LinuxQuestions.org
Old 10-19-2007, 12:29 PM   #1
pccdrussell
Member
 
Registered: Jan 2006
Distribution: Ubuntu
Posts: 62

Rep: Reputation: 15
Shared Key ssh login only


Hello, I am looking for a way to have the server accept an ssh request only if the client machine has a shared key, whether it be RSA, DSA or whatever. So for example: on server1, let's say I have never logged into it before, and on my client machine I type ssh whoever@10.10.10.10 and it comes up with "Authenticity of host x.x.x.x can't be established. RSA key fingerprint is xx:xx:xx....". Is there a way to have it so that it will not even give you that option and you can only log in if you have that key fingerprint on your client machine? I have done this before for a user on another server by generating a shared key with
Code:
ssh-keygen -t rsa   # or: ssh-keygen -t dsa
then use
Code:
ssh-copy-id -i id_rsa.pub whoever@x.x.x.x
Anyway, this is hard for me to explain, but I hope I have explained it well enough, and any help would be greatly appreciated!
 
Old 10-19-2007, 04:54 PM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,197

Rep: Reputation: 105
The trick is that you have to bootstrap that whole mechanism. How do you get it there in the first place if you can't get there? Walk around with a floppy disk and distribute the keys?

The initial step of making that first connection causes the alert to come up so that you can take the extra effort to examine the details and see that you are making the connection that you think you are. It also alerts you if you somehow get directed to somewhere other than you expected.

By your scheme, your second step above would fail, because you had no way to get the key from there to you so that you could make the connection to there and give them your key so that they could then connect to you. Contorted. Yes. Has to start somewhere.
 
Old 10-19-2007, 06:20 PM   #3
pccdrussell
Member
 
Registered: Jan 2006
Distribution: Ubuntu
Posts: 62

Original Poster
Rep: Reputation: 15
Reply

I totally understand and agree. However, in a small environment, walking around to each client might not be all that bad. And also, this would be a great scenario if you have a firewall and don't want to completely open up port 22, but if an employee wanted to ssh in remotely, you can give him the key. That way you can have port 22 open with no fear of a user having a weak password.

After posting, I thought of a better way to possibly explain my question. I know how I can share keys for particular users, such as root for example, by creating a key on my local machine and copying it to /root/.ssh/authorized_keys (if I was using root as an example) and configuring ssh to not allow PAM passwords.

I guess a better way of asking would be: is there a "global" authorized_keys, so that it is not user specific (~/.ssh/authorized_keys), so that as an administrator I can ssh in as whoever if need be without having to copy my public key to each user (if I were to use this method)? My guess on this is that it is not possible, but a definite answer would be nice to put this issue to rest for me.
Thanks
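
An added example, not part of the thread: a check for the two things discussed above, whether sshd accepts public keys only, and whether any AuthorizedKeysFile entry is a single file shared by every account. It reads the keyword/value lines that `sshd -T` prints; both sample configurations and the path /etc/ssh/admin_authorized_keys are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit an effective sshd configuration for key-only login.
# Input format is what `sshd -T` prints: a lowercase keyword, then its value.

# Constructed sample input (not taken from any real host).
SAMPLE_KEY_ONLY='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
authorizedkeysfile .ssh/authorized_keys /etc/ssh/admin_authorized_keys'

SAMPLE_PASSWORDS_ON='pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no
authorizedkeysfile .ssh/authorized_keys'

# value_of KEYWORD: print the value of KEYWORD from the config on stdin.
value_of() {
    awk -v k="$1" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# key_only CONFIG: succeed only if public keys are the sole way to log in.
key_only() {
    [ "$(printf '%s\n' "$1" | value_of pubkeyauthentication)" = yes ] || return 1
    [ "$(printf '%s\n' "$1" | value_of passwordauthentication)" = no ] || return 1
    # Older OpenSSH releases call this option challengeresponseauthentication.
    kbd_value=$(printf '%s\n' "$1" | value_of kbdinteractiveauthentication)
    [ -n "$kbd_value" ] ||
        kbd_value=$(printf '%s\n' "$1" | value_of challengeresponseauthentication)
    # A missing value is treated as "not proven off", so the check fails.
    [ "$kbd_value" = no ]
}

# global_key_files CONFIG: print AuthorizedKeysFile entries that name the same
# file for every account, i.e. absolute paths without a %u or %h token.
# Relative paths are resolved against each user's home, so they are per-user.
global_key_files() {
    for key_path in $(printf '%s\n' "$1" | value_of authorizedkeysfile); do
        case $key_path in
            *%u*|*%h*) ;;                      # expands differently per user
            /*) printf '%s\n' "$key_path" ;;   # one file for all accounts
        esac
    done
}

if key_only "$SAMPLE_KEY_ONLY"; then echo "key-only login"; fi
global_key_files "$SAMPLE_KEY_ONLY"
```

On a live server the same functions can be fed with `key_only "$(sshd -T)"`, run as root; any file reported by `global_key_files` grants login to every account and should be owned by root and writable by no one else.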
 
  

