LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 09-15-2008, 08:13 AM   #1
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Rep: Reputation: 40
Distributing SSH host keys for password-less login


Hello all,


I've generated SSH keys for one of my server (server A), and distributed the public key to the nodes in my network.

For password-less login to work, the nodes' host key must be saved on server A. As of now I have to log into each of the nodes from server A so that server A saves the node's host key.

I there a way to get around this? I'm thinking maybe I could generate a common host key for all of my nodes and just add this host key to server A, but I'm not sure if this would work.


Regards,
kenneho
 
Old 09-15-2008, 08:38 AM   #2
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
Generate keys without passwords on the clients you want to be able to acces the server from. Then add all their id.rsa.pub data to a single text file and name it authorized_keys. Put this in the server's /.ssh folder. Permissions are not an issue for this file.

Putting the ids together make sure there's no spaces between entries, and that there is a blank line (carriage return aka "enter") at the end of the file. e.g:

ssh-rsa AAAAB3NzaC1yc2EBaccdd9sEEfgj+fC6dzjc4wB7sL2+I9Bd4+LGkkdZ+kvfPqLpCYryVGiAxlKKw62eKNGehGFTj4bL+EJL/tahazktoqD3o9mAHFcjD+p0KyjPWMdTJoyFiZQYyyaBveAUki5zHVsm+FDa4NyRN86NCtC86PJSiMumJLsBp0iHynMRGiwQ63rRC 5vPx6amY3sWM23X5Gg1FmMqB4eh2P1nZV5Tkm8XEScKnF/irA2QvlSP6ejHZPQllvBs5hL98HxKhyzAEud9qkdFikV/7W3ZAXH11wEo/ACY1tVJiOSYE5qOY27/3QTILzVtMhjiYEeiwU0RdymYctJOl3aAsHIAxxioJm7kFWF4Q== data@data.compease
ssh-rsa AAAAB3NzaC1yc2Bcr+2Zhi6+9aaaZ0UQf7a55MbEmKwE7BS/yNIb3xxQmBGkeZ4+XgXOW89p1qfOEfrLIPBVfEFvbpMNUAOmOrDNO4hF++SVkDy5ZToDMNwXSVPSNEDwltUjrQKvss5GoaSEBdf4 h8EmPGqjQtiCGoTsWNly/gaRy8mGd5PdRxh+ODT+gjv8+7XMmMoLcUGik32bZhrrrIRmqQK/jZampiJDi9VSr2PsakFqIVEE02wN2Sf8kfPZeU6KR1EVqfyx5xj/szEO6jZAM0SwaiDGLU6gURYcpZM4vB4tgJhyE1+bkGb/rC7LvQn1BWjjGAm45Iqo7hyyNtoFBiie5+u6jR8MWDiSYV1zgrQIsw== lore@lore.compease
ssh-rsa AAAAB3NzaC1ycEat3+9grmAAA3AvtgGQMhJUg2nZDgP2dheeXdjiWV1EN1tlXedUUOeQaL58SY03OZ+NzmzkxlrFlAhAfN8r9o0S FfF5iD7/bUDo9xry8qbbhALIx2Bjin/t7nbp5x8Xblxc2fU/2++2TQget/RNNZPu/yqbFP9s1N+wBgi/gUqybsRll5m+wDqxjJiN32bwheQ7yj+Xi28njCcqkICc83TVehI2y0aMnZnQQSXZR9LshbeiDoRmPhRUhXMYlugNtgWtFf9J482W 67biHXMgwHxy6FWlUe12CxeLQ18tVv73UTKPK0v3uT1Nl4LT20NN2iyFsEqIROzHcNTZXEPocQ+sVhBHpntxAsCHVw== cou@troi.compease



Quote:
Originally Posted by kenneho View Post
Hello all,


I've generated SSH keys for one of my server (server A), and distributed the public key to the nodes in my network.

For password-less login to work, the nodes' host key must be saved on server A. As of now I have to log into each of the nodes from server A so that server A saves the node's host key.

I there a way to get around this? I'm thinking maybe I could generate a common host key for all of my nodes and just add this host key to server A, but I'm not sure if this would work.


Regards,
kenneho
 
Old 09-15-2008, 09:35 AM   #3
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Original Poster
Rep: Reputation: 40
Please excuse my ignorance, but wouldn't this just install the node's public key on server A, making them able to log into server A? How would this solve the problem I'm having on server A where I have to manually accept the nodes' host key before password-less login will work?
 
Old 09-15-2008, 10:02 AM   #4
catworld
Member
 
Registered: Nov 2004
Location: Horseheads, New York
Distribution: Mandriva 2010.1 / KDE 4.5.2, Slax, Knoppix, Backtrack & etc...
Posts: 198

Rep: Reputation: 36
I thought your goal was to have the "nodes" able to log in to the server. Is this incorrect? If that IS the goal, all you need are the public keys in each other's authorized_keys file.

If the keys are shared in both directions the server of course would be able to log in to the "nodes," clients or what have you. I have never seen any need for any other than this. Of course you need to make the keys without passwords, otherwise you'd have to use an agent, or type the passwords in all the time.

Forgive me if I misunderstand your goal. Please elaborate, describe what you want to be able to do...
 
Old 09-15-2008, 10:15 AM   #5
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
I believe he wants the server to log into the nodes. Setting StrictHostKeyChecking no in /etc/ssh/ssh_config would result in keys automatically being accepted. This will, however, leave you slightly vulnerable to a MITM attack as SSH will still connect even if the host key is wrong, so I would only set it long enough to connect to each host once (so the keys get saved).
 
Old 09-16-2008, 01:22 AM   #6
kenneho
Member
 
Registered: May 2003
Location: Oslo, Norway
Distribution: Ubuntu, Red Hat Enterprise Linux
Posts: 655

Original Poster
Rep: Reputation: 40
Quote:
Originally Posted by Matir View Post
I believe he wants the server to log into the nodes. Setting StrictHostKeyChecking no in /etc/ssh/ssh_config would result in keys automatically being accepted. This will, however, leave you slightly vulnerable to a MITM attack as SSH will still connect even if the host key is wrong, so I would only set it long enough to connect to each host once (so the keys get saved).
This is correct - I want the server to log into the nodes.

catworld: I'm sorry that I didn't make this more clear in my previous posts.

Anyway, setting the StrictHostKeyChecking to "no" just for as long as it takes for the server to log into all the nodes would solve my problem, but since it's vulnerable to a MITM attack it may not be the best solution (I'd rather manually log into the servers first to save the host key).

Are there other alternatives maybe? I read somewhere that it is possible to install multiple host keys on a Linux box, so maybe it would be possible to generate one single host key and distribute it to all the nodes, and then install the key on the server?
 
Old 09-16-2008, 06:52 AM   #7
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
You probably could generate one set of SSH host keys, distribute them to all clients, and then generate a large known_hosts file by copying the fingerprint for each hostname/ip.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH host keys VS SSH keys kenneho Linux - Security 3 09-11-2008 06:03 AM
LXer: Distributing New SSH Keys Using Rsh On Linux And Unix LXer Syndicated Linux News 0 06-08-2008 08:42 PM
ssh login using keys bittus Linux - Newbie 5 11-30-2007 06:55 AM
Using SSH keys with different login name - is it possible? Micro420 Linux - Networking 5 02-04-2007 02:34 PM
Can't login using ssh keys linuxboy69 Linux - Software 2 03-19-2004 02:47 PM


All times are GMT -5. The time now is 03:43 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration