Help with moving ssh keys around


Scott Frazer

Mar 28, 2009, 2:50:25 PM
to Puppet Users
I'm very new at puppet, but I've almost managed to get to the point
where my puppet server sets up all the basics of a new linux box for
me. The last piece of the puzzle is backups.

The way I do backups is fairly simplistic. I just use mysqldump and
tar to create local backup files and then scp them to a central host
once a day. In order to set this up, I have to create a key on the
new linux server and then move that key to the central backup server.
The way I do this by hand looks like this:

# create the key
mkdir /etc/backups
chmod 500 /etc/backups
ssh-keygen -t rsa -f /etc/backups/$HOSTNAME -q -N ""

# copy the public key up to the server:
scp -i /etc/backups/$HOSTNAME /etc/backups/$HOSTNAME.pub \
    us...@backup.example.com:/c/vshell/publickey/user

The directory looks strange because it's a windows server running the
VShell sshd program. That last line, when run the first time, does
two things that I'm having trouble scripting into puppet:

1) it adds the ssh fingerprint of the backup server to /root/.ssh/known_hosts
2) it prompts me for the password for the "user" account on the backup
server, and then copies the public key for this new server up to the
backup server.

After I've answered both of these prompts once, I'm able to run scp
sessions to the backup server without intervention.

Has this problem been solved elsewhere? I've done some searching but
come up empty. Is there a better way I should be doing it?

Thanks in advance.
Scott

Mike Renfro

Mar 29, 2009, 9:51:33 AM
to puppet...@googlegroups.com
Scott Frazer wrote:

> # copy the public key up to the server:
> scp -i /etc/backups/$HOSTNAME /etc/backups/$HOSTNAME.pub \
>     us...@backup.example.com:/c/vshell/publickey/user
>
> The directory looks strange because it's a windows server running the
> VShell sshd program. That last line, when run the first time, does
> two things that I'm having trouble scripting into puppet:
>
> 1) it adds the ssh fingerprint of the backup server to /root/.ssh/known_hosts

Add the backup server's public key to your puppet manifests with the
sshkey type [1]. This will add the key to /etc/ssh/known_hosts and
bypass that prompt entirely.

> 2) it prompts me for the password for the "user" account on the backup
> server, and then copies the public key for this new server up to the
> backup server.

This one's not as simple. One route would be to distribute a public key
into the Linux systems' /root/.ssh/id_rsa/authorized_keys -- the private
half would be on some privileged account on the backup server. Then, the
Windows system could scp the Linux systems' backup keys to the right
location. However, the Windows system may prompt for new ssh host keys,
or warn if they change.

Another route toward full automation would require collecting up all the
Linux systems' key files and putting them in private folders, one per
system. I use /etc/puppet/private/{fqdn}, and have a mount in
fileserver.conf of

[private]
path /etc/puppet/private/%H

and reference files there as "puppet:///private/ssh_host_dsa_key".
Something like

file { ssh_host_dsa_key:
    path => $operatingsystem ? {
        default => "/etc/ssh/ssh_host_dsa_key"
    },
    owner => root, group => root, mode => 600,
    source => "puppet:///private/ssh_host_dsa_key";
}

but using your /etc/backups key files instead of the system-level ones.

[1] http://reductivelabs.com/trac/puppet/wiki/TypeReference#sshkey

--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- ren...@tntech.edu
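As an added example (not code from either poster), here is a manifest that puts the two halves of Mike's answer together: the backup server's host key is pinned with `sshkey` so the first scp never has to trust an unverified fingerprint, and the per-host key pair is served from the `[private]` mount described above instead of being generated on the client. The host key string, the `backup_key` file names under the mount, and the `backup_client` class name are placeholders/assumptions.

```puppet
# Added example, not from the thread. Placeholders: the host key blob and
# the backup_key file names inside the per-host [private] mount.
class backup_client {
  # Pin the backup server's host key in /etc/ssh/known_hosts. This removes
  # the first-connection prompt and means a changed or spoofed host key is
  # rejected rather than blindly accepted. `key` takes only the base64
  # part: no "ssh-rsa" prefix and no trailing comment. Collect it from the
  # real server, e.g. with ssh-keyscan -t rsa, and verify it out of band.
  sshkey { 'backup.example.com':
    ensure => present,
    type   => 'ssh-rsa',
    key    => 'AAAAB3NzaC1yc2E...PLACEHOLDER-REPLACE-WITH-REAL-HOST-KEY',
  }

  file { '/etc/backups':
    ensure => directory,
    owner  => root,
    group  => root,
    mode   => '0500',
  }

  # The key pair is created once on the puppetmaster under
  # /etc/puppet/private/<hostname>/ and served through the %H mount, so
  # each host can only fetch its own files and the master already holds
  # every public half that has to be copied to the backup server.
  file { "/etc/backups/${hostname}":
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0400',
    source  => 'puppet:///private/backup_key',
    require => File['/etc/backups'],
  }

  file { "/etc/backups/${hostname}.pub":
    ensure  => present,
    owner   => root,
    group   => root,
    mode    => '0444',
    source  => 'puppet:///private/backup_key.pub',
    require => File['/etc/backups'],
  }
}
```

The remaining manual step, placing each public key under /c/vshell/publickey/user on the Windows side, is then done from the master's copy of the keys rather than from each new Linux host.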
