SSH Introducing Scripts

I find it a huge pain to introduce new machines as authorized hosts when linking them up to my existing servers. While enterprise-level systems exist for sysadmins to manage thousands of SSH keys, I am but a simple man with his hoard of servers.

Hence, I created these scripts to alleviate the pain & hassle of adding a new host to my servers.

Features

  • Simple UI to upload keys
  • A random URL is generated for every key upload
  • Served over TLS to prevent MITM (verify the certificate fingerprint before connecting)

Usage

You will need:

  • A host that can already connect to the SSH Server (introducer)
  • A host with the SSH Server (server)
  • A host to introduce to the SSH Server (host)

First, SSH into your server from your introducer.

Set-up Phase (do once)

Download upload-public-key.py into your server, and make it executable:

wget <insert link once created> && \
chmod +x ./upload-public-key.py

Download update_authorized_keys.sh into your server under ~/.ssh/, and also make it executable:

wget -O ~/.ssh/update_authorized_keys.sh <insert link once created> && \
chmod +x ~/.ssh/update_authorized_keys.sh

If you are using the same folders as I do, create the public_keys/ssh_keys folder hierarchy:

mkdir -p ~/public_keys/ssh_keys

Copy all of your existing public keys into that directory (in my case, ~/public_keys/ssh_keys).

Key uploading phase

Run ./upload-public-key.py -i <ip address> on your server from your introducer. For security purposes, you must choose the IP address the server is exposed on: use an internal IP address if you are in that environment, or find your server's public IP address with curl ifconfig.me.

You should see something like the following echoed:

Certificate location: /tmp/tmpec8k2a3w
Keyfile location: /tmp/tmpxs4j0x68
Server listening on: <ip>:43529
Certificate fingerprint: 17:9B:3A:A3:2D:CB:82:B3:CF:43:77:D8:FE:82:3B:EA:69:94:C3:65
GET URL: https://<ip>:43529/rvFmnar-UQw
POST URL: https://<ip>:43529/cDFObUte70SA_2KIFjja8Q

On the host, generate a public/private keypair. Then navigate to the URL stated in GET and upload the .pub part of the keypair. Name the key as you would name the file: for example, typing in ubuntu-laptop will save the uploaded key as ubuntu-laptop.pub.

Upon successful submission, the script on the server will automatically quit. Navigate to ~/.ssh and run ./update_authorized_keys.sh. If successful, the new keys will be added to the authorized_keys file.
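As an added illustration of what that merge step should do, here is example code (not the project's own update_authorized_keys.sh, which is not shown on this page) that appends every well-formed, not-yet-present key from a directory of .pub files to authorized_keys, rejecting malformed lines and keys whose declared type does not match the encoded blob, and leaves the file at mode 0600. The allowed key types and the use of the file stem as a fallback comment are assumptions of this example.

```python
import base64
import binascii
import hashlib
import os
import stat
from pathlib import Path

# Allow-list assumed for this example; the public key line's type must match the blob's own type field.
ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_pub_key(line: str):
    """Return (type, base64_blob, comment) for a well-formed OpenSSH public key line, else None."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2 or parts[0] not in ALLOWED_TYPES:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except binascii.Error:
        return None
    # The blob opens with a length-prefixed string naming the key type; it must agree with parts[0].
    if len(blob) < 4:
        return None
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != parts[0]:
        return None
    comment = parts[2] if len(parts) == 3 else ""
    return parts[0], parts[1], comment


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the same form ssh-keygen -l prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def merge_keys(pub_dir: Path, authorized_keys: Path):
    """Append valid, new keys from pub_dir/*.pub to authorized_keys; return fingerprints of keys added."""
    existing = set()
    if authorized_keys.exists():
        for line in authorized_keys.read_text().splitlines():
            k = parse_pub_key(line)
            if k:
                existing.add((k[0], k[1]))
    added = []
    with authorized_keys.open("a") as out:
        for pub in sorted(pub_dir.glob("*.pub")):
            lines = pub.read_text().splitlines()
            k = parse_pub_key(lines[0]) if lines else None  # a .pub file holds one key line
            if k is None or (k[0], k[1]) in existing:
                continue  # malformed, wrong type, or already authorized: skip it
            out.write(f"{k[0]} {k[1]} {k[2] or pub.stem}\n")
            existing.add((k[0], k[1]))
            added.append(fingerprint(k[1]))
    os.chmod(authorized_keys, stat.S_IRUSR | stat.S_IWUSR)  # sshd refuses group/world-writable files
    return added
```

Print the returned fingerprints and compare them against ssh-keygen -lf on the host before trusting the new entry.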

By admin
