Is there an easy way to change SSH keys on 20 servers?

abefroman · 02-21-2013, 08:24 PM

Is there an easy way to change SSH keys on 20 servers?

Since, when I change the key on the main box I won't be able to log in.

sag47 · 02-21-2013, 10:21 PM

For the last step you would need clusterssh (cssh command).

Create a text file called SERVERS where there is one server per line (e.g. user@someserver.com). Assuming you already have public key access to all of these servers and can login without being prompted for a password you could do something like the following.

Code:

cat SERVERS | while read server;do scp .ssh/new_key.pub ${server}: ;done

cssh $(cat SERVERS | tr '\n' ' ')

When you're using cssh on all of the servers at once run the following command sequence.

Code:

cat new_key.pub >> .ssh/authorized_keys

You should now be able to log into all of the servers using the new key.

Code:

ssh -i .ssh/new_key user@someserver.com

Then you can use cssh to delete the old public key out of ~/.ssh/authorized_keys on all of the servers using a text editor like vim/emacs/nano. It should get the job done quick and dirty.

abefroman · 02-21-2013, 10:29 PM

Quote:

Originally Posted by sag47

For the last step you would need clusterssh (cssh command).

Create a text file called SERVERS where there is one server per line (e.g. user@someserver.com). Assuming you already have public key access to all of these servers and can login without being prompted for a password you could do something like the following.

Code:

cat SERVERS | while read server;do scp .ssh/new_key.pub ${server}: ;done

cssh $(cat SERVERS | tr '\n' ' ')

When you're using cssh on all of the servers at once run the following command sequence.

Code:

cat new_key.pub >> .ssh/authorized_keys

You should now be able to log into all of the servers using the new key.

Code:

ssh -i .ssh/new_key user@someserver.com

Then you can use cssh to delete the old public key out of ~/.ssh/authorized_keys on all of the servers using a text editor like vim/emacs/nano. It should get the job done quick and dirty.

Just to confirm, for this to work, I would have to rename the old key on the local box, generate a new key rename that, put the old key back, run the commands, and then rename the new key?

sag47 · 02-21-2013, 11:48 PM

Yes, generate a new key with a new name so as to not overwrite the old key. You said yourself that you require access using the key so that would be the only way to do it.