#1

    Rotation Of SSH Keys from Central Server


    I have already written a script to handle this, but am always looking to improve. The dependencies of my script are that ssh-keygen and ssh-copy-id are installed.

    Assumption: key auth is already set up.
    1. Generate an SSH key with a comment of today's date.
    2. ssh-copy-id the new key to a server.
    3. Run sed over ssh on the server where the key was just copied, removing the line containing the previous month's date string from the authorized_keys file.
    4. Overwrite the old key file with the newly generated key file.

    Functions below:
    # DATE (today's date), OLDKEY (last month's date string) and DESTINATION
    # (the target host) are expected to be set before these functions run.
    work(){
        if [ -f /tmp/id_rsa_temp ]; then
            rm -f /tmp/id_rsa_temp /tmp/id_rsa_temp.pub
        fi
        # 1. new key pair, comment carries today's date (-N '' = no passphrase)
        ssh-keygen -b 2048 -C "KEY REFRESHED - $DATE" -t rsa -f /tmp/id_rsa_temp -N ''
        # 2. install the new public key on the target host
        ssh-copy-id -i /tmp/id_rsa_temp.pub "$USER@$DESTINATION"
        # 4. replace the current key pair with the new one
        cp /tmp/id_rsa_temp ~/.ssh/id_rsa
        cp /tmp/id_rsa_temp.pub ~/.ssh/id_rsa.pub
        chmod 600 ~/.ssh/id_rsa.pub
        chmod 600 ~/.ssh/id_rsa
    }

    clean(){
        # 3. delete the authorized_keys line that contains last month's date.
        # Double quotes let $OLDKEY expand locally; the sed expression stays
        # single-quoted so the remote shell passes it to sed untouched.
        ssh "$USER@$DESTINATION" "sed -i '/$OLDKEY/d' .ssh/authorized_keys"
    }
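The same four steps, as an added example that is not the original poster's script, with two changes a practitioner would want: the new key is proven to work before the old one is revoked, and the old line is removed from authorized_keys by its exact key material rather than by a date substring, so another key whose comment happens to contain the same date is not deleted with it. It assumes ssh, ssh-keygen and ssh-copy-id are on PATH; the user@host target is a hypothetical argument supplied by the caller, and the demo input is a constructed authorized_keys file.

```shell
#!/bin/sh
# Added example, not the original poster's script: rotate the local key pair
# only after the new key has been proven to work, and revoke the old key on the
# remote host by its exact key material rather than by a date substring.
# Assumes ssh, ssh-keygen and ssh-copy-id on PATH; the user@host target is a
# hypothetical argument supplied by the caller.
set -eu

KEY="${HOME}/.ssh/id_rsa"

# "type blob" of a public-key line, e.g. "ssh-rsa AAAAB3...". Lines with an
# options prefix (from="...", command="...") are not handled here.
key_id() { printf '%s\n' "$1" | awk '{print $1 " " $2}'; }

# Number of lines in FILE ($1) that carry the key material of PUB ($2): 0 or 1.
has_key() {
    awk -v k="$(key_id "$2")" '($1 " " $2) == k {n++} END {print n+0}' "$1"
}

# Drop exactly the line in FILE ($1) matching PUB ($2); rewrite via a temp
# file so a crash mid-write never leaves a truncated authorized_keys.
prune_authorized_keys() {
    file=$1
    tmp=$(mktemp "${file}.XXXXXX")
    awk -v k="$(key_id "$2")" '($1 " " $2) != k' "$file" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Same match as prune_authorized_keys, executed on the remote host. The blob
# is base64 and the type a plain token, so single-quoting them is safe.
remote_prune() {
    dest=$1
    k=$(key_id "$2")
    prog='($1 " " $2) != k'
    ssh "$dest" "awk -v k='$k' '$prog' .ssh/authorized_keys > .ssh/authorized_keys.new && chmod 600 .ssh/authorized_keys.new && mv .ssh/authorized_keys.new .ssh/authorized_keys"
}

rotate() {
    dest=$1
    today=$(date +%Y-%m-%d)
    # work inside ~/.ssh (not world-readable /tmp) so the final rename stays on
    # one filesystem and the unencrypted private key never sits in /tmp
    tmpdir=$(mktemp -d "${HOME}/.ssh/rotate.XXXXXX")
    trap 'rm -rf "$tmpdir"' EXIT
    new="$tmpdir/id_rsa"
    # 1. new key pair; the comment records the rotation date
    ssh-keygen -q -t rsa -b 3072 -C "KEY REFRESHED - $today" -f "$new" -N ''
    # 2. install it using the current (still valid) key
    ssh-copy-id -i "$new.pub" "$dest"
    # 3. prove the new key logs in on its own; IdentitiesOnly stops an agent
    #    or the default key from masking a failed installation
    ssh -o BatchMode=yes -o IdentitiesOnly=yes -i "$new" "$dest" true
    # 4. only now revoke the old key remotely, by its key material
    remote_prune "$dest" "$(cat "$KEY.pub")"
    # 5. swap the local pair into place (rename; private key mode 600)
    chmod 600 "$new"
    chmod 644 "$new.pub"
    mv "$new" "$KEY"
    mv "$new.pub" "$KEY.pub"
}

# Offline demonstration on a constructed authorized_keys (no ssh needed): the
# "backup@2009-04-15" line shares the old key's date string but survives.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'ssh-rsa AAAAB3OLD= KEY REFRESHED - 2009-04-15' \
        'ssh-rsa AAAAB3OTHER= backup@2009-04-15' \
        'ssh-rsa AAAAB3NEW= KEY REFRESHED - 2009-05-15' > "$f"
    prune_authorized_keys "$f" 'ssh-rsa AAAAB3OLD= KEY REFRESHED - 2009-04-15'
    cat "$f"
    rm -f "$f"
}

# usage: sh rotate_ssh_key.sh rotate user@host   |   sh rotate_ssh_key.sh demo
case "${1:-}" in
    rotate) rotate "$2" ;;
    demo)   demo ;;
esac
```

Because of `set -e`, any failure in steps 1 to 3 aborts before the old key is touched, so the current key keeps working; the only residue of a failed run is an extra, unused line in the remote authorized_keys, which the next successful run will not prune because it matches only the key currently in ~/.ssh.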

#2
    Perhaps not the answer you are looking for; but what's wrong with Kerberos? You are basically implementing a service where the keys are valid for 1 day...

    Alternatively, use a patched version of ssh to allow X.509 certificates, and set the accepted DN in authorized_keys. When you generate a new certificate, set it valid for 30 hours or something and distribute the new keypair/certificate to the machines needing it. You will then need to patch ssh at the clients as well so they ship the X.509 cert instead of the pubkey.

#3
    Thanks, and I'll look into this; I have not used it before. The implementation I have walked into has already established infrastructure and processes, so I won't be able to leverage this, but it's something I'm going to look into for sure.

#4
    As a side note: has anyone at your place actually gone through the steps and done a proper analysis of how much added security you get by rotating keys every day? To me this sounds pretty much like security theatre... and a lot of extra hassle to get it to work.
