Initial add of defaria.com

[clearscm.git] / defaria.com / blogs / Status / 2008 / 07 / preshared-ssh-k.html

<!DOCTYPE html>
<html lang="en-us" itemscope itemtype="http://schema.org/Article">
  <head>
    <meta charset="utf-8">
    <meta name="description" content="Issue Gantry mentioned that we are still having issues with pre-shared key access to various systems using pswit as the log in. This email will serve to document how pre-share key access works, how we are using it here and...">
    <meta name="generator" content="Movable Type 5.2.3">
    <title>Pre-shared ssh keys - Status</title>
    <link rel="alternate" type="application/atom+xml" title="Recent Entries" href="http://defaria.com/blogs/Status/atom.xml">
    <link rel="canonical" href="http://defaria.com/blogs/Status/2008/07/preshared-ssh-k.html">
    <meta name="viewport" content="width=device-width,initial-scale=1">
    <link rel="stylesheet" href="http://defaria.com/blogs/Status/styles.css">
    <!--[if lt IE 9]>
    <link rel="stylesheet" href="http://defaria.com/blogs/Status/styles_ie.css">
    <script src="/mt/mt-static/support/theme_static/rainier/js/html5shiv.js"></script>
    <![endif]-->
    
    <link rel="start" href="http://defaria.com/blogs/Status/">

    <link rel="prev" href="http://defaria.com/blogs/Status/2008/05/post-6.html" title="RantestDB">
    <link rel="next" href="http://defaria.com/blogs/Status/2009/04/cpan-bundles-an.html" title="CPAN Bundles and PREFIX">
    <!-- Open Graph Protocol -->
    <meta property="og:type" content="article">
    <meta property="og:locale" content="en-us">
    <meta property="og:title" content="Pre-shared ssh keys">
    <meta property="og:url" content="http://defaria.com/blogs/Status/2008/07/preshared-ssh-k.html">
    <meta property="og:description" content="Issue Gantry mentioned that we are still having issues with pre-shared key access to various systems using pswit as the log in. This email will serve to document how pre-share key access works, how we are using it here and...">
    <meta property="og:site_name" content="Status">
    <meta property="og:image" content="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
    <!-- Metadata -->
    <meta itemprop="description" content="Issue Gantry mentioned that we are still having issues with pre-shared key access to various systems using pswit as the log in. This email will serve to document how pre-share key access works, how we are using it here and...">
    <link itemprop="url" href="http://defaria.com/blogs/Status/2008/07/preshared-ssh-k.html">
    <link itemprop="image" href="/mt/mt-static/support/theme_static/rainier/img/siteicon-sample.png">
    
  </head>
  <body>
    <div id="container">
      <div id="container-inner">
        <header id="header" role="banner">
          <div id="header-inner">
            <div id="header-content">
              <h1>
                <a href="http://defaria.com/blogs/Status/">

                  Status

                </a>
              </h1>
              
            </div>

            <nav role="navigation">
          <ul>
            <li><a href="http://defaria.com/blogs/Status/">Home</a></li>


          </ul>
        </nav>

          </div>
        </header>
        <div id="content">
          <div id="content-inner">
            <ul class="breadcrumb breadcrumb-list">
              <li class="breadcrumb-list-item"><a href="http://defaria.com/blogs/Status/">Home</a></li>
              <li class="breadcrumb-list-item">Pre-shared ssh keys</li>
            </ul>
            <div id="individual-main" class="main" role="main">
              <article id="entry-1952" class="entry entry-asset asset hentry">
                <div class="asset-header">
                  <h2 itemprop="name" class="asset-name entry-title">Pre-shared ssh keys</h2>
                  <footer class="asset-meta">
                    <ul class="asset-meta-list">
                      <li class="asset-meta-list-item">Posted on <time datetime="2008-07-30T17:25:01-08:00" itemprop="datePublished">July 30, 2008</time></li>
                      <li class="asset-meta-list-item">by <span class="author entry-author vcard"></span></li>

  
                      <li class="asset-meta-list-item">in <a itemprop="articleSection" rel="tag" href="http://defaria.com/blogs/Status/general-dynamics/">General Dynamics</a></li>
  

                   </ul>
                </footer>
                </div>
                <div class="entry-content asset-content" itemprop="articleBody">
                  <h3>Issue</h3>

<p>Gantry mentioned that we are still having issues with pre-shared key access to various systems using pswit as the log in. This email will serve to document how pre-share key access works, how we are using it here and how the process is breaking down. We could attempt to script it but there are challenges and issues with that, specifically the
gathering of ssh keys requires root access. Or we could simply learn how it works and follow a process, which I'll suggest.</p>

<h3>How pre-shared ssh access works</h3>

<p>In order to ssh to another machine as another user (or any user including yourself) using a pre-shared key you eed have a key to share. Therefore you need to generate an ssh key. We tend to use DSA keys as they are stronger. The process of generating an ssh key will not be discussed here but if you have one then in your home directory you'll have a file name id_dsa.pub under your .ssh directory.</p>

<p>The contents of this file needs to be placed into the "receiving" user's ~/.ssh/authorized_keys file. The act of doing this specifically states "I know &lt;x&gt; and I will allow him to ssh into this machine as me". So if I (p6258c) want to ssh to seast1 as pswit I need to get my DSA key (~p6258c/.ssh/id_dsa.pub) into pswit's authorized_keys file (~pswit/.ssh/authorized_keys).</p>

<h3>NIS domain/Windows considerations</h3>

<p>An additional complication here is that pswit in the RAN NIS domain != pswit in the RANTEST NIS domain. So If I wanted to be able to ssh as pswit to ranray I'd need to <b>also</b> get my DSA key (generated on the RAN NIS domain) into ~pswit/.ssh/authorized_keys. remember pswit's home directory on ranray != pswit's home directory on seast1. Both entities (the pswit user ID in RAN and the pswit user ID in RANTEST) are distinct and different users.</p>

<p>A further complication is that pswit on the 11 Windows machines are all local users to those Windows machines. The Windows machines are in the set (rantm50[1..7], sim[1..4]).</p>

<h3>Gathering ssh keys and building a combined authorzied_keys file</h3>

<p>So we need to collect ssh keys from multiple users, in multiple Unix NIS domains to multiple machines. In the past what I did was to gather all of the ssh keys for the users on the RAN side into an authorized_keys file named ran and then gathered all of the ssh keys for the users on the RANTEST side in an authorized_keys file named east. Normally an ssh key would say "&lt;user&gt;@&lt;machine&gt;" where &lt;machine&gt; is the machine which ssh-keygen was run. To avoid confusion I changed the comment at the end of each key to say "&lt;user&gt;@ran" or "&lt;user&gt;@east" in the respective files. Then I would concatenate the two files, ran and east, to one authorized keys file. This file was then checked into Clearcase under rantest_auto/config.</p>

<h3>Dissemination</h3>

<p>Since the home directory for pswit is always the same home directory for all machines in the RAN domain, and since the same is true in the RANTEST domain, we need only set authorized_keys twice, once in RAN and once in RANTEST, for the Unix side. However we need to also disseminate keys to 11 Windows boxes. Here's, effectively, how I do that.</p>

<div class="code">
<pre>$ machines="\
&gt;  ranray\
&gt;  seast1\
&gt;  rantm501\
&gt;  rantm502\
&gt;  rantm503\
&gt;  rantm504\
&gt;  rantm505\
&gt;  rantm506\
&gt;  rantm507\
&gt;  sim1\
&gt;  sim2\
&gt;  sim3\
&gt;  sim4\
&gt; "

$for machine in $machines; do
  scp -q authorized_keys <a class="moz-txt-link-abbreviated" href="mailto:pswit@$machine:.ssh">pswit@$machine:.ssh</a>
done
</pre>
</div>

<p>This disseminates the authorized_keys file to all the appropriate machines.</p>

<h3>Current state</h3>

<p>Currently, gathering up all authorized_keys files in a reverse fashion to the above, we have:</p>

<table align="center" border="1" cellpadding="2" cellspacing="0"
 width="75%">
  <tbody>
    <tr>
      <th bgcolor="teal" valign="top"><font color="#ffffff">Region/Machine<br>
      </font></th>
      <th bgcolor="teal" valign="top"><font color="#ffffff"># of Entries<br>
      </font></th>
      <th bgcolor="teal" valign="top"><font color="#ffffff">Comments<br>
      </font></th>
    </tr>
    <tr>
      <td align="center" valign="top">master<br>
      </td>
      <td align="center" valign="top">92<br>
      </td>
      <td valign="top">Master authorized_keys file from Clearcase<br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">ran<br>
      </td>
      <td align="center" valign="top">95<br>
      </td>
      <td valign="top">authorized_keys file from RAN<br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm501<br>
      </td>
      <td align="center" valign="top">92<br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm502</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm503</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm504</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm505</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm506</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">rantm507</td>
      <td align="center" valign="top">92</td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">seast1<br>
      </td>
      <td align="center" valign="top">97</td>
      <td valign="top">authorized_keys file from RANTEST<br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">sim1<br>
      </td>
      <td align="center" valign="top">93<br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">sim2<br>
      </td>
      <td align="center" valign="top">92<br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">sim3<br>
      </td>
      <td align="center" valign="top">92<br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td align="center" valign="top">sim4<br>
      </td>
      <td align="center" valign="top">92<br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
  </tbody>
</table>

<p>The way to have pre-shared ssh key access working the best is for each Region/Machine to have the same amount of entries (actually the exact same authorized_keys file). But we can see that people are indiscriminately changing the authorized_keys file only in certain places causing confusion and causing the process to break down.</p>

<h3>Suggested process</h3>

<p>When somebody reports that they are having a problem with ssh access using a pre-shared key to become pswit on another machine they should submit a help desk ticket. The way to resolve the help desk ticket is to:</p>

<ol>
  <li>Generate this user's DSA ssh key (if required) on both the RAN
and the RANTEST NIS domains</li>
  <li>Change the host name associated with the key to "ran" or "east"
as appropriate</li>
  <li>Open a WOR in the RANTEST_Auto project and create a view</li>
  <li>Checkout the rantest_tools/config/authorized_keys file and edit
it appending the two DSA ssh keys</li>
  <li>Checkin and deliver the WOR</li>
  <li>Either execute the above code to disseminate the new
authorized_keys file or perhaps we could write a simple script to do it.<br>
  </li>
</ol>

<p>Comments?</p>
                  
                </div>
                <nav class="page-navigation entry-navigation pagination content-nav">
                  <ul class="page-navigation-list">

                    <li class="page-navigation-list-item page-navigation-prev"><a rel="prev" href="http://defaria.com/blogs/Status/2008/05/post-6.html" title="RantestDB">Previous entry</a></li>


                    <li class="page-navigation-list-item page-navigation-next"><a rel="next" href="http://defaria.com/blogs/Status/2009/04/cpan-bundles-an.html" title="CPAN Bundles and PREFIX">Next entry</a></li>

                  </ul>
                </nav>
                <!--
<aside id="zenback" class="zenback feedback">
  Please paste Zenback script code here.
</aside>
-->
                
                
              </article>
            </div>
            <aside class="widgets related" role="complementary">
              <nav class="widget-search widget">
  <div class="widget-content">
    <form method="get" id="search" action="http://defaria.com/mt/mt-search.cgi">
      <div>
        <input type="text" name="search" value="" placeholder="Search...">

        <input type="hidden" name="IncludeBlogs" value="8">

        <input type="hidden" name="limit" value="20">
        <button type="submit" name="button">
          <img alt="Search" src="/mt/mt-static/support/theme_static/rainier/img/search-icon.png">
        </button>
      </div>
    </form>
  </div>
</nav>
<nav class="widget-archive-category widget">
  <h3 class="widget-header">Categories</h3>
  <div class="widget-content">
    
      
    <ul class="widget-list">
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/ameriquest/">Ameriquest (99)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/audience/">Audience (3)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/broadcom/">Broadcom (76)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/gpdb/">GPDB (35)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/general-dynamics/">General Dynamics (61)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/general-electric/">General Electric (13)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/hewlett-packard/">Hewlett Packard (13)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/lynuxworks/">LynuxWorks (162)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/pqa/">PQA (35)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/salira/">Salira (79)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/tellabs/">Tellabs (2)</a>
      
      
      </li>
      
    
      
      
      <li class="widget-list-item"><a href="http://defaria.com/blogs/Status/texas-instruments/">Texas Instruments (31)</a>
      
      
      </li>
      
    </ul>
      
    
  </div>
</nav>
  

<nav class="widget-archive-dropdown widget">
  <h3 class="widget-header">Archives</h3>
  <div class="widget-content">
    <select>
      <option>Select a Month...</option>
    
      <option value="http://defaria.com/blogs/Status/2016/02/">February 2016</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2014/09/">September 2014</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2014/04/">April 2014</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2014/03/">March 2014</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2013/02/">February 2013</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/09/">September 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/08/">August 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/05/">May 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/04/">April 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/02/">February 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2012/01/">January 2012</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2011/10/">October 2011</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2011/07/">July 2011</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2010/09/">September 2010</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2010/08/">August 2010</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2010/04/">April 2010</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2010/03/">March 2010</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2010/02/">February 2010</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2009/05/">May 2009</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2009/04/">April 2009</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/07/">July 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/05/">May 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/04/">April 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/03/">March 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/02/">February 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2008/01/">January 2008</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/12/">December 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/11/">November 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/10/">October 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/09/">September 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/08/">August 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/07/">July 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/06/">June 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/05/">May 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/04/">April 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/03/">March 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2007/01/">January 2007</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/12/">December 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/11/">November 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/10/">October 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/09/">September 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/07/">July 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/06/">June 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/05/">May 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/04/">April 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/03/">March 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/02/">February 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2006/01/">January 2006</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/12/">December 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/11/">November 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/10/">October 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/09/">September 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/08/">August 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/07/">July 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/06/">June 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/05/">May 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/04/">April 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/03/">March 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/02/">February 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2005/01/">January 2005</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/12/">December 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/09/">September 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/08/">August 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/07/">July 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/06/">June 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/05/">May 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/04/">April 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/03/">March 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/02/">February 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2004/01/">January 2004</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2003/12/">December 2003</option>
    
  
    
      <option value="http://defaria.com/blogs/Status/2003/11/">November 2003</option>
    
    </select>
  </div>
</nav>
    
  

<div class="widget-syndication widget section">
  <div class="widget-content">
    <p><img src="http://defaria.com/mt/mt-static/images/status_icons/feed.gif" alt="Subscribe to feed" width="9" height="9" /> <a href="http://defaria.com/blogs/Status/atom.xml">Subscribe to this blog's feed</a></p>

  </div>
</div>

            </aside>
          </div>
        </div>
        <footer id="footer" role="contentinfo">
          <div id="footer-inner">
            <div id="footer-content">
  <nav role="navigation">
          <ul>
            <li><a href="http://defaria.com/blogs/Status/">Home</a></li>


          </ul>
        </nav>

  <p class="license">&copy; Copyright 2016.</p>
  <p class="poweredby">Powered by <a href="http://www.movabletype.org/">Movable Type</a></p>
</div>
          </div>
        </footer>
      </div>
    </div>
    <script src="http://defaria.com/mt/mt-static/jquery/jquery.min.js"></script>
    <script src="http://defaria.com/blogs/Status/mt-theme-scale2.js"></script>
  </body>
</html>