ssh-import-id
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Dec 16 06:27:39 EST 2010
On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
> If there were a free/public SSH key server like
> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
> (though I haven't found anything like this).
You could use monkeysphere [0] on these hosts and use the HKP keyserver
network (what i think you're referring to by pgp.mit.edu, above, though
i recommend *not* using pgp.mit.edu until they fix their keyserver).
If you know that your users' OpenPGP keys are going to all be signed by,
say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
put something like this in your preseed's late_command:

    # install monkeysphere and the ssh daemon
    aptitude install monkeysphere openssh-server
    # trust $CA_FPR as the certifier whose signatures vouch for user keys
    monkeysphere-authentication add-identity-certifier "$CA_FPR"
    # tell monkeysphere which OpenPGP user ID is allowed to log in as mary
    mkdir ~mary/.monkeysphere
    echo 'Mary Example <mary@example.org>' >> \
        ~mary/.monkeysphere/authorized_user_ids
    # build /var/lib/monkeysphere/authorized_keys/<user> from the keyservers
    monkeysphere-authentication update-users
    # point sshd at the monkeysphere-managed authorized_keys files
    echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
        >> /etc/ssh/sshd_config
    /etc/init.d/ssh restart
This also has the advantage that future runs of

    monkeysphere-authentication update-users

will cause revoked keys to be disabled without any additional work from
the user.
hope this is useful. i'm one of the monkeysphere developers; feel free
to come ask questions on the project mailing list, or in #monkeysphere
on irc.oftc.net.
Regards,
--dkg
[0] http://web.monkeysphere.info
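One caveat with the late_command snippet above, added here as an example that is not part of dkg's message or of the monkeysphere project: sshd uses the first value it finds for each keyword in sshd_config, so appending a second AuthorizedKeysFile line does nothing if an uncommented one already appears earlier in the file (the stock Debian config ships it commented out, which is why the append works there). The helper below sets a keyword idempotently, rewriting the first uncommented occurrence in place or appending one if none exists, and a second function reports the value sshd would actually use. It assumes a config file without Match blocks; the file name and function names are made up for this example.

```shell
# Added example, not from the original message: set an sshd_config keyword
# so that the value given is the one sshd will use. sshd takes the first
# uncommented occurrence of a keyword, so a blind append can be shadowed by
# an existing directive. Assumes the file contains no Match blocks.
# Usage: set_sshd_option /etc/ssh/sshd_config AuthorizedKeysFile \
#            '/var/lib/monkeysphere/authorized_keys/%u'
set_sshd_option() {
    cfg="$1"; key="$2"; value="$3"
    # Keywords are case-insensitive; a line whose first field is "#" or
    # "#Keyword" is a comment and is left untouched.
    awk -v k="$key" -v v="$value" '
        tolower($1) == tolower(k) && !done { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Print the value sshd would use for a keyword: the first uncommented match.
effective_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
```

Running set_sshd_option twice leaves a single directive in place, and effective_sshd_option is a cheap post-install check that the monkeysphere path is really what sshd will read before the daemon is restarted.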