What would be the best way to automate SSH key transfer?

Red Squirrel

No Lifer
May 24, 2003
69,993
13,484
126
www.anyf.ca
I will be writing an application that will need to communicate between various servers using SSH and SFTP. I want to avoid having to do the SSH key thing manually as it's just tedious. Instead they will be held in a central location and automatically managed.

When introducing a new server to the cluster, what would be the best way to automate the key transfer? Doing it over plain text would not really be secure, as if by some small chance the key is intercepted then it could be used later on to hack into the system. I was thinking of just using a proprietary encryption that uses a single key file that has to be the same on each server, then it would transfer the key using this encryption, but this somewhat defeats the purpose. I want to be able to install the program, connect to the web interface, and start managing right away, the first step being to add the server to the cluster by specifying one of the other servers.

Also, would it be a bad idea to store SSH keys in MySQL? I'm thinking so, so instead I could store a unique ID, then it would point to a file path that only root has access to. Does this sound good?

Come to think of it, how does SSL handle this? When you go to a secure site how is the "password" transferred before the page is encrypted, and how is it prevented that someone can steal this "password"?
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
16,603
4,521
75
When you go to a secure site how is the "password" transferred before the page is encrypted, and how is it prevented that someone can steal this "password"?
IANASE (I am not a Security Expert), but I think they use RSA public/private-key encryption to transfer the password.

Now, as to which key goes where...:hmm:
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
I've always just had a script that did this. I just run the script and replace user and host with real values. If I need to do a bunch of servers, I use a loop. The only downside is that I have to type in the password for each server for the key to get installed.

cat ~/.ssh/id_dsa.pub | ssh -l user host.com 'cat >> ~/.ssh/authorized_keys'
 

Red Squirrel

No Lifer
May 24, 2003
69,993
13,484
126
www.anyf.ca
That could work. If I can figure out a way to pipe the password then I could even do it through my web interface. Would be a simple form where you enter the server name and username/password and it would do the rest. In fact I could make it install my app and compile it right on the spot, now that would be pretty sweet.
 
Dec 23, 2009
6
0
0
I will be writing an application that will need to communicate between various servers using SSH and SFTP. I want to avoid having to do the SSH key thing manually as it's just tedious. Instead they will be held in a central location and automatically managed.

When introducing a new server to the cluster, what would be the best way to automate the key transfer? Doing it over plain text would not really be secure, as if by some small chance the key is intercepted then it could be used later on to hack into the system. I was thinking of just using a proprietary encryption that uses a single key file that has to be the same on each server, then it would transfer the key using this encryption, but this somewhat defeats the purpose. I want to be able to install the program, connect to the web interface, and start managing right away, the first step being to add the server to the cluster by specifying one of the other servers.

Also, would it be a bad idea to store SSH keys in MySQL? I'm thinking so, so instead I could store a unique ID, then it would point to a file path that only root has access to. Does this sound good?

Come to think of it, how does SSL handle this? When you go to a secure site how is the "password" transferred before the page is encrypted, and how is it prevented that someone can steal this "password"?

Have you looked at the command "ssh-copy-id"?

If not, take a look at the man page for it. From a terminal enter:
Code:
man ssh-copy-id
 

MrColin

Platinum Member
May 21, 2003
2,403
3
81
A bash script that uses the "cat >>" command to append your key to my server and then disable password authentication on the server's sshd_conf file by copying a template conf file over the default should work. Puppet sounds promising too though.

AFAIK ssh-copy-id only works if you are using default port 22 as it won't currently accept a -p option.
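The three suggestions above (sourceninja's `cat >>` one-liner, ssh-copy-id, and MrColin's "push the key, then turn off password auth" script) all do the same job, so here is one added example, written for this thread rather than taken from it, that puts them together. The function names (install_key, push_key, disable_password_auth), the deploy user, host and port, and the sample public key are all assumptions for illustration. Unlike a bare `cat >>`, the install is idempotent (the same key is never appended twice), it sets the 700/600 permissions sshd's StrictModes insists on, and it takes a port, which is the case the previous post says ssh-copy-id could not handle. The key never crosses the wire in the clear: it rides inside the already-encrypted ssh session, authenticated once by password.

```shell
#!/bin/sh
# Added example (not code from the thread). Assumed names: install_key,
# push_key, disable_password_auth, and the constructed sample key/hosts below.

# install_key KEYFILE AUTHFILE
# Append the public key in KEYFILE to AUTHFILE exactly once, creating the
# .ssh directory with the permissions sshd's StrictModes requires
# (700 on the directory, 600 on authorized_keys).
install_key() {
  keyfile=$1
  authfile=$2
  dir=$(dirname "$authfile")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$authfile" ] || : > "$authfile"
  chmod 600 "$authfile"
  # -F: fixed string, -x: match the whole line; running this twice still
  # leaves one copy of the key in the file.
  if ! grep -qFx -f "$keyfile" "$authfile"; then
    cat "$keyfile" >> "$authfile"
  fi
}

# push_key USER HOST PORT KEYFILE
# The same logic run on the remote side over ssh, with a non-default port.
# You type the password once per host; afterwards the key works.
push_key() {
  user=$1
  host=$2
  port=$3
  keyfile=$4
  ssh -p "$port" "$user@$host" 'umask 077; mkdir -p ~/.ssh; k=$(cat)
    grep -qFx -- "$k" ~/.ssh/authorized_keys 2>/dev/null \
      || printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "$keyfile"
}

# disable_password_auth CONFIG
# Rewrite an sshd_config so only key auth is accepted: replace any existing
# PasswordAuthentication line (commented or not), or add one if absent.
# Run it only after push_key succeeded AND a key-based login has been
# verified from a second session, otherwise you lock yourself out.
# Validate with "sshd -t -f CONFIG" before restarting sshd.
disable_password_auth() {
  cfg=$1
  pat='^[[:space:]]*#?[[:space:]]*PasswordAuthentication[[:space:]]'
  if grep -qE "$pat" "$cfg"; then
    sed -E "s/${pat}.*/PasswordAuthentication no/" "$cfg" > "$cfg.tmp" \
      && mv "$cfg.tmp" "$cfg"
  else
    printf 'PasswordAuthentication no\n' >> "$cfg"
  fi
}

# Usage (assumed host and user, not from the thread):
#   push_key deploy 10.0.0.5 2222 ~/.ssh/id_rsa.pub
#   ssh -p 2222 deploy@10.0.0.5 true        # verify key login works first
#   ssh -p 2222 deploy@10.0.0.5 'sudo sh -c ". ./keys.sh; disable_password_auth /etc/ssh/sshd_config && sshd -t"'
```

For the web-interface idea from earlier in the thread, the install step is the part worth keeping: the central app needs to run push_key once per new server, and from then on every other action can use the key. disable_password_auth is deliberately a separate step so that a failed key install can never leave a box with no way in.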
 

Colt45

Lifer
Apr 18, 2001
19,720
1
0
are you really going to be changing ssh keys often enough that this can't be done manually? o_O
 

Red Squirrel

No Lifer
May 24, 2003
69,993
13,484
126
www.anyf.ca
are you really going to be changing ssh keys often enough that this can't be done manually? o_O

I do it often, not on the same machine but on different machines. It's just a pita to do it manually. I always get confused as to which key goes where, and syntax etc., so it usually takes me an hour or so to actually get it going. If I can get it right programmatically and automate it, it will save a lot of grief. The idea of my app is that once it's fully complete it will take no more than 5 minutes to add a new server to the "cluster" and have that server up and running. Everything will be automated.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
I do it often, not on the same machine but on different machines. It's just a pita to do it manually. I always get confused as to which key goes where, and syntax etc., so it usually takes me an hour or so to actually get it going. If I can get it right programmatically and automate it, it will save a lot of grief. The idea of my app is that once it's fully complete it will take no more than 5 minutes to add a new server to the "cluster" and have that server up and running. Everything will be automated.

That's where puppet, cfengine, bfconfig, etc. really come in handy. You install the OS and relevant packages and tell the puppet server what you want the system to do. All of the appropriate packages and files are installed as per your recipe. Brilliant.