On Wed, Apr 22, 2015 at 10:55 AM, Ángel González <keisial at gmail.com> wrote:
> On 22/04/15 16:42, Reuben Hawkins wrote:
>>
>> Hi SSH-devs,
>>
>> This may be a bit off topic for this list, but....
>>
>> Would it be ok to share a private key in an installer script so long
>> as the corresponding public key is setup like this...
>>
>> command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...
>
> You would also need at least no-port-forwarding
>
> I'd add all available restricting options.
>
>
>> I'm looking for a secure way to get a user to share their public key
>> through SSH which can be invoked from an installer on another
>> host...for example...
>>
>> # ssh-keyscan server.local > .ssh/known_hosts
>> # ssh -i hardcoded_private_key server.local > .ssh/authorized_keys
>>
>> Of course in this installer the key fingerprints will be examined by
>> the user before any keys are actually put in known hosts and
>> authorized_keys.
>>
>> Is this secure? Is there a better way?
>
> I see no obvious flaw. Everything depends on the integrity of the server,
> but you already knew that?
>
>
> PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of .ssh
> or /etc
>

ssh-keyscan because we don't know the server's host keys ahead of time. The user is going to install a server on some machine, another user is going to install a client. The clients must get the host keys into their known_hosts file and the server user's keys into their authorized_keys file. ssh-keyscan gets the host keys from the server, and the hardcoded private key will get the server user's public key.

Also, each server needs unique keys. I wouldn't want one of our customers to be able to trick another one of our customers into ssh'ing to the wrong server without a known_hosts "identity changed" message, so I can't hardcode a host key directly into the known_hosts files in either .ssh or /etc.

Let me know if I'm missing something. :)

Thanks in advance,
Reuben
Hi,

On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
> Let me know if I'm missing something. :)

Signed keys from a common CA?

gert
--
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
On Wed, Apr 22, 2015 at 1:53 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
>> Let me know if I'm missing something. :)
>
> Signed keys from a common CA?

I don't think the signed key helps in my particular case (I may be wrong, if so please correct me).

I'm working on a management application and the next version's big feature is network security via SSH. My application is actually backwards from most other client/server models. It's backwards in that the "server" initiates connections to the "clients" (so the ssh client runs on the "server", sshd on the "clients") to make the clients do things (let's just say run updates as an example).

I need to get the server user's public key into the client's authorized_keys file when the client software is installed. I can't think of a way to get the public key from the server other than the private key hardcoded into the installer and the corresponding hardcoded public key in the server's authorized_keys file like this...

command="cat ~/.ssh/id_rsa.pub",other-safety-restrictions ssh-rsa AAAA....

With this anybody can get the server user's public key.

My installer looks like this....

#!/bin/bash
# install software
# .....
echo -n "who's your server? "
read -r server
# get host keys from server, verify key fingerprints, etc
ssh-keyscan "$server" | update-known-hosts.sh
# get admin user's public key from the server
# (write the embedded key to a fresh 0600 file: ssh ignores a key file that
# is readable by others, and a fixed name under /tmp could be pre-created)
known_private_key=$(mktemp)
cat << EOF > "$known_private_key"
ssh-rsa AAAA.... single-use-key
EOF
ssh -i "$known_private_key" -o IdentitiesOnly=yes -o BatchMode=yes -T "admin@$server" | check-key > /home/client/.ssh/authorized_keys
rm -f "$known_private_key"
chmod 600 /home/client/.ssh/authorized_keys
chown client:client /home/client/.ssh/authorized_keys
exit 0

So it's the getting that public key out of admin@server's .ssh/id_[dsa|rsa|ecdsa|ed25519].pub that is the hurdle. Can a signed key from a common CA fit in this process somewhere?
I do want to avoid forcing a requirement onto our customers to get keys signed by us, or anybody else.

> gert
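The two halves of the scheme discussed in this thread, written out as an added example (this is not Reuben's installer nor anything from the OpenSSH project): the server-side authorized_keys entry that limits the shared installer key to reading one public key, with the restricting options Ángel asked for, and the client-side installer flow with the fingerprint confirmation step Reuben says must happen before anything is trusted, plus a validation of what the server sends back (the "check-key" step). The function names, the "admin" login, the /home/client paths, the ed25519 key file name and the constructed test key are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Names (update_known_hosts, fetch_server_pubkey,
# check_pubkey_line, make_authorized_keys_line, login "admin", /home/client) are assumed.
set -eu
umask 077

KEY_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521'

# Server side: the authorized_keys entry for the installer's shared key.
# Whoever holds that private key can do exactly one thing: read the admin
# user's public key. OpenSSH 7.2+ offers "restrict" as shorthand for these no-* options.
make_authorized_keys_line() {
    printf 'command="cat ~/.ssh/id_ed25519.pub",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty,no-user-rc %s\n' "$1"
}

# Client side, the "check-key" step: accept exactly one line of the form
# "<keytype> <base64 blob> [comment]", with no leading authorized_keys options
# and a blob that starts with the SSH wire-format prefix "AAAA".
# Reads the candidate on stdin; returns 0 if acceptable, 1 otherwise.
check_pubkey_line() {
    input=$(cat)
    [ -n "$input" ] || return 1
    [ "$(printf '%s\n' "$input" | grep -c '')" -eq 1 ] || return 1
    printf '%s\n' "$input" \
        | grep -Eq '^('"$KEY_TYPES"') AAAA[A-Za-z0-9+/]+=*( [^[:space:]].*)?$' || return 1
}

# Fetch the server's host keys, show their fingerprints and require the user
# to confirm them out of band before they are written to known_hosts.
update_known_hosts() {
    server=$1; known_hosts=$2
    scan=$(mktemp)
    ssh-keyscan -t ed25519,rsa "$server" > "$scan" 2>/dev/null || true
    [ -s "$scan" ] || { echo "no host keys received from $server" >&2; rm -f "$scan"; return 1; }
    echo "Host key fingerprints for $server (compare with what the server operator reports):"
    ssh-keygen -lf "$scan"
    printf 'Accept these fingerprints? [y/N] '
    read -r answer
    case $answer in y|Y) ;; *) rm -f "$scan"; return 1 ;; esac
    cat "$scan" >> "$known_hosts"
    rm -f "$scan"
}

# Ask the server for the admin user's public key using the shared installer key.
# IdentitiesOnly keeps ssh from offering agent keys; StrictHostKeyChecking makes
# the just-confirmed known_hosts file the only source of host trust.
fetch_server_pubkey() {
    server=$1; known_hosts=$2; privkey=$3
    ssh -i "$privkey" -o IdentitiesOnly=yes -o BatchMode=yes \
        -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$known_hosts" \
        -T "admin@$server"
}

install_client() {
    server=$1
    home=/home/client
    mkdir -p "$home/.ssh"
    update_known_hosts "$server" "$home/.ssh/known_hosts"
    privkey=$(mktemp)   # created 0600; never a fixed, predictable path
    cat > "$privkey" <<'EOF'
-----BEGIN OPENSSH PRIVATE KEY-----
...placeholder for the installer's embedded single-purpose key...
-----END OPENSSH PRIVATE KEY-----
EOF
    pubkey=$(fetch_server_pubkey "$server" "$home/.ssh/known_hosts" "$privkey") || { rm -f "$privkey"; return 1; }
    rm -f "$privkey"
    printf '%s\n' "$pubkey" | check_pubkey_line \
        || { echo "server did not return a single plain public key" >&2; return 1; }
    printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys"
    chown -R client:client "$home/.ssh"
}

# Run the installer only when invoked as:  sh installer.sh install server.local
case "${1:-}" in
    install) install_client "$2" ;;
esac
```

The validation in check_pubkey_line is what stops a compromised or misconfigured server from feeding the installer something other than one public key (an authorized_keys line with its own command= or from= options, several keys, or a private key), which otherwise would land verbatim in the client's authorized_keys; as Ángel noted, everything else still rests on the integrity of the server.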