shared private key

Ángel González keisial at
Thu Apr 23 03:55:24 AEST 2015

On 22/04/15 16:42, Reuben Hawkins wrote:
> Hi SSH-devs,
> This may be a bit off topic for this list, but....
> Would it be ok to share a private key in an installer script so long
> as the corresponding public key is setup like this...
> command="cat ~/.ssh/" ssh-rsa AAAA...
You would also need at least no-port-forwarding

I'd add all available restricting options.

> I'm looking for a secure way to get a user to share their public key
> through SSH which can be invoked from an installer on another
> host...for example...
> # ssh-keyscan server.local>  .ssh/known_hosts
> # ssh -i hardcoded_private_key server.local>  .ssh/authorized_keys
> Of course in this installer the key fingerprints will be examined by
> the user before any keys are actually put in known hosts and
> authorized_keys.
> Is this secure?  Is there a better way?
I see no obvious flaw. Everything depends on the integrity of the 
server, but you already knew that…

PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of 
.ssh or /etc

More information about the openssh-unix-dev mailing list