Distributed Public Key


I am currently working on implementing an ssh solution for my home. The
environment will contain multiple subnets all with access to NIS. What
I would like to do is store the public key file for a machine in some
central location so that when I reinstall a machine I do not have to
go back and delete the entry out of the ssh_known_hosts and it will
already be recognized by the other machines on the LAN. I would think I
should be able to use NIS to distribute this data to the clients using
something like a public key map but I haven't been able to figure out how to do
that yet. Is this possible? Is there a better way to do it?

Thank you for your help


Re: Distributed Public Key


You *CAN*, by publishing the maps and letting the clients regularly scan for
the map, write it to disk, and restart sshd. It's amazingly bad practice.
You may as well put them on an FTP server; NIS has no good security
structure to control where its maps get written to.

How do you "install" your machines? If you're using an automated
installation procedure, such as a RedHat "kickstart" procedure, it's
possible to put the keys on the installation floppy image and install them.

Alternatively, if you're going to publish the files this way, you might
consider putting them on an rsync server that restricts access to specific
clients, although that also isn't great security.

Last, consider using a "push" model from your central server. After the
client is installed, remove the client's "known_hosts" entries from the
pushing account, use ssh to push the "old" private keys to the client and
restart its sshd, then restore the old "known_hosts" entries or load a new
set by logging into it again to test things.

If you don't flush the old public keys from the "known_hosts" list, you'll
have some problems when doing the push.
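The push model from the reply above, as an added example that is not part of the original thread: a central server keeps each client's SSH host key pair and puts it back after a reinstall, so the other machines' known_hosts entries stay valid. The /srv/hostkeys/<host>/ layout, the root@ login, the ed25519 key file name and the systemctl restart are assumptions; recording the installer's temporary key in a scratch known_hosts file is a variation on the reply's remove-then-restore step.

```shell
#!/bin/sh
# Added example, not from the thread: push a preserved SSH host key pair back
# to a reinstalled client and keep the pushing account's known_hosts consistent.
# /srv/hostkeys/<host>/, root@ login, the ed25519 file name and systemctl are
# assumptions about the environment.
set -eu

# Build a known_hosts line from an OpenSSH .pub file: the .pub holds
# "keytype base64 comment"; known_hosts wants "hostnames keytype base64".
pub_to_known_hosts_line() {  # pub_to_known_hosts_line HOSTNAMES PUBFILE
    awk -v names="$1" '{ print names, $1, $2; exit }' "$2"
}

# Rewrite KNOWN_HOSTS into OUT with every plain entry naming HOST removed and
# one fresh entry built from PUBFILE appended. Comments, blank lines and
# @cert-authority/@revoked marker lines are kept. Hashed entries ("|1|...")
# cannot be matched by name; use "ssh-keygen -R HOST" for those.
refresh_known_host() {  # refresh_known_host KNOWN_HOSTS HOST PUBFILE OUT
    awk -v host="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ || /^@/ { print; next }
        { n = split($1, names, ","); keep = 1
          for (i = 1; i <= n; i++) if (names[i] == host) keep = 0
          if (keep) print }' "$1" > "$4"
    pub_to_known_hosts_line "$2" "$3" >> "$4"
}

# The push itself (network side; not exercised offline). Steps follow the
# reply above: contact the fresh install, put the preserved key pair back,
# restart sshd, then make sure known_hosts records the preserved key.
push_host_keys() {  # push_host_keys HOST
    host=$1; keydir=/srv/hostkeys/$host; kh=$HOME/.ssh/known_hosts
    scratch=$(mktemp)
    # First contact with the fresh install is trust-on-first-use: check the
    # installer's fingerprint out of band (console) before relying on it.
    # Its key is recorded in a scratch file so the installer's key never
    # lands in the real known_hosts and no later cleanup of it is needed.
    opts="-o UserKnownHostsFile=$scratch -o StrictHostKeyChecking=accept-new"
    scp $opts "$keydir"/ssh_host_*_key "$keydir"/ssh_host_*_key.pub \
        "root@$host:/etc/ssh/"
    ssh $opts "root@$host" \
        'chmod 600 /etc/ssh/ssh_host_*_key && systemctl restart sshd'
    rm -f "$scratch"
    # Re-record the preserved key, replacing any stale line for this host
    # (e.g. if the stored key pair was rotated since the last push).
    refresh_known_host "$kh" "$host" "$keydir/ssh_host_ed25519_key.pub" "$kh.new"
    mv "$kh.new" "$kh"
}
```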
