SSH Key Gen/Install Script. Automates Mass Distribution of SSH Keys (opens in new tab)

(blog.mediafederation.com)

45 pointsa904guy15y ago19 comments

19 comments

14 comments · 5 top-level

duskwuff15y ago· 4 in thread

Wait, it's creating a separate public key in your home directory on every device listed, all with the same (plaintext!) passphrase, then sets up every device to SSH to any other one? Smells like bad practice!

a904guyOP15y ago

For your comment that was edited stating: "the script was storing passwords in plain-text in the user home folder", There is no plaintext passphrases stored anywhere... and you can use different passwords per each device per the config file. This script follows the exact procedure for ssh-keys defined by OpenSSHD in general, ssh-keys are more secure than logging in using a password in general. As for the reverse connections, I have a version that utilizes the reverse key in the config array that keeps them from distributing across server, only to and from the localhost. I took it out to roll this version out as I still haven't tested it fully.

duskwuff15y ago

> There is no plaintext passphrases stored anywhere...

Sure there are - in the config file, and in the command line.

  59: `ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'`;
  71: $server['conn']->shell("ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'");

It gets even better - if you forgot to set REMOTE_PASS in the config file, it defaults to empty, and you end up with a passwordless key on most of your machines:

  39: $_SERVERS[$k]['remote_pass'] = ($_SERVERS[$k]['remote_pass']) ? $_SERVERS[$k]['remote_pass'] : '' ;

Even if you're only copying keys "to and from the localhost", you've still just given all your servers access -- likely without a password -- to your desktop computer.

1 more reply

vvatsa15y ago

PHP => Pretty Huge Problem

a904guyOP15y ago

The language doesn't really matter, especially considering its a single use app. It can be done via any LibSSH2 binding, or even with a more complex expect binding.

The reason for php is simple, I had already wrote the libssh2 code for what I needed. I submitted it, in hopes it saves someone else the time.

theBobMcCormick15y ago· 2 in thread

Are you really generating a separate keypair for each server? Why?

Why not generate one key pair on your management host, and then use the standard "ssh-copy-id" command to push the public key out to each managed server?

a904guyOP15y ago

For the ability to remove a key from a single device/server. Considering the keys are tagged with user+host, removal is easily identifiable. A single key solution isn't ideal for my configuration.

Using ssh-copy-id is the standard method, but doesn't suite what I wanted.

theBobMcCormick15y ago

Why would you want to remove a key on the management server? Why have all keys copied to all servers?

You say ssh-copy-id doesn't suite what you want, but you could easily create a much shorter script that just loops over the list of server and runs ssh-copy-id.

seanieb15y ago· 2 in thread

It seems to be down for me.

Here's the Google cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...

a904guyOP15y ago

MediaTemple VPS... Time to migrate to my rackspace server.

mtmatt15y ago

Saw that you were having some issues. Took a look, and everything seemed to be working fine. Let us know if we can help out with anything.

kilburn15y ago· 1 in thread

An option in the config file to specify key length would be good IMHO.

a904guyOP15y ago

Ahh! good catch, Thank you. I'll zdd that in tomorrow.

lobster_johnson15y ago

This seems wrong and overengineered for so many reasons. PHP, really? A simple one-line script will suffice to copy keys with ssh-copy-id or similar. (It gets even simpler if you use something like dsh or Capistrano.)

j / k navigate · click thread line to collapse

19 comments

14 comments · 5 top-level

duskwuff15y ago· 4 in thread

a904guyOP15y ago

duskwuff15y ago

> There is no plaintext passphrases stored anywhere...

Sure there are - in the config file, and in the command line.

  59: `ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'`;
  71: $server['conn']->shell("ssh-keygen -q -f ~/.ssh/id_{$server['type']} -t {$server['type']} -N '{$server['remote_pass']}'");

It gets even better - if you forgot to set REMOTE_PASS in the config file, it defaults to empty, and you end up with a passwordless key on most of your machines:

  39: $_SERVERS[$k]['remote_pass'] = ($_SERVERS[$k]['remote_pass']) ? $_SERVERS[$k]['remote_pass'] : '' ;

Even if you're only copying keys "to and from the localhost", you've still just given all your servers access -- likely without a password -- to your desktop computer.

1 more reply

vvatsa15y ago

PHP => Pretty Huge Problem

a904guyOP15y ago

The language doesn't really matter, especially considering its a single use app. It can be done via any LibSSH2 binding, or even with a more complex expect binding.

The reason for php is simple, I had already wrote the libssh2 code for what I needed. I submitted it, in hopes it saves someone else the time.

theBobMcCormick15y ago· 2 in thread

Are you really generating a separate keypair for each server? Why?

Why not generate one key pair on your management host, and then use the standard "ssh-copy-id" command to push the public key out to each managed server?

a904guyOP15y ago

For the ability to remove a key from a single device/server. Considering the keys are tagged with user+host, removal is easily identifiable. A single key solution isn't ideal for my configuration.

Using ssh-copy-id is the standard method, but doesn't suite what I wanted.

theBobMcCormick15y ago

Why would you want to remove a key on the management server? Why have all keys copied to all servers?

You say ssh-copy-id doesn't suite what you want, but you could easily create a much shorter script that just loops over the list of server and runs ssh-copy-id.

seanieb15y ago· 2 in thread

It seems to be down for me.

Here's the Google cache: http://webcache.googleusercontent.com/search?q=cache%3Ahttp%...

a904guyOP15y ago

MediaTemple VPS... Time to migrate to my rackspace server.

mtmatt15y ago

Saw that you were having some issues. Took a look, and everything seemed to be working fine. Let us know if we can help out with anything.

kilburn15y ago· 1 in thread

An option in the config file to specify key length would be good IMHO.

a904guyOP15y ago

Ahh! good catch, Thank you. I'll zdd that in tomorrow.

lobster_johnson15y ago

j / k navigate · click thread line to collapse