How do I automatically make a ssh key?

cereal83 · 09-20-2005, 11:18 AM

Hey all,

I am wondering how I can automatically make an ssh key with like a script or something. I know ssh -t dsa will make me a key but I need to have it done automatically so I can create a new key every 24 hours or so and run the script in the cron.

If anybody knows, that would be great.

Thanks

Matir · 09-20-2005, 11:35 AM

Why not use ssh-keygen? And why are you creating a new key every 24 hours?

cereal83 · 09-20-2005, 11:45 AM

ohh ok I made a mistake upthere. I know the command to make a new key is ssh-keygen -t dsa but when i do that I have to physically press enter on the keyboard about 3 times and I need it to be automated. Like I need it to be in a script

I have no idea why I need to make a new key every 24 hours. I do some volunteer work for a computer company and they asked me to look into it. I googled but found nothing so I am coming here and asking to see if anybody knows.

Thanks

Matir · 09-20-2005, 11:52 AM

If you're looking for keys with blank passphrases, try passing -N "" to the ssh-keygen command. -N is supposed to specify the new passphrase.

I haven't tried this, but it seems like it should work.

*still trying to imagine a need for daily keys*

cereal83 · 09-20-2005, 11:59 AM

Ok so now if I use ssh-keygen -N "" -t dsa it works but I still have to hit enter to accept where it's going to save to. Is there anyway around that?

I think they want new keys so often because they think ssh can be hacked easily and if they make new keys every 24 hours, it will prevent that from happening since they have never worked with ssh before. Thats what I think but they won't say anything

Matir · 09-20-2005, 12:04 PM

Well, the biggest insecurity in this whole plan is the passphrase less keys.

And obviously, changing keys so often makes management a pain.

But, we're here to help.

The -f option to ssh-keygen specifies the keyfile. So, I think you can try:

Code:

ssh-keygen -t dsa -N "" -f SSHKEY

Krugger · 09-20-2005, 12:35 PM

So you want a script. Here is one:

spawn ssh-keygen -t rsa -f /home/[lindex $argv 0]/.ssh/id_rsa
expect "Enter passphrase (empty for no passphrase)::"
send "/r"
expect "Enter passphrase again:"
send "/r"
expect eof

Use can use it in another script like this:

su -c "expect -f path_to_script/script $new_user"

This script will generate a ssh key pair. Now you have to copy the public key(id_rsa.pub) to the authorized key file.

Matir · 09-20-2005, 12:39 PM

Krugger: while I always forget about expect, do you see any significant advantage to the expect script over my single command above? I'm not challenging your results, just wondering what I am missing.

cereal83 · 09-20-2005, 01:37 PM

Matir,

Thanks for that code, it works like a charm. I know they should use a passphrase but they are just testing it now to see how it works.

Krugger, I could use that and thats for pointing it out but that 1 little line of code it good enough for me.. Thanks

Thanks again guys!

Matir · 09-20-2005, 01:49 PM

No problem, glad I was able to help. Make sure you educate these people on security. Laziness is always the weakest link in security.

Krugger · 09-20-2005, 02:07 PM

Actually I think your way is better. I already had the thread opened and I don't think your post was there yet we posted pretty close to each other. (30 minute differance)

I just use expect and send because it doesn't make you read too many man pages for the options.

Matir · 09-20-2005, 02:16 PM

Krugger: fair enough. By the way, does expect/send work with the "passwd" program?