Re: shared private key

On Wed, Apr 22, 2015 at 1:53 PM, Gert Doering <gert@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
>> Let me know if I'm missing something.  :)
>
> Signed keys from a common CA?

I don't think the signed key helps in my particular case (I may be
wrong, if so please correct me).

I'm working on a management application and the next version's big
feature is network security via SSH.  My application is actually
backwards from most other client/server models.  It's backwards in
that the "server" initiates connections to the "clients" (so the ssh
client runs on the "server", sshd on the "clients") to make the
clients do things (let's just say run updates as an example).  I need
to get the server user's public key into the client's authorized_keys
file when the client software is installed.  I can't think of a way to
get the public key from the server other than the private key
hardcoded into the installer and the corresponding hardcoded public
key in the server's authorized_keys file like this...

command="cat ~/.ssh/id_rsa.pub",other-safety-restrictions ssh-rsa AAAA....

With this anybody can get the server user's public key.

My installer looks like this....

#!/bin/bash
set -euo pipefail
# install software
# .....
echo -n "who's your server? "
read -r server

# get host keys from server, verify key fingerprints, etc
ssh-keyscan "$server" | update-known-hosts.sh

# get admin user's public key from the server. ssh refuses to use a
# private key file that other users can read, so create it with mode
# 600 (not as a world-readable file under a fixed /tmp name) and
# remove it as soon as the fetch is done.
keyfile=$(mktemp)
chmod 600 "$keyfile"
cat << EOF > "$keyfile"
ssh-rsa AAAA....  single-use-key
EOF
ssh -i "$keyfile" -o BatchMode=yes -T "admin@$server" |
    check-key > /home/client/.ssh/authorized_keys
rm -f "$keyfile"
chmod 600 /home/client/.ssh/authorized_keys
chown client:client /home/client/.ssh/authorized_keys

exit 0

So it's the getting that public key out of admin@server's
.ssh/id_[dsa|rsa|ecdsa|ed25519].pub that is the hurdle.

Can a signed key from a common CA fit in this process somewhere?  I do
want to avoid forcing a requirement onto our customers to get keys
signed by us, or anybody else.


>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                            //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert@xxxxxxxxxxxxxx
> fax: +49-89-35655025                        gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
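An added example, not from Reuben's script or from OpenSSH: one way to write the `check-key` filter that the installer pipes the server's reply through, so that whatever answers on the far end can only ever place a single plain public key line, with no options field, into the client's authorized_keys. The function name `check_key`, the allowed key-type list and the sample key material in the comments are assumptions.

```shell
#!/bin/sh
# check_key: read the server's reply on stdin and pass it on only if it is
# exactly one plain public key line (allowed type, base64 blob, optional
# simple comment). Anything else - a leading options field such as
# command="...", several keys, an unknown type, empty or garbled output -
# is dropped with a non-zero exit, so the client's authorized_keys never
# receives it. The key types are an assumed allowlist; ssh-dss is left out.
ALLOWED_TYPES='ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521'

check_key() {
    input=$(cat)
    # exactly one non-empty line
    n=$(printf '%s\n' "$input" | grep -c . || true)
    [ "$n" -eq 1 ] || return 1
    line=$(printf '%s\n' "$input" | grep . | tr -d '\r')
    # type, blob, optional comment; an options field cannot slip in
    # because the line must begin with the key type itself
    printf '%s\n' "$line" | grep -Eq \
        "^($ALLOWED_TYPES) [A-Za-z0-9+/]+={0,2}( [A-Za-z0-9._@:+-]+)?\$" \
        || return 1
    printf '%s\n' "$line"
}

# The server-side entry that hands the public key to installers (the
# command="..." line from the message) deserves the same care; "restrict"
# needs OpenSSH 7.2+, older versions spell it out as
# no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-user-rc:
#   restrict,command="cat ~/.ssh/id_ed25519.pub" ssh-rsa AAAA.... single-use-key

# usage in the installer:
#   ssh -i "$keyfile" -o BatchMode=yes -T "admin@$server" | check_key > authorized_keys
```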