Solved

migrate bulk users to have passwordless ssh setup

Posted on 2011-09-23
10
609 Views
Last Modified: 2013-12-28
have one question about passwordless setup.
Case 1:
currently,for instance, many servers can do passwordless ssh  to SERVER A
Now,we are migrating all the stuff from Server A to Server B.
all those servers which  were connecting to Server A,now  need to connect to Server B.
Can i copy over the authorized_keys file from A to B ,so all those servers can connect to server B passwordlessly.
The idea is to avoid all those servers keys addition to server B /etc/ssh/auth_keys/<username> file.

Does it matter if platform(solaris to linux,vice versa)is different?

2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

please help.

Thank you






0
Comment
Question by:jayatallen
  • 3
  • 3
  • 2
10 Comments
 
LVL 38

Expert Comment

by:yuzh
Comment Utility
Sorry you can not migrate the ssh key for server A to Server B, both ssh server has different keys.

You need to manually set it up again.

Please have a look at the following instaructions:
http://linuxproblem.org/art_9.html
and
http://www.cs.rpi.edu/research/groups/vision/doc/auto/ssh/ssh_public_key_authentication.html

Please make sure pam is not use in your new server, it can caue you more trouble with passwordlees ssh login setup.


0
 

Author Comment

by:jayatallen
Comment Utility
thanks Yuzh for your reply.
I didnt ask me question clearly. for the 2nd case:
Server A connects to other servers using ssh which is  passwordless. ServerA will be replaced by server B.
do i need to send Servers' B  pub key to all those other servers have them add serverB pub key in their authorized key file?
Or to avoid this, can i just copy over the pub key pair from server A to Server B,so other servers wont have to make any change on their side.

Server B is the new server which will replace server A. I havent generated the keys on Server B . Can i copy over Server's A keys and use them for server B?

The reason for this is as Server A connects to many other servers through passwordless ssh. So all those "other servers" have Server A's key in there authorized_keys file. So if it possible to use the keys from server A, it will avoid to update authorized_keys for all those "others Servers"?

One more question:
are keys host(server) specific ? or are keys pair makes a unique combination which has nothing to do with the servers on which they are placed?

Please suggest.
0
 
LVL 38

Expert Comment

by:yuzh
Comment Utility
The pub key pair from server A  will not work for Server B, you need to generate key from the new  server and copy it to the client.

Why not write some instructions and give it to your users, and let them fix it up? they only need to type in their password one more time for server B.

>>are keys host(server) specific ?
Yes.
0
 

Author Comment

by:jayatallen
Comment Utility
thank you yuzh for your reply.
basically we recevies files (feed) for other servers and then we load those files in database using sheel scripts.thts why we have automated this process,
now atleast i know one thing, if i'm receiving files then no big deal . I can copy over my authorized_keys to new server
but for sending files out from my server, i will have to ask other servers to update their authorized_key file with my new server pub  key.
0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 
LVL 4

Accepted Solution

by:
Anacreo earned 500 total points
Comment Utility
Server keys are portable, if you indeed have a new host you can definitely takes it pub keys...

In fact in a clustered environment your known host file can look like this:

10.10.0.10 10.10.0.11 10.10.0.12 hosta  ssh-rsa AAAAWmH2I6Ukeya=
10.10.0.20 10.10.0.21 10.10.0.22 hostb  ssh-rsa AAAAWmH2I6Ukeyb=

So if you want to run two servers with the same key you can simply update the ssh server keys on both to be the same, then update the known_hosts file in /etc/ssh/ to have one amalgamated line:
10.10.0.10 10.10.0.11 10.10.0.12 hosta 10.10.0.20 10.10.0.21 10.10.0.22 hostb ssh-rsa AAAAWmH2I6Ukeyb=

This is the right way to run SSH on multi-homed and clustered environments...
0
 
LVL 4

Expert Comment

by:Anacreo
Comment Utility
You'll need to ensure that you have removed any entries from your known_hosts file so there are no conflicts..

Also my previous post should have said private keys instead of pub keys in the first line.
0
 

Author Comment

by:jayatallen
Comment Utility
Hi Anac,

thank you very much for your answer. It works, just copying over existing keys from old server to new server enabled new server to have passwordless ssh connection to clients. (by clients  i mean those destination servers which were accessible from old server with passwordless ssh)
Good to know that ssh keys work in pair and independent of the host  and we move around key pair from one server to other.

Thank you Anac very much

0
 
LVL 4

Expert Comment

by:Anacreo
Comment Utility
Glad you were able to get this to work!

I wouldn't start stamping out tons of machines with the same ssh key as it weakens your security model, and may raise an eye brow with a Sarbox auditor, but for a server migration or clustering go for it.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Suggested Solutions

Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now