shared private key

Reuben Hawkins reubenhwk at gmail.com
Thu Apr 23 06:26:06 AEST 2015


On Wed, Apr 22, 2015 at 10:55 AM, Ángel González <keisial at gmail.com> wrote:
> On 22/04/15 16:42, Reuben Hawkins wrote:
>>
>> Hi SSH-devs,
>>
>> This may be a bit off topic for this list, but....
>>
>> Would it be ok to share a private key in an installer script so long
>> as the corresponding public key is set up like this...
>>
>> command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...
>
> You would also need at least no-port-forwarding
>
> I'd add all available restricting options.
>
>
>> I'm looking for a secure way to get a user to share their public key
>> through SSH which can be invoked from an installer on another
>> host...for example...
>>
>> # ssh-keyscan server.local > .ssh/known_hosts
>> # ssh -i hardcoded_private_key server.local > .ssh/authorized_keys
>>
>> Of course in this installer the key fingerprints will be examined by
>> the user before any keys are actually put in known hosts and
>> authorized_keys.
>>
>> Is this secure?  Is there a better way?
>
> I see no obvious flaw. Everything depends on the integrity of the server,
> but you already knew that…
>
>
> PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of .ssh
> or /etc
>
ssh-keyscan because we don't know the server's host keys ahead of
time.  The user is going to install a server on some machine, another
user is going to install a client.  The clients must get the host keys
into their known-host file and the server user's keys into their authorized
keys file.

ssh-keyscan gets the hostkeys from the server, and the hardcoded
private key will get the server user's public key.

Also, each server needs unique keys.  I wouldn't want one of our
customers to be able to trick another one of our customers into
ssh'ing to the wrong server without a known_host identity changed
message, so I can't hardcode a host key directly into the known_hosts
files in either .ssh or /etc.

Let me know if I'm missing something.  :)

Thanks in advance,
Reuben
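The locked-down authorized_keys entry Ángel asks for (forced command plus every restricting option), and a check that an existing entry actually carries it, as an added example that is not part of the thread. `harden`, `parse_entry` and `audit` are names I made up; the `no-*` options and `restrict` are real sshd authorized_keys options.

```python
# Added example, not from the thread: build and audit a locked-down
# authorized_keys entry for the shared installer key discussed above.
import re

# Restrictions Ángel's reply asks for, on top of the forced command.
# "restrict" (OpenSSH 7.2 and later) implies all of them at once.
REQUIRED = {"no-port-forwarding", "no-X11-forwarding",
            "no-agent-forwarding", "no-pty", "no-user-rc"}
KEY_TYPE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$")

def harden(pubkey_line, command="cat ~/.ssh/id_rsa.pub"):
    """Prefix a bare public key with the forced command and restrictions."""
    opts = ['command="%s"' % command.replace('"', '\\"')] + sorted(REQUIRED)
    return ",".join(opts) + " " + pubkey_line.strip()

def parse_entry(line):
    """Return (options, key_type, key_blob). Options end at the first space
    outside double quotes; backslash-quote inside quotes is a literal quote, as in sshd."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line) and (quoted or line[i] != " "):
        c = line[i]
        if c == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur += '"'; i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append(cur); cur = ""
        else:
            cur += c
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options field")
    if cur: opts.append(cur)
    if len(opts) == 1 and KEY_TYPE.match(opts[0]):   # bare key, no options
        opts, rest = [], line
    else:
        rest = line[i + 1:]
    parts = rest.split()
    if len(parts) < 2 or not KEY_TYPE.match(parts[0]):
        raise ValueError("missing key type or key blob")
    return opts, parts[0], parts[1]

def audit(line):
    """Required restrictions missing from one entry ("restrict" covers all)."""
    opts, _, _ = parse_entry(line)
    names = {o.split("=", 1)[0] for o in opts}
    missing = {"command"} - names
    if "restrict" not in names:
        missing |= REQUIRED - names
    return sorted(missing)
```

Run `audit` over each line of the installed authorized_keys file; a non-empty result names what the entry still allows beyond the single forced command.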

