsa AAAAWmH2I6Ukeya=
10.10.0.20 10.10.0.21 10.10.0.22 hostb  ssh-rsa AAAAWmH2I6Ukeyb=

So if you want to run two servers with the same key you can simply update the ssh server keys on both to be the same, then update the known_hosts file in /etc/ssh/ to have one amalgamated line:
10.10.0.10 10.10.0.11 10.10.0.12 hosta 10.10.0.20 10.10.0.21 10.10.0.22 hostb ssh-rsa AAAAWmH2I6Ukeyb=

This is the right way to run SSH on multi-homed and clustered environments...
0
 
LVL 4

Expert Comment

by:Anacreo
ID: 36712331
You'll need to ensure that you have removed any entries from your known_hosts file so there are no conflicts..

Also my previous post should have said private keys instead of pub keys in the first line.
0
 

Author Comment

by:jayatallen
ID: 36714553
Hi Anac,

thank you very much for your answer. It works, just copying over existing keys from old server to new server enabled new server to have passwordless ssh connection to clients. (by clients  i mean those destination servers which were accessible from old server with passwordless ssh)
Good to know that ssh keys work in pair and independent of the host  and we move around key pair from one server to other.

Thank you Anac very much

0
 
LVL 4

Expert Comment

by:Anacreo
ID: 36718144
Glad you were able to get this to work!

I wouldn't start stamping out tons of machines with the same ssh key as it weakens your security model, and may raise an eye brow with a Sarbox auditor, but for a server migration or clustering go for it.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Liquid Web and Plesk discuss how to simplify server management with a single tool  in their webinar.
With the rising number of cyber attacks in recent years, keeping your personal data safe has become more important than ever. The tips outlined in this article will help you keep your identitfy safe.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Suggested Courses

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question