Sunday, June 8, 2008

Distributing New SSH Keys Using Rsh On Linux And Unix

Happy Lazy Sunday,

Today we're going to grind through our "Lazy Sunday" post with a quick script to update SSH keys network-wide, using rsh (the less secure of the two protocols). Once you've accomplished this (or have already accomplished it) and are happy with your network's SSH setup, I'd suggest disabling rsh altogether. Then you can move on to quickly setting up your SSH keys all over the network, maintaining the integrity of your sessions if you have issues with that, and even setting up simple SCP routines to help keep your network easy to manage.

My feeling is that, no matter what the circumstances (unless they make it so you "have" to use it), rsh should always be disabled, whatever version of Linux or Unix you're running. Certain software (like SunCluster, at least up to version 3.1) can experience very strange issues if you don't allow it. I can only afford to keep myself in the almost-very-best, after all ;)

Enjoy your Sunday, and enjoy this little script :) A lot of how you use it depends on the way your network is set up. If it's already secure, you can modify it slightly to use it to update host keys, but it was mostly written for folks with a hybrid rsh/SSH setup who want to move to a full SSH implementation, so that keys can be upgraded everywhere at once from the same base set.

The only major assumptions this script makes are that you've built openssl, openssh and zlib from source, want to install them in /usr/local, and are running this script from the top-level directory of those builds. It should be run with a list of servers following the command name:

host # ./sshdist.sh servera serverb serverc...

Cheers,


This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

#!/bin/sh

#
# sshdist.sh - distribute a newly built openssl, openssh and zlib and set up keys
#
# 2008 - Mike Golvach - eggi@comcast.net
#
# Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License
#
# Usage: ./sshdist.sh host1 host2 ...
#
# Assumes the new openssh*, openssl* and zlib trees are already installed under
# /usr/local on this host, that rsh to every target works without a password,
# and that the old SSH1 installation on each target lives in /usr/local/ssh-1.2.2*.

if [ $# -eq 0 ]; then
    echo "usage: $0 host [host ...]" >&2
    exit 1
fi

cd /usr/local || exit 1

# Copy the three installed trees to every target with tar piped over rsh.
# "cd && tar" rather than "cd; tar" so a failed cd never extracts into $HOME.
for x in "$@"
do
    echo "seeding $x..."
    printf 'openssh... '
    tar cpf - openssh* | rsh "$x" "cd /usr/local && tar xpf -"
    printf 'openssl... '
    tar cpf - openssl* | rsh "$x" "cd /usr/local && tar xpf -"
    printf 'zlib... '
    tar cpf - zlib | rsh "$x" "cd /usr/local && tar xpf -"
    echo "done!"
done

echo
echo "Consistency Check..."
# Coarse check only: compares directory sizes in kilobytes, not file contents.
for x in "$@"
do
    printf '%s: ' "$x"
    rsh "$x" "cd /usr/local && du -sk openssl* openssh* zlib* | xargs echo"
done

echo
echo "Generating Host Keys..."
for x in "$@"
do
    printf '%s...' "$x"
    echo "removing old host and dsa keys..."
    rsh "$x" "rm -f /usr/local/openssh/ssh/ssh_host*key*"
    echo "generating new host key..."
    # Key type given explicitly rather than relying on ssh-keygen's default.
    rsh "$x" "/usr/local/openssh/bin/ssh-keygen -t rsa -b 1024 -f /usr/local/openssh/ssh/ssh_host_key -N ''"
    echo "generating new dsa key..."
    # -t dsa is the current spelling of the deprecated -d flag.
    rsh "$x" "/usr/local/openssh/bin/ssh-keygen -t dsa -f /usr/local/openssh/ssh/ssh_host_dsa_key -N ''"
    echo "Done!"
done

echo
echo "Changing the active SSH installation..."

for x in "$@"
do
    printf '%s... ' "$x"
    # Keep the old ssh-1.2.2 package out of future relinks.
    rsh "$x" "cd /usr/local && ls -d ssh* >> encap.exclude"
    echo "Excluding old ssh from reinstallation and deleting all links..."
    # The && guards matter here: if the cd failed, ls would list the home
    # directory and xargs rm would delete unrelated files from /usr/local/bin.
    rsh "$x" "cd /usr/local/ssh-1.2.2*/bin && ls | xargs -I {} -t rm /usr/local/bin/{}"
    rsh "$x" "cd /usr/local/ssh-1.2.2*/man/man1 && ls | xargs -I {} -t rm /usr/local/man/man1/{}"
    rsh "$x" "cd /usr/local/ssh-1.2.2*/man/man8 && ls | xargs -I {} -t rm /usr/local/man/man8/{}"
    rsh "$x" "cd /usr/local/ssh-1.2.2*/sbin && ls | xargs -I {} -t rm /usr/local/sbin/{}"
    printf 'Stopping old SSH daemon... '
    # Kills every sshd on the target, session children included; \$2 is escaped
    # so the remote awk, not the local shell, expands it.
    rsh "$x" "ps -ef | grep sshd | grep -v grep | awk '{print \$2}' | xargs kill"
    printf 'Relinking... '
    # bin.pl is the site-local relinking script from the original post.
    rsh "$x" "/usr/local/bin.pl /usr/local /usr/local"
    printf 'Starting new SSH daemon... '
    rsh "$x" "/usr/local/sbin/sshd"
    echo "Done!"
done

echo
echo "Sanity Check..."

for x in localhost "$@"
do
    printf '%s : ' "$x"
    rsh "$x" "ps -ef | grep sshd | grep -v grep"
done
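The script's "Consistency Check" only compares `du -sk` sizes, so a truncated or stale binary of the same block size on one target would pass. The following is an added example, not part of the original sshdist.sh, that checksums every file under a tree with plain POSIX tools so the build host's manifest can be diffed against each target's. The directory layout in the demo functions is constructed; the /usr/local paths mentioned in the comments are assumptions about how it would be used with the post's script.

```shell
#!/bin/sh
# Added example (not part of the original sshdist.sh): verify a distributed tree
# by checksum instead of by du -sk size. Demo data below is constructed.

# manifest DIR: print "relative/path crc bytes" for every regular file under DIR,
# one line per file, sorted so identical trees produce identical output.
manifest() {
    ( cd "$1" || exit 1
      find . -type f -print | LC_ALL=C sort | while read -r f; do
          # cksum prints "<crc> <bytes> <name>"; reorder so the path leads the line
          cksum "$f" | { read -r crc bytes name; printf '%s %s %s\n' "$f" "$crc" "$bytes"; }
      done | LC_ALL=C sort )
}

# compare_manifests BUILD_MF TARGET_MF: print each path whose checksum or size
# differs, or which exists on only one side; return 1 if anything differed.
compare_manifests() {
    diffs=$(LC_ALL=C comm -3 "$1" "$2" | awk '{print $1}' | LC_ALL=C sort -u)
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# demo: a "build host" tree and a "target" tree whose ssh binary is stale.
# Prints the mismatched path and returns 1.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/build/openssh/bin" "$work/target/openssh/bin"
    printf 'sshd-binary-v5\n' > "$work/build/openssh/bin/sshd"
    printf 'ssh-binary-v5\n'  > "$work/build/openssh/bin/ssh"
    cp "$work/build/openssh/bin/sshd" "$work/target/openssh/bin/sshd"
    printf 'ssh-binary-OLD\n' > "$work/target/openssh/bin/ssh"   # stale copy on the target
    manifest "$work/build"  > "$work/build.mf"
    manifest "$work/target" > "$work/target.mf"
    rc=0
    compare_manifests "$work/build.mf" "$work/target.mf" || rc=$?
    rm -rf "$work"
    return $rc
}

# identical_demo: the same tree on both sides; prints nothing and returns 0.
identical_demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/a/zlib" "$work/b/zlib"
    printf 'libz\n' > "$work/a/zlib/libz.a"
    printf 'libz\n' > "$work/b/zlib/libz.a"
    manifest "$work/a" > "$work/a.mf"
    manifest "$work/b" > "$work/b.mf"
    rc=0
    compare_manifests "$work/a.mf" "$work/b.mf" || rc=$?
    rm -rf "$work"
    return $rc
}

# Run the mismatch demo when invoked as: sh manifest.sh demo
case "${1:-}" in
    demo) demo ;;
esac
```

To fit this into the post's workflow (an assumed usage, not something the original script does), run `manifest /usr/local > build.mf` on the build host, send the same function to each target over rsh and capture `manifest /usr/local` there, then run `compare_manifests build.mf target.mf`; a non-zero return with the offending paths is the signal to re-seed that host before its sshd is switched over.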

, Mike