Re: Distributed Public Key

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 11/15/03


Date: Sat, 15 Nov 2003 10:02:17 -0500


"Eous Phoros" <eous_phoros@hotmail.com> wrote in message
news:e9b12f2d.0311111520.3fde5d20@posting.google.com...
> Hello,
>
> I am currently working on implementing an ssh solution for my home. The
> environment will contain multiple subnets all with access to NIS. What
> I would like to do is store the public key file for a machine in some
> central location so that when I reinstall a machine I do not have to
> go back and delete the entry out of the ssh_known_hosts and it will
> already be recognized by the other machines on the LAN. I would think I
> should be able to use NIS to distribute this data to the clients using
> something like a public key map, but I haven't been able to figure out how to do
> that yet. Is this possible? Is there a better way to do it?

You *CAN*, by publishing the maps and letting the clients regularly scan for
the map, write it to disk, and restart sshd. It's amazingly bad practice.
You may as well put them on an FTP server; NIS has no good security
structure to control where its maps get written to.

How do you "install" your machines? If you're using an automated
installation procedure, such as a RedHat "kickstart" procedure, it's
possible to put the keys on the installation floppy image and install them
automatically.

Alternatively, if you're going to publish the files this way, you might
consider putting them on an rsync server that restricts access to specific
clients, although that also isn't great security.

Last, consider using a "push" model from your central server. After the
client is installed, remove the client's "known_hosts" entries from the
pushing account, use ssh to push the "old" private keys to the client and
restart its sshd, then restore the old "known_hosts" entries or load a new
set by logging into it again to test things.

If you don't flush the old public keys from the "known_hosts" list, you'll
have some problems when doing the push.
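The flush-and-reload step the reply describes, as an added example that is not from the post or its author: a small Python routine that drops every ssh_known_hosts entry for a reinstalled host (plain names, comma-separated lists and HashKnownHosts-style `|1|salt|hash` entries, the same matching `ssh-keygen -R` performs) and then appends the host's new key. Host names, addresses, salt and key strings are constructed sample data.

```python
import base64
import hashlib
import hmac


def hash_host(host: str, salt: bytes) -> str:
    """Build the hashed host token OpenSSH writes when HashKnownHosts is on:
    |1|base64(salt)|base64(HMAC-SHA1(salt, hostname))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())


def _hashed_match(token: str, host: str) -> bool:
    """Recompute the HMAC for `host` with the entry's salt and compare."""
    parts = token.split("|")            # '|1|salt|hash' -> ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hash_host(host, base64.b64decode(parts[2])) == token


def line_matches(line: str, host: str) -> bool:
    """True if a known_hosts line names `host`; comments and blanks never match."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return False
    fields = stripped.split()
    if fields[0].startswith("@"):       # skip @cert-authority / @revoked marker
        fields = fields[1:]
    hosts_field = fields[0]
    if hosts_field.startswith("|1|"):
        return _hashed_match(hosts_field, host)
    return host in hosts_field.split(",")


def flush_host(known_hosts: str, host: str) -> str:
    """Remove every entry for `host` (old key after a reinstall), keep the rest."""
    kept = [l for l in known_hosts.splitlines() if not line_matches(l, host)]
    return "\n".join(kept) + "\n"


def add_host_key(known_hosts: str, hosts: str, key_line: str) -> str:
    """Append the freshly installed host's key after the stale one is gone."""
    return known_hosts + "%s %s\n" % (hosts, key_line)


SALT = b"0123456789abcdef0123"          # constructed 20-byte salt
SAMPLE_KNOWN_HOSTS = (                  # constructed ssh_known_hosts content
    "# lab subnet hosts (constructed example data)\n"
    "host1,host1.lab,10.0.0.11 ssh-rsa AAAAB3OLDKEY-host1\n"
    "host2,10.0.0.12 ssh-rsa AAAAB3KEY-host2\n"
    + hash_host("host1", SALT) + " ssh-ed25519 AAAAC3OLDKEY-host1-hashed\n"
)


def reinstall_host1() -> str:
    """The post's push-model step: flush host1's stale keys, load its new key."""
    cleaned = flush_host(SAMPLE_KNOWN_HOSTS, "host1")
    return add_host_key(cleaned, "host1,host1.lab,10.0.0.11",
                        "ssh-ed25519 AAAAC3NEWKEY-host1")
```

Skipping the flush is exactly what produces the host-key-mismatch failure the reply warns about: the stale plain and hashed host1 lines would still be consulted ahead of the pushed key.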
