shared private key

Ángel González keisial at gmail.com
Thu Apr 23 03:55:24 AEST 2015


On 22/04/15 16:42, Reuben Hawkins wrote:
> Hi SSH-devs,
>
> This may be a bit off topic for this list, but....
>
> Would it be ok to share a private key in an installer script so long
> as the corresponding public key is set up like this...
>
> command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...

You would also need at least no-port-forwarding

I'd add all available restricting options.


> I'm looking for a secure way to get a user to share their public key
> through SSH which can be invoked from an installer on another
> host...for example...
>
> # ssh-keyscan server.local > .ssh/known_hosts
> # ssh -i hardcoded_private_key server.local > .ssh/authorized_keys
>
> Of course in this installer the key fingerprints will be examined by
> the user before any keys are actually put in known hosts and
> authorized_keys.
>
> Is this secure?  Is there a better way?

I see no obvious flaw. Everything depends on the integrity of the
server, but you already knew that…


PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of 
.ssh or /etc
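
Added example (not part of the original message and not OpenSSH code): a POSIX sh check that reports authorized_keys entries which have a forced command= but lack the restricting options the reply asks for. The option names are the ones documented in sshd(8), and "restrict" exists only in OpenSSH 7.2 and later; the function names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Options that must all be present on a forced-command key unless the
# single "restrict" option (OpenSSH 7.2+) is used instead.
REQUIRED="no-port-forwarding no-x11-forwarding no-agent-forwarding no-pty no-user-rc"

# audit_line LINE: print the missing restricting options (space separated).
# Prints nothing for lines without a forced command or that are fully locked down.
audit_line() {
    # Drop quoted option values so spaces and commas inside command="..."
    # do not break field splitting (escaped quotes \" are not handled).
    stripped=$(printf '%s\n' "$1" | sed 's/"[^"]*"//g')
    opts=$(printf '%s\n' "$stripped" | awk '{print $1}')
    case "$opts" in
        ssh-*|ecdsa-*|sk-*|'#'*|'') return 0 ;;   # key type first: no options
    esac
    # Option keywords are case-insensitive; normalise and pad with commas.
    opts=",$(printf '%s' "$opts" | tr '[:upper:]' '[:lower:]'),"
    case "$opts" in *,command=,*) ;; *) return 0 ;; esac
    case "$opts" in *,restrict,*) return 0 ;; esac
    missing=""
    for o in $REQUIRED; do
        case "$opts" in *",$o,"*) ;; *) missing="$missing $o" ;; esac
    done
    printf '%s' "${missing# }"
}

# audit_file: read authorized_keys content on stdin, report weak entries.
audit_file() {
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        m=$(audit_line "$line")
        [ -n "$m" ] && printf 'line %d: forced command without: %s\n' "$n" "$m"
    done
    return 0
}

# Constructed sample entries (key material is a placeholder, not a real key).
audit_file <<'EOF'
command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...constructed installer
command="cat ~/.ssh/id_rsa.pub",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,no-user-rc ssh-rsa AAAA...constructed installer
restrict,command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...constructed installer
EOF
```

Only the first sample entry, the form quoted in the question, is reported; run it against a real file with audit_file < ~/.ssh/authorized_keys.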


