HPE Community
Operating System - HP-UX
1828162 Members
2207 Online
109975 Solutions
New Discussion

ssh question

 
Michael Murphy_2
Frequent Advisor

‎09-08-2010 10:44 AM

‎09-08-2010 10:44 AM

ssh question

if i generate ssh keys on a local machine to a remote machine - can i use the same key on aother box (and if the remote system puts the key in as "valid" for the second box in their authorized_keys file") - will this work? We are investigatine for a DR machine. Thanks
0 Kudos
Reply
3 REPLIES 3
Ryan Green
Valued Contributor

‎09-08-2010 11:17 AM

‎09-08-2010 11:17 AM

Re: ssh question

If you used ssh-keygen -t rsa ..., then you should have generated a file named id_rsa.pub. You can copy this file to another server and then use the command:

ssh-keygen -i -f filename >> authorized_keys

This will allow you use the same key on multiple machines.
0 Kudos
Reply
TwoProc
Honored Contributor

‎09-08-2010 11:22 AM

‎09-08-2010 11:22 AM

Re: ssh question

Yes Micheal, you can use the same key for the same user across multiple machines.

Is it a good idea to do so?

No. You're killing your security. If any gets just one of your keys all systems with that user are compromised.

Make a key for each user.

BUT! A DR machine is different. If that DR machine is essentially the other host "rebuilt" on the fly (scripted, recovered, mirroed, etc), then using the whole environment including keys is generally the expected idea to come up quickly at DR site.


So, yes and no, but in this case - for DR, the answer is probably yes, depending of course.
We are the people our parents warned us about --Jimmy Buffett
0 Kudos
Reply
Jim Walls
Trusted Contributor

‎09-08-2010 12:24 PM

‎09-08-2010 12:24 PM

Re: ssh question

I agree with most of what has been said here. But it is important to understand how (Private Public Keys) PPK keys work.

ssh-keygen generates a pair of keys keys: A private key (e.g. .ssh/id_rsa) and a corresponding public key (e.g. .ssh/id_rsa.pub). The private key must be kept secret and stored in a secure manner by the key's owner. The public key may be distributed freely to any system to which the owner requires access. The public key, on its own, is useless - only the holder of the private key can use it.

For automated processes you have little option but to maintain multiple private keys - and each server should have it's own instances of those key (certainly in the Active/DR example). But there are more secure ways of managing keys.

SSH provides a powerful tool for minimising the number of keys required by individual users for interactive access to multiple keys. Forward Authentication. In this type of setup each individual maintains a single instance of a personal private key (I keep mine on a USB stick) and distributes the corresponding public key to every system that he or she requires access to. Forward Authentication validates the keys back to the original source... even allowing multi-hop access accross any number of systems. Such a setup can also be used for automated processes - but in the case of a DR you may lose access to a single instance of the private key.

In my situation, my private key follows me everywhere I go (literally; it is in my pocket!). With a product such as PuTTY (also kept on my USB stick) and given any suitable desktop PC, I can access all my servers from almost anywhere. And my private key does not have to be stored on any of them.


0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.