Public keys best practice question
asked by peter
Hi everyone,
I am setting up a yum update server using the script below, kindly provided by andreas.
My question is: what is the best way to distribute the public key from the central distribution server to all the client servers? The central distro server is a RHEL server.
Can the public key belong to the root user, or should it be another key just for yum updates?
#!/bin/bash
hosts=$(cat $1)
for i in $hosts ;do
ssh root@$i -t sudo '/usr/bin/yum update -y'
done
Then call the script with
./scriptname filename.txt
filename.txt should have one IP per line.
ASKER
Not working as a regular user.
I copied the public key to a test server, to which I had previously copied the root public key as well.
This time it's under a user account: /home/testuser1/.ssh/authorized_keys
I ran the above script and I am being prompted for a root password.
When I run it as root, it just installs the updates.
ASKER
Oh, I can't believe I did this. See, the script shows root@? I changed it to the user ID and now it runs :)
ASKER
How would I trap the hostname of the server I'm connecting to in the script?
#!/bin/bash
hosts=$(cat $1)
for i in $hosts ;do
ssh ec2-user@$i -t sudo '/usr/bin/yum update -y' >> logs
done
So the script pipes out the updates that were run, but it doesn't show what server they were run on. Is there any way to do that?
Just add an echo line in front of the ssh command in the script.
Just add
echo $i >> logs
and you have the IP before the yum log.
What are you distributing?
SSH public key or YUM/RPM signing key?
ASKER
Initially, I want to trigger yum updates on my servers, which will be listed in the hosts file.
I also need to reset root passwords on the client servers.
Eventually, I want to be able to implement yum updates from my own repository.
So as a first step, I need to get the public key from the central server out to all the client servers.
ASKER
Andreas, I'll be implementing this today; let me get back to you then. Thanks!
You can use Spacewalk or any configuration management solution like Puppet to do that.
ASKER
Andreas,
I created an "update" user on the central server, generated the keys, and then added the .pub key to the target server;
the script now works.
I would just like to fix logging.
When I add echo $i >> logs, the script does not run:
#!/bin/bash
hosts=$(cat $1)
for i in $hosts ;do
ssh root@$i -t sudo '/usr/bin/yum update -y' echo $i >> logs
done
ASKER
This seems to work; it creates a log and sorts it by IP address and date:
#!/bin/bash
hosts=$(cat $1)
for i in $hosts ;do
ssh root@$i -t sudo '/usr/bin/yum update -y' >> logs/"$i"log.`date +%d`
done
ASKER
One last question: how can I change this script to update just a single package, as in the case of the recent SSL package vulnerability?
You need to restart all services that have it open...
ssh x@y "yum upgrade -y openssl"
With the "recent" SSL vulnerability, aka POODLE, you had to reconfigure all SSL-aware software to avoid using SSLv3.
ASKER
great thanks!
You can dig some ideas from the centos-announce mailing lists.
What I wanted to say:
If you upgrade openssl, it is still loaded by openssh, apache, ftpd, anything, so you have to politely restart them all.
If you disable SSLv3 in the configuration, obviously you need to restart that service.
On the other hand, Debian, and behind its tail Ubuntu, have completely disabled SSLv3 already by now.
Use the ssh-copy-id command. You need to enter the password of the target server once to install the pub key on the client server.
You can run the coordination of this from a user account on the update server which has its own key; it doesn't need to be the root account. As a rule of thumb, it's always recommended to do as many things as a user as possible and use root only when really necessary.
So use your own account + your own priv/pub key pair for the logons on the clients.
It's NOT necessary to have one key per client server. If your central server gets hacked you have other problems. If the clients get hacked, the pub key there is useless for the attacker. It won't enable him to access other systems or your central update server.
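An added example, not posted by anyone in this thread, that combines the points made above: the update runs as a dedicated non-root user with its own key (last answer), every logged line is tagged with the host it came from (the "which server was this" question), and the update can be limited to one package such as openssl. The user name "update", the key path ~/.ssh/update_key and passwordless sudo for yum on the clients are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Runs yum over ssh as a dedicated
# non-root user, tags every logged line with the host it came from, and
# optionally limits the update to a single package. Assumed names: user
# "update" with key ~/.ssh/update_key, passwordless sudo for yum on clients.
set -u

UPDATE_USER=${UPDATE_USER:-update}
KEY=${KEY:-${HOME:-/home/$UPDATE_USER}/.ssh/update_key}
LOGDIR=${LOGDIR:-logs}

# Remote command: whole-system update, or one package (e.g. openssl) if given.
yum_cmd() {
    if [ $# -gt 0 ]; then
        printf 'sudo /usr/bin/yum update -y %s' "$1"
    else
        printf 'sudo /usr/bin/yum update -y'
    fi
}

# One log file per host and day, like the thread's logs/<ip>log.<day>.
log_path() {
    printf '%s/%s.log.%s' "$LOGDIR" "$1" "$(date +%Y%m%d)"
}

# Prefix each stdin line with a timestamp and the host, so a line in the
# log always says which server it belongs to.
tag_lines() {
    while IFS= read -r line; do
        printf '%s %s %s\n' "$(date +%FT%T)" "$1" "$line"
    done
}

# Update every host listed (one per line, # comments allowed) in $1.
# -n keeps ssh from reading the host list as its stdin; BatchMode fails
# fast instead of hanging on a password prompt as the root@ version did.
run_updates() {
    hostfile=$1; shift
    mkdir -p "$LOGDIR"
    while IFS= read -r host || [ -n "$host" ]; do
        case $host in ''|\#*) continue ;; esac
        ssh -n -i "$KEY" -o BatchMode=yes -o ConnectTimeout=10 \
            "$UPDATE_USER@$host" "$(yum_cmd "$@")" 2>&1 \
            | tag_lines "$host" >> "$(log_path "$host")"
    done < "$hostfile"
}

# Usage: ./update.sh hosts.txt [package]
if [ $# -ge 1 ]; then run_updates "$@"; fi
```

Seed each client once with ssh-copy-id -i ~/.ssh/update_key.pub update@host, as the last answer describes; the -t flag from the thread's script is no longer needed because nothing on the remote side prompts.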