Howdy,

We in the Ubuntu Server world have been using a handy little shell utility for a couple of releases now, called 'ssh-import-id' [1].

Whereas ssh-copy-id _pushes_ a public key from one system to another, ssh-import-id _pulls_ a public key from a secure key server and installs it.

It takes one or more userids as command line arguments, loops over them, sequentially attempts to retrieve public keys from a web API (using wget or curl), and can write to stdout or to file (~/.ssh/authorized_keys).

We find this particularly handy in the cloud world, where systems are started from pristine images every time, and we need a way to seed the system with credentials before the first authentication. Here, we can run something like 'ssh-import-id kirkland' during the boot process, and my public key will be installed by the time I log in.

It's also really useful when and if you need to grant access to the system to others, or perhaps start a system in the cloud on behalf of someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson', and each of these keys is retrieved and installed.

We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a userid, but this URL could really be configurable and point to any public or private SSH public key server. An SSL connection to an https site with a valid certificate is, of course, essential to the security of the key retrieval. If there were a free/public SSH key server like pgp.mit.edu for PGP/GPG keys, that would probably make a good default (though I haven't found anything like this).

Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm hopeful you might consider this ssh-import-id tool for the project. Before we get into reviewing the code, can you tell me if this is something that would, or would not be interesting to openssh upstream?

--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
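As an added illustration of the pull-and-install step the mail describes (this is not the ssh-import-id code, nor anything from the OpenSSH project), the Python below fetches a userid's keys over HTTPS with certificate and hostname verification, keeps only lines that actually parse as public keys (the base64 blob's leading length-prefixed type string must agree with the first token), and appends the ones not already present to authorized_keys with the permissions sshd expects. The URL template is the one from the mail; the userid character policy, the accepted key-type list, the "# imported for" trailer and the constructed sample response are assumptions of this example. `demo()` runs the parse and install steps against the constructed response in a temporary directory so the whole thing works offline.

```python
import base64
import os
import re
import ssl
import struct
import tempfile
import urllib.request

# URL template quoted in the mail; %s is replaced by the userid.
URL_TEMPLATE = "https://launchpad.net/~%s/+sshkeys"

# The userid is interpolated into a URL, so accept only a conservative
# character set before doing so (an assumed policy for this example).
USERID_RE = re.compile(r"^[a-z0-9][a-z0-9.+-]{0,63}$")

# Assumed list of key types this example will install.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def fetch_key_text(userid, timeout=30):
    """Fetch the raw text for one userid over HTTPS (network; not exercised by demo())."""
    if not USERID_RE.match(userid):
        raise ValueError("refusing to interpolate suspicious userid: %r" % userid)
    # The default context verifies the CA chain and the hostname; there is
    # no plaintext fallback, which is the property the mail calls essential.
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(URL_TEMPLATE % userid, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def key_identity(line):
    """Return (keytype, blob) for a well-formed authorized_keys line, else None."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # The SSH wire format opens with a length-prefixed string naming the key
    # type; it must match the leading token, otherwise the line is rejected.
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n or blob[4:4 + n] != parts[0].encode():
        return None
    return parts[0], blob


def parse_keys(text):
    """Keep only the lines that parse as public keys; anything else the server sent is dropped."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and key_identity(line) is not None:
            keys.append(line)
    return keys


def install_keys(keys, path, userid):
    """Append keys not already present (compared by type and blob, ignoring the comment).

    Returns the number of lines added. The directory is created 0700 and the
    file left 0600, the modes sshd's StrictModes check expects.
    """
    existing = set()
    if os.path.exists(path):
        with open(path) as f:
            for line in f:
                ident = key_identity(line.strip())
                if ident is not None:
                    existing.add(ident)
    new = [k for k in keys if key_identity(k) not in existing]
    if new:
        os.makedirs(os.path.dirname(path) or ".", mode=0o700, exist_ok=True)
        with open(path, "a") as f:
            for k in new:
                f.write("%s # imported for %s\n" % (k, userid))
        os.chmod(path, 0o600)
    return len(new)


def _constructed_line(keytype, payload, comment):
    """Build a syntactically valid key line from a constructed (not real) blob."""
    blob = struct.pack(">I", len(keytype)) + keytype.encode() + payload
    return "%s %s %s" % (keytype, base64.b64encode(blob).decode(), comment)


# Constructed stand-in for a key server response: one valid key, one line whose
# token and blob disagree, one truncated blob, a blank line and a stray HTML fragment.
GOOD_LINE = _constructed_line("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01", "constructed@example")
SAMPLE_RESPONSE = "\n".join([
    GOOD_LINE,
    "ssh-dss " + GOOD_LINE.split()[1] + " wrong-type",
    "ssh-rsa AAAA truncated",
    "",
    "<html><body>Not Found</body></html>",
])


def demo():
    """Parse the constructed response and install it twice into a temp dir."""
    keys = parse_keys(SAMPLE_RESPONSE)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".ssh", "authorized_keys")
        first = install_keys(keys, path, "example")
        second = install_keys(keys, path, "example")  # idempotent: nothing added
        mode = os.stat(path).st_mode & 0o777
    return {"parsed": len(keys), "first": first, "second": second, "mode": mode}


if __name__ == "__main__":
    print(demo())
```

Deduplicating on the decoded (type, blob) pair rather than on the whole line means a key whose comment field changed on the server is still recognised as already installed, so repeated boot-time runs do not accumulate copies.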
On 15 December 2010 12:01:22 -0600 Dustin Kirkland <kirkland at ubuntu.com> wrote:

> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
> hopeful you might consider this ssh-import-id tool for the project.
> Before we get into reviewing the code, can you tell me if this is
> something that would, or would not be interesting to openssh upstream?

We'd use this if it took a username too, for a similar purpose. Currently we pull keys out of XML and go through some convoluted Perl to add them to the right authorized_keys file of the right users, set the permissions and ownerships right, etc., which is pretty fiddly, and not that safe when someone next changes the desired permissions on authorized_keys, or uses a different path specified by the config file, or whatever.

--
Alex Bligh
On Wed, Dec 15, 2010 at 12:01:22PM -0600, Dustin Kirkland wrote:

> Howdy,
>
> We in the Ubuntu Server world have been using a handy little shell
> utility for a couple of releases now, called 'ssh-import-id' [1].
>
> Whereas ssh-copy-id _pushes_ a public key from one system to another,
> ssh-import-id _pulls_ a public key from a secure key server and
> installs it.
>
> It takes one or more userids as command line arguments, loops over
> them, sequentially attempts to retrieve public keys from a web API
> (using wget or curl), and can write to stdout or to file
> (~/.ssh/authorized_keys).
>
> We find this particularly handy in the cloud world, where systems are
> started from pristine images every time, and we need a way to seed
> the system with credentials before the first authentication. Here, we
> can run something like 'ssh-import-id kirkland' during the boot
> process, and my public key will be installed by the time I log in.
>
> It's also really useful when and if you need to grant access to the
> system to others, or perhaps start a system in the cloud on behalf of
> someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson',
> and each of these keys is retrieved and installed.
>
> We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a
> userid, but this URL could really be configurable and point to any
> public or private SSH public key server. An SSL connection to an https
> site with a valid certificate is, of course, essential to the security
> of the key retrieval. If there were a free/public SSH key server like
> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
> (though I haven't found anything like this).
>
> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
> hopeful you might consider this ssh-import-id tool for the project.
> Before we get into reviewing the code, can you tell me if this is
> something that would, or would not be interesting to openssh upstream?

I'm not an OpenSSH developer, but: why not use SSH? Install *one* server's key, and pull the users' keys over that connection. This seems to have quite a few fewer moving parts, avoids a dependency on wget/libcurl/..., and doesn't crash and burn when another CA signs something it shouldn't.

Joachim
On 12/15/2010 01:01 PM, Dustin Kirkland wrote:

> If there were a free/public SSH key server like
> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
> (though I haven't found anything like this).

You could use monkeysphere [0] on these hosts and use the HKP keyserver network (what i think you're referring to by pgp.mit.edu, above, though i recommend *not* using pgp.mit.edu until they fix their keyserver).

If you know that your users' OpenPGP keys are going to all be signed by, say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could put something like this in your preseed's late_command:

    aptitude install monkeysphere openssh-server
    monkeysphere-authentication add-identity-certifier "$CA_FPR"
    mkdir ~mary/.monkeysphere
    echo 'Mary Example <mary at example.org>' >> \
        ~mary/.monkeysphere/authorized_user_ids
    monkeysphere-authentication update-users
    echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
        >> /etc/ssh/sshd_config
    /etc/init.d/ssh restart

This also has the advantage that future runs of monkeysphere-authentication update-users will cause revoked keys to be disabled without any additional work from the user.

hope this is useful. i'm one of the monkeysphere developers; feel free to come ask questions on the project mailing list, or in #monkeysphere on irc.oftc.net.

Regards,

--dkg

[0] http://web.monkeysphere.info
Thanks, everyone, for your insightful comments, discussion, and pointers to other utilities!

In my reading of this thread, I do not see any concentrated interest in the ssh-import-id utility by the upstream openssh project itself. No worries by us -- we just thought we'd offer it, in case it were interesting to other Unixes and Linuxes besides Ubuntu.

At this point, we are shipping the utility in a package of its own, and available in a bzr repository. You can find all of these linked from this project page:

 * https://launchpad.net/ssh-import-id

The source code is available by branching with 'bzr branch lp:ssh-import-id', or browsing:

 * http://bazaar.launchpad.net/~ssh-import-id/ssh-import-id/trunk/files

The current code there is licensed under the GPLv3, but we would gladly re-license it in the future to a compatible license, should openssh ever grow an interest in this tool.

Thanks again for your consideration!

Cheers,
--
:-Dustin

Dustin Kirkland
Ubuntu Core Developer