ssh-import-id
Dustin Kirkland
kirkland at ubuntu.com
Thu Dec 16 06:44:18 EST 2010
On Wed, Dec 15, 2010 at 1:07 PM, Joachim Schipper
<joachim at joachimschipper.nl> wrote:
> On Wed, Dec 15, 2010 at 12:01:22PM -0600, Dustin Kirkland wrote:
>> Howdy,
>>
>> We in the Ubuntu Server world have been using a handy little shell
>> utility for a couple of releases now, called 'ssh-import-id' [1].
>>
>> Whereas ssh-copy-id _pushes_ a public key from one system to another,
>> ssh-import-id _pulls_ a public key from a secure key server and
>> installs it.
>>
>> It takes one or more userids as command line arguments, loops over
>> them, sequentially attempts to retrieve public keys from a web api
>> (using wget or curl), and can write to stdout or to file
>> (~/.ssh/authorized_keys).
>>
>> We find this particularly handy in the cloud world, where systems are
>> started from pristine images every time, and we need a way to seed
>> the system with credentials before the first authentication. Here, we
>> can run something like 'ssh-import-id kirkland' during the boot
>> process, and my public key will be installed by the time I log in.
>>
>> It's also really useful when and if you need to grant access to the
>> system to others, or perhaps start a system in the cloud on behalf of
>> someone else. Here, we can 'ssh-import-id kirkland smoser cjwatson',
>> and each of these keys is retrieved and installed.
>>
>> We're using URL="https://launchpad.net/~%s/+sshkeys", where %s is a
>> userid, but this URL could really be configurable and point to any
>> public or private SSH public key server. An SSL connection to an https
>> site with a valid certificate is, of course, essential to the security
>> of the key retrieval. If there were a free/public SSH key server like
>> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
>> (though I haven't found anything like this).
>>
>> Seeing the ssh-copy-id utility in SSH's contrib/ directory, I'm
>> hopeful you might consider this ssh-import-id tool for the project.
>> Before we get into reviewing the code, can you tell me if this is
>> something that would, or would not be interesting to openssh upstream?
>
> I'm not an OpenSSH developer, but: why not use SSH? Install *one*
> server's key, and pull the users' keys over that connection. This seems
> to have quite a few fewer moving parts, avoids a dependency on
> wget/libcurl/..., and doesn't crash and burn when another CA signs
> something it shouldn't.
Hi Joachim,
It's a bootstrapping issue. How do you get that "one" server's key there?
If you can retrieve a key securely over https from a trusted server
with a valid SSL certificate, you could put something like this in your
unattended boot scripts:
wget -O- https://example.com/~username/pub_ssh_key >> /home/username/.ssh/authorized_keys
ssh-import-id is a wrapper around that wget above, with better error
handling, key sanitation, etc.
--
:-Dustin
Dustin Kirkland
Ubuntu Core Developer
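Added example (not part of the thread above and not the ssh-import-id tool's own code): a small POSIX shell importer that does what Dustin describes the wrapper doing around that wget, namely fetch a user's keys over HTTPS, sanitize what comes back, and append only new keys to authorized_keys. KEY_URL copies the Launchpad pattern quoted in the thread; the function names, the rejection rules and the sample key-server output (placeholder base64 blobs, not real keys) are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the ssh-import-id project's code. KEY_URL mirrors the
# Launchpad pattern from the thread; everything else is illustrative.

KEY_URL="${KEY_URL:-https://launchpad.net/~%s/+sshkeys}"

# A line is accepted only if it is exactly "<type> <base64> [comment]".
# This drops HTML error pages, blank lines and, deliberately, lines that
# start with authorized_keys options such as command="..." so that a key
# server cannot push forced commands or other options onto the host.
KEY_RE='^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|ssh-dss) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'

sanitize_keys() {
    # grep exits 1 when nothing matches, which is not an error here;
    # exit 2 (a real grep failure) is still propagated.
    grep -E "$KEY_RE" || [ $? -eq 1 ]
}

# Fetch one user's keys. curl verifies the server certificate by default
# (no -k); --fail turns an HTTP error into a non-zero exit instead of an
# HTML body; --proto '=https' refuses a redirect down to plain http.
# The userid is restricted to a safe character set before it is
# interpolated into the URL.
fetch_keys() {
    case "$1" in
        ""|*[!A-Za-z0-9._+-]*) echo "fetch_keys: bad userid '$1'" >&2; return 1 ;;
    esac
    curl --fail --silent --show-error --proto '=https' --max-time 15 \
        "$(printf "$KEY_URL" "$1")"
}

# import_keys AUTHORIZED_KEYS CMD [ARGS...]
# Runs CMD, sanitizes its output and appends the keys not yet present in
# AUTHORIZED_KEYS (matched on type and blob, ignoring the comment).
# Prints the number of keys added. Nothing is written if CMD fails.
import_keys() {
    auth="$1"; shift
    raw=$(mktemp) || return 1
    clean=$(mktemp) || return 1
    if ! "$@" > "$raw"; then
        echo "import_keys: key retrieval failed, nothing written" >&2
        rm -f "$raw" "$clean"
        return 1
    fi
    sanitize_keys < "$raw" > "$clean"
    mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
    touch "$auth" && chmod 600 "$auth"
    added=0
    while IFS= read -r line; do
        keytype=${line%% *}
        rest=${line#* }
        blob=${rest%% *}
        if awk -v t="$keytype" -v b="$blob" \
               '$1 == t && $2 == b { f = 1 } END { exit !f }' "$auth"; then
            continue      # this key is already authorized
        fi
        printf '%s\n' "$line" >> "$auth"
        added=$((added + 1))
    done < "$clean"
    rm -f "$raw" "$clean"
    printf '%s\n' "$added"
}

# Equivalent of 'ssh-import-id user1 user2 ...' for the current account.
ssh_import_id() {
    for u in "$@"; do
        import_keys "$HOME/.ssh/authorized_keys" fetch_keys "$u" ||
            echo "ssh_import_id: failed for $u" >&2
    done
}

# Constructed sample of what a key server might return, standing in for
# fetch_keys so the merge logic can be exercised offline. The base64
# blobs are placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVybm9tYXR0ZXJzYW5kZm9vYmFyYmF6cXV4MTIzNDU2N kirkland@example
<html><head><title>404 Not Found</title></head></html>

command="/bin/sh -c evil" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGVybm9tYXR0ZXJz attacker
ssh-rsa not!valid!base64 junk
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzZm9vYmFyYmF6cXV4cXV1eHh4eHh4eHh4eHh4eHh4eHg= smoser@example
EOF
}
```

Running `import_keys ~/.ssh/authorized_keys sample_keys` twice adds the two well-formed keys on the first pass and nothing on the second; the HTML, the option-prefixed line and the bad base64 never reach the file. The regex is only a shape check: where ssh-keygen is present, `ssh-keygen -l -f` on each candidate line is a stronger test, since it actually decodes the blob. Note that this still rests on the point Joachim raised: any CA trusted by the host can vouch for the key server, so pinning the server's certificate or CA in the image is the stricter option for a boot-time fetch.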