pssh-copy-id

ssh-copy-id [1] is a well-known command for system administration, especially for those deeply involved in clustering. In a cluster environment it is common to use SSH keys instead of passwords on multiple machines, so we can move from one machine to another without typing a password. You can even use a key to limit a user to a specified command, instead of allowing the user to spawn a full shell (as you may see in [1] or [2]).

SSH key pairs are composed of two keys: the public key and the private key. For SSH keys to work, you need to publish the public key on the remote machine, so it can check that you hold the correct private key when you connect. Never publish or make public your private key, as this is an enormous security risk. To publish without risk, you can use the shell script ssh-copy-id, supplied with the openssh package, which will connect to a remote machine and write the public key.

When you have multiple machines, as in a cluster environment, you need to publish your public key in multiple places. A first approach may be a for loop around ssh-copy-id, but this faces an awkward problem: either you have to type the same key multiple times, or you have to pass it insecurely, for example:

for host in host1 host2 host3; do
    yes 'MyPassword' | ssh-copy-id "$host"
done

Done this way, your password is exposed to all users (just by issuing a ps command), so it is not a good practice.

PhD. Casiano Rodriguez Leon exposed this problem to me during one of my PhD courses, and suggested writing a Perl script to make this key publishing issue faster and more secure.

After some work, we’ve come up with a solution called pssh-copy-id, which is a Perl script / library, published on Google Code [4]. We hope to refine and clean the code, so it would be accepted on CPAN and freely available to all the community.

pssh-copy-id, currently a work in progress, lets you use a syntax similar to ssh-copy-id to publish the key, for example:

$ pssh-copy-id host1 host2 host3

This will ask for your password (assuming it is the same for all of the hosts), and publish the default key on all the machines listed. The password won’t be exposed in any way*. In addition, pssh-copy-id will check whether the key has already been published, in which case it won’t be repeated. Also, pssh-copy-id supports hosts without a password, for example, a host with another key already published.
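The "already published" check described above amounts to comparing key type and blob before appending to authorized_keys. The shell sketch below is an added example, not pssh-copy-id's own code (which is Perl); the names publish_key and demo, the file paths and the sample key are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not pssh-copy-id's own code. publish_key and the demo paths
# are hypothetical names; the key below is constructed, not a real key.

# publish_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Exit status: 0 = appended, 1 = already published, 2 = refused (bad input).
publish_key() (
    pub=$1 auth=$2
    [ -r "$pub" ] || exit 2
    # Refuse to publish a private key by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then exit 2; fi
    # A public key line is "<type> <base64-blob> [comment]"; take the first one.
    line=$(grep -v '^[[:space:]]*#' "$pub" | grep . | head -n 1)
    set -f; set -- $line            # split into fields without globbing
    [ $# -ge 2 ] || exit 2
    type=$1 blob=$2

    umask 077                       # subshell body: caller's umask is untouched
    mkdir -p "$(dirname "$auth")"   # a newly created directory gets mode 700
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    # Already published if the same type and blob appear on any line, even
    # with a different comment or with options (command="...") in front.
    if awk -v t="$type" -v b="$blob" '
        { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
        END { exit !found }' "$auth"; then
        exit 1
    fi
    printf '%s\n' "$line" >> "$auth"
)

# Demo in a temporary directory, so nothing touches the real ~/.ssh.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyForExampleOnly alice@laptop' > "$tmp/id.pub"
    first=0;  publish_key "$tmp/id.pub" "$tmp/.ssh/authorized_keys" || first=$?
    second=0; publish_key "$tmp/id.pub" "$tmp/.ssh/authorized_keys" || second=$?
    lines=$(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')
    rm -rf "$tmp"
    echo "first=$first second=$second lines=$lines"
}
demo
```

The second call returns 1 and the file still holds a single line, which is the behaviour the paragraph describes: a repeated run does not duplicate the key.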

pssh-copy-id currently also supports the host definition syntax of net-parscp [5], which allows us to use regular expressions to define hosts. The same command as before could be written like this:

$ pssh-copy-id host1..3

Future versions of pssh-copy-id will make key publishing parallel, by spawning one process per host, so publishing the key to several hosts will be faster.

This utility could be quite a useful tool for system administrators: it will enable them to publish and distribute keys faster, or to integrate it into a bigger script (like we’re doing on the SAII) to simplify the user key distribution problem.

Notes:

* except maybe under a process memory dump, which has not been tested

References:

[1] http://linux.die.net/man/1/ssh-copy-id

[2] http://oreilly.com/catalog/sshtdg/chapter/ch08.htm

[3] http://blog.ganneff.de/blog/2007/12/29/ssh-triggers.html

[4] http://code.google.com/p/pssh-copy-id/

[5] http://code.google.com/p/net-parscp/

