Name

ssh-auth-keys — Update ~/.ssh/authorized_keys file(s) on remote systems.

Synopsis

ssh-auth-keys -s HOST|IP | --hosts HOST|IP [ -u TEXT | --users TEXT ] [ -i TEXT | --id TEXT ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]

Description

If you are familiar with using the ssh-agent in combination with the ssh command, you'll learn to love this script.

Basically, it helps you publish your public ID on remote system(s) such that you'll be able to easily log into them. It does this by logging into the system(s) you specify on the command line, and modifying the ${HOME}/.ssh/authorized_keys file for one or more user accounts.
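What the per-account update described above amounts to on the remote side, as an added example (this is not the ssh-auth-keys source). The function name authorize_key and its two arguments are assumptions made for illustration; it accepts a single well-formed public key line, keeps the directory and file permissions tight, and does not append a key that is already present.

```shell
#!/bin/sh
# Added illustration, not the ssh-auth-keys source. authorize_key and its
# arguments are hypothetical names chosen for this example.
#
# authorize_key PUBKEY_FILE HOME_DIR
#   Ensures the key in PUBKEY_FILE is listed once in
#   HOME_DIR/.ssh/authorized_keys. Returns 1 on bad input or I/O failure.
authorize_key() {
    pub_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pub_file" ] && [ -d "$home_dir" ] || return 1

    # Use only the first line, so a multi-line file cannot smuggle in extras.
    key_line=
    IFS= read -r key_line < "$pub_file" || [ -n "$key_line" ] || return 1

    # The line must start with a key type. This also rejects lines that begin
    # with authorized_keys options such as command="...".
    case $key_line in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp*\ *) ;;
        *) return 1 ;;
    esac

    # Second field is the base64 key blob; allow base64 characters only.
    blob=${key_line#* }
    blob=${blob%% *}
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac

    # With StrictModes (the sshd default), keys are refused if these paths
    # are writable by group or others.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Match on "type blob" so a changed comment does not create a duplicate.
    if ! grep -qF -- "${key_line%% *} $blob" "$auth_file"; then
        # Terminate an unterminated last line before appending.
        [ -z "$(tail -c 1 "$auth_file")" ] || echo >> "$auth_file"
        printf '%s\n' "$key_line" >> "$auth_file" || return 1
    fi
}
```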

Note

Before you can make use of this utility, you must have a file containing your public key. You can use the ssh-keygen command to generate a DSA public/private key pair using the following command:

[root@probe ~]# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa): [PRESS ENTER]
/root/.ssh/id_dsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): UseYourOwn
Enter same passphrase again: UseYourOwn
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
a5:67:b7:13:92:27:5b:cd:e4:a6:01:8c:d3:58:cc:c1 root@probe

[root@probe ~]# ls -l ~/.ssh/id_dsa*
-rw-------  1 root root 1264 Oct  3 16:17 /root/.ssh/id_dsa
-rw-r--r--  1 root root 1112 Oct  3 16:17 /root/.ssh/id_dsa.pub
[root@probe ~]# 

The following invocation demonstrates how one would authorize themselves for future ssh access on the systems: 192.168.10.10, fortuna, and www.hfxc.com. Authorization will be granted for user accounts root and vpn, and you will be prompted for credentials for each system:

[root@probe ~]# ssh-auth-keys -v -s 192.168.10.10:www.hfxc.com:fortuna -u root:vpn


-------------------------------------------------------------
Updating host:  192.168.10.10
Updating users: root vpn
Warning: Permanently added '192.168.10.10' (DSA) to the list of known hosts.
root@192.168.10.10's password: PASSWORD1
Success: updated /root/.ssh/authorized_keys for root on 192.168.10.10
Success: updated /home/vpn/.ssh/authorized_keys for vpn on 192.168.10.10
-------------------------------------------------------------

-------------------------------------------------------------
Updating host:  www.hfxc.com
Updating users: root vpn
Warning: Permanently added 'www.hfxc.com' (DSA) to the list of known hosts.
root@www.hfxc.com's password: PASSWORD2
Success: updated /root/.ssh/authorized_keys for root on www.hfxc.com
Success: updated /home/vpn/.ssh/authorized_keys for vpn on www.hfxc.com
-------------------------------------------------------------

-------------------------------------------------------------
Updating host:  fortuna
Updating users: root vpn
Warning: Permanently added 'fortuna' (DSA) to the list of known hosts.
root@fortuna's password: PASSWORD3
Success: updated /root/.ssh/authorized_keys for root on fortuna
Success: updated /home/vpn/.ssh/authorized_keys for vpn on fortuna
-------------------------------------------------------------

[root@probe ~]# 

Note

In order to update multiple user accounts as shown above, the first user ID in the list MUST be root.

Once the keys have been distributed, we can make use of ssh-agent and ssh-add to allow us to easily access the new systems:

[root@probe ~]# ssh-agent | tee ssh-agent.sh
SSH_AUTH_SOCK=/tmp/ssh-eqGKWa3414/agent.3414; export SSH_AUTH_SOCK;
SSH_AGENT_PID=3416; export SSH_AGENT_PID;
echo Agent pid 3416;
[root@probe ~]# . ssh-agent.sh
Agent pid 3416
[root@probe ~]# rm -f ssh-agent.sh
[root@probe ~]# ssh-add
Enter passphrase for /root/.ssh/id_dsa: UseYourOwn
Identity added: /root/.ssh/id_dsa (/root/.ssh/id_dsa)
[root@probe ~]# ssh root@192.168.10.10
Last login: Fri Sep 30 08:34:40 2005 from 192.168.10.11

===============================================
= Linux Network Security Toolkit (NST v1.2.3) =
===============================================


[root@192.168.10.10 ~]# exit
logout
Connection to 192.168.10.10 closed.
[root@probe ~]# ssh root@fortuna
Last login: Mon Oct  3 16:10:15 2005 from 192.168.10.11

===============================================
= Linux Network Security Toolkit (NST v1.4.0) =
===============================================


[root@fortuna ~]# exit
logout
Connection to fortuna closed.
[root@probe ~]# ssh vpn@fortuna


===============================================
= Linux Network Security Toolkit (NST v1.4.0) =
===============================================


[vpn@fortuna ~]$ exit
logout
Connection to fortuna closed.
[root@probe ~]# 

Note

The important thing to notice in the above output is that once we set up our ssh-agent (which many Linux distributions start for you automatically) and added our key via ssh-add, we were able to freely log in and out of the remote systems without being prompted for credentials.

Options

The following command line options are available:

-s HOST|IP | --hosts HOST|IP

List of system(s) which need to have updates made to ~/.ssh/authorized_keys file(s). You may specify multiple hosts (use a colon to separate names). You may use numeric or ASCII names. For example: moon:titan:127.0.0.1.

[-u TEXT] | [--users TEXT]

Optional list of one or more users (separated by colons). If omitted, it defaults to ${USER} (the current user ID). NOTE: You may only specify multiple users if the first user ID in the list is root!

[-i TEXT] | [--id TEXT]

The public key file to distribute (like $HOME/.ssh/id_dsa.pub). We search for a standard one (under $HOME/.ssh) if you omit this argument.

[-h [true]|false] | [--help [true]|false]

When this option is specified, ssh-auth-keys will display a short one-line description of ssh-auth-keys, followed by a short description of each of the supported command line options. After displaying this information, ssh-auth-keys will terminate.

[-H [true]|false] | [--help-long [true]|false]

This option will attempt to pull up additional ssh-auth-keys documentation within a text-based web browser. You can force which browser we use by setting the environment variable TEXTBROWSER; otherwise, we will search for some common ones.

[-v [true]|false] | [--verbose [true]|false]

When you set this option to true, ssh-auth-keys will produce additional output. This is typically used for diagnostic purposes to help track down when things go wrong.

[--version [true]|false]

If this option is specified, the version number of the script is displayed.