Re: Distributed Public Key

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 11/15/03


Date: Sat, 15 Nov 2003 10:02:17 -0500


"Eous Phoros" <eous_phoros@hotmail.com> wrote in message
news:e9b12f2d.0311111520.3fde5d20@posting.google.com...
> Hello,
>
> I am currently working on implementing a ssh solution for my home. The
> enviroment will contain multiple subnets all with access to NIS. What
> I would like to do is store the public key file for a machine in some
> central location so that when I reinstall a machine I do not have to
> go back and delete the entry out of the ssh_known_hosts and will
> already be reconized by the other machines on the lan. I would think I
> should be able to use NIS to distribute this data to the clients using
> like a public key map but I haven't been able to figure out how to do
> that yet. Is this possible? Is there a better way to do it?

You *CAN*, by publishing the maps and letting the clients regularly scan for
the map, write it to disk, and restart sshd. It's amazingly bad practice.
You may as well put them on an FTP server, NIS has no good security
structure to control where its maps get written to.

How do you "install" your machines? If you're using an automated
installation procedure, such as a RedHat "kickstart" procedure, it's
possible to put the keys on the installation floppy image and install them
automatically.

Alternatively, if you're going to publish the files this way, you might
consider putting them on an rsync server that restricts access to specific
clients, although that also isn't great security.

Last, consider using a "push" model from your central server. After the
client is installed, remove the client's "known_hosts" entries from the
pushing account, use ssh to push the "old" private keys to the client and
restart its sshd, then restore the old "known_hosts" entries or load a new
set by logging into it again to test things.

If you don't flush the old public keys from the "known_hosts" list, you'll
have some problems when doing the push.