ssh-auth-keys — Update ~/.ssh/authorized_keys file(s) on remote systems.
ssh-auth-keys -s HOSTNAME|IPv4ADDR | --hosts HOSTNAME|IPv4ADDR [ -u TEXT | --users TEXT ] [ -i TEXT | --id TEXT ] [ -h [true]|false | --help [true]|false ] [ -H [true]|false | --help-long [true]|false ] [ -v [true]|false | --verbose [true]|false ] [ --version [true]|false ]
If you are familiar with using ssh-agent in combination with the ssh command, you'll learn to love this script. Basically, it helps you publish your public key on remote system(s) so that you can log into them without typing a password. It does this by logging into the system(s) you specify on the command line and appending your public key to the ${HOME}/.ssh/authorized_keys file of one or more user accounts.
Before you can make use of this utility, you must have a file containing your public key. You can use the ssh-keygen command to generate an RSA public/private key pair as shown below (ssh-keygen -t ed25519 produces a smaller, faster key that current OpenSSH releases also accept). Note that answering y to the "Overwrite" prompt replaces an existing private key, and every host that trusts the old key will stop accepting it; the passphrase protects the private key file at rest and is what ssh-add asks for later.
[root@dev24 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): [PRESS ENTER]
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): UseYourOwn
Enter same passphrase again: UseYourOwn
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:C9ZhhwOH5y5eVXxZdQ1/WgSD7XnkTGD0nJ7XyS9RvBo root@localhost.rwh.shop
The key's randomart image is:
+---[RSA 2048]----+
| ... . +B*B|
| .o.. +.+B*|
| o= .. o BO|
| o.+. =+X|
| o.S. EoBo|
| ...o. o.o|
| . o. .. .|
| . . |
| |
+----[SHA256]-----+
[root@dev24 ~]# ls -l ~/.ssh/id_rsa*
-rw------- 1 root root 1766 May 22 12:58 /root/.ssh/id_rsa
-rw-r--r-- 1 root root  405 May 22 12:58 /root/.ssh/id_rsa.pub
[root@dev24 ~]#
The following invocation demonstrates how one would authorize their key for future ssh access on three systems: 10.222.222.192, fortuna, and www.hfxc.com. The key will be added for the user accounts root and nst, and you will be prompted once per system for the root password (the script logs in as the first user in the list and updates the other accounts from that session):
[root@dev24 ~]# ssh-auth-keys -v -s 10.222.222.192:www.hfxc.com:fortuna -u root:nst -i /root/.ssh/id_rsa.pub
--------------------------------------------------------------------------
Updating host: 10.222.222.192
Updating users: root nst
Warning: Permanently added '10.222.222.192' (RSA) to the list of known hosts.
root@10.222.222.192's password: PASSWORD1
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/root/.ssh/authorized_keys" for root on 10.222.222.192
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/home/nst/.ssh/authorized_keys" for nst on 10.222.222.192
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Updating host: www.hfxc.com
Updating users: root nst
Warning: Permanently added 'www.hfxc.com' (RSA) to the list of known hosts.
root@www.hfxc.com's password: PASSWORD2
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/root/.ssh/authorized_keys" for root on www.hfxc.com
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/home/nst/.ssh/authorized_keys" for nst on www.hfxc.com
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Updating host: fortuna
Updating users: root nst
Warning: Permanently added 'fortuna' (RSA) to the list of known hosts.
root@fortuna's password: PASSWORD3
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/root/.ssh/authorized_keys" for root on fortuna
Using Public Key File: "/root/.ssh/id_rsa.pub"
Updated: "/home/nst/.ssh/authorized_keys" for nst on fortuna
--------------------------------------------------------------------------
[root@dev24 ~]#
In order to update multiple user accounts as shown above, the first user ID in the list MUST be root: the script authenticates once as that first user, and only root can write into the other accounts' home directories and set the ownership of their ~/.ssh files.

Each "Permanently added ... to the list of known hosts" line above means ssh accepted that host's key on first use without any check. Since you type a password into each of these sessions, verify each host key fingerprint out of band before the first run (for example, compare the output of ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the target with what ssh-keyscan HOST | ssh-keygen -lf - reports from your workstation); a machine in the path that answers with its own host key would otherwise receive the password.
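The remote-side step that ssh-auth-keys performs for each account, written out here as an added example in POSIX shell. This is not the script's own code; the function names (first_two_fields, install_authorized_key, count_authorized) and the "added"/"present" results are illustrative. It shows the two details a practitioner cares about that the output above does not: the key is appended only once, so re-running is harmless, and ~/.ssh and authorized_keys get the modes that sshd's StrictModes check (on by default) requires before it will honour the file.

```shell
#!/bin/sh
# Added example (not ssh-auth-keys' own code): the remote-side step the
# script performs for one account, written as an idempotent shell function.
# Function names and the "added"/"present" results are illustrative.

# first_two_fields FILE -> "keytype base64blob" from the first line of FILE.
# A public key is identified by its type and blob; the trailing comment is
# free text and may differ between copies, so it is ignored when comparing.
# Assumes plain ssh-keygen output (no leading authorized_keys options).
first_two_fields() {
    awk 'NR == 1 && NF >= 2 { print $1, $2; exit }' "$1"
}

# install_authorized_key PUBKEY_FILE TARGET_HOME
# Prints "added" if the key was appended, "present" if it was already there.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    key_id=$(first_two_fields "$pubkey_file")
    if [ -z "$key_id" ]; then
        echo "not a public key file: $pubkey_file" >&2
        return 1
    fi

    # With StrictModes (sshd's default) a group- or world-writable ~/.ssh or
    # authorized_keys makes sshd ignore the file, so set the modes explicitly;
    # umask 077 keeps the files from ever being momentarily readable by others.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Compare type and blob only; do nothing if this key is already listed.
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        echo present
        return 0
    fi
    # Append exactly one line, newline-terminated even if the source file
    # lacks a trailing newline, so the next key never lands on the same line.
    printf '%s\n' "$(head -n 1 "$pubkey_file")" >> "$auth_keys"
    echo added
}

# count_authorized PUBKEY_FILE TARGET_HOME -> number of matching entries
count_authorized() {
    key_id=$(first_two_fields "$1")
    awk -v id="$key_id" '($1 " " $2) == id { n++ } END { print n + 0 }' "$2/.ssh/authorized_keys"
}
```

Run it on the target as root with the public key file and the account's home directory, e.g. install_authorized_key /tmp/id_rsa.pub /home/nst, and follow it with chown -R nst:nst /home/nst/.ssh when installing for another account; the comparison on type and blob is why the same key copied with a different comment still counts as present.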
Once the keys have been distributed, we can make use of ssh-agent and ssh-add to allow us to easily access the new systems:
[root@dev24 ~]# ssh-agent | tee ssh-agent.sh
SSH_AUTH_SOCK=/tmp/ssh-eqGKWa3414/agent.3414; export SSH_AUTH_SOCK;
SSH_AGENT_PID=3416; export SSH_AGENT_PID;
echo Agent pid 3416;
[root@dev24 ~]# . ssh-agent.sh
Agent pid 3416
[root@dev24 ~]# rm -f ssh-agent.sh
[root@dev24 ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa: UseYourOwn
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@dev24 ~]# ssh root@10.222.222.192
Last login: Fri May 22 08:34:40 2016 from 10.222.222.189
===========================================
= Linux Network Security Toolkit (NST 24) =
===========================================
[root@10.222.222.192 ~]# exit
logout
Connection to 10.222.222.192 closed.
[root@dev24 ~]# ssh root@fortuna
Last login: Mon May 21 16:10:15 2016 from 10.222.222.189
===========================================
= Linux Network Security Toolkit (NST 22) =
===========================================
[root@fortuna ~]# exit
logout
Connection to fortuna closed.
[root@dev24 ~]# ssh vpn@fortuna
===========================================
= Linux Network Security Toolkit (NST 24) =
===========================================
[vpn@fortuna ~]$ exit
logout
Connection to fortuna closed.
[root@dev24 ~]#
The important thing to notice in the above output is that once we set up our ssh-agent (which many Linux distributions start for you automatically; eval "$(ssh-agent -s)" does the same as the tee/source/rm sequence above without writing a file) and added our key via ssh-add, we were then able to freely log in and out of the remote systems without being prompted for credentials. Keep in mind that an agent-loaded key authenticates to every host that trusts it for as long as the agent holds it: ssh-add -t LIFETIME makes the agent forget the key after the given time, and agent forwarding (ssh -A) should not be enabled towards hosts you do not control, since root on such a host can use your agent to log in elsewhere.
The following command line options are available:
-s HOSTNAME|IPv4ADDR | --hosts HOSTNAME|IPv4ADDR
List of system(s) which need to have updates made to their ~/.ssh/authorized_keys file(s). You may specify multiple hosts (use a colon to separate names). You may use numeric or ASCII names. For example: moon:titan:127.0.0.1.
-u TEXT | --users TEXT
Optional list of one or more users (separated by colons). If omitted, it defaults to ${USER} (the current user ID). NOTE: You may only specify multiple users if the first user ID in the list is root, because the script logs in as the first user and must be able to write the other users' ~/.ssh/authorized_keys files from that session!
-i TEXT | --id TEXT
The public key file to distribute (like "$HOME/.ssh/id_dsa.pub"). If you omit this argument, we search for a default one under "$HOME/.ssh/", starting with "$HOME/.ssh/id_rsa.pub".
-h [true]|false | --help [true]|false
When this option is specified, ssh-auth-keys will display a short one line description of ssh-auth-keys, followed by a short description of each of the supported command line options. After displaying this information ssh-auth-keys will terminate.
-H [true]|false | --help-long [true]|false
This option will attempt to pull up additional ssh-auth-keys documentation within a text based web browser. You can force which browser we use by setting the environment variable TEXTBROWSER; otherwise, we will search for some common ones.
-v [true]|false | --verbose [true]|false
When you set this option to true, ssh-auth-keys will produce additional output. This is typically used for diagnostic purposes to help track down when things go wrong.
--version [true]|false
If this option is specified, the version number of the script is displayed.
${HOME}/.ssh/authorized_keys
The file which is updated on remote system(s) when this command is run successfully. If you specify more than one user, this file will be updated for each user account on each remote system.
${HOME}/.ssh/id_rsa.pub
The first OpenSSH RSA public key ID file we will search for if you don't specify the -i FILE option. This is the typical location for the public RSA key for many OpenSSH distributions.
${HOME}/.ssh/id_dsa.pub
The second OpenSSH DSA public key ID file we will search for if you don't specify the -i FILE option. This is the typical location for the public DSA key for many OpenSSH distributions. Note that OpenSSH 7.0 and later disable the ssh-dss key type by default on both client and server, so a DSA key distributed this way will generally be rejected by current systems; use an RSA or Ed25519 key instead.