LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 09-15-2008, 08:13 AM   #1
kenneho
Member
Distributing SSH host keys for password-less login


Hello all,


I've generated SSH keys for one of my servers (server A), and distributed the public key to the nodes in my network.

For password-less login to work, the nodes' host key must be saved on server A. As of now I have to log into each of the nodes from server A so that server A saves the node's host key.

Is there a way to get around this? I'm thinking maybe I could generate a common host key for all of my nodes and just add this host key to server A, but I'm not sure if this would work.


Regards,
kenneho
 
Old 09-15-2008, 08:38 AM   #2
catworld
Member
Generate keys without passwords on the clients you want to be able to access the server from. Then add all their id_rsa.pub data to a single text file and name it authorized_keys. Put this in the server's /.ssh folder. Permissions are not an issue for this file.

When putting the ids together, make sure there are no spaces between entries, and that there is a blank line (carriage return aka "enter") at the end of the file, e.g.:

ssh-rsa AAAAB3NzaC1yc2EBaccdd9sEEfgj+fC6dzjc4wB7sL2+I9Bd4+LGkkdZ+kvfPqLpCYryVGiAxlKKw62eKNGehGFTj4bL+EJL/tahazktoqD3o9mAHFcjD+p0KyjPWMdTJoyFiZQYyyaBveAUki5zHVsm+FDa4NyRN86NCtC86PJSiMumJLsBp0iHynMRGiwQ63rRC 5vPx6amY3sWM23X5Gg1FmMqB4eh2P1nZV5Tkm8XEScKnF/irA2QvlSP6ejHZPQllvBs5hL98HxKhyzAEud9qkdFikV/7W3ZAXH11wEo/ACY1tVJiOSYE5qOY27/3QTILzVtMhjiYEeiwU0RdymYctJOl3aAsHIAxxioJm7kFWF4Q== data@data.compease
ssh-rsa AAAAB3NzaC1yc2Bcr+2Zhi6+9aaaZ0UQf7a55MbEmKwE7BS/yNIb3xxQmBGkeZ4+XgXOW89p1qfOEfrLIPBVfEFvbpMNUAOmOrDNO4hF++SVkDy5ZToDMNwXSVPSNEDwltUjrQKvss5GoaSEBdf4 h8EmPGqjQtiCGoTsWNly/gaRy8mGd5PdRxh+ODT+gjv8+7XMmMoLcUGik32bZhrrrIRmqQK/jZampiJDi9VSr2PsakFqIVEE02wN2Sf8kfPZeU6KR1EVqfyx5xj/szEO6jZAM0SwaiDGLU6gURYcpZM4vB4tgJhyE1+bkGb/rC7LvQn1BWjjGAm45Iqo7hyyNtoFBiie5+u6jR8MWDiSYV1zgrQIsw== lore@lore.compease
ssh-rsa AAAAB3NzaC1ycEat3+9grmAAA3AvtgGQMhJUg2nZDgP2dheeXdjiWV1EN1tlXedUUOeQaL58SY03OZ+NzmzkxlrFlAhAfN8r9o0S FfF5iD7/bUDo9xry8qbbhALIx2Bjin/t7nbp5x8Xblxc2fU/2++2TQget/RNNZPu/yqbFP9s1N+wBgi/gUqybsRll5m+wDqxjJiN32bwheQ7yj+Xi28njCcqkICc83TVehI2y0aMnZnQQSXZR9LshbeiDoRmPhRUhXMYlugNtgWtFf9J482W 67biHXMgwHxy6FWlUe12CxeLQ18tVv73UTKPK0v3uT1Nl4LT20NN2iyFsEqIROzHcNTZXEPocQ+sVhBHpntxAsCHVw== cou@troi.compease
 
Old 09-15-2008, 09:35 AM   #3
kenneho
Member
Please excuse my ignorance, but wouldn't this just install the node's public key on server A, making them able to log into server A? How would this solve the problem I'm having on server A where I have to manually accept the nodes' host key before password-less login will work?
 
Old 09-15-2008, 10:02 AM   #4
catworld
Member
I thought your goal was to have the "nodes" able to log in to the server. Is this incorrect? If that IS the goal, all you need are the public keys in each other's authorized_keys file.

If the keys are shared in both directions the server of course would be able to log in to the "nodes," clients or what have you. I have never seen any need for any other than this. Of course you need to make the keys without passwords, otherwise you'd have to use an agent, or type the passwords in all the time.

Forgive me if I misunderstand your goal. Please elaborate, describe what you want to be able to do...
 
Old 09-15-2008, 10:15 AM   #5
Matir
LQ Guru
I believe he wants the server to log into the nodes. Setting StrictHostKeyChecking no in /etc/ssh/ssh_config would result in keys automatically being accepted. This will, however, leave you slightly vulnerable to a MITM attack as SSH will still connect even if the host key is wrong, so I would only set it long enough to connect to each host once (so the keys get saved).
 
Old 09-16-2008, 01:22 AM   #6
kenneho
Member
Quote: Originally Posted by Matir
I believe he wants the server to log into the nodes. Setting StrictHostKeyChecking no in /etc/ssh/ssh_config would result in keys automatically being accepted. This will, however, leave you slightly vulnerable to a MITM attack as SSH will still connect even if the host key is wrong, so I would only set it long enough to connect to each host once (so the keys get saved).
This is correct - I want the server to log into the nodes.

catworld: I'm sorry that I didn't make this more clear in my previous posts.

Anyway, setting the StrictHostKeyChecking to "no" just for as long as it takes for the server to log into all the nodes would solve my problem, but since it's vulnerable to a MITM attack it may not be the best solution (I'd rather manually log into the servers first to save the host key).

Are there other alternatives maybe? I read somewhere that it is possible to install multiple host keys on a Linux box, so maybe it would be possible to generate one single host key and distribute it to all the nodes, and then install the key on the server?
 
Old 09-16-2008, 06:52 AM   #7
Matir
LQ Guru
You probably could generate one set of SSH host keys, distribute them to all clients, and then generate a large known_hosts file by copying the fingerprint for each hostname/ip.
 
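An added example, not code from any post in this thread, of Matir's last suggestion: the nodes share one distributed host key, and server A's known_hosts is built from that key for every hostname/IP up front, so StrictHostKeyChecking can stay on and the first login needs no interactive accept. The host key text, node names and addresses are constructed placeholders.

```shell
#!/bin/sh
# Pre-build a known_hosts file for nodes that share one distributed host key,
# so server A keeps StrictHostKeyChecking=yes and never sees the first-login prompt.
# The key line and node names below are constructed placeholders; in practice
# copy the real key from /etc/ssh/ssh_host_*.pub over a channel you trust.

HOST_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER root@node-template'
OUT="${TMPDIR:-/tmp}/fleet_known_hosts"

# Emit one known_hosts line per node.  OpenSSH accepts a comma-separated list
# of names and addresses in the first field, so hostname and IP share a line.
# Usage: build_known_hosts '<pubkey line>' 'host1,ip1' 'host2,ip2' ...
build_known_hosts() {
    pubkey=$1
    shift
    # known_hosts only needs "<type> <base64>"; the trailing comment is dropped.
    keytype=$(printf '%s\n' "$pubkey" | cut -d' ' -f1)
    keydata=$(printf '%s\n' "$pubkey" | cut -d' ' -f2)
    for node in "$@"; do
        printf '%s %s %s\n' "$node" "$keytype" "$keydata"
    done
}

# Number of entries in a generated file (sanity check before rollout).
entry_count() {
    wc -l < "$1" | tr -d ' '
}

build_known_hosts "$HOST_PUBKEY" \
    'node1.example.net,192.0.2.11' \
    'node2.example.net,192.0.2.12' \
    'node3.example.net,192.0.2.13' > "$OUT"

# Connect with strict checking left ON: a node presenting a key other than the
# distributed one is refused instead of silently trusted, which is exactly the
# MITM window that StrictHostKeyChecking=no opens.
# ssh -o StrictHostKeyChecking=yes -o UserKnownHostsFile="$OUT" node1.example.net
# Optional: hash the hostnames in place afterwards with  ssh-keygen -H -f "$OUT"
```

Copy the generated file to server A's ~/.ssh/known_hosts (or point UserKnownHostsFile at it) and the nodes can be reached from the first attempt without relaxing host key checking.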