On Wed, Apr 22, 2015 at 10:55 AM, Ángel González <keisial@xxxxxxxxx> wrote:
> On 22/04/15 16:42, Reuben Hawkins wrote:
>>
>> Hi SSH-devs,
>>
>> This may be a bit off topic for this list, but....
>>
>> Would it be ok to share a private key in an installer script so long
>> as the corresponding public key is set up like this...
>>
>> command="cat ~/.ssh/id_rsa.pub" ssh-rsa AAAA...
>
> You would also need at least no-port-forwarding
>
> I'd add all available restricting options.
>
>
>> I'm looking for a secure way to get a user to share their public key
>> through SSH which can be invoked from an installer on another
>> host...for example...
>>
>> # ssh-keyscan server.local > .ssh/known_hosts
>> # ssh -i hardcoded_private_key server.local > .ssh/authorized_keys
>>
>> Of course in this installer the key fingerprints will be examined by
>> the user before any keys are actually put in known_hosts and
>> authorized_keys.
>>
>> Is this secure? Is there a better way?
>
> I see no obvious flaw. Everything depends on the integrity of the server,
> but you already knew that…
>
>
> PS: Why ssh-keyscan? You can hardcode it directly in the known_hosts of .ssh
> or /etc
>

ssh-keyscan because we don't know the server's host keys ahead of time. The user is going to install a server on some machine, and another user is going to install a client. The clients must get the host keys into their known_hosts file and the server user's keys into their authorized_keys file. ssh-keyscan gets the host keys from the server, and the hardcoded private key will get the server user's public key.

Also, each server needs unique keys. I wouldn't want one of our customers to be able to trick another one of our customers into ssh'ing to the wrong server without a known_hosts identity changed message, so I can't hardcode a host key directly into the known_hosts files in either .ssh or /etc.

Let me know if I'm missing something. :)

Thanks in advance,
Reuben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev