shared private key

Reuben Hawkins reubenhwk at gmail.com
Thu Apr 23 07:51:02 AEST 2015


On Wed, Apr 22, 2015 at 1:53 PM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
>> Let me know if I'm missing something.  :)
>
> Signed keys from a common CA?

I don't think the signed key helps in my particular case (I may be
wrong, if so please correct me).

I'm working on a management application and the next version's big
feature is network security via SSH.  My application is actually
backwards from most other client/server models.  It's backwards in
that the "server" initiates connections to the "clients" (so the ssh
client runs on the "server", sshd on the "clients") to make the
clients do things (let's just say run updates as an example).  I need
to get the server user's public key into the client's authorized_keys
file when the client software is installed.  I can't think of a way to
get the public key from the server other than the private key
hardcoded into the installer and the corresponding hardcoded public
key in the server's authorized_keys file like this...

command="cat ~/.ssh/id_rsa.pub",other-safety-restrictions ssh-rsa AAAA....

With this anybody can get the server user's public key.

My installer looks like this....

#!/bin/bash
set -euo pipefail

# install software
# .....
echo -n "who's your server? "
read -r server

# get host keys from server, verify key fingerprints, etc
ssh-keyscan "$server" | update-known-hosts.sh

# get admin user's public key from the server
# the single-use private key must be mode 0600 or ssh will refuse to use it,
# so create it fresh with a restrictive umask instead of appending to /tmp
umask 077
keyfile=$(mktemp /tmp/known-private-key.XXXXXX)
cat << EOF > "$keyfile"
ssh-rsa AAAA....  single-use-key
EOF
install -d -m 700 -o client -g client /home/client/.ssh
ssh -i "$keyfile" -o BatchMode=yes -T "admin@$server" |
check-key > /home/client/.ssh/authorized_keys
rm -f "$keyfile"
chmod 600 /home/client/.ssh/authorized_keys
chown client:client /home/client/.ssh/authorized_keys

exit 0

So it's the getting that public key out of admin at server's
.ssh/id_[dsa|rsa|ecdsa|ed25519].pub that is the hurdle.

Can a signed key from a common CA fit in this process somewhere?  I do
want to avoid forcing a requirement onto our customers to get keys
signed by us, or anybody else.


>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

