Re-generate ssh keys when password is changed for Service Accounts?
Have a Bash script where a service account uses scp to move files from a server to a logging server without logging in via ssh keys.
Recently had to change the password on the service account due to password policies, however the script stopped working.
Did some troubleshooting and re-generated the ssh keys and then it worked again.
I didn't find any info online, however if I change the password for accounts that are tied to ssh keys/scripts, will we have to generate ssh keys each time this is done?
I thought ssh keys were system to system and had nothing to do with the actual user on the system. However maybe I'm incorrect and they are a combination of user@system-name-or-address. Meanwhile I don't see how this is tied to the password for the user account.
Except that you have to type the password, even the newer one, however I do not feel it requires generation of new keys.
ssh keys are independent of passwords, however from the information from the OP we have no idea on how exactly the scp script is authenticating so it's difficult to say what the actual issue is.
Things that came to mind are that there could be a passphrase on the private key or that there's something making use of ssh-agent to provide authentication.
I can confirm that ssh (and friends like rsync and scp) must continue to work with public/private key authentication, regardless of password set.
That is the point of key authentication. If I want access to a system without password exchange between me and the remote administrator, he creates a new user account for me with an unknown password. I send the public key. He places it in ~/.ssh/authorized_keys. And I try to avoid changing my public key ever, unless I fear my private key is compromised.
After that, I log in without a password and change my password. Logins after that continue as before.
I can't possibly imagine what could cause the key authentication to stop working if only the password has changed. I do not have experience with passphrases.
It might be worth re-testing this. It is a nuisance to re-create and distribute keys.
We suffered from a SAN failure (both controllers failed) and are still in the process of cleanup. I'm guessing this is part of the cleanup, as I wouldn't think that ssh keys would fail when setting a password for a service account that expires every 365 days.
thanks
Quote:
Originally Posted by jlinkels
I can confirm that ssh (and friends like rsync and scp) must continue to work with public/private key authentication, regardless of password set.
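An added example, not part of any post in this thread: shell helpers for the open questions raised above, namely how the scp job actually authenticates and whether a key passphrase or ssh-agent is involved. The account name, key path and sample log are constructed; the parser relies on the `Authentication succeeded (<method>).` line that the OpenSSH client prints with `-v`.

```shell
#!/usr/bin/env bash
# Added example: find out how a scripted ssh/scp job really authenticates.

# Read `ssh -v` output on stdin and print the method the client reports as
# successful (publickey, password, keyboard-interactive, ...). Prints nothing
# if no method succeeded.
auth_method_used() {
    tr -d '\r' |
        sed -n 's/^debug1: Authentication succeeded (\([a-z-]*\))\.$/\1/p' |
        tail -n 1
}

# Return 0 if the private key file has no passphrase, i.e. ssh-keygen can
# derive the public key from it using an empty passphrase.
key_is_unencrypted() {
    ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Attempt a key-only, non-interactive login so that neither a password prompt
# nor ssh-agent can mask a key that is not being accepted.
# $1 = user@host, $2 = private key file (both supplied by the caller).
key_only_login() {
    ssh -v -o BatchMode=yes -o IdentitiesOnly=yes -o IdentityAgent=none \
        -o PreferredAuthentications=publickey -i "$2" "$1" true 2>&1 |
        auth_method_used
}

# Constructed sample of client debug output: the key is offered but not
# accepted, and the session ends up authenticated by password instead.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,password
debug1: Offering public key: /home/svc/.ssh/id_ed25519 ED25519 SHA256:CONSTRUCTED
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'
```

If `key_only_login` prints `publickey` both before and after a password change, the key pair itself is not tied to the password and does not need to be regenerated.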