On 22/04/15 16:42, Reuben Hawkins wrote:
> Hi SSH-devs,
>
> This may be a bit off topic for this list, but....
>
> Would it be ok to share a private key in an installer script so long
> as the corresponding public key is set up like this...
>
> command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...

You would also need at least no-port-forwarding.
I'd add all available restricting options.

> I'm looking for a secure way to get a user to share their public key
> through SSH which can be invoked from an installer on another
> host...for example...
>
> # ssh-keyscan server.local > .ssh/known_hosts
> # ssh -i hardcoded_private_key server.local > .ssh/authorized_keys
>
> Of course in this installer the key fingerprints will be examined by
> the user before any keys are actually put in known hosts and
> authorized_keys.
>
> Is this secure? Is there a better way?

I see no obvious flaw. Everything depends on the integrity of the
server, but you already knew that…

PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of
.ssh or /etc
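Added example, not part of the original thread: a small Python audit that parses the options field of an authorized_keys entry (including quoted commas in `command="..."`) and lists which restricting options from sshd(8) an entry such as the one discussed above still lacks. The `restrict` keyword needs OpenSSH 7.2 or later, and the sample entries are constructed.

```python
import re

# Restriction options from sshd(8), "AUTHORIZED_KEYS FILE FORMAT".
RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding",
                "no-x11-forwarding", "no-pty", "no-user-rc"}
KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")

def split_options(line):
    """Return (options, rest); options maps lowercased name -> value."""
    line = line.strip()
    if KEY_TYPE.match(line):
        return {}, line                    # no options field on this entry
    opts, buf, in_quote, i = {}, "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quote and line[i:i + 2] == '\\"':
            buf, i = buf + '"', i + 2      # escaped quote inside a value
            continue
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in ", \t":
            name, _, value = buf.partition("=")
            opts[name.lower()] = value
            buf = ""
            if ch != ",":
                break                      # unquoted blank ends the options
        else:
            buf += ch
        i += 1
    return opts, line[i:].strip()

def audit(line):
    """Return the restrictions an entry lacks; [] means fully restricted."""
    opts, _ = split_options(line)
    if "restrict" in opts:                 # conservative: any re-enabler counts
        missing = {r for r in RESTRICTIONS if r[3:] in opts}
    else:
        missing = RESTRICTIONS - set(opts)
    if "command" not in opts:
        missing = missing | {"command"}
    return sorted(missing)

# Constructed entries; "AAAA..." stands in for the key blob, as in the thread.
WEAK = 'command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA... installer'
HARDENED = 'restrict,command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA... installer'

if __name__ == "__main__":
    for entry in (WEAK, HARDENED):
        print(audit(entry) or "fully restricted", "<-", entry)
```

On servers older than OpenSSH 7.2, list the five `no-*` options explicitly instead of `restrict`; the audit accepts either form.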