Solved

Public keys best practice question

Posted on 2015-01-02
121 Views
Last Modified: 2015-01-05
Hi everyone,

I am setting up a yum update server using the script below kindly provided by andreas.

My question is what is the best way to distribute the public key from the central Distribution server to all the client servers. The central distro server is a RHEL server.

Can the public key belong to the root user, or should it be a separate key just for yum updates?


#!/bin/bash
# Run yum update on every host listed in the file given as the first argument.
hosts=$(cat "$1")
for i in $hosts ; do
    ssh root@"$i" -t sudo '/usr/bin/yum update -y'
done

then call the script with

./scriptname filename.txt

filename.txt should have one IP per line.
Question by: Peter Kuczynski
16 Comments

Expert Comment by andreas (LVL 12), ID: 40528407
To copy the keys you can use the ssh-copy-id command. You need to enter the password of the target server once for installing the pub key on the client server.

You can run the coordination of this from a user account on the update server which has its own key; it doesn't need to be the root account. As a rule of thumb it's always recommended to do as many things as a user as possible and use root only when really necessary.

So use your own account + own priv/pub key pair for the logons on the clients.

It's NOT necessary to have one key per client server. If your central server gets hacked you have other problems. If the clients get hacked the pub key there is useless for the attacker. It won't enable him to access other systems or your central update server.

Author Comment by Peter Kuczynski (LVL 1), ID: 40528480
Not working as a regular user.
I copied the public key to a test server, which I previously copied the root public key to as well.
This time it's under a user account: /home/testuser1/.ssh/authorized_keys

I ran the above script and I am being prompted for a root password.

When I run it as root, it just installs the updates.

Accepted Solution by andreas (LVL 12, earned 500 total points), ID: 40528487
When you access the server you need ROOT, but ON the central server you don't.

So on the central server you set up a user called

update

There in /home/update/.ssh/ you create the ssh keys as usual.

Then you copy the public key file to the root account's authorized_keys file on the client server.

You can use the ssh-copy-id command for this:

ssh-copy-id root@clientserver1

Afterwards you should be able to run ssh root@clientserver1 without a password.

Then you can call the script; as you are connecting as root you can skip the sudo on the central server.
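Installed with plain ssh-copy-id, the update account's key gives it an unrestricted root login on every client. The following is an added example of my own, not andreas's commands and not from the thread: it turns the same public key into an authorized_keys entry that root on a client accepts only from the central server and only to run the yum command, and installs it without duplicating existing lines. The central server address 192.0.2.10, the key text and the file paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a least-privilege authorized_keys
# entry for the central "update" account's public key: root on a client will
# accept the key only from the central server and only to run yum update.
# The address 192.0.2.10 and the key text used below are constructed
# placeholders, not real values.

# Compose one authorized_keys line.
#   $1 = central server address (used in the from= restriction)
#   $2 = the public key line (the contents of id_ed25519.pub / id_rsa.pub)
# The options forbid port, agent and X11 forwarding and pty allocation, so the
# key cannot be turned into an interactive root shell even if it leaks.
restricted_key_line() {
    printf 'from="%s",command="/usr/bin/yum update -y",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$2"
}

# Append the line to an authorized_keys file only if it is not already there,
# creating the directory and file with restrictive permissions (sshd ignores
# authorized_keys files that are group or world writable).
#   $1 = authorized_keys path, $2 = the line to install
install_key_line() {
    file="$1"
    line="$2"
    umask 077
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    if grep -qxF -- "$line" "$file"; then
        return 0          # already installed; nothing to do
    fi
    printf '%s\n' "$line" >> "$file"
}

# Usage on a client, after copying the key file over (e.g. with scp):
#   install_key_line /root/.ssh/authorized_keys \
#       "$(restricted_key_line 192.0.2.10 "$(cat /tmp/update.pub)")"
```

Two consequences for the script in the question: the entry refuses pty allocation, so drop the -t flag (yum does not need a terminal), and the forced command is what runs regardless of what the central server sends, so a different command such as a single-package upgrade needs the forced command to be a small wrapper that validates SSH_ORIGINAL_COMMAND rather than yum itself.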

Author Comment by Peter Kuczynski (LVL 1), ID: 40528524
Oh, I can't believe I did this. See, the script shows root@? I changed it to the user ID and now it runs :)

Author Comment by Peter Kuczynski (LVL 1), ID: 40528531
How would I trap the hostname of the server I'm connecting to in the script?

#!/bin/bash
# Run yum update on each host and append the output to the file "logs".
hosts=$(cat "$1")
for i in $hosts ; do
    ssh ec2-user@"$i" -t sudo '/usr/bin/yum update -y' >> logs
done

So the script pipes out the updates that were run, but it doesn't show what server they were run on. Any way to do that?

Expert Comment by andreas (LVL 12), ID: 40528534
Just add an echo line in front of the ssh command in the script:

echo $i >> logs

and you have the IP before the yum log.

Expert Comment by gheist (LVL 62), ID: 40528832
What are you distributing?
SSH public key or YUM/RPM signing key?

Author Comment by Peter Kuczynski (LVL 1), ID: 40529320
I am initially wanting to trigger yum updates on my servers which will be in the hosts file.
I also need to reset root passwords on the client servers.

Eventually, I want to be able to implement yum updates from my own repository.
So as a first step, I need to get the public key from the central server out to all the client servers.

Author Comment by Peter Kuczynski (LVL 1), ID: 40531373
Andreas, I'll be implementing this today, let me get back to you then, and thanks!

Expert Comment by gheist (LVL 62), ID: 40531414
You can use Spacewalk or any configuration management solution like Puppet to do that.

Author Comment by Peter Kuczynski (LVL 1), ID: 40531887
Andreas,
I created an "update" user on the central server and the keys, then added the .pub key to the target server;
the script now works.
I would just like to fix logging.
When I add echo $i >> logs the script does not run:

#!/bin/bash
hosts=$(cat $1)
for i in $hosts ;do
ssh root@$i -t sudo '/usr/bin/yum update -y' echo $i >> logs
done

Author Comment by Peter Kuczynski (LVL 1), ID: 40531949
This seems to work; it creates a log and sorts it by IP address and date.

#!/bin/bash
# Run yum update on each host; each host's output goes to its own file
# under logs/, named after the host and the day of the month.
# The logs/ directory must already exist.
hosts=$(cat "$1")

for i in $hosts ; do
    ssh root@"$i" -t sudo '/usr/bin/yum update -y' >> logs/"$i"log.$(date +%d)
done

Author Comment by Peter Kuczynski (LVL 1), ID: 40531988
One last question: how can I change this script to update just a single package, as in the case of the recent ssl package vulnerability?

Expert Comment by gheist (LVL 62), ID: 40532121
You need to restart all services that have it open...
ssh x@y "yum upgrade -y openssl"
With "recent" ssl vulnerability aka POODLE you had to reconfigure all SSL-aware software to avoid using SSLv3.
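The three script questions in this thread (which host produced which output, andreas's echo-the-host suggestion, and gheist's single-package upgrade) can be handled by one runner. The following is an added example of my own, not the thread's script: it reads the hosts file line by line, writes one log per host and day with a header and the exit status, refuses unexpected characters in the host and package names before they reach a remote command line, and returns the number of hosts that failed. The variables REMOTE_SHELL and REMOTE_USER and the log naming are my own assumptions; REMOTE_SHELL exists so the logic can be exercised against a stand-in command without any network access.

```shell
#!/bin/sh
# Added example, not the thread's script. Runs yum update on every host listed
# in a file (one host per line), with a per-host, per-day log that records the
# host, the command, its output and its exit status.
# REMOTE_SHELL and REMOTE_USER are assumptions of this example: the defaults
# match the thread (ssh as root); REMOTE_SHELL can be pointed at a stand-in
# command to dry-run the logic offline.

REMOTE_SHELL="${REMOTE_SHELL:-ssh}"
REMOTE_USER="${REMOTE_USER:-root}"

# Update one host.  $1 = host, $2 = log directory, $3 = optional package name
# (empty = update everything).  Returns the remote command's exit status.
update_host() {
    host="$1"; logdir="$2"; pkg="$3"

    # Both values end up on a remote command line: refuse anything outside the
    # characters a hostname or an RPM package name can contain.
    case "$host" in ''|*[!A-Za-z0-9.-]*)
        printf 'refusing unexpected host: %s\n' "$host" >&2; return 1 ;;
    esac
    case "$pkg" in *[!A-Za-z0-9._+-]*)
        printf 'refusing unexpected package name: %s\n' "$pkg" >&2; return 1 ;;
    esac

    remote_cmd="/usr/bin/yum update -y${pkg:+ $pkg}"
    mkdir -p "$logdir"
    log="$logdir/$host.$(date +%Y-%m-%d).log"

    # The header answers "which server was this?". stdin comes from /dev/null
    # so ssh cannot swallow the rest of the hosts file in the caller's read loop.
    printf '=== %s %s: %s\n' "$host" "$(date '+%Y-%m-%d %H:%M:%S')" "$remote_cmd" >> "$log"
    if "$REMOTE_SHELL" -o BatchMode=yes -o ConnectTimeout=10 \
            "$REMOTE_USER@$host" "$remote_cmd" </dev/null >>"$log" 2>&1; then
        status=0
    else
        status=$?
    fi
    printf '=== %s exit status %s\n' "$host" "$status" >> "$log"
    return "$status"
}

# Update every host in a hosts file, skipping blank lines and # comments.
# $1 = hosts file, $2 = log directory, $3 = optional package.
# Returns the number of hosts whose update failed (0 = all succeeded).
update_all() {
    hosts_file="$1"; logdir="$2"; pkg="$3"
    failed=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        if ! update_host "$line" "$logdir" "$pkg"; then
            failed=$((failed + 1))
        fi
    done < "$hosts_file"
    return "$failed"
}

# Usage:  update_all hosts.txt logs            # full update
#         update_all hosts.txt logs openssl    # single package, as gheist suggested
```

BatchMode=yes makes ssh fail immediately instead of prompting for a password when a client's key is missing, which is how the author's root-password prompt would have shown up in the log rather than hanging the loop; the -t flag from the thread is dropped because yum needs no terminal. The exit status in each log is what tells you which hosts still need the restart gheist mentions.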

Author Comment by Peter Kuczynski (LVL 1), ID: 40532478
great thanks!

Expert Comment by gheist (LVL 62), ID: 40532496
You can dig some ideas from the centos-announce mailing lists.
What I wanted to say:
if you upgrade openssl, it is still loaded by openssh, apache, ftpd, anything, so you have to politely restart them all.
if you disable SSLv3 in configuration obviously you need to restart that service.

On the other hand Debian and, behind its tail, Ubuntu completely disabled SSLv3 already by now.