On Wed, Apr 22, 2015 at 1:53 PM, Gert Doering <gert@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Wed, Apr 22, 2015 at 01:26:06PM -0700, Reuben Hawkins wrote:
>> Let me know if I'm missing something. :)
>
> Signed keys from a common CA?

I don't think the signed key helps in my particular case (I may be wrong, if so please correct me).

I'm working on a management application and the next version's big feature is network security via SSH. My application is actually backwards from most other client/server models. It's backwards in that the "server" initiates connections to the "clients" (so the ssh client runs on the "server", sshd on the "clients") to make the clients do things (let's just say run updates as an example).

I need to get the server user's public key into the client's authorized_keys file when the client software is installed. I can't think of a way to get the public key from the server other than the private key hardcoded into the installer and the corresponding hardcoded public key in the server's authorized_keys file like this...

command="cat ~/.ssh/id_rsa.pub",other-safety-restrictions ssh-rsa AAAA....

With this anybody can get the server user's public key.

My installer looks like this....

#!/bin/bash
# install software
.....
echo -n "who's your server? "
read -r server
# get host keys from server, verify key fingerprints, etc
ssh-keyscan "$server" | update-known-hosts.sh
# get admin user's public key from the server, authenticating with the
# single-use key hardcoded into the installer (key material elided here).
# ssh refuses a private key file that is group/world readable, so create
# it with mktemp and chmod 600 rather than at a fixed path in /tmp.
keyfile=$(mktemp)
chmod 600 "$keyfile"
cat << EOF > "$keyfile"
ssh-rsa AAAA.... single-use-key
EOF
ssh -i "$keyfile" -o "BatchMode yes" -T "admin@$server" | check-key > /home/client/.ssh/authorized_keys
rm -f "$keyfile"
chmod 600 /home/client/.ssh/authorized_keys
chown client:client /home/client/.ssh/authorized_keys
exit 0

So it's the getting that public key out of admin@server's .ssh/id_[dsa|rsa|ecdsa|ed25519].pub that is the hurdle. Can a signed key from a common CA fit in this process somewhere?

I do want to avoid forcing a requirement onto our customers to get keys signed by us, or anybody else.

>
> gert
> --
> USENET is *not* the non-clickable part of WWW!    //www.muc.de/~gert/
> Gert Doering - Munich, Germany    gert@xxxxxxxxxxxxxx
> fax: +49-89-35655025    gert@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
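The `check-key` filter that the installer above pipes the server's output through is not shown in the thread. As an added example (not Reuben's code, and not part of the list discussion), here is one way to write it: it accepts exactly one public key line of an allowed type, checks that the base64 blob is well-formed SSH wire format and that the type embedded in the blob matches the declared type, and drops the free-form comment field before anything reaches authorized_keys. The allowed-type set and the sample key line are constructed assumptions, not real key material.

```python
import base64
import struct
import sys

# Key types the installer accepts; an assumed policy, not from the thread.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def _wire_string(data):
    """Encode bytes as an SSH wire-format string: uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data

def _wire_strings(blob):
    """Split a key blob into its wire-format strings; raise if any is truncated."""
    fields, offset = [], 0
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        if offset + length > len(blob):
            raise ValueError("truncated string")
        fields.append(blob[offset:offset + length])
        offset += length
    return fields

def check_key(text):
    """Return the one acceptable '<type> <base64>' line in text (comment dropped), else None."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) != 1:  # the server must hand back exactly one key
        return None
    fields = lines[0].split()
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        return None
    keytype, b64 = fields[0], fields[1]
    try:
        blob_fields = _wire_strings(base64.b64decode(b64, validate=True))
    except ValueError:  # binascii.Error (bad base64) is a ValueError subclass
        return None
    # The first wire string inside the blob must repeat the declared type.
    if not blob_fields or blob_fields[0] != keytype.encode():
        return None
    return keytype + " " + b64

def constructed_key_line(keytype="ssh-ed25519", pubkey=b"\x01" * 32):
    """Constructed, NOT a real key: a syntactically valid line for offline tests."""
    blob = _wire_string(keytype.encode()) + _wire_string(pubkey)
    return keytype + " " + base64.b64encode(blob).decode() + " admin@server"

if __name__ == "__main__":  # installer usage: ssh ... | check-key > authorized_keys
    print(check_key(sys.stdin.read()) or sys.exit("check-key: rejected server output"))
```

Because the installer redirects the filter's output straight into authorized_keys, a rejection exits non-zero and prints nothing, so the script should test the pipeline status before chmod/chown rather than trusting the file exists.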