ssh-import-id

Dustin Kirkland kirkland at ubuntu.com
Thu Dec 16 06:52:09 EST 2010


On Wed, Dec 15, 2010 at 1:27 PM, Daniel Kahn Gillmor
<dkg at fifthhorseman.net> wrote:
> On 12/15/2010 01:01 PM, Dustin Kirkland wrote:
>> If there were a free/public SSH key server like
>> pgp.mit.edu for PGP/GPG keys, that would probably make a good default
>> (though I haven't found anything like this).
>
> You could use monkeysphere [0] on these hosts and use the HKP keyserver
> network (what i think you're referring to by pgp.mit.edu, above, though
> i recommend *not* using pgp.mit.edu until they fix their keyserver).

Hi Daniel,

Right, I simply meant that I wasn't aware of any HKP keyserver network
specifically for public SSH keys.

> If you know that your users' OpenPGP keys are going to all be signed by,
> say, your own OpenPGP key which has a fingerprint of $CA_FPR, you could
> put something like this in your preseed's late_command :
>
>  aptitude install monkeysphere openssh-server
>  monkeysphere-authentication add-identity-certifier "$CA_FPR"
>  mkdir ~mary/.monkeysphere
>  echo 'Mary Example <mary at example.org>' >> \
>    ~mary/.monkeysphere/authorized_user_ids
>
>  monkeysphere-authentication update-users
>  echo 'AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u' \
>     >> /etc/ssh/sshd_config
>  /etc/init.d/ssh restart
>
> This also has the advantage that future runs of
>
>  monkeysphere-authentication update-users
>
> will cause revoked keys to be disabled without any additional work from
> the user.
>
> hope this is useful.  i'm one of the monkeysphere developers; feel free
> to come ask questions on the project mailing list, or in #monkeysphere
> on irc.oftc.net.

Thanks for the pointers.  I'll give monkeysphere a try.

Still, it's not quite addressing the problem I think ssh-import-id
solves for us -- dead simple, fast, secure retrieval of a public SSH
key by nothing more than a user name inserted into a URL.

-- 
:-Dustin

Dustin Kirkland
Ubuntu Core Developer
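The "key by user name in a URL" retrieval discussed above still has to decide which fetched lines deserve to land in authorized_keys. The following is an added example, not code from this thread or from ssh-import-id itself: the fetched text is constructed inline, the function names are hypothetical, and the policy (allow-listed key types, embedded type must match the prefix, no option fields, dedupe against what is already installed) is this example's own.

```python
import base64
import struct

# Key types this example is willing to import; anything else is dropped.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def _ssh_string(data: bytes) -> bytes:
    # OpenSSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _blob(keytype: str, payload: bytes) -> str:
    # A base64 key blob whose first wire string is the key type, as real keys have.
    return base64.b64encode(_ssh_string(keytype.encode()) + payload).decode()

# Constructed stand-in for what a key server might return for one user name.
EXISTING = "ssh-rsa " + _blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01") + " bob@desk"
FETCHED = "\n".join([
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " alice@laptop",
    "ssh-ed25519 " + _blob("ssh-ed25519", bytes(32)) + " alice@laptop",  # duplicate
    EXISTING,                                                            # already installed
    "ssh-rsa " + _blob("ssh-ed25519", bytes(32)) + " mismatch",          # prefix != blob type
    'from="10.0.0.1" ssh-rsa ' + _blob("ssh-rsa", b"\x00") + " opts",   # option field: refuse
    "ssh-dss " + _blob("ssh-dss", b"\x00") + " legacy",                  # type not allowed
    "not a key at all",
])

def valid_key_line(line: str):
    """Return (keytype, blob) for a plain 'type base64 [comment]' line whose
    embedded wire-format type matches its prefix; otherwise None."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        embedded = raw[4:4 + n].decode("ascii")
    except Exception:
        return None
    if n > len(raw) - 4 or embedded != parts[0]:
        return None
    return parts[0], parts[1]

def import_keys(fetched: str, existing: str):
    """Lines worth appending to authorized_keys: valid, deduped by blob,
    and not already present in the existing file contents."""
    have = {v[1] for v in map(valid_key_line, existing.splitlines()) if v}
    out = []
    for line in fetched.splitlines():
        v = valid_key_line(line)
        if v and v[1] not in have:
            have.add(v[1])
            out.append(line)
    return out
```

Of the seven constructed lines only the first ed25519 key survives; the rest are dropped for the reason noted beside each one.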


More information about the openssh-unix-dev mailing list